I don't understand enough about the ad business to answer this myself. If there's a legitimate reason to allow 3p scripts to run code - it would seem like creating a domain specific language that Google safely translates into JS would be so much better. Allowing 3Ps to run arbitrary JS just seems so shockingly wrong.
No amount of manual auditing can catch malicious code. It's way too complex for a human to parse.
Is there a legitimate business need that anyone's aware of to have code run in Ads? If so, why not use a DSL?
I used to work for https://www.interpolls.com/ in 2007 so tech may has changed quite a bit but here's how the business worked then:
We were allowed 30kb of JS file to load which could (depending on the ad network) serve ~300kb of a Flash SWF file. We ran Cold Fusion hooks in the SWF to radio home to our JS file to trigger 1x1 pixels for 3rd party trackers. We scraped our raw Akamai HTTP request logs after the fact on a CRON job to create our reporting system. There was a small cluster of FreeBSD servers that crunched the HTTP request logs. Every mouse-over / click was registered via these pixel HTTP GETs. We had timers too that would trigger every few seconds. The reporting system probably had a 2-3 hour delay due to the immense amount of traffic we received.
We specialized in "polls" which were plain old HTML radio buttons overtop of the SWFs which after you answered gave you a quick answer and sometimes had digital takeaways in the popup answer window (Icons, Wallpapers, etc..)
At the time all of our ads were handmade, we had a design team and a programming team that would create these together and code them specifically to the clients request. By the time I left we had started to automate it into a drag+drop system for clients.
Sidenote: Biggest job screw up that I've ever done was not putting in the correct 3rd party tracking pixel into an 300x250 that ran for 1 day on AOL.com homepage. It ended up being fine since we got the results back for the typo from the raw logs, but it could have been a $200k mistake!
I don't know anything about JS-based cryptomining, but I wonder if you can't stop such ads without breaking 90% of legit ads.
I mean, it's all probably boils down to number-crunching? So DSL you are envisioning should block really basic language parts, like cycles and math operations.
If I'm wrong and mining actually could be easily blocked on language level using some DSL, I'm all ears.
It would be nice if things could be blocked by CPU usage... even if you’re not mining cryptocurrency, if your ad uses more then 5% of my CPU it should be killed.
Interesting, just noticed that watching a Udemy course uses %98 CPU (in Activity Monitor on a MBP). This even if playback if paused. Wonder if they're doing something similar or it's just a lame implementation?
I've seen some software video decoders do that at times, though if it's happening even while paused it's a little unusual (maybe decoding buffered frames?).
Once a widget has run say 100 million instructions, suspend it if it comes from a different domain than the main page, mark it visually and provide a button on it to enable high CPU usage.
We used to do something like that with Flash: make the user click it if they want it to run.
That's exactly the reasoning that is the root cause of all these problems. You designed a website and you don't want it to be broken. Fair enough. But as a user, I don't really care about your website - what matters for me is if I can prevent it from taking over my CPU or not. This option should be there and it should be configurable. The browser makers already figured this is a problem and have some rudimentary mechanisms preventing total abuse ("this window/tab became unresponsive...") but if users have more control over it, it completely changes the rules of the game. Having a configurable option "if a script consumes more than N% of CPU, turn it off" would save many people the time spent on looking for the culprit, sometimes hidden between tabs. Fortunately many people have an auditory clue when the JS is abused: the fan noise.
Designers and developers need to understand that allowing them to run their code on my computer is a privilege, not an absolute right. As every right, it must not be abused. If it's abused, it will be terminated. Google finding and disabling these Coinhive miners on YT is just treating the symptoms, not the root cause.
I've come to decide that the only ads I consider "legit" are where the site owner strikes a deal with another business that is interested in advertising on their site, the site owner hosts the ad on their own server, as a picture banner or text or perhaps a nice block in a side column that says "sponsored content" or whatever, and just links to the other business.
Site owner controls all the content. Any tracking will be done mainly via server logs, if the site owner wants to they can use a bit of script to quickly shove in a redirect onmousedown, in order to track exactly when the user clicked what link. But frankly I've found even that technique a privacy insult ever since I noticed Google doing this in their own search results.
