
Ad Nauseam - bjcubsfan
http://www.hackerfactor.com/blog/index.php?/archives/713-Ad-Nauseam.html
======
genedickson
Stop calling them ad blockers. They block surveillance features that
advertisers put in their ads. I do not believe that ads would be blocked by
surveillance blockers if they were just ads. Absent the surveillance, how
would they recognize them? If ads were identical to the ads in analogue
newspapers then surveillance blockers would let them through. When I read an
analogue newspaper or magazine nobody knows if I read the ads or not.
They only know whether they get results from advertising in that outlet. And
they know that by tracking. They could run ads that don't spy on people. I
always use surveillance blockers. I never shut them down for anybody. It is
especially offensive when sites that are hardcopy outfits which have gone
digital to keep up with the times complain about surveillance blockers. They
certainly know how to run ads that are just ads. There is no technical
difference between the ads and the rest of the page. The layout is the thing.
They have experience with this and professional advertising people know about
tracking results.

~~~
manigandham
Ad blockers don't block ads. They aren't even "ad" blockers but just filters -
browser extensions that block anything on a page from loading if it's coming
from a blacklisted domain. Whether it's ads, trackers, social widgets or just
an image - it gets blocked by canceling the network request.

Surveillance is not the leading cause for adblock, it's because people don't
like ads and a 1-click install to remove them is incredibly easy.

Advertising online will always have some sort of tracking because that is the
benefit of advertising online - to know the real metrics of who has seen and
clicked and engaged with an ad. If you're worried about real privacy issues,
you should focus on Facebook/Google and government agencies.
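
The domain-blacklist filtering described in the comment above, as an added example that is not part of the original thread or any real extension's code. It models only the cancel-by-domain behaviour; the blocklist entries, hostnames and URLs are constructed sample values.

```javascript
// Added illustration: a minimal domain-blocklist request filter.
// BLOCKLIST and SAMPLE_REQUESTS are constructed values, not real filter data.
const BLOCKLIST = new Set(["ads.example", "tracker.example"]);

// True when `hostname` is a blocklisted domain or a subdomain of one.
// Matching is done on whole DNS labels, so "notads.example" does not
// match an entry for "ads.example".
function isBlockedHost(hostname, blocklist = BLOCKLIST) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (blocklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Decide what happens to one request issued while rendering `pageUrl`.
function filterRequest(requestUrl, pageUrl, blocklist = BLOCKLIST) {
  let req;
  try {
    req = new URL(requestUrl, pageUrl); // relative URLs resolve to the page's host
  } catch {
    return { action: "allow", reason: "unparseable URL" };
  }
  if (req.protocol !== "http:" && req.protocol !== "https:") {
    return { action: "allow", reason: "no network request (" + req.protocol + ")" };
  }
  if (isBlockedHost(req.hostname, blocklist)) {
    return { action: "cancel", reason: req.hostname + " is blocklisted" };
  }
  return { action: "allow", reason: "host not listed" };
}

// Constructed requests for one page load on https://news.example/story.
const SAMPLE_REQUESTS = [
  "/img/sponsor-banner.png",                  // first-party static image ad
  "https://cdn.ads.example/banner.js",        // third-party ad script
  "https://tracker.example/pixel.gif?uid=42", // tracking pixel
  "https://notads.example/logo.png",          // unrelated host, similar name
  "data:image/png;base64,AAAA",               // inline image, nothing to cancel
];

function filterPage(pageUrl, requests, blocklist = BLOCKLIST) {
  return requests.map((url) => ({ url, ...filterRequest(url, pageUrl, blocklist) }));
}

for (const r of filterPage("https://news.example/story", SAMPLE_REQUESTS)) {
  console.log(r.action.padEnd(6), r.url, "-", r.reason);
}
```

The first-party banner is allowed because the filter only sees its host, which is the same host that serves the article.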

~~~
genedickson
I don't use Facebook or Google. I use Startpage as a Google proxy on rare
occasions, but mostly search with Ixquick. My representatives know what I
think about government surveillance and privacy issues, for what it's worth. I
agree and disagree about online ads always having interactive features. It
makes sense, but the controversy around this does make for the possibility
that some will go for straight ads. For me surveillance is the main reason I
use blockers. History shows that corporations are more of a threat than
government. Hitler could never have made it absent the Krupp family. They put
him in power. I don't know about Stalin. He did have help along the way, but
since he ruled till he died there is a lot less information available, and it
is spotty at best. Of course in America the corporations run the government,
and it isn't just from campaign contributions, though at this time that is the
biggest thing. Europe too. Most of the world's governments are run by
corporations behind the scenes. The big possibility to force ads to be non
interactive is to seriously call newspapers and magazines that predate the
internet on this. I do this pretty regularly. An ad that does not have any
interactivity cannot be filtered without removing the article one is reading.
That is easy to do. And the incredible amount of publicity waiting for the
first newspaper or magazine to require advertisers to eliminate interactive
ads should be really tempting. If their publicity department doesn't see this
they need to hire me! Given the resources that publicity outfits have I could
get the ball rolling and keep it going for long enough that it would be
remembered for a while after the boom. The only thing to filter would be the
graphics. Alt text would deal with this. If one has use of the advertised
item(s), one will check out the pictures. However, I noticed when I "upgraded"
my firefox that they don't have the option to block images in the new version,
or at least they make it difficult by completely removing the tool bar that
held that function. I've looked and looked, but not found. In any event, I
utterly lack sympathy for interactive advertisers and the websites that allow
them. I'll happily do without them as they go out of business, and I hope they
do!

------
zwetan
and again Flash is the scapegoat

"By converting unsafe flash-based ads to safe HTML5 ads, they lower the risk
of infection from a hostile ad." is laughable at best

An Ad Network is one of the fastest ways to deliver a payload to a lot of users

Don't fool yourself, Operating Systems, Browsers and HTML5/JS also have a hell
lot of CVE that can be exploited

It's funny how a company like Google making Billions from ads, having ton of
smart engineers, have never figured out during the last decade how to "scan
ads for malware".

It's not like anyone can upload an ad to those big network, or that they don't
QA the ads before delivering them ...

Imagine this unlikely scenario: malware delivered by HTML5/JS

I guess we'll all have to run for the hills if that happens

~~~
hackerfactor
"and again Flash is the scapegoat"

Truth hurts? Adobe Flash and Microsoft Silverlight are common exploit paths
because they have new critical exploits every few days. Here's the CVE list
for Flash -- notice how many critical exploits there are? It averages to about
1 every 3 days.
https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html

In contrast, JavaScript itself has been pretty stable for years. I think the
last vulnerability related to JavaScript ES5 impacted old Firefox browsers.
http://www.cvedetails.com/cve/CVE-2015-4516/
https://www.cvedetails.com/vulnerability-list/vendor_id-452/product_id-3264/cvssscoremin-7/cvssscoremax-7.99/Mozilla-Firefox.html
(Two JavaScript exploits for Firefox in 2015, both low risk.)

And HTML5? Extremely stable. There may be specific plugins or specific
browsers that are vulnerable, but the underlying HTML5 specifications are very
safe and have been safe for years.
https://www.cvedetails.com/google-search-results.php?q=html5&sa=Search

If you know otherwise, then please cite the specific CVEs. Otherwise, you're
just spreading false information. You wrote, "Browsers and HTML5/JS also have
a hell lot of CVE that can be exploited". I say: Prove it. Cite your sources.

Edit: Adding links to Firefox exploit CVEs.

~~~
zwetan
OK, remember you asked for it

"If you know otherwise, then please cite the specific CVEs. Otherwise, you're
just spreading false information"

man, you are so full of it

want proof ? no problemo

1. CVE are organised by vendors and products

HTML and JS does not show as products, only browsers

see
http://www.cvedetails.com/top-50-products.php

look #3 Firefox, #4 Chrome, #8 IE

that explains why you will never see a specific HTML and/or JS CVE, that does
not mean they don't exist.

Also in term of volume, browsers have more CVE than Flash, it's all here in
the numbers: Firefox 1320, Chrome 1216, but no let's ignore them and focus on
Flash 713 CVE.

Just that it make your whole argument biased, the part "JavaScript itself has
been pretty stable for years" is ridiculous, search for JS blackhole exploit,
Rowhammer.js exploit, Heap Overflow exploit in JS, etc. you don't see them in
CVE but they are here and exploitable.

It's better to think that JS is secure looking at that
http://www.cvedetails.com/vendor/10288/Javascript.html

yeah no exploit in JS, none, we are all safe LOL

this for example
http://www.cvedetails.com/cve/CVE-2015-0817/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/

you don't see it show up under the tag "JavaScript"

2. Number of CVE listed do not equal CVE exploited in the wild

so you say "It averages to about 1 every 3 days", that's completely false

1 vendor patch for a particular product can close numerous CVE at the same
time so it's more like "we squashed 50 CVE in 1 day"

look at
http://www.cvedetails.com/cve/CVE-2015-8449/

follow up on
https://helpx.adobe.com/security/products/flash-player/apsb15-32.html

that's 1 patch, it does not indicate 1 CVE every 3 days, look at the details

"These updates resolve use-after-free vulnerabilities that could lead to code
execution (CVE-2015-8050, ..." that's more than 50 CVE of the same type
patched and closed at the same time

Also look the "Acknowledgments", numerous security team reported all those CVE
for them to be patched, there is no indications they were exploited in the
wild.

Saying such things as "oh 30 CVE discovered in 1 month, so that means there
were 1 CVE per day" is totally misleading, even more misleading to assume all
those CVE were exploited by default (eg. "could lead to").

At best it indicates that they (Adobe and other security team) are more
serious about discovering and patching those CVE and so they close more of
them more often.

------
eva1984
Or a third way, everybody hides content behind paywall, hail the new web 3.0.
Maybe not a bad thing, subscription could bring the old qualified journalism
back in the print era.

If you don't think anti ad blocker is a problem, where is this article coming
from? Hmmm, afraid that more websites would follow the trend so less content
to read? The attitude that this is only websites and advertisers' problem is
not as constructive as the author might presume.

~~~
anexprogrammer
Yet the news sites demonstrate how utterly clueless they are with the amount
they set their online subscriptions to.

£1 a day for The Times - very nearly the cost of the actual paper. $1 daily to
access Wired. Don't make me laugh. No one consumes all their news from a
single source any more.

If my usage pattern is anything near representative, 2-5p a day for the Times
and .5p a day for Wired, based on how often I visit equivalent sites and how
many stories I read whilst there.

Seems like unless it's something very specialised (medical journal or
similar), or the FT charging as though it was our sole news source just
demonstrates how out of touch they are.

Sure, charge me £1-£2 a day for consumption, but that would have to be spread
across 50-100 sites daily, some of which I've visited just once in the last
year, for one article. AND, if I am going to be willing to be micro-charged I
want a way to NOT pay a specific site (perhaps I visited and the content was
poor). Make that happen I'll subscribe today.

Ask me for £1 for your shitty site daily and you'll wait forever, but good
luck with your greed - that's what caused the adpocalypse in the first place.

~~~
eva1984
Hmmm, so you now understand advertising is not an evil business really, right?

It is effectively a way to price the information, how much should be paid for
your view. Note in print days, you still pay your subscription, yet you get
shit loads of ads. And you have a variety of choices of publishers.

So why this is the worst model ever?

The article is laughable that it gives no solution, but asks publishers to
evolve into oblivion, which I think they won't.

Some people are so pissed that publisher got anti ad blocker in place, yet
claim they won't pay to their shitty articles whatsoever. But then again, if
you don't read those shitty articles that much, why are you so pissed in the
first place?

After all you need to pay what you consume, and ad is one way of it. It is not
perfect, nor evil. Your call then.

~~~
commentzorro
_> Some people are so pissed that publisher got anti ad blocker in place ....
if you don't read those shitty articles that much, why are you so pissed in
the first place?_

I'm not pissed about the anti ad-block. I'm pissed because the sites show up
when I'm searching in the first place. I'm pissed because I go to the site
thinking I can get the information I was teased with in my search only to find
out I've been tricked. I'm forced to do something (unblock the ads), accept
some fake implicit agreement (you agree to look at our ads), and be spied on
(all the trackers) before I can get to the content I was led to believe was
there.

The fix is to remove all blocked content from the search so we won't even know
it exists in the first place. We won't get upset, we won't get blocked, the
sites won't get content "stolen" by those who won't view or click the ads to
begin with. Everybody's happy. Win Win.

~~~
eva1984
Even paywall article get indexed and showed, I don't think anti ad block
justify the cause.

------
tempestn
"I think that we need to hold the web sites accountable for the content that
they display. If browsers get infected by ads at Forbes or people buy knock-
off watches from ads at Yahoo, then we need people to sue Forbes and Yahoo.
Remember: these web sites authorized the placement of the ad on their web
page."

So effectively what you're saying is that we should eliminate ad networks.
There is no reasonable way to screen every ad before it is shown when using an
ad network. So in order to be safe from lawsuits, publishers would have to go
back to directly contracting with advertisers for every ad. Certainly there
would be some benefits to that in terms of reduced low quality ads. The
problem is, the added overhead of doing so would put many small publishers out
of business. Dealing with individual advertisers is a huge job, with massive
economies of scale; it just doesn't make sense for websites that are orders of
magnitude smaller than Forbes and Yahoo.

~~~
sdrothrock
> So effectively what you're saying is that we should eliminate ad networks.
> There is no reasonable way to screen every ad before it is shown when using
> an ad network.

Or you could have ad networks that only circulate carefully vetted/curated
ads.

Imagine if you had an ad network that was picky and only allowed ads that were
clever/interesting, short, not annoying, and didn't lead to malicious/fake
products!

~~~
zwetan
"Or you could have ad networks that only circulate carefully vetted/curated
ads."

No, you make it simpler than that

you simply forbid ads to be interactive or to contain any code

eg. you do only static ads like text, image, video

no code, no way to hide nasty stuff

~~~
hackerfactor
Your proposed approach will stop direct risks to browsers, but does nothing
for ads that link to web pages that are hostile. E.g., you click on an ad
because you are interested in the product and get directed to a phishing site
or a site offering counterfeit goods or a site that has malware and infects
your browser.

It's not just the graphic used by the ad, it's also the ad's destination.

~~~
jarcane
So disable linking.

The clickthrough rate on internet ads is execrable. Frequently in the
fractions of a percent at best.

No other advertising space operates on the assumption that linking represents.

Eliminating linking and leaving pure visual ads would be in line with every
other form of advertising in existence, and eliminate the "problem" of click
fraud, link-bait, and actually fraudulent links.

Do we really need a business model that exists largely to enable ad networks
to defraud each other and consumers? We have advertising standards bodies that
are meant to prevent this kind of thing in every other form of advertising,
but somehow the internet is "special"?

~~~
marvy
So you end up with ads that say: copy/paste this URL. What have you solved?

~~~
jarcane
I think realistically, the friction against such a method is strong. People
can scarcely be arsed to bother with QR-codes anymore. It could still happen,
but this sounds an awful lot like a "perfect is the enemy of the good" sort of
argument. Is not some X% of the problem better than the 100% that we have now?

------
jug
The publishers aren't very innocent themselves. Clickbait articles are
nowadays not a dirty strategy to get ad views, but to be expected. Then you
have the endemic tracking going on, the tracking that has become intertwined
with viewing an ad. Being tracked and seeing an ad... it's the same thing!
Nowhere else in the real world but on Internet is this to be expected. And
it's a debate that is frustratingly only discussed in organizations like the
EFF, never lifted to the general public.

The mafia comparison feels much more like a stretch when talking of ad
blockers than when talking of the bulk of the world's news sites secretly
(unless inspecting network traffic or HTML code) using a common few
advertisement agencies.

I think the recent cookie laws feel pretty useless, especially since cookies
aren't nasty by themselves. "Hi! This site uses cookies! Click here to learn
more." It doesn't tell me anything. It doesn't imply that the site is evil nor
good. However, give me a law requiring web sites to say "Hi! We are part of a
tracking network where your behavior on this site will be registered." Then
we're talking. Where the link doesn't lead to an explanation by the publisher,
but be required to lead to a link on an external part with an easily
digestible, up front explanation of what an ad tracker does and can do. I'm
honestly quite fed up that this offensive behavior can keep going on behind
the scenes. All people see are photos of a new car model. A normal ad that is
anything but normal.

For as long as there is this World Wild West on the publishers' sides, I'm not
going to change my behavior on defending myself. Because I look at this as a
form of defense. It's simply like running antivirus tools on Windows. I
wouldn't want a trojan horse to be downloaded that uploads my browsing
behavior to some server either. The difference from what these guys are doing
seems razor-thin.

~~~
bigbugbag
It actually depends on the publisher, the French news site nextinpact[1]
listened to criticism of ads, looked into the issues and made their move: ads
are limited to display format, no behavioral targeting, no animation, no
mixing content and ads, no tracker on client-side (tracking is on server side
with a locally installed piwik).

The mafia comparison is targeting adblock plus for their "do your ads as we
say, give us a 30% cut of the money you make and we may whitelist your ads
(only if you're big enough as in at least 10m ad impressions)" feature[3].

[1]: http://www.nextinpact.com/blog/97835-pourquoi-next-inpact-arrete-publicite-classique-et-passe-au-https-pour-tous.htm
[2]: http://www.nextinpact.com/publicite-partenariat
[3]: http://www.theguardian.com/technology/2016/feb/25/adblock-plus-opens-up-acceptable-ads-work

------
tempestn
"But keep in mind: not everyone is Google, not every web site has a huge amount
of traffic. With online ads, payment is usually tied to the click-through rate
(CTR). The CTR is typically around 1% (actual percentage varies by web site).
So if 100 people visit your web page, then 1 person will probably click on the
ad, generating a fraction of a cent. If each click pays $0.001, then you need
1000 clicks to earn $1. And if 1% of users click, then that's about 100,000
visitors."

I'm not sure where these numbers come from, but unless you are in fact running
a spam site, and likely even then, revenue per click is going to be higher
than a fraction of a cent. As a random data point, it looks like the combined
revenue per click from Adsense on our sites is around 30 cents per click at
the moment.

~~~
manigandham
Yes, much of the info in this article seems completely made up. The cheapest
clicks in the entire industry are probably around 2-3c and these are the worst
of the worst. Many are far higher, probably somewhere between 20-70c and going
up to $$ depending on ad quality and conversion ROI.

------
tracker1
I admit it, I look at linkbait articles and sites... The problem is that it's
crossed a line that there are so many intrusive ads, that the web doesn't
work without blockers.

If I happen to click on an article from facebook on my phone, the resulting
page shouldn't be something I can't even scroll/read because it's so riddled
with ads.

Another part is an extension of what TFA says... they should be held
responsible... current techniques are iframes, and when a timeout occurs or it
bounces to another ad network, another layer of iframe and tracking scripts
runs... if an average ad is 3 layers of iframes, and an average page has 5-8
ads, that'd be 15-24 complete extra browser contexts just for ads...

------
anilgulecha
Just to throw out this idea I've been thinking about for a bit as an
ad-golden-rule: The other end of an ad has to have an identifiable person
attached (ideally a citizen or from a non-poor country): An ad-auditor.

So now the other end of the ad is not faceless/identity-less. If the ad is
found to serve malware, there's someone to ban/take action against (like
banning from a good-paying ad-audit job for life). Ad-networks that require
the golden rule can be white-listed by blockers, and become trusted. Networks
that don't are considered malware haven.

Could this work? In the current ad-blocking war, the use of ad-blockers will
only rise-and-rise, and something has got to give.

~~~
tempestn
The problem right now is that it can often be difficult for anyone to tell
where an ad ultimately came from. A user will complain to a publisher about a
bad ad. So the publisher gets a description of the ad, maybe a url that it
points to. The problem is the url goes through various redirects, so the one
that the user ended up on isn't the one the ad points to, so it can't be
searched. But a bigger problem is where to even search. The unit housing that
ad will probably be served by multiple networks, with an algorithm deciding
which to serve from based on how many ads that user has seen, where they're
located, and various other criteria. Then if that network doesn't have a
sufficiently valuable ad to serve, they will either farm it off to another
network (and so on), or pass it back to the publisher's ad server, which will
find another network to serve an ad there.

This all happens in real time. So the point is, when you get a report of a bad
ad on your page, it's almost impossible to even know what network it came
from. The networks themselves don't know if they ultimately served you the ad,
because maybe they got it from someplace else. And no one can search for it
based on the url anyway.

Now, none of those things is unsolvable, although it would take significant
new regulation. For instance, when an ad is served through a network, there
should be a standardized way to add metadata to the ad to state that it was
served via that network. In cases where it is passed through several networks,
it would carry each of their metadata, in order from the original source
through the various levels until the network that actually serves the ad to
the publisher. That would at least allow savvy users to make an informed
report to a publisher when they get a bad ad. Something else to look at might
be requiring that either 1) the target url of an ad points directly to the
eventual landing page, or 2) if a redirect is made, the original url be
encoded either in the new url (as a fragment id perhaps) or at least as
metadata in the page. There are probably plenty of caveats there. But if a
user clicks on an ad and finds themselves at some page, there should be _some_
way to figure out what ad took them there. That isn't currently the case.

Identifying the networks an ad has passed through would be the responsibility
of those networks (with a standardized way of doing so). Avoiding or
identifying redirects would be the responsibility of the advertisers, but
networks would have to be required to periodically test ads for compliance.
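
A sketch of the two mechanisms proposed in the comment above (per-network metadata carried in order, and the original ad URL kept in the landing URL's fragment), as an added example that is not part of the original thread. No such standard exists; the field names (`seq`, `network`, `receivedFrom`), the `ad-origin` fragment key and all hostnames are hypothetical.

```javascript
// Hypothetical provenance format: every network that handles an ad appends
// one hop naming itself and the network it received the ad from.
function addHop(chain, network, receivedFrom) {
  return [...chain, { seq: chain.length, network, receivedFrom }];
}

// A publisher-side check: hops must be numbered in order and each hop's
// `receivedFrom` must name the previous hop, otherwise a network is missing.
function validateChain(chain) {
  if (chain.length === 0) return ["no provenance metadata present"];
  const problems = [];
  chain.forEach((hop, i) => {
    if (hop.seq !== i) problems.push(`hop ${i}: out of order (seq ${hop.seq})`);
    const expected = i === 0 ? null : chain[i - 1].network;
    if (hop.receivedFrom !== expected) {
      problems.push(`hop ${i}: ${hop.network} names ${hop.receivedFrom}, expected ${expected}`);
    }
  });
  return problems;
}

// Redirect step: carry the ad's original target URL in the fragment.
// Any fragment already on the landing URL is replaced in this sketch.
function redirectWithOrigin(landingUrl, adTargetUrl) {
  const u = new URL(landingUrl);
  u.hash = "ad-origin=" + encodeURIComponent(adTargetUrl);
  return u.toString();
}

// Recover the original ad URL from the page the user ended up on.
function originalAdUrl(landingUrl) {
  const fragment = new URL(landingUrl).hash.replace(/^#/, "");
  return new URLSearchParams(fragment).get("ad-origin"); // null when absent
}

// What a user could hand to the publisher when reporting a bad ad.
function buildReport(chain, landingUrl) {
  return {
    source: chain.length ? chain[0].network : null,
    servedBy: chain.length ? chain[chain.length - 1].network : null,
    path: chain.map((h) => h.network),
    originalAdUrl: originalAdUrl(landingUrl),
    problems: validateChain(chain),
  };
}

// Constructed sample: an ad passed through three networks, then one redirect.
let sampleChain = addHop([], "network-a.example", null);
sampleChain = addHop(sampleChain, "network-b.example", "network-a.example");
sampleChain = addHop(sampleChain, "network-c.example", "network-b.example");
const sampleLanding = redirectWithOrigin(
  "https://shop.example/landing",
  "https://advertiser.example/ad/123?campaign=spring"
);
console.log(buildReport(sampleChain, sampleLanding));
```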

~~~
anilgulecha
With the ad-auditor idea, the model itself changes. The middlemen go away, and
there's a person at the other end. Yes, the business of ads will change per
this new model.

An analogy is financial-auditors -- a human has to be present and sign even if
the report is for a company behind 10 shell companies.

------
xivzgrev
One point: by far most websites are on a pay by impression rather than pay by
click. More predictable revenue.

------
bigbugbag
The article misses a major point, ads are a form of surveillance and as such
more and more people prefer to block them out of privacy concerns.

~~~
hackerfactor
Actually, I intentionally left that out. I thought 4000 words was long enough.
Surveillance would add in another 4000 words.

------
Nano2rad
One solution. We will watch ads. The revenue will be taken by a micropayment
site like Flattr and distributed to sites we visit.

