“We're considering banning domains that require users to disable ad blockers” (reddit.com)
521 points by Hjugo on May 9, 2016 | 257 comments



As noted in other comments, this would only apply to the /r/technology subreddit. The general feedback is in favor of blocking these types of sites.

I'm pretty amazed at the current state of ads. With multiple ad exchanges, private sellers, and static brand deals, the entire serving process is a mess and users are paying for it. I don't think publishing websites are being malicious; they're incentivized to make money and just haven't figured out how to do it at a high enough margin while keeping users happy. I just think the entire internet ad industry is in shambles and nobody really knows a solution that makes everyone happy.


Of course they are malicious. They're serving the high-profit ads, which obviously includes malware, where they could be serving low-profit, safe (but boring) ads.

That's equivalent to pharmacists selling illegal drugs (heroin, cocaine) simply because they obviously make them more profits.


It's not that simple. At any one time, a publisher can be serving ads from a few exchanges, a few different private sellers, and custom built ads for brands. And these all are served in different combinations across several different ad units on multiple pages. And some of those ad sellers may be backfilling with other ad networks, or maybe the publisher is backfilling certain ads from the ad exchanges at certain CPM prices.

I'd liken it more to a hardware product being shipped with faulty materials when multiple manufacturers are involved and it's extremely difficult to identify the responsible party. Sure, they're responsible for the end product, but it's not so black and white.


> At any one time, a publisher can be serving ads from a few exchanges, a few different private sellers, and custom built ads for brands. And these all are served in different combinations across several different ad units on multiple pages. And some of those ad sellers may be backfilling with other ad networks, or maybe the publisher is backfilling certain ads from the ad exchanges at certain CPM prices.

So, don't do that.

> It's not that simple.

It is absolutely that simple.

Your argument is basically, "Their process is so complicated they can't avoid serving up malware." But that's not a justification for serving up malware. If your process is too complicated to avoid serving malware, then you need to simplify your process until you can avoid serving up malware.

You don't get a free pass on ethics just because ethics are inconvenient for your business model.


But it's not the publisher's process or business model that is causing the problem - it's the process of filling ad space that is broken. Sure, you could pick one ad network and micro monitor it, but you wouldn't make enough money to sustain quality content. CPM optimization is a requirement of the field if you'd like to profit enough to sustain quality journalism and not be the next you-wont-guess-the-top-10-craziest-things site.

Yes, I think publishers have a responsibility to monitor their ads and keep their users safe. But I still don't think it's a black and white ethics situation. The exchanges and other ad providers need to fix their business model and not depend on publishers to filter the malware ads they're sneaking onto their page.


You're making 2 arguments here:

1. Publishers can't compete if they behave ethically. If this is true, then the solution is simple: if you can't run your business ethically then close your business. However, I believe that it's entirely possible for publishers to compete ethically; there are, for example, plenty of business models besides selling ad space.

2. Publishers are only accomplices in serving malware. We can't ignore publishers' role in serving malware and blame the ad networks. Both the ad networks AND the publishers are to blame.


Especially when an ad network that only serves images is easier to make than one that can serve scripts and sometimes attack the user.


It isn't that simple, but it should be... This is a space ripe for "safe networks" and self-serve ad platforms to take hold.


Isn't that space already occupied by sites like Facebook?


I mean safe ad networks, and self-hosted ad platforms, that are served via first-party.


What would that look like for, say, a small personal blog that includes a few ads to cover the hosting costs?


Well, it wouldn't be the target for your small personal blog... once you approach it at a small business level, it means running server-side code to deliver ads injected into your content that reports what data can be reported upstream.

It does mean more limited analytical data, but it would also mean better privacy constraints... it means moving the delivery to first-party servers, that can use other SaaS behind that.

As to advertising, it means delivering an image url, and a target url... no more leaps and bounds of JS, or for that matter layers of iframes..

TBH though, if browser vendors simply disabled JS, and iframes more than 3 layers in, and limit JS files to 3 max (100kb size limit) within an iframe, the advertisers would probably successfully self-correct..


What it also means is more publishers cut journalism/content, transition to buzzfeed style "news", or go out of business. Or really some admixture thereof.


Why would it mean that?


Because no-tracking image ads served publisher-side with no verification are worth a small fraction -- perhaps 10% at most -- of what with-tracking ads are worth.


There are other ways to make money besides ads.


Yes, paywalls / subscriptions. Which this thread is notably dedicated to bitching about.

Other than that, not really. As demonstrated both by personal experience (I've worked for a large pub; many acquaintances work for large-ish pubs) and the utter lack of success of the majority of publishers attempting this.


Netflix? Amazon? HBO? Spotify?


subscription, subscription, subscription, subscription + ads


So, I guess that effectively disproves the "utter lack of success of publishers trying this".

I have no qualms about paying subscriptions, and you won't find a post in which I'm "bitching about" subscriptions.

Instead of trying to create an alternate reality in which I'm somehow demanding things for free, how about you respond to my actual arguments?


So stop going to those sites. Really; you voluntarily visit those sites. To quote you, "It is absolutely that simple."


Some of those sites have good information that you'll miss out on.

I think there's an even simpler and more realistic solution: someone needs to make a Chrome extension that is like uBlock Origin, but unblockable.

It should be:

* an adblocker that also blocks tracking scripts

* ...with no "acceptable ads" whitelist like Adblock Plus

* ...open source

* ...with workarounds for ad-blocker-blockers

Here's how I think we can do that: we maintain a list of domains that are using ad-blocker-blockers, and for those, rather than blocking ads at the HTTP request level, the user agent loads them and simply doesn't display them.

In principle, you can do this in a way that is completely undetectable by the site owner. There doesn't need to be an "arms race" between ad-blocker-blockers and the workaround developers--you simply win outright by having DOM look exactly the same as if it had ads, but rendering, say, a box with a tasteful light grey smiley face instead of the ad. (You can even make it so that canvas.getPixelData returns the ad that the page thinks it drew, but the actual screen output doesn't show it.)

At that point, sites are actually incentivized to stop using ad-blocker-blockers, because the only difference they'll make is that site will load slower, since the user agent has to load and pretend to display all those extra resources. The user never actually sees the ads either way.

--

For extra credit, this hypothetical browser extension can also simulate a click on YouTube's "Skip This Ad" button as soon as it appears, etc.

You could even keep per-domain blacklists of bloat resources and simply not load those. That would make the internet feel a lot faster. A user with this extension would visit The Verge and instead of getting a janky 5 megabyte page load, they'd get a near-instant load with just the text and images.

Finally, this extension could keep a mapping of desktop sites to auto-redirect to the lightweight mobile equivalent, with a body{max-width:800px} thrown in to keep things readable.

I know I'd install this hypothetical extension immediately and never go back.


I already understand that you neither want to pay these publishers nor see ads.


> Really; you voluntarily visit those sites.

That's an assumption you're making, and not a correct one.

This solution also doesn't in any way address anything I said: it is still not ethical to serve malware to your users.


Agreed! That's why I support this move by reddit.


> You don't get a free pass on ethics just because ethics are inconvenient for your business model.

I think calling this an ethical issue is quite a stretch. In many cases, we're talking about visitors who are not only enjoying the content from someone else's site completely for free, but also employing tools that actively modify the intended presentation of that content to the detriment of the host site's operators. And now you're saying that not only should the site operators make their content freely available and accept that some visitors will circumvent possibly the only way they have of generating revenue, those operators should also be actively responsible for vetting any third party content they incorporate within their site in case the third party is hostile and those visitors know enough to run ad-blockers but not enough to run anti-virus software? That seems a very short-sighted and one-sided position, entirely in favour of the party who isn't actually contributing anything in this scenario, and I see no ethical basis for that.

Edit: For those who are downvoting, please consider that I did not disagree with the original premise I quoted. Obviously unethical business models are still unethical even if the ethical ones are inconvenient.

What I'm asking is why we should consider it an ethical requirement for someone who is already generously offering their content for free and accepting that a significant fraction of visitors will circumvent their intended ad-funded model to also go to unrealistic lengths to vet any third party content they include for safety against arbitrary unknown threats that could change at any time without notice, all for the benefit of a visitor who is offering them nothing. I'm not sure whether someone operating a web site really owes their visitors anything in this scenario, other than perhaps a basic "good citizen" principle of not negligently serving up malicious content, and I don't see how operating within the same infrastructure as a huge number of other web sites could reasonably be considered negligent in this respect.

Unless you think we should also close down all third party CDNs, image hosting services, caching services, web font services, and so on, the web is fundamentally a linked medium where sites can usefully be built by combining resources from other services, and naturally those other services will retain control of what they are hosting themselves. Making Joe Blogger responsible if some massive service's CDN version of jQuery got hacked doesn't seem like a good way to encourage Joe Blogger to spend their time sharing their writing with the rest of the world.


> And now you're saying that not only should the site operators make their content freely available and accept that some visitors will circumvent possibly the only way they have of generating revenue, those operators should also be actively responsible for vetting any third party content they incorporate within their site in case the third party is hostile

No, I'm not saying that. I'm saying it's unethical to have ads with malware on your site. I didn't propose a way not to have malware on your site.

The way you propose, by vetting ads, has been used successfully, but it's not a particularly imaginative solution. What about donations, freemium, PWYW, subscriptions, grants? Or what about giving your work away for free and using that reputation to get jobs?

> Making Joe Blogger responsible if some massive service's CDN version of jQuery got hacked doesn't seem like a good way to encourage Joe Blogger to spend their time sharing their writing with the rest of the world.

It's utterly ridiculous to claim this is about Joe Blogger. Joe Blogger is quite often happy to do his blogging as a labor of love and let blogspot/livejournal/whatever reap all the ad revenue. And small-time bloggers who do make money are frequently more sensitive to their readers' complaints and explore alternatives to big ad networks that serve ads. The problem is big content providers who are under shareholder pressure to produce growth each quarter, so they try to squeeze out every bit of ad revenue with no concern for users. They're also too risk averse to try alternative monetization strategies to ads. It is well within the capability of those players to provide ads without malware, but they don't because it doesn't hurt their bottom line enough.

Serving up malware to your users and readers is unethical. I'm all for supporting content providers; I donate to NPR and to artists on Patreon frequently. But if you can't run your business ethically, then you should shut down your business.

If you really think serving up malware to finance content is okay, then why don't you propose that content creators just hack some small percentage of their users and sell the data online? The effect on users is the same, but it cuts out the middlemen so it's more efficient.


> The way you propose, by vetting ads, has been used successfully

For businesses running large enough sites to operate their own scheme, sure. Facebook ads are pretty safe, for example. Unfortunately, this isn't a realistic option for smaller sites, and neither are any of the other things you mentioned in most cases. Alternatives like donations or PWYW have been tried and they almost always fail. That's why ad-funded web sites are still so common!

I don't think this discussion is going to go anywhere useful. You're objecting to a behaviour that is widely useful -- incorporating content served by third parties as part of a site -- on the basis that site operators with little if any revenue aren't operating to an impossibly high standard of safety checking at their own expense to prevent a small risk of third party malware being served by their site without their knowledge or consent. Furthermore, you have offered no plausible better alternatives for most of those site operators. In a world complying with your rules, most of the modern web doesn't exist, because no-one would "ethically" be allowed to contribute to it without falling short of your standards.


> Alternatives like donations or PWYW have been tried and they almost always fail.

1. Most businesses fail, period. I think you would be hard-pressed to prove they failed because they don't have ads.

2. You conveniently ignored half the alternatives to ads that I listed, probably because there are numerous examples of successful subscription-based content providers.

> In a world complying with your rules, most of the modern web doesn't exist, because no-one would "ethically" be allowed to contribute to it without falling short of your standards.

This is true, but I'm not sure why you see this as a bad thing. Most of the modern web is noise that makes it harder to find signals I care about. Sites that get their money from me are more likely to give me content I want than sites that get their money from ads and malware.


> 1. Most businesses fail, period. I think you would be hard-pressed to prove they failed because they don't have ads.

Well, if a business used to make enough revenue to turn a profit through ads, and then you take that revenue away and it fails, it seems likely that the failure was caused by the loss of ads combined with the lack of any alternative revenue stream(s) to replace them. Occam's razor and all that.

> 2. You conveniently ignored half the alternatives to ads that I listed, probably because there are numerous examples of successful subscription-based content providers.

From direct personal experience, getting a site to the point where someone is willing to pay real money for access -- even if you have lots of original content that gets very favourable comments and a lot of interest -- is hard.

If you're running a huge brand whose site people really do visit often -- a good quality news site, say, or perhaps a service like Netflix or Spotify -- then sure, someone might consider it worth paying a few dollars a month to subscribe.

If you're running a smaller niche site that someone might find very useful but only visit occasionally, unfortunately it is a different game entirely.

Just to be absolutely clear, so you don't think I'm ignoring any of your alternatives:

Donations: Known to generate negligible revenue in most cases.

Freemium: Possible in some cases, but only if there is something useful to upsell to.

PWYW: See Donations.

Subscriptions: Possible in some cases, but only if the site is big enough and/or updated often enough to attract regular visitors.

Grant: From where, exactly?

> Sites that get their money from me are more likely to give me content I want than sites that get their money from ads and malware.

Really? I find sites that show up for the search terms I'm using and hold my attention for more than 5 seconds when I click through are often very useful.

However, I'm not going to subscribe to every one of the 150+ sites that my browser history tells me I visited today while researching something, or even the 10-20 of them that actually did have very useful information.

Nor am I realistically going to go through the hassle of making a card payment or using some donation service I've never heard of and don't necessarily trust just to give each site some fraction of a dollar, even if I considered the material they'd given me on that occasion to be worth it.

I would happily donate to such sites if an immediate and non-intrusive method for handling the micropayments existed, but sadly we haven't solved that problem yet. Until we do, I don't begrudge sites that are ad-funded, nor do I think they owe me anything if they block me because I then block those ads.

So as I wrote before, I don't think this discussion is going anywhere useful. You still haven't suggested any viable alternatives for many sites that are currently ad-funded, and you still seem to think all the responsibility for safety on the Internet belongs to the only people actually contributing anything in your scenario, i.e., the people running the sites.


> already generously offering their content for free

If they're attempting to make money from ads, they're not offering it for free.


If a visitor is using an ad blocker, they're getting it for free anyway. As an ethical principle, I don't think you can have it both ways. Either the site operator is commercial, in which case ad blockers are unethical because the visitor is depriving them of revenue, or visitors are free to browse the content without obligation including blocking any parts they don't want to see, in which case why does the site operator owe them anything?

In any case, even in a commercial transaction, there is an element of reasonableness to what is expected. If I buy a $50,000 car and it breaks down on the second day of having it, that's obviously well below a reasonable standard. If I buy a $10 toaster and it breaks after a couple of years because the crumb tray didn't quite fit? Maybe that's more reasonable. If I buy a $10 toaster and it catches fire and burns my house down after a couple of years because of a design flaw that the manufacturer knew about but didn't fix? Again, not so reasonable.

In this case, we have a content provider who is making at best a tiny amount of ad revenue from a visitor, yet some people here seem to think there is an ethical obligation on that content provider to provide a literally impossible standard of monitoring of the behaviour of the ad networks anyway. As I've mentioned elsewhere, even the argument that they just shouldn't use an ad network in the first place doesn't really work, because logically you'd also have to apply the same ethics and accept responsibility in the same way for any other third party content, such as scripts hosted on CDNs. By the time you've finished knocking out any sort of third party hosting just in case a rare instance of malicious content slipped through the net, the web would be a much worse place.


Yes, we're in a thread dedicated to complaining about site owners who offer a choice: view ads or pay us money, and we're complaining about the ads they show. Where the giant screaming subtext is wah wah wah, I want this for free to me and with no ads.


It takes a special kind of arrogance to make accusations against people you don't know anything about.


Strongly disagree since I feel there is misinformation and a very strange perception as to where the onus of protection should come from.

The reason that the bad advertisement issue is such a big problem is that very often the anti-virus programs simply don't work on the malware being served. The exploits used either aren't in the definitions database or the AV has a blindspot.

It's also very difficult to be running without an anti-virus on a modern computer. Windows Defender doesn't always rank the strongest, but it's certainly competitive with other AV solutions, and Windows will nag-nag-nag if you don't have what it considers to be an active AV installed. It's not the early 2000's anymore when you had to find a good AV - for the most part, if you buy a modern computer, there are AV protections in place already.

As is such, these aren't users thumbing their nose at safety and running around unprotected, these are people who have a reasonable expectation to not be served malware by reading an article at Forbes.

Simply put, regardless of how you're doing it, you should not be serving malware to people. If your site is the vector, you have a responsibility to deal with it, and ignoring this, as many sites have done, is an ethical breach. Malware can and does do harm, sometimes in the form of lost data and lost money. Ensuring you're not serving up malware isn't just in the lines of "good citizen", it's a duty to not harm - the people affected by the malware have no recourse in virtually every situation. If it's ransomware, they either have to hope that it's poorly made and gets broken, if their machine is otherwise unrecoverable, that data is lost.

Forbes and the other sites that are proposed to be blocked may be getting fingered right now, but the complaint is a larger complaint about advertising; as participants who are not working to clean it up, I think users have every right to be upset and to call it unethical - the response that they're receiving is, well, no response. The websites don't care.

All that being said, I'm actually fine with them putting up an ad-wall, as it kind of forces them to put their money where their mouth is. Part of the change that will need to happen is to show the sites that consumers don't want to put up with dangerous ads and to prompt action, and ad-walls pretty much force a boycott if users want to continue using adblockers. This will give them the metrics to see the effect that bad advertising has, and hopefully prompt change.

But, I still think that you have an obligation to ensure your website is not a hazard, regardless of how it became one. "Everyone else is doing it" isn't a defense, especially when it causes real and immediate damage to potentially thousands of people.


I'm still waiting to see an argument for why a content provider who is making something available to others for free and without obligation has any obligation in return, either legally or ethically, beyond the same basic decency that we all owe to each other. I think a site that is neither actively malicious nor grossly negligent has satisfied that basic decency requirement.

Ultimately, it's just not realistic to expect every little store and niche blogger to either monitor every third party service they depend on full-time just to protect the users who are giving them little if anything in return or to discontinue using any third party services that are technically capable of distributing malware. The former is demonstrably impossible anyway, and if you take the latter to its logical conclusion you undermine substantial parts of what has made the modern web so successful, far beyond using ads as a revenue stream.

Put another way, malware writers themselves may be the scum of the earth, but I don't see why someone writing a blog about how to bake cakes and using a well-known and generally reputable ad network to fund the hosting costs is any more ethically responsible for the consequences of a malware incident than, say, a browser developer whose also freely offered product had a vulnerability that could be exploited in the first place. I don't see anyone calling for any browser with a track record of serious security vulnerabilities (which is all of them, of course) to be banned to protect users from malware, though.


> an argument for why a content provider who is making something available to others for free and without obligation has any obligation in return, either legally or ethically, beyond the same basic decency that we all owe to each other.

A grocery store handing out free samples still has an obligation to make sure it's not contaminated, and I really don't buy the idea that "don't send people malware" is significantly less a part of a common decency than "don't feed people tainted food" is.


If the malware was created by and distributed by the site hosts, that might be a reasonable argument.

But of course, it isn't. In fact, there is no way the site owner can guarantee to avoid the indirect distribution of malware without ceasing all use of third party resources on their site.

Given the usefulness of third party resources (not just ad networks) and the relative rarity of malware being distributed through those channels, I don't think the argument that the only decent choice is to eschew all the third party functionality of the modern web is reasonable here.


Your description doesn't show why a pharmacist selling illegal drugs is dissimilar to a website selling ad space to illegal ad-space buyers. Any time where you've got multiple producers and multiple retailers, you get middle people like those you describe that must juggle demand and supply. Pharmacists have an equally complex path from producer to customer as ads have from ad-space buyer to website visitor. However, let's instead look at the chain of events:

An innocent gets malware from an advertisement. The publisher blames the ad-network who in turn blames the criminal. The ad-network claims that they can't curate the advertisements or the margins become too small. In the end, the innocent has to take the full fallout of the crime.

An innocent gets mistreated by a fake doctor. The hospital blames the hiring agency, who in turn blames the criminal. The hiring agency claims that they can't do background checks and verify CVs of applicants or the margins become too small. In the end, the innocent has to take the full fallout of the crime?

Why is there such discrepancy between the two cases? Why can one agency do curation and still function, while the other can't? Why can the publisher get away with using a bad ad-network while a hospital is fully legally responsible for using a bad hiring agency? Those seem to be very simple questions, ones that should have very simple answers.


> Why can the publisher get away [...] while a hospital is fully legally responsible

The word "legally" gives it away: because there are laws.

But we don't like dem laws here on teh intertubes, so far-west it is.


There are laws against hacking though. If I visit a website and the website willfully (i.e. it wasn't hacked) serves me malware... that sounds like hacking!


I'm not aware of any legal action taken over malware served up from an ad on a website.

But if it were to happen, the website is who to sue, because it is within their responsibility to ensure that ads and/or content should not cause harm to a visitor.


> it is within their (the website) responsibility to ensure that ads and/or content should not cause harm to a visitor.

I don't think that's been established. With the current state of advertising on the internet, it's not even possible to do this.

In general, websites use advertising networks which do not allow them to proactively vet the content. Even if they did, no amount of vetting can guarantee the content is benign (active content can do naughty things only some of the time or on some platforms, or things not yet recognized as naughty - this is also why antivirus isn't reliable). So, clearly the solution is to not allow JavaScript or Flash, right? Nope - exploits in image parsers, font parsers, video parsers, audio parsers, etc. come out fairly often.

This could maybe be dealt with by contracts between websites and advertising networks specifying that the advertising network will be liable for malicious content, but I don't see that happening.


> exploits in image parsers, font parsers, video parsers, audio parsers, etc. come out fairly often.

Exploits in jpg/png are very rare.

At worst, all you have to do is make the ad network [re]compress the image.
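
An added example, not part of the original thread: a standard-library sketch of what "[re]compress the image" could mean for PNG on the ad-network side. It parses the container, rejects anything outside a small policy, inflates the pixel stream with a hard size bound, and emits a fresh file with all ancillary chunks and trailing bytes dropped. The function names, `MAX_DIM` and the no-interlace rule are assumptions of this sketch, and it re-encodes the container and deflate stream rather than decoding pixels.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEEP = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}  # every other chunk is dropped
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}              # color type -> samples per pixel
DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8}, 4: {8, 16}, 6: {8, 16}}
MAX_DIM = 4096                                          # assumed policy limit per side


def make_chunk(name, body):
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(name + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + name + body + struct.pack(">I", crc)


def parse_chunks(data):
    """Return [(type, body)] up to IEND, verifying lengths and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while True:
        if pos + 12 > len(data):
            raise ValueError("truncated chunk")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        name = data[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("chunk length exceeds file")
        body = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if crc != zlib.crc32(name + body) & 0xFFFFFFFF:
            raise ValueError("bad CRC")
        chunks.append((name, body))
        pos = end + 4
        if name == b"IEND":
            return chunks  # bytes after IEND are never read or copied


def reencode_png(data):
    """Validate an untrusted PNG and rebuild it from scratch."""
    chunks = parse_chunks(data)
    if chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        raise ValueError("IHDR missing or malformed")
    w, h, depth, color, comp, filt, interlace = struct.unpack(">IIBBBBB", chunks[0][1])
    if not (0 < w <= MAX_DIM and 0 < h <= MAX_DIM):
        raise ValueError("dimensions outside policy")
    if depth not in DEPTHS.get(color, ()) or comp or filt or interlace:
        raise ValueError("unsupported IHDR fields")
    for name, _ in chunks:
        # Bit 5 of the first type byte clear means "critical": refuse unknown ones.
        if name not in KEEP and not name[0] & 0x20:
            raise ValueError("unknown critical chunk")

    stride = (w * CHANNELS[color] * depth + 7) // 8
    expected = h * (stride + 1)          # one filter byte per scanline
    idat = b"".join(body for name, body in chunks if name == b"IDAT")
    inflater = zlib.decompressobj()
    try:
        raw = inflater.decompress(idat, expected + 1)  # bound output: no zip bombs
    except zlib.error as exc:
        raise ValueError("corrupt pixel stream") from exc
    if len(raw) != expected or not inflater.eof or inflater.unused_data:
        raise ValueError("pixel data does not match header")
    if any(raw[i] > 4 for i in range(0, expected, stride + 1)):
        raise ValueError("invalid scanline filter type")

    out = [PNG_SIG, make_chunk(b"IHDR", chunks[0][1])]
    out += [make_chunk(n, b) for n, b in chunks[1:] if n in (b"PLTE", b"tRNS")]
    out += [make_chunk(b"IDAT", zlib.compress(raw, 9)), make_chunk(b"IEND", b"")]
    return b"".join(out)


def sample_png():
    """Constructed 2x2 RGB test image with a tEXt chunk and junk after IEND."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    rows = b"\x00" + b"\xff\x00\x00" * 2 + b"\x00" + b"\x00\x00\xff" * 2
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tEXt", b"Comment\x00constructed")
            + make_chunk(b"IDAT", zlib.compress(rows))
            + make_chunk(b"IEND", b"") + b"TRAILING")


if __name__ == "__main__":
    src = sample_png()
    clean = reencode_png(src)
    print(len(src), "->", len(clean), [n.decode() for n, _ in parse_chunks(clean)])
```
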


> Exploits in jpg/png are very rare.

A major security issue with probably the most popular automated image processing toolkit in existence came to light just the other day. That particular one would be used for attacking servers, but there have been client-side vulnerabilities in other common resources such as fonts before too. Assuming that just because a format is common the software processing it won't introduce any vulnerabilities is not a great idea.

In any case, the relative rarity isn't really the point. Either it's ethically and/or legally correct to assign blame for malicious advertising to the final host site that the user actually visits, or it isn't. That's the principle we're really debating, and the rest is just a degree of risk.


> A major security issue with probably the most popular automated image processing toolkit in existence came to light just the other day.

Because of all the weird formats it supports. That's why I said jpg/png, not 'images'. Any software that supports 200 formats probably has severe bugs on the rare ones. Doesn't matter for making a secure image server where you can dictate the format.

> In any case, the relative rarity isn't really the point. Either it's ethically and/or legally correct to assign blame for malicious advertising to the final host site that the user actually visits, or it isn't. That's the principle we're really debating, and the rest is just a degree of risk.

Whether they are being negligent is relevant. Allowing known-risky formats that keep failing over and over is negligent.


> Allowing known-risky formats that keep failing over and over is negligent.

But if you look at this from the opposite direction, you're essentially arguing that we should only use technologies that are known, or at least reasonably expected, to be extremely safe.

Given that in general humanity hasn't yet figured out how to create such technologies, and that numerous formats we use every day on the web to great overall benefit would not qualify, that seems a tall order.


> But if you look at this from the opposite direction, you're essentially arguing that we should only use technologies that are known, or at least reasonably expected, to be extremely safe.

No I'm not. Go ahead and use a new technology. But don't use a proven-bad technology.

If you tried a reasonable amount and don't know about security holes, that's one thing. If someone shows you the security holes, and you don't fix them, that is where you're a bad actor.


> Go ahead and use a new technology. But don't use a proven-bad technology.

But the "proven bad" technology you're talking about here is just incorporating any third party content in your site. Obviously that is a security risk if the third party isn't perfect about policing what they host.

On the other hand, billions of resources are served in that way every day, and the web is a much better place for it. Only a tiny fraction of those third party resources are hostile, and most of the ones that are will be closed down rapidly by the third party service themselves once discovered.

So is this really in "proven bad", "known-risky" territory, or are we actually talking about "very rare" dangers and a lot of hyperbole here?


The problem is incorporating third party content that is neither screened nor sanitized. The proportion doesn't matter as much as the fact that there is nothing stopping attacks. They only get cleaned up afterwards. You don't expose your users to attack without warning.

I think very few websites allow one person to embed arbitrary scripts that will be shown to another person.


> The problem is incorporating third party content that is neither screened nor sanitized.

It is impossible to screen or sanitize third party content if the third party is hosting it and the user loads it when your page refers to it. The third party can change that content at any time, without your knowledge or consent. This is how almost all ad networks work. It is also how almost all CDNs, web font services, image hosting services, etc. work.

> I think very few websites allow one person to embed arbitrary scripts that will be shown to another person.

Every single site on the web that hosts jQuery via a CDN does exactly that. This single example alone represents many millions of sites.


Why are you conflating individually-trusted CDNs with the servers of some random guy? And allowing only images, like most embeds do, is a form of sanitation.

I'll repeat myself. "I think very few websites allow one person to embed arbitrary scripts that will be shown to another person." This is not happening as a result of you using an image host. No scripts are involved there. This is not happening as a result of the site using a CDN. No user triggered that load of jQuery.

It's fine to load jQuery from a specific server that you trust. It's also fine to load ads from the ad network's server, as long as they are policing uploads properly. The problem is they usually don't.


> It's fine to load jQuery from a specific server that you trust. It's also fine to load ads from the ad network's server, as long as they are policing uploads properly. The problem is they usually don't.

You keep saying they usually don't, but billions of harmless ads are served every day while only a tiny fraction of the served ads are malicious. I just don't see how it's reasonable to assume depending on a third party ad network for content is fundamentally risky yet depending on some other third party service is not. CDNs and other hosting services get hacked and serve malicious content sometimes too, but that is also very rare and also usually gets fixed very quickly if it does happen.


They don't have a system that makes malicious uploads impossible (outside of hacking, of course). They could implement such a system, without much trouble. They choose not to.

Using a third party ad network is not inherently risky. But most specific third party ad networks are risky, because of bad practices.

That most ads are harmless is enforced through social norms and after-the-fact takedowns. They could do better, but don't. Negligence.


OK, so let's be constructive. What reasonable, practical alternative do you suggest for someone who is just running a small site and wants to cover their hosting costs?


Look really hard for an ad network that either uses only jpg/png or puts at least half an effort into security, I guess.


I would be very interested if you are able to find one. I do not think this is a thing that exists, or if it does, it probably pays very little.


You can use a theorem prover like Coq to generate software that proves an image parser correct.


Existence proof of a 100% safe image parser built using a formal theorem prover, please.


For an image parser all you really need is to use a language without buffer overflows.


There are other potential attack vectors than buffer overflows, though that seems the most likely source of vulnerabilities if you're going to limit images to JPG or PNG.

Of course now you're not only prohibiting third party resources except images, you're even prohibiting modern image formats like SVG, which is a little ironic since SVG-based ads might be smaller and/or look cleaner than equivalent bitmaps.


> Exploits in jpg/png are very rare.

I would like to introduce you to libpng: https://www.cvedetails.com/vulnerability-list/vendor_id-7294...


The answer: we accept a far higher cost of medicine and medical treatments in exchange for regulations. Go compare costs between us and other countries.

We don't accept paying for content to avoid ads that may be dangerous.


> The answer: we accept a far higher cost of medicine and medical treatments in exchange for regulations. Go compare costs between us and other countries.

The countries that pay less than us often are at least as highly regulated when it comes to medicine, medical treatments, and their delivery, so while we certainly are paying a lot more for those things, I don't think that the argument that we do so "in exchange for regulations" is particularly defensible.


https://mises.org/blog/how-government-regulations-made-healt...

>Today, the U.S. and Canada have less than 25 doctors and 30 hospital beds (per 10,000 population), compared to over 35 and 50, respectively, in most countries in continental Western Europe. Mark Pearson, head of Division on Health Policy at The Organization for Economic Co-operation and Development (OECD), discussed possible reasons the U.S. spends more than two-and-a-half times per person more than most developed nations in the world, including relatively rich European countries: “The U.S. has fewer physicians and fewer physician consultations relative to its population. The U.S. also has fewer hospital beds for its population size and shorter average stays in hospital relative to other countries. Indeed, the lower numbers of physicians could help explain why they cost more; there is less competition for patients.”

Are the specific things pointed to there as a cause of a US doctor shortage all found in other countries, but without a shortage?

Definitely tort law which increases malpractice costs is far more of a factor in the US market.


It absolutely is so black and white. If I buy a computer from you and you send me a parcel which explodes in my hands, no amount of hand-waving is going to get you out of this -- this even holds if you just distributed notes "Call this number to get your own personal computer free of charge!".

And just as a computer reseller/free-computers-for-everyone-distributor has an obligation not to send bombs to people who asked for computers, a website owner has an obligation not to serve malware to people who asked for content.


If I sell you a computer and it has adware on it, we just call that "normal state of affairs" because OEMs have been putting adware and shit on their computers for decades.


Whatever the combination, I'll blame the site I visit. I've seen bad ads on imgur one time I used the Internet without blocking ads. The ad just started downloading "Firefox patch" without me clicking anything.

It is not black and white but it is pretty close.

Edit: I have to give Firefox credit here. It actually just prompted me whether I'd like to save the file. I did and uploaded it to VirusTotal. Probably not a good idea if you do anything sensitive on your computer.


I don't think most ad networks are intentionally serving ads like that. Occam's razor, etc.

Doesn't make them less culpable for the damage they cause, I'm just saying I don't think it's something they make additional money on, I think it's something that gets slipped under the radar by a few bad actors.

They obviously aren't incentivized enough to stop it though so why not implement a more direct compensation? If a user gets a malware program on their machine and it can be traced back to a given provider, that provider should be billed accordingly for the cost of the removal (including if the user can do it themselves, they should get paid for that anyway) as well as lost productivity time.

Currently any ad network serving malware just gets to ¯\_(ツ)_/¯ and keep on making money, and considering how damaging some of this shit can be I'd say that's the first point that needs addressing.


There's a subtle difference: pharmacists are regulated by statute and are legally liable if medication they dispense on prescription causes injury. (Source: I used to be a pharmacist -- in the UK, > 25 years ago, precise regulations vary by jurisdiction.)

Ad networks are utterly unregulated. In terms of this pharmacy metaphor they're snake-oil salesmen.


All industries are regulated. The general case is normal laws. Ad networks serving links to compromised websites is likely already illegal.


I'm talking about professional registration (exams, licenses to practice, supervisory body, jail sentences for impersonation, forfeiture of registration for ethics infractions), not bog-standard trade law.


In the case of Ad networks serving up malware I don't know if that's a real defense. Yes, proactive regulation is often far more effective, but reactive regulation can often catch the worst offenders.


In this case, high-profit ads include dynamic content (JavaScript or Flash). Safe (but boring) ads would simply be an image or text link with no tracking capabilities that doesn't use CSS hacks to interrupt your page reading. It just sits up there saying, "If you want it, check this out."


Tracking still happens with "safe" ads. Generally "image pixels" as they call em are actually server side scripts that then pretend to be an image; that way they can still track the user's IP and what they were doing at that point in time.


That data is already sent to the server. This doesn't give the server control over the user's hardware.


Javascript and Flash ads are the more immediately dangerous ads, but you can still distribute malware over image and text links. You just move from exploiting browser vulnerabilities to exploiting user trust, like all of the imitation VLC download pages that have popped up over the years.

We'd be better off with only static image/text ads, yes, but malware distribution by means of poorly vetted advertising wouldn't totally vanish.


Yes, and they'd be burning image library 0days in the process. Security would improve overall.


I can honestly say that I've clicked on quite a few static ads with the intention of learning more. Dynamic ads, however, I refuse to click.


Same, and in a few cases I didn't realize they were ads because they were so non-intrusive.


You've clearly never worked with ad networks. Even Google serves up malicious ads every once in a while.


There's a difference between merely malicious ads ("Click here for free stuff!"->takes you to a site that exploits your browser) and ads that actively exploit the browser. Any ad network can fall victim to malicious ads but only ad networks that allow embedded scripts can be abused to actively exploit browsers.

The solution is dead simple: Don't allow embedded scripts in ads. Period. End of story. Problem no longer a problem. "We're all done here."


I don't know about "only applies to /r/technology" - we've been there before. Remember when ad blockers were mostly prevalent among techies and visitors to tech sites? Yeah, well, that changed. It may start with /r/technology, but I'm pretty sure it won't end there...


This discussion is specifically from the mods of /r/technology.

Will other parts of Reddit follow suit? Maybe. But right now it's just /r/technology.


A mod of /r/sports (~6M users? is that right?) said

>Send me your automoderator rule once it's done, we'll add it our sub as well.

Seems likely to spread pretty quickly.


Well, yeah. Things tend to have origins. And if those things are good they tend to expand from those origins...


The other side of the story is that most users don't want to pay for anything on the internet. Not making this up - I've had people tell me they pay for the internet connection, so they don't see a reason to pay for any services on top of it :( So the same person who wouldn't think twice about dropping $5 on a cup of starbucks coffee every day will not pay $5 per month for email (without ads).

Not defending the shitty ad scene online. Just want to point out that most people don't want to pay for anything online, they are at least partially responsible for this mess.


> nobody really knows a solution that makes everyone happy

Impossible and usually the worst approach to have. The best thing is to have a visionary that blazes the path for the rest to follow. Sadly the vast majority of visionaries will fail.


I think the problem here is that regardless of the "visionary"...

  * You make an ad network that makes advertisers happy.  In reality this will pretty much *always* make users *unhappy*.
  * You make an ad network that makes users happy.  In reality this makes advertisers *unhappy*.

There's not much middle ground there. The only possible win-win scenario is you make an ad network that makes users happy by only allowing users to advertise to other users. AKA classifieds.

...or you could just have one ad network that advertisers hate that users are happy with but because there's only one the advertisers just have to live with it.


If it expanded to the rest of Reddit then it might be the impetuous for the news industry to clean up their act.

And no, that's not a mistake. It's not advertisers I direct my ire but those who should know better and who apparently are meant to exist for the greater public good: The Press.


I think you mean impetus rather than impetuous?


Oops. Dratted iPhone autocorrect. On another reply I was forced to hit edit because I told someone that most editors on HN "unstalk" uBlock Plus.

I have no idea under what context I made my iPhone learn that word.


If Facebook were to do this, I would agree, but traffic from the vast majority of subreddits and pages is not as substantial as you may think. Some publishers might take notice but I do not think it would stir any kind of immediate action response across the news world.


Agree: companies will sell what others will buy.


The nub of the thread is: these sites have put up ad blocker blockers, so you can't see the content without disabling your ad blocker. And yet when you do you are either exposed to full screen or video auto play ads, or in some cases, malware: http://www.extremetech.com/internet/220696-forbes-forces-rea...

Given that Reddit is a large source of incoming referrals this stance (if implemented) might be a sufficient lever to send a signal to get those sites to improve their environment.

In any case since the sites are still able to use curated self hosted ads (ie not JavaScript redirects to externally hosted providers) they are able to sell static ad space to make money even with adblockers enabled.

It might be worth seeing what the outcome for the experiment is (if it goes ahead) and then seeing if the same logic would work for HN.


"In any case since the sites are still able to use curated self hosted ads (ie not JavaScript redirects to externally hosted providers) they are able to sell static ad space to make money even with adblockers enabled."

Ad blockers don't just block external ads, they use CSS rules to block internal ads as well. So the only way to avoid ad blockers is to make advertisement completely indistinguishable from content.

Imagine if Google did that, if they made sponsored results completely indistinguishable from organic results. The uproar would be loud.


In what ways do ad blockers block internally served ads? I'm perfectly happy with static ads served from the same site as the content. It seems adblockers should have an option to block only the "bad" ads, i.e. anything referencing one of a list of known ad nets.


Go to the reddit homepage. Look at the very top link (that's highlighted with an outline). That's an ad, but it's hosted by reddit and contains no scripts or iframes, in fact doesn't even contain offsite images. Its div has the CSS class promotedlink. If you look in the default list used by Adblock Plus https://easylist-downloads.adblockplus.org/easylist.txt you will see that it blocks this because it contains the line

    reddit.com##.promotedlink

But Adblock Plus actually contains a second list of "Non-intrusive advertising" that actually allows ads on reddit. Many people are very angry about this list because many companies pay to get their ads put on it and allowed.
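How a rule like the one quoted in the comment above hides a self-hosted ad, and how an exception rule from a second list can let it through again, as an added example that is not part of the thread and is not Adblock Plus's own code. Only the `reddit.com##.promotedlink` line comes from the comment; the other rules, the `#@#` exception line, the page model and all function names are constructed for illustration, and only `.class` and `#id` selectors are handled.

```javascript
// Added example: minimal model of element-hiding rules in Adblock Plus syntax.
//   domains##selector   hide matching elements on those domains
//   domains#@#selector  exception: do not hide that selector there
// A "~domain" entry excludes a domain; an empty domain list means every site.

function parseRule(line) {
  const text = line.trim();
  if (text === '' || text.startsWith('!') || text.startsWith('[')) return null; // comment or header
  const m = /^([^#]*)#(@)?#(.+)$/.exec(text);
  if (!m) return null; // not an element-hiding rule (for example a URL filter)
  const include = [];
  const exclude = [];
  for (const d of m[1].split(',').map(s => s.trim().toLowerCase()).filter(Boolean)) {
    if (d.startsWith('~')) exclude.push(d.slice(1)); else include.push(d);
  }
  return { exception: m[2] === '@', selector: m[3].trim(), include, exclude };
}

// A rule for reddit.com also covers www.reddit.com, but not notreddit.com.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function ruleApplies(rule, host) {
  const h = host.toLowerCase();
  if (rule.exclude.some(d => domainMatches(h, d))) return false;
  return rule.include.length === 0 || rule.include.some(d => domainMatches(h, d));
}

// Selectors that end up hidden on `host` once every list has been applied.
function hiddenSelectors(host, lists) {
  const hide = new Set();
  const allow = new Set();
  for (const list of lists) {
    for (const line of list.split('\n')) {
      const rule = parseRule(line);
      if (!rule || !ruleApplies(rule, host)) continue;
      (rule.exception ? allow : hide).add(rule.selector);
    }
  }
  return [...hide].filter(s => !allow.has(s)).sort();
}

function matchesSimple(selector, el) {
  if (selector.startsWith('.')) return el.classes.includes(selector.slice(1));
  if (selector.startsWith('#')) return el.id === selector.slice(1);
  return false; // other selector kinds are out of scope for this sketch
}

function visibleElements(host, lists, elements) {
  const selectors = hiddenSelectors(host, lists);
  return elements.filter(el => !selectors.some(s => matchesSimple(s, el))).map(el => el.id);
}

// Constructed block list; only the reddit.com line is taken from the thread.
const BLOCK_LIST = [
  '! constructed sample in EasyList syntax',
  'reddit.com##.promotedlink',
  '##.banner-ad',
  '~example.org##.sponsor-box',
].join('\n');

// Constructed exception list, not copied from any real allowlist.
const ALLOW_LIST = 'reddit.com#@#.promotedlink';

// Constructed page model: no third-party scripts or hosts involved at all.
const PAGE = [
  { id: 'story-1', classes: ['link'] },
  { id: 'promo-1', classes: ['link', 'promotedlink'] },
  { id: 'top-banner', classes: ['banner-ad'] },
];

console.log(visibleElements('www.reddit.com', [BLOCK_LIST], PAGE));
console.log(visibleElements('www.reddit.com', [BLOCK_LIST, ALLOW_LIST], PAGE));
```

The self-hosted ad is hidden purely because of its class name, which is why serving ads from the first-party domain does not by itself get them past a blocker.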


Yea it was after Adblock Plus was sold to an unknown 3rd party who refused to reveal themselves, obviously after the anger everyone switched over to uBlock Origin including me.


> because many companies pay to get their ads put on it and allowed

Is this 100% verified, or just speculation? AB+ has always stated that they whitelist suitable ads, not ones that are paid. In my experience, this is true; only static text and image ads ever get through, and it's pretty rare. I think this is desirable as it incentivises the use of better ads.


Small companies get on the list for free. Big companies have to pay. But they all get vetted by their "non-intrusive" guidelines.

https://adblockplus.org/about#monetization


Using an adblocker that takes money to whitelist seems like a bad idea.

In any case: I'll make sure that my ad blocker allows non intrusive ads. That said, "non intrusive" must not be deceptive either. It should be clear that it is an advert.


This thread and the Reddit thread amaze me with the level of ignorance, but complete confidence in that ignorance, displayed in relation to how ads and ad blockers work.


Bryanlarson is correct. The adblock plus extension also will block any image file with "advertisement" in the filename for example.


In response to ads, people install ad blockers.

In response to ad blockers, sites install ad blocker blockers.

In response to ad blocker blockers, Reddit adds ad blocker blocker blocker.


Personally, I place my bets that if enough content providers start deploying ad blocker blocking, then clients should be able to respond.

I think in a war between ads trying to assert a user has seen an ad, and clients trying to view content, so long as the client owns the computer, the client will win. That's why I hate walled gardens so much. I'm convinced it was a preemptive shot in this war.


> so long as the client owns the computer

Is Moore's law against this?

A possible future scenario could be one where technology becomes so cheap that Apple/Google/Facebook et al. start "lending" their own hardware for free so people can access their _open_ walled-garden flavored internet.

Projects like RPi/Arduino bring me hope that this won't ever happen, at least to us.


The first response should have been people install link removers to sites with invasive ads and paywalls. Ill-behaved sites would change a lot quicker if they knew lots of people weren't even seeing/posting links to them. Something like that would effectively remove junk from a user's entire internet experience. A natural search result to wsj.com wouldn't appear, a link in a web based email reader wouldn't appear, a link in a web based RSS reader wouldn't appear. They would hate that.


This would never work in practice though. Ad blocker users want the content, they just don't want the junk. They don't want to have to go out of their way to find content elsewhere. The point is to just get it done. I'm barely willing to exert extra effort to find content in a format I'd prefer and my less technical parents for example certainly aren't at all. If we didn't have ad blocking, they'd just be dealing with ads and I'd be dealing with a lot more malware infections. I'm not going to suggest someone use something that breaks so many common interactions.

It's already at a point where I have to add Anti-Adblock Killer to prevent them from turning off ad blockers. Please don't ask to make it worse.


3 should be:

In response to ad blocker blockers, ad blockers install ad blocker blocker blockers.

then onto your number 3

:)


At step 2 the site gets their JS disabled. :)


sites will probably install ad blocker blocker blocker blocker blocker, i.e., prevent referrals from reddit.

it's an arms race!


The problem is that sites with advertisement are shooting themselves in the foot. They produce valuable and high quality content attracting readers and increase revenues by providing more advertisement. The amount of advertisement drops the efficiency of advertisement, so price drops and you put more advertisement. None of these people really considered the user experience on their site, except google on the google search result page.

This is like thinking that you would increase a crop yield by increasing the amount of fertilizer you put on it. There is an optimal balance beyond which you burn the crop with too much fertilizer.

I would suggest significantly reducing the amount of advertisement on the site. Sell the ad space by auction. Less advertisement increases the ad efficiency. Increase the quality of content to increase the number of readers. Select high quality non-intrusive ads that don't disrupt people's experience on the site.

In short take back the control of your site advertisement. Prohibit tricks your readers don't like (e.g. tracking), etc.

This is not much different from companies and hallmarks selling unhealthy food. The difference with adblocks is that people have a tool filtering out unhealthy food from their view. Who is the bad guy? The client with its filter or the companies providing unhealthy food?

Regulation doesn't work. We should know it by now. We have to take things into our own hands because the system is not able to keep a sane course by itself (cf. liberalism).


Nice shot at liberalism at the end there. I almost took you seriously, appreciate the heads up.


Sorry. I was referring to food and health regulation services. The link with advertisement is that it could be tempting to imagine a regulation system, but this is known to be easily subverted and corrupted. In fact letting users freely control the amount of advertisement they get and letting the market adapt itself is liberalism. But that is a totally different subject. Sorry for the digression.


Maciej (HN handle 'idlewords') has an interesting take on this that I'm struggling to find in my history right now. The basic idea is that all of the data these companies collect is still ultimately useless in practice. We still don't have advertising that is even close to being relevant.

But the data retains its toxic qualities (of being a database of every action I take on the Internet and some in the real world).

I fire up the YouTube homepage and all of my recommendations are for UK daytime TV. Celebrities, 'Jeremy Kyle' (the UK Jerry Springer), etcetera.

YouTube sends me adverts for female hygiene products and dog food. (I am male and I own no dog.)

Even when I get advertising that's not selling me stuff that would require I buy something else first (sex change, dog) it's invariably for something vastly overpriced or some sort of megabrand.


He fleshes out the toxic waste metaphor most fully in this talk, which he gave, rather boldly, at a big data (Hadoop) event. It's text and images but there's a video link at the top to the actual talk if you prefer it that way:

http://idlewords.com/talks/haunted_by_data.htm

That's quite a good talk. The takeaway is to treat data, especially personal data, as a liability rather than an asset, to discard data by default, and to retain only with a very specific goal in mind, and even then to transform the retained data into some kind of useful aggregate and discard it.

It doesn't contain the YouTube metaphor, which is included in this http://idlewords.com/talks/internet_with_a_human_face.htm


Do you use YouTube while logged in?

In my experience, the content recommendation on YouTube is the best. I've been learning about electronics and watching a few videos about it. Now YouTube recommends me new content and channels that are extremely relevant.

My brother is into guitars, and his frontpage is all about that.


They're not great. About 40% of the recommendations are things I'd never watch, 40% are things I've already watched.

YT has trouble figuring me out because I watch a lot of gamers that also appeal to a younger audience (eg Yogscast). I get recommended a lot of terrible stuff targeted at that audience that I have no interest in (eg PewDiePie and Markiplier).

I have no idea why they recommend stuff I've already watched.


I too can not figure out why YT wants me to watch things again. Or also common, the last 10 seconds of a video is just links to the user's other videos, so I move on. Then YT wants me to "finish watching" it. No, I don't want to finish watching the last 5 seconds of an outro.


> Then YT wants me to "finish watching" it. No, I don't want to finish watching the last 5 seconds of an outro.

I have this issue with Netflix. I have tons of movies on "continue watching" that the only thing left to watch is the credits.


Scroll to the end, let it spend 5-10 seconds to finish. Done.


My own daughter uses YT almost exclusively as a music jukebox so sure, here comes that Taylor Swift song again, why not.

IF YT even understands that different populations use their system in a completely different manner, then perhaps they've miscategorized you.

Something interesting to think about is we may be raising a population who see personalized suggestions as mere spam, if it suggests it you should ignore it because it's always wrong. A poisoning of the well. In that way the whole concept of personalized advertisement might disappear.


YouTube recommendations have been improving, and I do find a lot of material of interest, which says something as my interests are obscure.

But, and this is a big but: YouTube doesn't provide the option either to dismiss any given suggestion or to block specific channels. There's sufficient crap on YouTube that both are essential. I've been campaigning for both features for some time now.

Google's recently implemented an account-wide blocked-users manager. It applies now to G+ and Hangouts, though it may move beyond that. "Google doesn't comment on future plans", as they're fond of saying. I have hopes.


I use Youtube while logged in. The recommendations are total trash. It takes accidentally viewing one wrong video and all your recommendations become related to that one video.


That's the thing... There's one company that figured out that the way to make money on ads is by simply making them relevant to the user, and that's Google.

The majority of the other ad companies are still--despite all the massive dot-com failures during the boom--trying to just throw in ad referrals everywhere hoping something will stick, and trying to hand off those connections to the highest bidder... like, maybe if they just keep doing it for decades, somehow it will magically become profitable.


The related/recommended videos are very relevant and well targeted on youtube, if you are logged in.

Unfortunately, the adverts aren't.


It's not bad, but it doesn't seem to get the hint if you don't care about something, even if you go out of your way and click the "No interest" option. Clicked that 20 times for a channel, it still showed me suggestions from them.


I've been requesting channel blocking. As in "never show me anything from this channel ever again". I encourage you to do likewise.


I love Maciej's writings, though he hasn't published anything for a few months now. His last writing on advertising was this, might be what you're thinking of: http://idlewords.com/2015/11/the_advertising_bubble.htm

I agree with every word.


I wonder if you could sue a website for serving you malware.

Here's my idea for an ad company:

* People who want to post ads have to provide their name, address, verified email, and a security deposit (say $500). Larger volumes of ad purchases require either a long history, insurance, or a bank letter to vouch for you. If you load malware anywhere into the system, you get fined and your information gets turned over to the police.

* People who want to earn money with advertisements have to provide name, address, verified email, and a security deposit. The security deposit could be funded out of earnings (or not). Fraud is countered by randomly sampling websites and fining offenders if the ad isn't visible. Also they get their information turned over to the police if it was intentional fraud.

* Security deposits are returned within 1 month after the advertising relationship is terminated.

* Fines are paid out of the security deposit, and your access is restricted until you refill the account (possibly with an even bigger deposit).

* People who are higher risk (from a shady lawless country, no history or background, etc.) have to pay a higher security deposit.

* Ads can be either text or banner ads. Anything Turing-complete needs insurance or a bank letter.

* If someone pushes through a porn ad to get advertised on the NYT by miscategorizing it, they get fined.

Now all the ads are guaranteed to be of high quality, and the websites you're advertising on are probably higher quality too.


My understanding of Facebook advertising is that it's somewhat similar to this. I believe you are limited to $500/day budget until you prove yourself a trustworthy partner by building a reputation as such. You do this by running ads over a period of time to establish trustworthiness.

It seems to work decently well, for some definition of decent that Facebook has.

The point is that it removes the upside for a scammer: low friction entry point (good for scammers!) but limited ceiling: you're not gonna be able to do this to very many people.

Remove the incentive by capping the upside, rely on reputation until that point. Feels like a pretty good service.


Sounds great, here's my deposit paid via bitcoin.

My business is at 123 fakenschaft, Zurch. My email is a newly created Gmail account.


* Require businesses to provide a tax id or registration number appropriate to their country.

* Require security deposits to be paid with a bank transfer, cashier's check, or money order from a country with strong anti-money-laundering laws.

* For countries like the US where business information is public, verify the provided business address against public records.

* Allow larger sites like the NYT to require higher standards of verification (maybe 6 months active history on your account), so even if you went ahead with your malware attacking (say, using a homeless person to shield you from the cops) it at least wouldn't hit the NYT.

Honestly, I think at least taking their security deposit would deter a lot of attackers. You're probably right that it wouldn't help much against targeted attacks at smaller sites.


All that would mean is that the malware authors will get paid slightly more for ensuring they have more pernicious and persistent malware. Considering the amount of havoc the ransomware guys have been causing lately, do you think they'd really be bothered by being asked to pony up even a $50,000 deposit?

The real problem is very simple. The advertising companies need to stop publishing non-vetted media files (which means they can also no longer do a http referral to a site they don't control to save "bandwidth costs"). Many of them are not doing that because they're foolishly assuming a "deposit" or any other such arbitrary monetary penalty is going to be cost-prohibitive to a criminal organization. To the criminal organization, it's no different than any other bribe.


Your vector of attack doesn't scale very well.


* People who are higher risk (from a shady lawless country, no history or background, etc.) have to pay a higher security deposit

That sounds fine initially, but actually think about that for a minute. You want to give 1st world countries and established businesses lower barriers to entry than a random entrepreneur who happens to be from India?

Also, AdSense works in a similar manner with the deposits. You don't get a payout until you earn $100. That acts as a buffer for Google to determine whether you are legit or not, and stops people from earning low amounts on lots of different accounts.


Same should go for HN, really. Paywalls and adwalls are a great way to make me not even read the article and thread. Yet, they make frontpage due to buzz.


How do you propose content producers earn their income, if you think neither ads nor paywalls are acceptable?


There's nothing wrong with paywalls and ads. It's annoying when sites with paywalls are posted to public forums since any number of people are not going to be able to join the discussion, but this isn't the site's fault. I think sometimes people forget that they pay for certain websites when they submit. Plus it turns the forum into an advertisement which is not really the intended use.

Likewise, ads are fine in theory but the implementation is absolutely horrible.


Ads are fine, "ad networks" are (often) evil. Content producers could self-host ads without tracking and do their own ad sales and no one will block them.

Paywalls are also fine. Content producers' choice. It's (un-annotated) links to paywalled content that is annoying.


Reddit, Mozilla, and Project Wonderful have pulled this off well.


Yea, it's horrible that high-quality journalists won't just work for free.


No one is saying "high quality" journalists should work for free (although their employers would probably prefer it), only that they can no longer depend on advertising for revenue. If companies want to remain on the web and continue making money they're going to have to be more creative, begging people to view their ads by blocking ad blockers (while understandable) probably isn't going to work in the long run.


The parent was railing against both adwalls and paywalls.

If you don't want advertising and refuse to pay for content, I don't see how that's anything less than expecting free journalism.



Fair enough, but there are valid reasons to object to paywalled content being posted to a news aggregator like HN other than wanting everything free. Content not available for everyone to read leads to low quality conversations dominated by complaints about the paywall. Unfortunately, people still complain even when there is a workaround. Showing partial content then asking for payment to read the rest seems like a dishonest tactic, and it kind of is.

If people don't want to pay for anything on principle, then there's not much sites can do about that either. Paywalls are a better option than advertising but sites are still probably going to lose a lot of revenue either way.


> Showing partial content then asking for payment to read the rest seems like a dishonest tactic, and it kind of is.

How is that dishonest? The alternative would be far worse (demanding payment without a preview of what you're paying for).

The problem with posting paywalled content isn't posting paywalled content. It's the entitled people who can't even be bothered to use well-known workarounds and instead completely derail discussions on political grounds.


>The alternative would be far worse (demanding payment without a preview of what you're paying for).

"dishonest" may be too strong, perhaps just misleading - paywalled articles are often designed to appear as free articles. With a proper preview the reader would know as soon as they arrive that they will be expected to pay to read. I understand why sites prefer to hook you with partial content first, but that practice can appear deceptive.

>The problem with posting paywalled content isn't posting paywalled content. It's the entitled people who can't even be bothered to use well-known workarounds and instead completely derail discussions on political grounds.

I agree with you there - no one can post content from Wired anymore without someone starting a thread about the paywall. If you're not willing to read the article you should just not participate in the discussion about it.


Except all of the media companies are scared to do that, because they fear that not enough people are interested in their 'content' to pay, and they don't want that point to be proven.

There's more content these days than most people care for - to be honest, if 99% of sites were paywalled, I'd probably be far more productive and not surfing 'information' that is free for the sake of just existing.


It may surprise you, but there are people here who don't mind these sites. It's already possible to flag links that you think have no place on HN. Please use that instead of trying to setup preemptive censorship.


I don't think you understand what censorship is.


I see nothing wrong in that usage of the word censorship. Please explain.


All of this was started by a false accusation. The same guy that posted the tweet that went viral later said he was mistaken:

http://www.ghettoforensics.com/2016/03/of-malware-and-adware...

"Here is what is clear:

The advertisement was not malware.

Forbes is still whitelisted from my ad-blocker.

We have no evidence of what exactly created this pop-up."


That article is kind of saddening because it's incredibly naive.

At the very least the "ad" was being run by someone trying to create an air of legitimacy around events like... a random popup IN YOUR BROWSER telling you about host system software you might actually need and should therefore go right ahead and install.

Oh HELL no. If it's part of someone's malware campaign, it should be categorized malware. That some dinky piece of their campaign doesn't involve machine-executable code does not matter in the slightest.

The weasely logic needing to justify allowing deliberate attempts at mis-education is how one gets sites for which navigation is rather like attempting to defuse a bomb, blindfolded, while riding a stampeding buffalo.


The bottom line, though, is that ads DO serve malware. I work for an endpoint protection company and the most common traces we get from our customers are ones that originate from ads on legitimate websites.


Hmm; how about a +5 point boost instead for sites doing paywall innovation? Free content isn't the end goal. Don't we want people to make a living off content? I can't imagine anybody here wouldn't pay 1 or 5 pennies for the second half of a useful article.


AFAIK, reddit moderators aren't able to arbitrarily boost posts without the use of bots, which are obviously against reddit TOS.


In theory, it would work pretty well and there are startups in this space. The problem is that there is a number of different publishers and maintaining account with each of them doesn't sound very convenient. Unified payments system/interface might be better but it's a tough achievement to make.


Don't forget that the world does not only consist of rich Silicon Valley engineers.

How on earth should someone from Bangladesh use Reddit? They can't even access PayPal.


Agreed -- people in low-cost countries have barriers. They also have opportunities. The income from content goes a much longer way if rent & food are cheaper.


Tangentially, I would like Google to put a warning on navigating to a site that has served malware any time in the past month. This will increase the penalty of serving malware so much that sites will suddenly push back on the ad networks and improve quality dramatically.


The problem with Google is that they are labeling as malware a lot of software that is not malware just because they have an .exe. Source: it is happening at my company.

It seems like just signing the software is enough to remove this labelling but their policies are not transparent.

At the end Google is behaving like a vigilante.


When the IP for a shared hosting server is flagged, the result in search for all sites residing under that IP are saddled with an alt URL titled "This site may be hacked". Their solution to fix it for the dozens/hundreds of benign sites co-hosted on said server? Sign up for more Google services (Google Search Console).

In that way, they are behaving like a typical corporation.


Sadly for your argument, what Google does there is the correct solution, because it is true.


I disagree. Subscription plays no part in the solution, regardless of what the problem entails. Google could post the reason they meddled in the results page in the first place and require subscription for their expertise in correcting said issue.


I don't use a shared hosting server.


Are they not doing that already (via their fraud blacklist)? thepiratebay.se was just recently blocked (yesterday?) for serving malware via an ad. Safari and Chrome use this list AFAIK.

I have first-hand experience with such a situation and you quickly lose faith in the ad network you're using. A month of blocking would be devastating to the site, considering it's not even their fault.

Repeat offenders could be handled differently though.


Which media company arranged that I wonder ...


In the United States Google runs one of the biggest ad networks, which has occasionally served malware, and they run the biggest search engine. Penalizing in the latter sites that use a competitor to the former might open them to an antitrust lawsuit. They could probably do this in a way that avoids antitrust liability, but I think they would have to tread very carefully.


There needs to be some oversight. Can you imagine being mis-categorized by Google? No recourse. And they are not that good at machine inference yet, at least in this part of the company, in my experience.


They would have to block their own website then!


I genuinely wish HN did this, but with uBlock origin, you can block most of the scripts that ask you to disable adblockers. In a cat/mouse game, the techies are going to win.


I wish search engines would start banning Forbes too: very often they're one of the top results, but their implementation of interstitial is broken and lands you on their home page instead of the page which search engine links to. And I don't even use ad blocker!


Does the search engine have a relationship with the ad providers?


Have media companies ever considered something like the cable TV model? I'm thinking something like ten different sites form a network, and readers pay once (on a subscription basis) for access to the whole network instead of paying each site separately.

I definitely am not interested in subscribing separately to (e.g.) Wired, the NY Times, the Economist, WSJ, the New Yorker, etc. But I think I'd be totally down for a single rate that gave me ad-free access to some or all of those.


Attempts at that have been made, at least in Poland. The "piano" system gives access to a whole bunch of local news publications, Forbes, and a major national newspaper or two.

It costs ~4.5 USD a month, so ~2-3 hours of an entry level supermarket position pay. I don't know anyone who subscribes.


There's Google Contributor which you can pay monthly to see no or reduced ads on many sites that use Google ads.

https://www.google.com/contributor/welcome/


If they ever become popular, I'll make a site that scrapes and mirrors the content, then serve malicious ads. The advertising revenue will outweigh my morals.


This only applies to r/technology. Which is a large sub, but still a very small part of reddit.


Why are people commenting here, instead of in the reddit request for comments thread? It's literally a call for you to leave your comments on this matter for reddit to read, doing so here is in this case about as counter productive as it gets...


I have seen in the past, when there is a split like this, that there are often different styles and topics of conversation on the subject. I find reading and sometimes participating in both to be worthwhile.


What consumers want is a combination of product or service (1) database, (2) curation by category + quality, (3) recommendation, and (4) discovery. As an odd category, there may also be product sponsorship, like with Kickstarter.

Advertisements suck at all of these.


Anything that expedites the process of moving from ads to paying "somehow else" for good content is good. But it falls on the technologists side to come up with something that replaces ads. Redditors are only curing a symptom.


No-one has a responsibility to keep Wired or Forbes in business. Either they'll figure out a business model that works, or they won't; either way it's not the redditors' problem.


Obviously redditors like their articles, so they will have a problem too. I don't think this is black-and-white "ads are bad/readers are good" issue.


I think you overestimate the value of random sources of entertainment. Take away one, people will cry for a day, a week later it is forgotten.

We have an incredible abundance of content.


Forbes will go out of business, and redditors might be mildly annoyed for a minute. All of the power is in the hands of the users, and users don't want to negotiate in this case.


"Obviously redditors like their articles"

Do they? Isn't being coated in ads a normal condition of clickbait? Is clickbait high quality content?


Ads have been fine for years until they started tracking you around, flashing annoying animations, auto playing sound or video or taking up the whole page.

I'm perfectly content with banner and text ads, as long as they're not animated.


I don't think that ads were fine for the past decade (I'd even say that they got better but that's just based on my memory).

What has changed is that adblocking reached mainstream.


Ads have never been safe. I got adware from an ad ~15 years ago.


I believe it was said about web experience itself, not security side of things


That was the focus, yes. But "ads have been fine" was a far broader claim, and just too wrong to ignore. One bloody ad cost me hours of unbillable time. I even invoiced the site ;)


Good for you being content. I am not. I do not want to see advertisement. I am willing to pay for high quality content. Now where are my options?


This industry is ripe for innovation. I agree that the state of malware being served through Ad Exchanges is grotesque and I fully employ my ad blocker everywhere.

Here is the thing I just don't get. Why doesn't some tech savvy organization create a white label solution that companies can either slap a subdomain on and invite "Customers" to fill ad supply? Self host the curated assets through said white label solution. Moderate with sophisticated computers that are not subject to the vast majority of malware (excluding 0-day obviously), and move on. I'm sure someone could easily serve the ads off of the main domain anyway to circumvent all of the ad blockers on subdomains.

This is a perspective from the outside looking in, but people seem to just complain about the problem instead of looking for solutions.

EDIT: BAH, so there is a conversation from last year. https://news.ycombinator.com/item?id=10221859


Many adblockers use CSS to block ads, but that obviously wouldn't be terribly difficult to overcome. I just don't want to be that guy that lets everyone serve ads that can't be blocked by adblockers.


I honestly like the sites that block adblock. I only use adblock because it is so easy and has such massive benefits, but I still feel guilty that I am not supporting content creators.


You should really post np.reddit links to prevent non-users of said reddit community from voting. It's the standard practice -- https://www.reddit.com/r/NoParticipation/wiki/intro


It's an unwritten and unofficial rule, no one has to respect that, to me it only fuels the "omg our site that relies on linking to stuff on the internet has been linked somewhere on the internet" victim complex.


Since non-users would have to create an account anyway in order to vote, I'm not sure that this is an issue.


np is meant for Reddit users that are not subscribed to the subreddit. For example, when I am logged into reddit and go to https://np.reddit.com/r/technology/comments/4if65h/mod_annou... I don't see the voting arrows.


It originates from the meta subreddits (subreddits that only crosslink to other subreddits, such as bestof), which completely derailed any meaningful discussion as soon as threads were posted in said meta subreddits.

It's less of an issue if you link from here, as not everybody on this side will be a logged in user on reddit, but it should still be considered polite, considering that there is an actual 'best-practice' for linking.


I would suggest an emoji-based labeling system. Not too intrusive (grey scale) that somehow could signal if article is paywalled / blocking visitors with ad-blockers.

For a subset of users (either detected or by user preference), there might be another useful symbol as well for indicating if a website is not tor friendly.


PLOS uses this logo for open access: https://commons.wikimedia.org/wiki/File:Open_Access_logo_PLo.... (an open lock) Based on that Wikipedia uses a closed lock to indicate paywalled sources: https://commons.wikimedia.org/wiki/File:Closed_Access_logo_a.... So how about these: [Closed lock] [Open lock]? (TIL HN doesn't support emoji) I think reddit also allows image use via CSS.


I would prefer not reusing closed lock since it represents encryption in most browsers.


Hmm that's a fair point even if it's in a different context since ideally each symbol would retain its own meaning. I'm not sure what a better icon would be then that would be intuitive unless one was decided upon and widely used.


It's a recent user training issue, so, if it wasn't so soon I would be all happy, but finding a better icon would probably be better.

A book with a lock might work.


I think HN should automatically penalize the scores of paywalled sites. Although I'm not sure HN's pro-corporate politics would ever allow it.


I just disagree. It's up for the community to decide what's useful and what's not by voting on it.

If you don't like the link - don't vote. If enough people like it, then it's fair for others to see it. That's how communities work, you can't change rules to please everyone because you never will.


You cannot down vote links on HN. You can flag them but doing so on otherwise legitimate articles might be frowned upon and could lead to voting penalties.


I don't think HN could ever do this as long as it's associated with YC. It would be hypocritical of YC to be against paywalls and advertising if they have funded, or will fund, a business model that relies on it.


I think that in practice this happens through the normal voting process.


Why is this sufficient for HN but not for Reddit? If opinion is less divided on Reddit I'd also expect it to be less of a problem and thus less likely to require (auto) moderator input.


Scale. Reddit is bigger with hundreds, if not thousands, of subcultures and norms.

While HN has a single stream of stories being voted on, the guidelines for story submissions limit the scope for what can be submitted. The people who read HN are pretty much all technically astute, so when they see an article behind a paywall they don't vote it up - heck, many probably just flag it on principle.

If the article is chock full of intrusive advertising, it gets flagged pretty fast. If it is an interesting article that gets to the front page I guarantee you that there will be vocal complaints about the advertising. But most of us here, I would hazard to guess, have installed uBlock Plus or some sort of ad blocker so we probably largely miss it. And the things we find interesting are usually from sources clueful enough not to be so stupid as to employ anti-adblockers.


> Scale. Reddit is bigger with hundreds, if not thousands, of subcultures and norms.

But the link is about /r/technology only, not reddit as a whole.


If /r/technology has a lot of paywall and ad-filled links, and HN does not, yet both sites have similar moderating technology, then either dang et al. are seriously better admins, or HN is frequented by a better class of person.

There, you done gone made me say it.


> “We're considering banning domains that require users to disable ad blockers” (reddit.com)

It should be obvious before I click the front-page link on HN that it's about /r/technology only, not reddit as a whole. That means there's still room for admin improvement here on HN.

You made me say it!


How about they bugger off and not censor my content.

Power hungry censors from either the government or forums piss me off.

People who own forums have a right to regulate content, true.

But bullshit like this ain't cool, I and the users are not babies, bugger off, we'll decide with votes.


Arguably, they are deciding with votes. There appears to be massive support for the idea, and it's getting lots of upvotes.


I second that.

I also don't like those sites that require JavaScript to read plain text content. Forbes is an example of both cases, with a twist. The text of the article is embedded in a script tag inside the HTML page and then added to the visible DOM. I could understand a SPA getting JSON from the server but here the content is already in the page.


You would think, if they have the ability to detect that a user has an ad blocker in place, they could just as easily redirect them to a subscription form for an ad-free experience, rather than block people and lose revenue completely.


That works only in theory, subscription has a cost which is above and beyond whatever price listed: it's the mental cost tied to renewing, cancelling and tracking it.

Single subscription multiple website model may work, but as soon as buy-in ramps up for that model expect everyone jumping in with me-too services, killing it.


All subscriptions I have on internet websites have been some of my easiest "mental cost". Sites that I visit often, have great content and allow subscription for full ad removal (not partial) - I'm there with my money.


"We're forcing our users not to post sites that would force them not to force the sites to not force the user's viewing habits by posting ads".

You know an arms race is in progress when...


I share the sentiment of the proposal, but what I really don't understand is why user moderation fails to suppress those sites despite their tactics angering so many people.


Often the demographic that votes on stories can be quite different from the demographic that comments on stories and forms the "community", especially for default subreddits.

The majority of people voting on the story may only be reading the headline.


Reddit is also routinely gamed by bots or paid upvoters.


Sidenote: we should call it ad-company blockers, not ad blockers


I've actually implemented this locally. I reached a breaking point with some of the intrusive ads, so I block ads. If a site (such as Wired) asks me to turn that off, I add it to simple blocker and don't go back. The funny thing is a) I have a print subscription to Wired but I can't access the site without turning off ad blocking, and b) I don't miss the online version. If I'm just being honest with myself, it's doing me a favor by preventing procrastination.


I also have a print subscription to Wired. I don't pay for it directly. I use the airline miles I occasionally get from any company that puts me on a plane at their expense, just to keep the remaining balances from expiring due to inactivity.

I usually don't even take it out of the plastic overwrap, because my eyes don't have ad-blockers installed.

I guess next time, I can spend some miles on a cheapo flashlight keyfob, or something. I guess I was just sort of throwing them a bone out of 90s nostalgia, anyway. If they don't want me looking at their website on my own terms, I won't do it. And if I stop looking at their website, I don't have much use for their inky paper, either.


uBlock Origin and enable the anti-adblock killer under 3rd party options seem to usually work great. I also run Privacy Badger add-on which allows me to disable certain scripts and trackers from pages. Works great. I'll subscribe to sites that I visit on daily basis if they offer it with option to disable ads. I have no problem with this. I don't want to be served idiotic malware from some ad-exchange.


Banning these sites altogether would be too much. Assign a pre-defined downvote so that the hurdle for ad-driven sources is higher to overcome.


I don't think it would be too much. Why would it? I'd like to see those ad-laden pages dropped from HN also. As well as sites with paywalls. There are plenty of other pages on the web that can be featured instead.


Genuine question: do you think all journalism should be done for free?

I can somewhat understand an opposition to advertising or paywalls. Opposing both is unconscionable.


For free? I'm not sure those gossip-mongering petty scribblers would do anything for free.

But you have me wrong on paywalls: I'd fully support them going paywalled. In fact, I fully support them going off the Web onto their own proprietary network (like the Compuserve and AOL of old) and charging thousands (if not millions) of $CURRENCY a year for access. That would be great.


I have no problem with advertising but I don't want to be tracked. So often these are talked about as a single entity but they really aren't, or at least don't have to be.


You could argue that you support either or both, but draw the line at free publicity for paid journalism.


Maybe a simple tagging system, like AD for AD-blocked sites, and PW for paywalls. Tags should be community assigned as well so that there is no central authority involved.


They don't have that option as moderators of a subreddit


I agree that banning all these sites would be a bit much, but sites like Forbes that have actually served malware should be treated accordingly.


I should think flair would be enough. The community would naturally downvote those links when they thought the content wasn't worth it.


One easy way I have found to get around some of these sites' blocks is disabling JavaScript in the Chrome console and then reloading the page. It works a good amount of the time. You can also wget the page and pass in headers that you're a Google bot to bypass paywalls on sites like Economist and WSJ. (This was documented in a previous HN post exactly how to do this.)


I wrote a bookmarklet that catches all scroll events in the capture phase and cancels them. It seems to work pretty well.


Make it a user option -- sites really shouldn't be in the business of globally blocking domains. And then let me add sites to the .ignore file too, please.

Anyone got the list of sites HN currently blocks/penalizes/rewards? I'd love to tweak those options, and add marco.org and buzzfeed to my personal blocklist.


I'm not sure this would be possible via normal subreddit admin tools but I'd like to see this done as a user opt-in feature. Let people post those links if they choose to but also let users choose if they see them or if they get a notice when they try to post a link to one.


This week I noticed that StackOverflow has voting on ads. Hover over an ad and it shows thumbs up/down. I disable my ad-blocker on sites I want to support and just noticed this.

Seems genius to me.


I personally do not mind the "Deck" ad network. To me that is ads done right.

I learned about the deck from daringfireball.


A simple solution to publishers:

Curate your ads and serve them statically.


And still get blocked via CSS selectors.


At least that is something you can control.