This is analogous to how paper newspapers used to manage their ad space. No third party shit, and if the magazine was proud of itself it would curate the ads to only deal with advertisers that wouldn't annoy their reader base (too much).
A bit of a hassle maybe, but it shows your readers that you actually care about what content is displayed on your site (let alone what code is run). But most importantly, no adblocker will block these kinds of ads. Because they're just image links, after all. Adblocker can't see if that's an ad banner or just a thumbnail linking to an external domain. And I would maybe even bother to whitelist those if they did (right until one shows me crap I don't want to see, like being confronted with nudity or sex when I'm not in the mood for it).
>I've come to decide that the only ads I consider "legit" are where the site owner strikes a deal with another business that is interested in advertising on their site, the site owner hosts the ad on their own server, as a picture banner or text or perhaps a nice block in a side column that says "sponsored content" or whatever, and just links to the other business.
I agree. When it comes to ads for niche content (blogs, forums, etc). The ad industry sells online ads like they're TV commercials but the companies buying the ads should be looking at them like partially sponsoring a race team in exchange for your logo showing up in front of people who are interested in your type of products/services.
However, mining is useless without a way to send it back out to the network. I doubt ads need networking capabilities - so just prevent that bit. That should do it, as far as I can tell.
Ads absolutely need networking capabilities, for tracking stuff like "viewability", or "anti-fraud, brand safety and independent measurement" by some third-party provider. In fact, you can't get serious marketing budget from reputable brand without having your, err... their ad wrapped inside some JS which does networking calls. Brands want to audit each impression you, as ad-tech firm, will serve on their behalf.
Part of what I find frustrating as a user is that I don't like ANY of those features :)
While I'd prefer a model without any advertising (and am willing to pay for it), I can put up with unobtrustive ads, without tracking, like Daringfireball uses.
I've worked in adtech before, and I know that these techniques make money, and are important to advertisers. But as a user, I find them intrusive, and they are why I run adblockers.
Yeah, race to the bottom. Fraud in online advertising estimated to be tens of billions USD yearly, so brands require more and more "brand safety" and "measurements", each ad calls, like, 4 different vendors calculating some metrics, and this, in turn, fuels adblockers growth.
Interestingly enough, "walled gardens", like facebook, are big and important enough to bully advertisers into playing by facebook rules, accepting FB measurement standards, without calls to 3rd party vendors.
It's only open web which is polluted more and more each year.
Well, it's a complicated question, and I'm not that well educated.
To my best knowledge...
1. You can't make a single cent if your bot visited facebook.com 100 million times. You can make some serious money if your bot visited some-exciting-domain.com, which belongs to you, and there was 5 ads displayed on each visit.
With this incentive you have all the reasons to make your bot very human-like (think headless chrome, realistic mouse movements, having old cookies, etc) so fighting fraud gets extremely hard.
It's easier to serve the ads and let advertiser figure out anti-fraud measures by himself. Being responsible for measurements and lack of fraud on open web is a huge PITA without clear path to huge uplift in revenue.
2. Facebook optimizes UX (or claims to), and calls to other servers make site slower, especially on mobile, lowering user engagement. This argument obviously does not work for some-exciting-domain.com. So, you can call whatever your want from your ad on some-exciting-domain.com, but on facebook.com you play by facebook rules.
In fact, some-exciting-domain.com can probably ban ads which call other domains, but it will just kill his revenue (programmatic systems will label him as "non-performing", because nothing is properly measured and stop buying ads there).
I do not think that metaphor holds at all, if "water" is open web and "chugging" means spending advertising dollars there.
I don't have a link on hand, but GOOG and FB captured something like 95% of digital advertisement growth in 2017. In other words, out of each new 1$ shifted to digital from TV and print, 95 cents went to duopoly.
And advertisers which are still "chugging" open web, installing more and more "filters" and "purifiers" (different anti-fraud and measurement providers).
