
PageFair: Economist hacked - aburan28
http://www.economist.com/help/pagefair
======
cperciva
I'm going to copy-and-paste the important bit in case nonsubscribers need to
read it. I wouldn't normally do this, but I figure it's an important
announcement rather than a creative work:

 _On Oct. 31, 2015, one of economist.com’s vendors, PageFair, was hacked. If
you visited economist.com at any time between Oct. 31, 23:52 GMT and 01:15
GMT, Nov. 1, using Windows OS and you do not have trusted anti-virus software
installed; it is possible that malware, disguised as an Adobe update, was
downloaded onto your PC._

~~~
cperciva
This is one of the most impressive security disclosures I've ever seen. They
identify the precise window of exposure; they identify the systems which could
have been affected; and they provide details which may help people determine
if they were attacked.

I'm also impressed with how quickly they fixed the problem: Apparently it only
took 83 minutes to discover and shut down the malware distribution.

~~~
dfc
Just to be clear, you should be impressed with pagefair, not the economist.
The PF blog has even more information with a no BS mea culpa that would make
your grandmother proud:

[http://blog.pagefair.com/2015/halloween-security-breach/](http://blog.pagefair.com/2015/halloween-security-breach/)

"If you are a publisher using our free analytics service, you have good reason
to be very angry and disappointed with us right now. For 83 minutes last
night, the PageFair analytics service was compromised by hackers, who
succeeded in getting malicious javascript to execute on websites via our
service"

~~~
chinathrow
I would rather say we should be not so much impressed with pagefair.

Running stuff on an externally managed CDN without 2FA is simply stupid and
dangerous. And even more as they are a third party script used by dozens of
newspapers.

------
johncolanduoni
Ugh. To paraphrase PageFair's website, ads keep the internet free, but the way
ads are implemented today also keeps botnets around.

~~~
rayuela
Why is this so? Is this because of their use as fake traffic?

~~~
johncolanduoni
That's true, but not what I was thinking of. Even big websites of some repute
(like The Economist) are in the habit of letting a multitude of external
agents run unrestricted JavaScript on their pages. As in this case, that power
can be used to distribute exploits.

~~~
rayuela
Ah, very interesting...

------
mirimir
Damn, they won't even show _this_ page without subscription ;)

Edit: Maybe I overreacted. I just tried the direct link again, and it loaded.
The first time, loading stalled with a blank popover.

~~~
peteretep
I have a paid Economist subscription but it's less hassle to not login and use
a combination of expiring cookies, self-clearing cache, and some specific
AdBlock rules to read their content...

~~~
IndianAstronaut
I've spoken to some devs who used to work for them. They have said the working
environment there for devs is terrible and retention of quality is a big issue.

Their site is awful and has been awful for ages. They are also usually a good
3 to 5 years behind the times with their magazine technology. Late to deliver
apps, poor user experience on the site, terrible mobile pages, etc.

I say this as an avid reader (and now listener) to their magazine for over
nearly 15 years.

~~~
mrweasel
Even their subscription management site is terrible, it's really much more
complicated than it needs to be.

I love the paper version of The Economist, but I never read their online
content. Partly because I can't be bothered to login.

------
vonklaus
> it is possible that malware, disguised as an Adobe update, was downloaded
> onto your PC.

If you weren't affected by this you can still download genuine Adobe malware
from:

www.adobe.com/creativecloud.html

------
cm2187
Another attack that disabling javascript would have defeated.

~~~
olemartinorg
Another attack that unplugging your computer and going to live in the woods
would have defeated.

More and more of the web is built on javascript, so opting out of a chunk of
what the web runs on will naturally limit your exposure to the dangers (and
joys) of the web.

~~~
jarek
> More and more of the web is built on javascript

Yes, you should definitely allow arbitrary code to run in a Turing-complete
interpreter on your personal computer to read some text in the Economist.

This isn't some advanced app or game pushing the limits of web technology,
it's words and a few charts.

------
k8tte
with dnsmasq

    address=/pagefair.com/127.0.0.1
    address=/pagefair.net/127.0.0.1

seriously, this only strengthens my argument for blocking all sorts of 3rd
party crap

------
manigandham
I think it needs to be said that while external ad networks can increase the
surface area of a hack like this, the major issue is email security and having
tight access controls and MFA in place for all major services.

The same thing could've easily happened to the Economist's own website and CDN.

There have been dozens of stories including major studios, politicians and the
CIA that show how losing access to an email account can cause major damage or
even cripple a business, if not get them shut down completely.

It's something that seems to be overlooked a lot but with the prevalence of
email access everywhere on mobile devices and the amount of phishing attempts
and surveillance, this should be one of the highest priority security issues.

------
aexaey
Hold on... Economist wants both subscription fee _and_ to serve 3rd party
malware (a.k.a. ads) to me?

~~~
rglullis
Just like cable TV? Just like any sports broadcaster that charge for tickets
AND have billboards?

How long is it going to take people to realize that ads vs paid content is not
an either/or proposition, and that we should get rid of any ad-supported
economy?

~~~
manigandham
How long is it going to take people to realize there is nothing wrong with an
ad supported economy and many products, services and media would go away
without it, even if relying solely on subscriptions.

~~~
rglullis
"Nothing wrong"?

- The ads are almost never useful for the consumers

- Companies keep shoveling money into ad campaigns just so that marketing
teams can justify their budgets

- Ad publishers are incentivized to completely undermine the idea of private
data

- Thomas Watson is often mocked for saying "I think there is a world market
for maybe five computers". If we look today at Google, Facebook, Amazon,
Microsoft and Apple, we are not that far from that reality. The "ad economy"
is at direct odds against an open web.

I'll give you that Google's breakthrough came because they could find a way to
revenue, and that without ads they would never bring many useful things for
fruition. But the best way to justify their wealth creation is that they
manage to make the social function of advertising (connect producers and
consumers) and make it more effective.

There was almost zero progress in that regards afterwards. It is just a race
to the bottom. I can actually bet that we would be better off without these
products, services and media if they were gone. Case in point: one of the
links on the front-page right now is
[http://www.thedailybeast.com/articles/2015/11/04/no-spooning...](http://www.thedailybeast.com/articles/2015/11/04/no-spooning-isn-t-sexist-the-internet-is-just-broken.html)

~~~
manigandham
I've heard all these arguments and more a 1000 times, it's nothing new and
usually based on emotions and opinions rather than any objective study.

1) Ads are useful for consumers as it leads to them solving their problem.
Whether that's discovering a new service or buying a product, they needed
something and they got it. It's still ultimately their decision.

2) Do you know the best thing about digital ads? It's the data. These aren't
billboards that are bought without any idea who's seeing them or giant print
ads bought on ego, we can tell exactly who's clicking on what and what they do
after all the way to purchase. It's not just money thrown around, it leads to
real bottom line results. The ad industry is one of the biggest data-driven
industries in the world, contrary to what many might think.

3) Not sure how you came to this conclusion. There is no such thing as the "ad
economy"... it's just a business model and industry, not some major paradigm
of society. It will always exist because it works and serves a need, and
outside of the direct monetization, it's the best form of payment there is.
It's quick, passive and requires no decision willpower and is the primary
reason for so many websites and such a large open web. We wouldn't have nearly
as many sources on the internet if it weren't for ads. The monopolies you
mentioned exist in every industry because that's the most efficient way to
scale and run a business, it's got nothing to do with ads specifically.

4) I don't get the last point - are you saying that article isn't worth
anything? Why? because you don't like it? So you're the judge of good content?
I'm not a fan of celeb news but it's a huge market and draw for readers online
so who am I to judge? There are billions of people with their own interests
and needs, nobody gets to just set the baseline here. Yes there are scams and
fraudulent stuff and arguably 'low-quality' bits out there but this exists in
every field and is a constant battle. It doesn't mean we devalue everything
because of it.

~~~
rglullis
1) I was talking about Google being one exception to the rule. The thing
is that at least with AdWords you get ads related to your search. When I am
reading some news, the last thing I care about is if I could be missing some
opportunity to buy a car, or be bombarded with ads from Coca-Cola, or some
possible tourist destination.

Ultimately, there is no problem to be solved when people are visiting whatever
source of content they are going for. The people that tolerate ads in web
pages do it only because they think it is the only way to get the content for
free, not because of the value-add of the promoted advertisement.

2) Yes, the best thing about digital ads is the data... _for the marketers_.
The producers get very little real benefit from it and in the end are put in
an arms race by the marketing companies that tell them that the only way to
keep their market share is by outspending the competition.

3 and 4) "We wouldn't have nearly as many sources on the Internet if it
weren't for ads." That would be great, actually. We need more quality, not
quantity. What you list as qualities ("quick, passive and requires no decision
willpower") is _exactly_ what brings the quality of the content down.

And yes, I am saying that the linked article is worthless. Not because I just
don't like it, but because I seriously doubt that the "huge market" would
actually vote with their wallets to get that kind of content produced.

We don't need ad money to fund something like Wikipedia. Conversely, ad money
is what makes Buzzfeed, Gawker and Jezebel pass for journalism nowadays.
And these are not even the worst around.

--

I truly believe that people accepting ads as a way to get content is one of
the largest disgraces for society in the digital age. I like to make the
analogy with the corn industry and the government subsidies since the 70's.
People wanted to get "cheap" food, and all they got was externalized costs.
Years later we got an obesity epidemic, huge costs in healthcare and corn-
ethanol, which is energy net-negative. The Advertisement industry does the
same thing for our culture, our education, our civic values (slacktivism) and
the economy at large. This "just a business model" is morally bankrupt.

~~~
manigandham
1) Ads work whether you care about them or not. Google isn't an exception to
anything, they run ads and you either have a problem with ads or you don't.
You're just more accepting to ad suggestions when searching since you're in a
natural discover mode and Google is extremely relevant because you type your
intent right into the search box, that's about as good as it gets.

2) The producers/manufacturers get all the data they want. Don't you think
they know who's buying their stuff? The money comes from them to the agencies
and ad networks so they will always know the most. And yes, marketing is a
race because it works. They have to spend to get people aware and interested
in their products and services. There's always a user acquisition cost,
especially if you're competing with another company for the same user. It's
not some made up thing. These companies aren't stupid. If they could do it
without it they would.

3) Have you read the journalism that Buzzfeed puts out? They have an acclaimed
hard news section and are partners with even the White House. They have
several levels of content in depth and coverage, much like many other media
companies. Again YOU are not the judge of quality and the mass market already
spends lots of money on tons of things that are similar to what you claim is
low quality media. It's just not that simple to suggest that certain things
somehow don't have value to someone else.

4) Wikipedia isn't a business. They don't do anything except host servers and
have some developers building features. ALL of their content is user
generated. No real business can work that way.

---

It's FAR better to have democratic and free access to content rather than
tying it to direct payments and vastly limiting access and amount. That is
going backwards to the entire intent of the internet and the spread of
information.

~~~
rglullis
You misunderstood what I said about Google. I still don't care about the ads
shown by Google (I run my ad blocker just the same). What I meant is that at
least you have a point that Google can be more effective, for the reasons you
mentioned. And if that is "as good as it gets", why should we let other businesses
take for granted that all they need is to get eyeballs and the ad money will
come? It makes no sense.

Also... please, Buzzfeed _partnering with the White House_ is a sign of
"quality news"? The quote "If you want something in the paper, that’s
advertising; you want something kept out, that’s news" comes to mind.

> It's FAR better to have democratic and free access to content rather than
> tying it to direct payments and vastly limiting access and amount. That is
> going backwards to the entire intent of the internet and the spread of
> information.

That is a false dichotomy. You can get free access to content without relying
on ads as your revenue stream. Wikipedia is not a business and does it.
Stackoverflow _is_ a business and uses the careers site as the main revenue
source. We don't need an "Ads industry" to have quality content.

~~~
manigandham
1) Eyeballs = attention = what advertising is all about. Relevancy is a way to
target to make best use of that attention but it's not required.

2) Why don't you actually read some of the BuzzFeed news:
[http://www.buzzfeed.com/news](http://www.buzzfeed.com/news)

They have writers from NYT and WSJ amongst others on their staff. Put aside
your prejudice and actually see for yourself.

3) Wikipedia isn't a business, but their business arm Wikia makes all their
money on advertising. StackExchange makes all their money on advertising
(those job postings are ads and other banners on their site). However both
companies are not in the content business because all their content is user
generated. That's why they have no costs other than technical upkeep.

A real content business requires people to actually create that content so
your examples aren't relevant. Sure we can replace everything with direct
subscriptions but that doesn't scale and severely limits the access to and
quantity of content available. Those are the facts in the industry, there's no
denying that, no matter how much you hate ads.

~~~
rglullis
_> > Why don't you actually read some of the BuzzFeed news:
[http://www.buzzfeed.com/news](http://www.buzzfeed.com/news) _

I did. Sorry to tell you, but they seem as "hard news" as CNN. It is
infotainment. Most of the topics are still about what is popular, what can
generate clicks and what can polarize. There is nothing in there that I feel I
would pay to see investigated, studied or analyzed.

(1) and (3) The point I am trying to get across is that any kind of business
is supposed to exist to support some kind of need for society. The
"advertising industry" only fulfills any social utility when it manages to
efficiently connect producers to their target consumer.

If to do that, it needs to steal attention from people, it is not doing its
job properly.

If the "advertising industry" ends up providing a system that makes people
consume only things from the producers with more capital, instead of the best
product, then the industry is not doing its job properly.

If the "advertising industry" ends up creating by collateral a huge mass of
well educated people that depend on this "meta-work" of producing content that
can pass for journalism or entertainment, then it fails to fulfill its
social function.

 _> > Wikipedia isn't a business, but their business arm Wikia makes all their
money on advertising._

Society benefits from something like wikipedia. I can donate $25/year like I
do to Wikipedia, and hope that enough people will contribute to it to keep it
running. Good thing that Wikia can bring some funds and not have to rely on
many more people. But if Wikia ceased to exist, people can still find ways to
keep wikipedia around. If society loses wikipedia, we would lose a lot.

Now, if for some reason Wikia was not being profitable, do you really think
society would be worse off? Perhaps for historical and cultural reasons, it
would be bad to lose it - just look at all the work from the archive.org
people. But look at Geocities: do you think society is that worse off without
it? Would we be worse off without Wikia?

 _> > Eyeballs = attention = what advertising is all about._

To come back to my point: I do believe that there are cases where businesses
manage to provide the social function of advertising (establish a
communication channel between producers and consumers), but this "produce
content and try to monetize it" with ads is not one such case.

- The content that gets produced is of dubious quality (because the focus of
the content producer is not in the quality of the content, rather how much of
the people's attention it can grab)

- There is no real connection between content producer and the producer
paying for ads. So content producers may end up becoming crap-pushers without
even knowing.

- It makes for an uneven field for smaller producers. We live in an era where
the cost of producing, processing and distributing information is almost zero.
The balance of power could be completely in favor of the people. We HAVE the
means of production of wealth in our hands. But because of advertising, we
give this power back to the Capital owners. You describe your work as a
"marketing platform for top brands". Let me tell you one thing: I WANT BRANDS
TO BE DESTROYED. There is no real value in brands, except for the brand
owners. They stifle innovation. They created consumerism as a lifestyle.

I am all for free-market and minimal intervention on business. But you state an
equation like this one where "attention" as something that can be extracted
value from WHEN IT IS NOT FUCKING YOURS! It is immoral and you don't even see
it.

~~~
manigandham
I'm sorry but at some point I can't take it seriously if you just discount
everything as bad. So what's "good" quality then?

You also seem to have some idealistic idea of what advertising is. It's not
some efficient marketplace to connect people. It is an industry about
attention. And no it's not "stealing" as everything in the world competes for
attention. It's more of paying to capture that attention as best it can. There
is no greater "social function" here.

Society benefits from all things. Again YOU cannot judge this based on some
random questions about Wikipedia vs some entertainment publication. The
careers of those mentioned in that publication and their livelihoods and
families certainly benefit from it so it's all relative and there's no right
or ideal.

There might be misaligned incentives for some publishers choosing to maximize
revenue (that's not the bad thing since they are businesses) by focusing on
improving ad load rather than content. That doesn't mean there's something
wrong with advertising, only that that business has become focused on selling
ads rather than producing content.

The whole last part of your statement makes no sense to me. Destroy brands?
Why? What's that do? Do you know what brands are? They are just reputations,
but at a higher level for corporations and product lines. You should read
this:
[http://www.economist.com/news/business/21614150-brands-are-m...](http://www.economist.com/news/business/21614150-brands-are-most-valuable-assets-many-companies-possess-no-one-agrees-how-much-they)

Attention can absolutely be extracted, it doesn't have to "belong" to someone
because it's an abstract thing in itself. There is no "attention" tangible
good. You have as much of it as you want. It's just a way to think of the
value exchange. I'm not sure what you're so confused about but calling others
immoral certainly isn't the way to prove your point.

~~~
rglullis
> You also seem to have some idealistic idea of what advertising is.

When I mention a "social function", I don't mean a "public service". I mean in
the utilitarian sense. Every economic activity has a social function. If you
consider yourself to be living in a free society, for every kind of activity
you do you are expected to provide some kind of good or service that is of
interest of others. If it is considered to be beneficial only to one of the
parties, it is not going to happen (unless it is done by force, but then we
don't have an actual free society)

From brick layers to gas stations, from restaurant chefs to prostitutes, from
Venture Capital Fund Managers to shoe makers to Hollywood. That is the case
even to advertising. Advertising's "social function" is to inform the consumer
public about what is available in the market at large, and to give to
producers a chance to showcase their offerings. This may sound "idealistic",
but it shouldn't be.

You seem to be focused on the "business" part of the things. As in "how to
make money to keep that activity?" For society, this doesn't matter. If there
is any other way to fulfill that need, the business is obsolete and can
(should) go extinct or adapt into something else.

You have the arrows reversed: you want society to accept that the business
needs to exist, and that it should change to support it. In fact, it is the
business that needs to change to always support the needs of society.

Yours is the corporatist view. This view is what brings us the continued
influence of RIAA and MPAA and DRM. It's what brings us poor-quality American
cars. It is what brings "Food, Inc" thanks to subsidies in the corn industry.
It is what brings us a society that is so drowned in "cheap" entertainment
that leads to this dystopia we live in
([https://en.wikipedia.org/wiki/Amusing_Ourselves_to_Death](https://en.wikipedia.org/wiki/Amusing_Ourselves_to_Death))

> Destroy brands? Why? What's that do?

I don't say in the sense of setting corporate places on fire. I mean in the
sense of being able to convince people that most of the time, there is a
"brand-free" version of a product that is of equal or superior quality but
that costs less.

Think of things like consumer electronics: most of the audio equipment or LCD
panels can be virtually the same, yet people are so bombarded by ads from the
"reputable brands", they can't even conceive of looking for an OEM factory.

Another example: at least in São Paulo I remember going to the mall and seeing
"designer" jeans that would cost $100. Those jeans were produced in many
different small shops around the city, spec'd by the "designer". The uncle of
a friend of mine ran one of those shops. He would sell the "unbranded" version
of the jeans for $15.

Another example: Go to any supermarkets, and you find "white label" products
that are sometimes produced by companies that produce the very same "branded"
version. The contents can be the same, yet the branded one will cost more.

What is the benefit of "brands" in these examples? How are the advertising
companies helping people in making better informed decisions?

------
hannob
There must be an error on that page. It is missing the part where they
apologize and explain how they'll make sure that this never happens again. Oh,
that part isn't there? Well...

~~~
jacquesm
As linked above:

[http://blog.pagefair.com/2015/halloween-security-breach/](http://blog.pagefair.com/2015/halloween-security-breach/)

So, that part is there. Note that the site posted is not the site that was
affected by the breach.

------
hooray_yogurt
This is why you own your infrastructure.

~~~
johncolanduoni
For the Economist, yes. The attack on PageFair was by spearphishing an
employee's email, so there isn't much owning your own infrastructure can do
for that.

~~~
chinathrow
Sure it is... their external CDN account was compromised - no 2FA in place.
Proper 2FA (read: 2FA reset key stored offline and safe, not done via mail)
helps against spearphishing.

~~~
johncolanduoni
So for a business with their traffic needs, you'd recommend they do what? Buy
up a bunch of physical locations all over the world and get some OC lines?

I'd be shocked if they could stay out of the red, even at their size. Your
proposal would also kill virtually every startup that needs a website.

~~~
chinathrow
No, that is not what I would recommend, so please don't label it "Your
proposal".

My recommendation was already stated: if you use any external CDNs, make sure
you don't fuck up those accounts. 2FA is one thing to safeguard against
account compromise. Subresource integrity would be the next step, it's coming
soon or is already here.

[http://caniuse.com/#feat=subresource-integrity](http://caniuse.com/#feat=subresource-integrity)

~~~
bbrazil
The problem with subresource integrity is that it ties you to one version of
the code. That's fine for something like jQuery, but doesn't work in this case
where you expect the code to change relatively frequently.
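
Added example, not part of any comment in this thread: a Node.js sketch of the Subresource Integrity matching a browser performs, showing both the protection discussed above (content changed on the CDN is refused) and the version-pinning cost (a legitimate vendor update is refused too). It goes slightly beyond the thread by also showing that an integrity attribute may list several hashes, which lets a publisher accept two known releases during a rollover. The script bodies and the `cdn.vendor.example` URL are constructed placeholders.

```javascript
// Added example: Subresource Integrity (SRI) matching, following the rules a
// browser applies to <script integrity="...">. All sample data is constructed.
const crypto = require('crypto');

// Hash functions SRI defines, ranked so the strongest one listed wins.
const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);

// Build one integrity token ("sha384-<base64 digest>") for a script body.
function sriHash(body, algo = 'sha384') {
  if (!STRENGTH.has(algo)) throw new Error(`unsupported SRI algorithm: ${algo}`);
  const digest = crypto.createHash(algo).update(body, 'utf8').digest('base64');
  return `${algo}-${digest}`;
}

// Split an integrity attribute into tokens. Unknown algorithms, malformed
// tokens and any "?options" suffix are ignored, as user agents do.
function parseIntegrity(attr) {
  const entries = [];
  for (const token of attr.split(/\s+/).filter(Boolean)) {
    const expr = token.split('?')[0];
    const dash = expr.indexOf('-');
    if (dash < 1) continue;
    const algo = expr.slice(0, dash);
    const digest = expr.slice(dash + 1);
    if (STRENGTH.has(algo) && digest.length > 0) entries.push({ algo, digest });
  }
  return entries;
}

// True if the fetched body may execute under the given integrity attribute.
function sriAllows(body, integrityAttr) {
  const entries = parseIntegrity(integrityAttr);
  if (entries.length === 0) return true; // no usable metadata: nothing is checked
  // Only hashes of the strongest listed algorithm count; any one may match.
  const best = Math.max(...entries.map((e) => STRENGTH.get(e.algo)));
  return entries
    .filter((e) => STRENGTH.get(e.algo) === best)
    .some((e) => sriHash(body, e.algo) === `${e.algo}-${e.digest}`);
}

// The tag a publisher would embed; crossorigin is needed for cross-origin SRI.
function scriptTag(src, integrity) {
  return `<script src="${src}" integrity="${integrity}" crossorigin="anonymous"></script>`;
}

// Constructed samples: two vendor releases and a release altered on the CDN.
const VENDOR_V1 = 'window.vendorAnalytics = { version: 1 };\n';
const VENDOR_V2 = 'window.vendorAnalytics = { version: 2 };\n';
const MODIFIED_V1 = VENDOR_V1 + '/* content changed on the CDN */\n';

function demo() {
  const pinV1 = sriHash(VENDOR_V1);
  const rollover = `${pinV1} ${sriHash(VENDOR_V2)}`;
  return {
    tag: scriptTag('https://cdn.vendor.example/measure.js', pinV1),
    pinnedLoadsV1: sriAllows(VENDOR_V1, pinV1),
    pinnedLoadsModified: sriAllows(MODIFIED_V1, pinV1), // changed content refused
    pinnedLoadsV2: sriAllows(VENDOR_V2, pinV1),         // vendor update refused too
    rolloverLoadsV2: sriAllows(VENDOR_V2, rollover),    // both releases listed
    rolloverLoadsModified: sriAllows(MODIFIED_V1, rollover),
  };
}

console.log(demo());
```

A pin only helps if the publisher, not the third party, controls when the hash changes, so a frequently updated vendor script has to be versioned or self-hosted for this to be workable.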