People from digital media are talking about digital media crash. [0] Buzzfeed failed their revenue goal and fired 100 employees. [1] Mashable was sold for peanuts. [2] Business Insider, granddady of ad-monetized clickbait, pushing more and more articles under "BI Prime", which means paid access.
A lot of people were clamoring for death of ad-supported publishing on open web. Well, the future is almost here.
Chugging means, the general public is not at all concerned about what it's being subjected to - be it privacy / tracking or the visual pollution of ads.
If the market is the decider then I think the market is saying - quite loudly - the water is great to drink.
As a user I love all of those features. Every single one of them makes my adblockers more effective, not to mention they drive more people to use adblockers. :)
The audience is clawing back their rights using ad blockers and the browser vendors are already limiting tracking by eliminating apis used for tracking and limiting cookies.
Ultimately the browser vendors and the users make the rules, not advertisers.
but one of the biggest browser is owned by one of the biggest advertisers in the world. you'd expect dive conflict of interest at best, and anticompetitive behaviour at worst, from them.
It was only last week or so when I read some security researcher pulling some tricks to bypass part of caja's sandbox (while looking for something else, even). Sure this was a whitehat researcher and they got a (very) nice bug bounty from Google Project Zero. But if they use this to secure the 3rd party scripts that are apparently allowed these days on Google Ads, they're being hugely irresponsible.
I never heard of Caja until a few weeks ago, but apparently it started in 2007, could be that I forgot when I heard about it though. Back in 2007 though I was still a frontend web developer with a very keen eye on JS security and all the XSS/CSRF problems of those days. Back then JS/ECMAScript did not have sufficiently advanced features to properly sandbox code. This was a bit of a fool's errand back then. By now it's gotten a lot more of these features, mainly revolving around protecting the super-flexible fluid JS objects from modification and abuse. But I really kind of wonder if that locks everything really watertight? Because browsers are going to have unofficial/proprietary features, and you need just one to accidentally get this slightly wrong, get a reference to a non-sandboxed Window object via-via-via, and it all falls apart.
You don't let untrusted people run code on stuff you serve. Code is just too slippery, turing complete etc, and ECMAScript perhaps even more so than many other languages. Can't we just take that for a given by now, instead of trying to be cleverer than the previous smart person that failed at it?
Sort of: I don't think it's meant to restrict time/space usage, just access to capabilities. If you don't give the ad-code access to the network, it'd have no way to access the blockchain, but it could still chew up your CPU cycles.
Ultimately, it's because the advertisers don't trust Google or other middle men and insist on running code from third party vendors that grabs more information and promises better metrics, or to determine if the site or user are in some way fraudulent.
This is very common, and isn't just Google Adwords. Advertisers, or rather the ad-tech companies they user, want to do this to verify that ad views are 'legitimate' and gather extra data to help them bid. Without this advertisers have to trust ad exchanges to play fair, which of course they don't have any incentive to do.
This is just yet another reason "Ads pay for content on the internet" hurts everyone.
Oh, I know the other ad networks used to do this since forever. But Google's ad network used to pretend to be better. It started way back when they initially served text-only ads, which were perceived by many users as much more pleasant (and even more likely to click) than distracting banner ads (let alone animated ones).
Most people (that care about this kind of thing) already knew that many of the other ad networks allowed this sort of thing. The more shady, the more likely.
Google wasn't like that. And this gained them a lot of goodwill, for providing a good clean ad network without all the dancing monkey scams. They just did the tracking with their own scripts, providing a dashboard/control panel with stats to the advertisers.
I'm really curious since when they started allowing 3rd party scripts to be included in their ads. And I am not at all surprised if the "big announcement" of this feature was kind of a quiet affair. Because this is the first time I hear Google Ads allows this and I'm just,... yeah. Surprised? Disappointed? Mostly just very pissed off.
I was already blocking most ads, but if you ever expect me to whitelist anything ever again, you better host the ad yourself and not use a 3rd party network, because apparently all of them are scum. Funny detail: if you host the ad yourself you don't even need to ask me to whitelist it, because most adblockers simply don't block these things as they are not distinguishable from a thumbnail link to an external domain :)
Flash wasn't open, they should had made their own browser when they still had the chance.
One can still do some aggressive fingerprinting using new browser technologies.
For ads it makes a certain amount of sense... you can put animations in the ads that are driven by JS, or make the ads interactive. Calling this "script injection" is perhaps misleading, because the JS wouldn't be running in the security context of the page it's in.
Why the hell are YouTube ads allowed to run 3rd party javascript, and since when??
That's the biggest question not answered by Google. Why wasn't there a big outcry when this became possible? They can do all sorts of shit, not just mine crypto.
This used to be the single biggest thing not to do. The possibility of running 3rd party Javascript in Google's ad networks used to be one of the biggest nightmare scenarios if it got exploited, but the article (or the Google rep) doesn't mention anything about an exploit, it's as if 3rd party javascript running on their ad network is expected behaviour, just the fact that it's running a crypto miner isn't?!
There's no way in hell I am ever going to not block Google's ads after this. "Youtubers" and "Content Creators" can cry all they want over whitelisting their channel or site in particular because of all the hard work etc, but not if they want me to run a hostile ad network's code.
Cool, thanks :) But I'm actually even more interested since when Google started allowing 3rd party javascript, because the moment when it first got exploited maliciously was just a matter of time. I mean I seriously want to read Google's announcement of this "feature", because I'm honestly scratching my head "wtf were they thinking??".
Just so I got this right: You can buy a particular type of ads on Google's ad-platform, that will appear on sites and things depending on your target criteria. AFAIK you used to be able control these aspects of the ad: The text shown if it's a text ad, a picture if it's a banner ad, where the ad should link to, and probably a few cosmetic details. Any tracking cookies and analysis would be done either by generic Google Ads javascript (the results of which you can query in your Ads dashboard/control panel) and by whatever additional tracking javascript you set up yourself on the destination site the ad links to.
But apparently, at some point, advertisers got the ability to run their own (3rd party) javascript that will get executed on any site that displays your ad. I'm assuming they use a clever subdomain/iframe trick so that the security context of the JS is just that one domain and doesn't UXSS the world. And sure let's assume this is perfectly watertight. If it wasn't we would be talking about worse stuff than crypto-miners.
Then still this script is apparently not prohibited from doing whatever calculations (for mining or whatever), accessing whichever browser fingerprinting variables, mouse tracking and whatnot, you can load and execute remote scripts based on this fingerprinting and easily sidestep any of Google's scrutiny whether your script is up to no good. Not that they do this "because it doesn't scale", but it would be useless any way. And then, this script is able to ex-filtrate all this tracking or mining data. I'm aware that disallowing these abilities strictly and securely is just not really possible in JS, there's too many strange ways to access objects and functions, weird tricks, etc.
Did I get this right so far? Because I'm really a bit with my jaw on the floor, how the hell did they approve this and not realize it's a landmine?
I'm nearly certain that it must be possible to do other nasty tricks besides consuming 80% CPU for inefficient crypto-mining. If it's that many people (by now let's call them zombie nodes or a botnet, which is what Google Ads apparently gives you) all running your code, you can also use them to DDoS a site. But if you're just a dick, you can also attack the people themselves. Most browsers have the cross-domain security down tight, but nearly all of them have multiple "vulnerabilities" that DoS the browser itself, make it unresponsive, make it crash (yeah multiple tabs, even if they have their own threads) or even make the whole system (yeah outside the browser) unstable, unresponsive or crashy. Maybe not your tweaked/bolted down Linux system, but the average user's mildly clogged up Win10, easy.
Can these scripts also track and log keypresses or is that somehow separated because of cross-domain / iframe protection? (it's been a while since I got real deep into JS security) Because that would be a vulnerability.
The problem with crusaders on either side is that they conveniently ignore or deny the trade-offs. Advertising based business models come with certain dangers and annoyances. Paying for content and services directly also comes with dangers and annoyances.
The reason why I don't use ad-blockers (yet) is that I fear complete loss of anonymity and even greater censorship powers for governments if everything becomes a pay service. Payments are the most tightly regulated and monitored thing on the planet. At the same time you're exposed to credit card fraud and identity theft.
Remember when Google ads were considered not too bad? Just boxes of text when everything else was flashing and making noises. That was a big part of Google becoming popular and now it's gone.
This is why I run an adblocker, even for so-called "trustworthy" sites. When even top-tier networks like Doubleclick aren't doing the necessary due diligence to prevent malicious ads, what can I do as a user but block all ads, even while knowing this hurts the content creators who use those ads for revenue?
It feels like someone telling you that if you don’t let strangers stick you with dirty needles, you’re letting everyone down. Well maybe we are, but I’m still not letting this crap in! Truth be told, most of what ads fund is deeply underwhelming too.
Then once you live on the ad-blocked net, it’s pretty much torture to go back. I swear I can feel my energy, attention, and time being wasted by ads; either the ads themselves or the need to constantly engage critical thinking resources to manage the misinformation.
> Truth be told, most of what ads fund is deeply underwhelming too.
Quite an important point not to miss:
The vast majority of advertising actually just funds the low-effort mass-generated clickbait farms of the "you won't believe this celebrity XYZ"-type and similar crap.
I don't have numbers but I would be surprised if actual quality[0] content producers took more than 5% of total Internet-wide advertising income.
So, in order to "support quality content producers" like everyone is always talking about, not only are we supposed to put up with all these shitty ugly dirty-needle-stabbing ads, but ALSO we're directly supporting and funding the clickbait linkfarming spam industry several times the amount of ad funding that ultimately end up with the "quality content producers".
The highest quality content usually has the least intrusive ads any way. I remember when we just hosted a bunch of banner links for local businesses that we personally contacted and asked if they wanted to advertise. They'd pay a monthly fee and that was it, no shady practices, no tracking and no 3rd parties. If that was too much work, or you couldn't get good deals, the alternative was putting up your content for free, for the love of it, for the fame, for shits'n'giggles, for whatever what drove your passion.
That was the Internet nearly two decades ago, and there honestly was no shortage of free, quality content. And webhosting costs were quite a bit higher back then.
[0] regardless how you would define "quality", let's agree that clickbait farms aren't it.
Came here to say the exact same thing. I'm sympathetic to the difficulties of funding a site that doesn't have a subscription option, but no way in hell am I trusting any ad network to keep malicious junk out of my browser. I may nominally trust the people who run the site, but the ad networks... never.
It's never been your responsibility to run that code. If it had never been allowed, ad-tech would have found another way. They built an industry on a horrible assumption and now it's their job to fix it. Everyone can still fall back to affiliate links if they want, but I doubt most will any time soon.
This! It their job to fix this mess, the burden of finding a better alternative doesn't lie with us.
I have no once of guilt related to blocking ads, if you can't pay the upkeep of your website and you haven't found any meaningful way for user contributions then that's on you and if you still serve ads because that's the only sane solution for your monetary problem then you should expect some users to block those ads and conclude that both parties did what they thought was best given this horrible situation.
Affiliate links are great and more people should really consider going back to this model.
let me play the devil's advocate and argue that ad supported content is responsible for somee of the biggest chunk of the internet, and if it hadn't been for such business model, the internet would not have been as amazing as it is today.
sites like 9gag, 4chan or Reddit, or other such sites is where net culture breed. these sites are not going to have the same feel if it had been subscription supported, as large swarves of users who have no money to contribute, but have content and creativity would've been locked out.
I give directly to paypall and patreon to support creators. I couldn't give a damn about Google itself making money at that point. i block all ads, no discrimination. If you want me to support your site, ask for a donation, like the Guardian does. I don't accept ads anymore in my browser.
re hurting creators on youtube: I just sub to youtube red, it's relatively cheap and I believe they still pay out even if a video is demonetized, which happens way too much to innocent channels.
At the very least I'm sure the script checks a few simple conditions before unleashing the miner, such as current date, ip, language prefs, possibly a "go/no-go" boolean hosted on some random webserver, to evade any pre-screening before being accepted into the ad rotation.
I've heard of something similar whee drivers (partiularly graphics) trying to get WHQL cert will check for a special registry entry, and only if its present will do the ridiculous unsafe things like directly patching the IDT to get the performance they want, but will play nice otherwise so they pass cert.
Because then the ads would just do what viruses do and check if they’re in a prerelease testing environment before doing the evil thing. There’s no way to stop this completely without human examination of the ads, and at the kind of scale that Google and the other ad networks operate at, manual human examination of everything is not possible.
I was never at risk for this kind of attack due to my ad blocker, but I can't help but wonder why the ad was allowed to run in the first place. Surely Google of all people have the resources to do analysis of javascript code that is submitted by an advertiser, and not push it out to the platform if this kind of stuff is detected. This isn't even that hard to automate: does the ad use excessive amounts of CPU while loaded? Reject it!
Of course if the advertiser is allowed to load their own unverified third-party javascript from anywhere, these kinds of things can and will continue to happen. That's why I don't run third party embeds in my browser, and I don't think anyone should. (An unpopular opinion, I know.)
Cloaking is a hard problem. People have a massive monetary incentive to improve cloaking tools, meaning that basically every technique you can think of to detect malicious behavior dynamically has a finite timeframe to where it is no longer useful.
Ad networks almost certainly have a system to detect cloaking. It is almost certainly not detecting all malicious scripts.
I seem to remember way back in the day that you could advertise with Slashdot (and others, I'm sure) by giving them an image (static or animated GIF) of specific dimensions, the URL that image should lead to, and obviously some cash. That was pretty great because they kept it reasonably unobtrusive and there wasn't any javascript.
I seem to remember way back in the day that you could advertise with Slashdot (and others, I'm sure) by giving them an image (static or animated GIF) of specific dimensions, the URL that image should lead to, and obviously some cash
Right, direct advertising. IIRC, anybody who seriously suggests it is routinely shouted down as impractical.
If you hosted static ads like it sounds like they did wouldn't it then end up costing more work for less money? If you have someone else host the static ads it'll be the same amount of work but you'll get less money. The issue is that most people don't want to get less money
Well, the first problem is that only a relative few sites are big enough to do direct advertising. The harder question is how to keep web content decentralized by decentralizing means to revenue, a battle we are aggressively losing.
Somewhere, someone said to their business partners "Why, what if we decided to chew through the useful economic life of someone else's assets without telling them?" and the people in the room said "Sure, lets go get it done".
There is no reason why ads aren't just plain text, video or animated vector graphics. There is literally no reason to allow them more (read; execute javascript).
If anyone comes up with a valid reason I will invest all my life savings into garlicoin.
This, shortly after youtube went all JS. With JS disabled, it's just a blank page now. I'm glad I disable JS. Saves me a ton of data bandwidth and protects me from advertisers. There's just not a lot of upside to my using JS anymore these days. Some big sites might not work, but that turns out to my benefit.
These antics put the whole JS ecosystem at risk. Remember how normies figured out cookies were bad and turned them off? Even Tony Soprano was talking about turning off cookies. This can be much worse. Might actually kill the web and push everyone off to native apps for good.
Funny idea: a long form journalism site could intentionally and openly embed such a script, allowing readers to make "micropayments" of lent CPU time to the site while they read articles.
I'm pretty sure the factor five in your second point is in reality way worse than that, probably (wild guess) at least over 25x.
Mining is not only inefficient when implemented in JS (even with the web asm stuff, many clients have no support), or when it runs on crappy or old hardware, it also depends on what your electricity costs. Pro-miners put their farms in locations where electricity is super cheap, often in the middle of nowhere, perhaps near a hydro dam. Most clients are on a laptop or mobile in a city, where electricity is much more expensive, and their electric efficiency is made worse because they run it off battery.
Distributed crypto-mining for micropayments via embedded JS is such a huge waste, I'd probably have more problems if I knew the site was doing that, for the guilt of wasting that electricity while reading, just so the author can inefficiently receive a few fractions of a cent. I might even (gasp) rather watch a video ad instead.
They use Coinhive, but using it this way seems reasonable. Their strategy is to be open about it, to let users know their CPUs are being used to mine, with care not to drain mobile user's batteries. They only use it on long articles. I'd much rather encounter this than ads. It's much more convenient than a micropayment service, and doesn't preempt additional subscription income. I expect to see bespoke variations that don't trigger antivirus software. As long as mobile users' batteries aren't drained, and users' CPUs aren't overly stressed, it seems an ideal solution to monetize websites.
Javascript was the bigest mistake to add to the web standards.
However, the web standards themselves are unnecessarily complex. W3C and WHATWG are partly to blame. Remember HTML was supposed to be a document that the user could change the styling of similar to how some gopher clients would let user change the look of how you viewed all content.
However, that is kinda ancient history these days. However, the web standards need to make a new format that breaks backwards compatibility. An app based format, and a document only format. Sadly, I don't see this happening.
--EDIT--
Also a lot of web designed don't care if their site does not work if JS disabled...
If I were to rework the standards. I would make any syntax for standard defined languages quite strict. Further, for document based content make sure content is always readable with out freaking stupid dynamic eye candy.
Google can build software that can autonomously learn how to beat humans at the hardest games in existence (or buy a company that builds said software), but it cannot detect malicious code in ads before serving those ads...
How would you go about deciding reliably whether a given Javascript program would perform a malicious computation on certain inputs? As the concept of malice seems somewhat hard to pin down, let's simplify the problem a bit: it's enough to decide whether that JS code stops at all or if it would just run forever. How to get that ad smasher written?
I'd love it if there was a way to monkeypatch JS functions in the browser (like we do for styling in userChrome.css) so that ones that BTC relies on become no-ops.
What strikes me about this is actually tangential to the specific issue the article addresses.
New technologies push the bounds of opportunity and risk. Folks trying to take advantage of the upside will exploit anything to achieve their goals. In the process, natural systems will emerge to combat them and close the exploits. This amoral process actually leads to emergent, unanticipated outcomes. You actually NEED the chaos upfront for society to eventually discover a stable equilibrium.
All the negative externalities from BitCoin / blockchain are really just a naturally occurring shake out of kinks. Much like the wild experiments and exploits of the 90s eventually led to the equilibrium we have for the current Web.
Well brave does intend on displaying ads at some point. Without knowing their exact implementation as to what ads will be displayed it might be possible eventually.
The hilarious thing about this is that so what why not? Can't I opt to let another co-opt my cpu while I watch videos so that I don't have to watch ads?
I'd much prefer people using my cpu to mine bitcoin than to render some shitty ad.
This is actually a fascinating development in this space.
The payoff isn't good enough for this to support add-free services, and the payoff gets worse as crypto becomes more popular. Then there's the fact that you might be browsing from a battery-powered device.
>The payoff isn't good enough for this to support add-free services
Hmm, wait. How it works, then?
Let's say I'm paying 1$ to display malicious ad which mines something. BTC.
If amount of mined BTC is lower than 1$, the whole operations becomes unprofitable. Why should I pay 1$ to mine 90 cents via ad?
If people are running this operation on scale, it should be profitable. But then payoff is by definition good enough to support ad-free service. Instead of taking 1$ from advertiser, google can theoretically mine 1$ on my PC and let me watch video without ads.
you still get to display an advertisement. so it isn't "mined BTC > $1 --> success"; it is "mined BTC + expected value of running scam ad > $1 --> success"
I think his point was a hypothetical without the advertising component. Like if they just embedded bitcoin miners in every page that displayed a youtube video.
PS: Also, I wonder what other sites could be affected. Requirement is "user spending a lot of time on a page", so maybe blogging services with long posts, or shady sites with online sports broadcasts. Ugh, adblocker slowly becomes a requirement for modern web.
Cut out the middle man. YouTube itself can mine cryptos while videos are playing instead of displaying ads. At least then you know the trade off and have a single company to complain to when they are draining your CPU too much.
Do we trust the competency of ad providers to normalize for low powered devices? If I read an article on some small news outlet or indie blog using my phone, will my hand get burned off?
A normal CPU probably won't mine enough to be profitable either, but since the users pays for electricity, not the advertiser, I don't see the incentive.
Many people just can't see the progress and the new possibilities offered.
Like you, I don't like ads because it distracts me. Mining on my CPU? I do not care. If it pays for bandwidth and allows me to get a ad-free experience, sign-me up!
I'm sure someone is already developing it if it's a good idea, but it seems that instead of ad revenue, internet content could be paid for by cryptomining while consuming their content.
Googling around a bit, it seems that Google's attempt to include everything under the sun into your YouTube Red subscription is to blame...
They could just give you ad-free youtube. But instead, they want YTR to include their YTR-only premium content, and also they want to throw in Google Music... all of that requires decyphering copyright laws and potentially registering as a royalties collector (IANAL). Typical Google behavior, an inflexible all-or-nothing approach.
I think you can actually do this without having a YouTube Red account - it's under youtube settings and then under playback (there's a checkbox for annotations).
I'm using the Red free trial (it's 3 months) and it's actually pretty nice to have more control over the experience and not have to deal with ads. I found the ublock origin wasn't perfectly effective on YouTube anyway.
If only FB offered a $10 a month no ad subscription it'd be a lot nicer to use too.
In addition to simply being rather pissed off about all of this, I was just wondering (don't worry--I'd rather just block ads than actually be arsed to implement it):
If your browser becomes a node in a crypto-mining network, it'll start number crunching and occasionally send the results to some central server for collection.
What if your browser doesn't play nice? What if it sends bad or misleading data?
I'm not sure how Monero exactly does its thing, but I know that for Bitcoin it goes a little something like this[0]: You start out with a quasi-random "salt", I think it comes from the previous block. Then you append a bunch of random bytes to that salt, and hash it (SHA256? or some popular hash function, anyway). The goal is to find just the right random bytes so that the hashed value has the longest run of ones as its least-significant bits. If the length of that run is equal or longer than the current "difficulty level", then you're the lucky winner and you just mined a block of bitcoin! These correct random bytes are hard to find, you have to bruteforce them, but super easy to check: just one hash and see if it has a long enough run of ones.
Because even on decent hardware, odds of personally mining a block are in the order of once-a-year-maybe, people often join mining pools that share the profit. I'm not sure how they make sure everyone in the pool plays fair and divide up the profit based on the amount of work they put in (or amount of hashes they checked). The crypto-miner obviously joins a pool because with the shitty performance of stolen CPU-time over millions of people visiting an infected site for a few seconds, they kind of have to if they want a payout more often than once-a-decade-perhaps-not-even.
Can you mess this up for whoever owns the pool account that the distributed cryptominers send their data to? I suppose if that miner's account tries to scam the pool and report way more hashes checked than they actually did, or something like that, would it ban the account and lose all profit up till then?
What if your browser just reports any bunch of random bytes as "nope, that's not it", without even bothering to hash it? What if one of those just happens to be the winning bytes and it gets discarded and never tested again? Does it even work like that or do the JS miners just pick a random value to append to the salt, hash and test (with the risk of trying certain values more than once).
Even then, I'm certain that you can bugger up whatever protocol these hostile JS miners use, and cause all sorts of "interesting" and costly misbehaviour in the pool. Though I should read up on how these things actually work, the above is just vague guesses based on what I know about bitcoin's crypto/protocol/algorithm (I actually did read the whitepaper once, but it was maybe a decade ago or so) and even vaguer guesses on how these mining pools work (that I haven't digged in to very much).
[0] I'm probably wrong about some details because it's been a while since I read that whitepaper, so correct me if they're interesting details :)
And talking about filthy ads, the one served by Arstechnica [1] tells me "Warning - Your computer is infected.. blah blah blah.. Download Free Antivirus..blah blah..".
No amount of manual auditing can catch malicious code. It's way too complex for a human to parse.
Is there a legitimate business need that anyone's aware of to have code run in Ads? If so, why not use a DSL?