Show HN: Ad Network for Sideprojects (tinyads.io)
218 points by ezzato 12 days ago | 78 comments

I'm very selective with the external scripts allowed on my websites. Ad networks are notorious for running malicious JavaScript on popular sites like NYTimes[1] and Yahoo[2] home pages. Any plans for an API so sites can receive ad content as JSON and display it without ever executing your external JavaScript? I might consider it for future side projects if I could npm install your client library instead of including an external script tag.

[1] https://www.nytimes.com/2009/09/13/business/media/13note.htm...

[2] https://www.washingtonpost.com/news/the-switch/wp/2014/01/04...


> Any plans for an API so sites can receive ad content as JSON and display it without ever executing your external JavaScript?

That will be a very easy target for faking impressions...


That's trivial to solve though. Just don't pay per impression for users who opt for that method of delivery. Pay for clicks instead.

That will be a very easy target for faking clicks...

It's the same JavaScript running, just hosted on your domain instead of externally. The JS shouldn't support eval, which is unfortunately a common way to display ads in networks with embedded external scripts. Version updates can go through your review too.

The current state of the art in ad fraud detection has basically become "here is a bunch of weird random stuff, let's see if you get the right answer." That stuff is delivered by dynamic JavaScript.

What you are proposing is AMP Ads and is universally hated by advertisers and publishers.


Speaking as someone who knows approximately nothing about ad fraud, what additional protections exist? The scheme you described could be easily thwarted by appropriately sandboxing their script to modify a shadow DOM instead of the real one (and countermeasures like checking the page once in a while would just as well apply to a JSON approach).

Ad fraud takes a number of different forms, including:

* Buying a low-value ad (like a banner) and cramming a high-value ad (like a video) in there, and lying to the ad server about the visibility, sound, etc, using JavaScript. Sandboxing is typically stymied by a number of cross-domain limitations in real-browsers we can detect server-side.

* Buying installs for an older/hacked browser (or browser extensions) that has been scripted up to load the ads. People would embed these in screen-savers making real users visit these ad pages when the PC owner was unlikely to be around. They won't have the protection real browsers have, and so can trivially modify the network profile.

* Making a headless browser call ads on pages. These pages "look" valid, and you can visit them to see the ads, but the headless browser has collected cookies from various shopping sites, and uses a number of home/DSL proxy services to obscure detection. For any single impression, they look indistinguishable from legitimate traffic.

These are detected in different ways: JavaScript helps some for the first two, but in the second it's mostly that you're looking for bugs in the implementation (and it's just that JavaScript gives you a wider search area). Usually these things are "home grown", so if you've got a wide view of the industry, and can change your scripts frequently, you can "detect" them being built in real-time.

However that last one is tricky, and outside of bugs[1], you're left with timing attacks which I won't enumerate because their obscurity is the strongest protection for continued utility, but in general they work on the principle of leaking some identifying data in HTTP and DNS responses, and relying on the fact that that headless browser needs to call lots of ads to pay for the electricity and Internet that it uses, so we get lots of opportunities for a collision.

[1]: https://geocar.sdf1.org/browser-verification.html


If I have control over the code that displays the ads, then I can fake the impressions. The past 20 years of development in the ad tech space didn't happen just because, it happened because there is a real problem that needs solving, a problem that constantly evolves.

I've built an ad network that supports exactly this: I give you (the publisher) a bag of JSON or XML that tags up the content, and you decide how to render it. I typically pay on click, but I have paid impressions in some cases where the publisher and I can reach a level of trust. I don't think wakatime.com would be an appropriate publisher for me, but maybe you have other sites that are more appropriate.

My original goal was avoiding ad blockers: By having the publisher render the ad themselves, it doesn't look obviously an ad, and as long as the publisher doesn't make the page itself an ad farm, users do not tend to block with custom CSS (that might end up in popular blocking tools). It seems to work okay- we've been operational for over five years at this point, and I've not seen one of the publisher domains or CSS show up in ublock.


I used to do ad scheduling 10+ years ago and at least in those times the ads had NOSCRIPT tags.

But for it to really work you would need to store a cookie to correctly redirect the user.

I like your idea of rendering the ads on the server side, but I would hope they would have super low response times. Or at least a low timeout on your side.


You can render client side too, the key is no external JavaScript is being trusted to run on the page.

That ofc means the common practice of advertisers pasting a JavaScript snippet, the network doing a review process, then rendering that snippet as an advertisement on some property would not be allowed on this Ad Network.
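
The JSON delivery model discussed in this sub-thread, as an added example that is not part of the thread and not tinyads.io code: the publisher treats the ad as untrusted data, validates it, and builds the markup itself, so nothing from the network is ever executed. The field names (`title`, `body`, `href`, `img`), the length limits and the sample records are assumptions.

```javascript
// Added example: field names (title, body, href, img) are an assumed schema.
const MAX_LEN = { title: 80, body: 200 };

// Escape text for element content and for double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute https URLs without embedded credentials.
// javascript:, data:, http: and relative URLs all return null.
function safeHttpsUrl(value) {
  if (typeof value !== 'string') return null;
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.protocol !== 'https:' || u.username || u.password) return null;
  return u.href;
}

// Build the ad markup from data only. Returns null when validation fails,
// in which case the publisher renders nothing (or a house ad).
function renderAd(ad) {
  if (ad === null || typeof ad !== 'object') return null;
  const href = safeHttpsUrl(ad.href);
  const img = safeHttpsUrl(ad.img);
  if (!href || !img) return null;
  for (const [key, max] of Object.entries(MAX_LEN)) {
    const v = ad[key];
    if (typeof v !== 'string' || v.length === 0 || v.length > max) return null;
  }
  return [
    `<a class="ad" href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer sponsored">`,
    `<img src="${escapeHtml(img)}" alt="" width="64" height="64" referrerpolicy="no-referrer">`,
    `<strong>${escapeHtml(ad.title)}</strong>`,
    `<span>${escapeHtml(ad.body)}</span>`,
    '</a>',
  ].join('');
}

// Constructed sample responses, as if parsed from the network's JSON endpoint.
const GOOD_AD = JSON.parse(`{"title":"Rows & Tables","body":"Spreadsheets <for> hackers",
  "href":"https://example.test/p?a=1&b=2","img":"https://cdn.example.test/ad.png"}`);
const BAD_AD = { ...GOOD_AD, href: 'javascript:alert(1)' };

console.log(renderAd(GOOD_AD)); // escaped markup
console.log(renderAd(BAD_AD));  // null: non-https link is refused
```

The same function works server-side or in a bundled client script; pairing it with a Content-Security-Policy that omits the ad network from `script-src` enforces the "no external JavaScript" property at the browser level.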


It seems like iframes may be a better solution. They provide quite strong isolation of inside to outside communication. I worked in the ad tech industry 5 years ago and everything was iframes.

Don't they take a toll on cpu & rendering times?

What do u think of images rendered on the backend?


Yep, they definitely have a performance impact. Plain old image tags are really lightweight and secure. Unfortunately these simple methods are highly susceptible to ad impression fraud. Really, all online advertising is susceptible to fraud, but if you're paying for clicks or impressions, you can tame the fraud with mass amounts of JS, browser sniffing, data collection, aggregate analysis. This is what the large ad networks like Google do and it's a large industry with many actors.

Reducing this data collection and turning to simpler methods like images increases fraud, which decreases the amount honest publishers would earn (likely hugely). So it's definitely doable, but tends to not make much economic sense at large scale.


Pretty cool idea! We did something similar when we launched ads on Read the Docs, which we call Community Ads: https://docs.readthedocs.io/en/stable/advertising/ethical-ad...

Basically, we show ads for OSS projects & conferences in the ad spot on a small percentage of our traffic. It's a nice way to give back, and in the past we've shown ads for many PyCons around the world, the PSF's annual fundraiser, and a bunch more worthwhile community projects.

The hardest thing has actually been finding projects that are well targeted for our community, and getting design assets for them. A lot of OSS & side projects don't have this stuff, and the ones who do probably don't need much promotion.


Love ethical ads! I guess finding OSS through an ad is not the right way.

Thanks! We looked at adding similar concepts to our new ethical ad network (https://www.ethicalads.io/) but it’s trickier when we aren’t the publisher for all the sites. Still something we’re looking to add at some point.

Creator here. Tiny ads is my attempt to create a cross site ad network for hackers and side projects.

It's more an experiment than a serious business venture. The idea is simple. We place a little ad on each other's page with a link back to one's side project.

It's privacy respecting (no user tracking) and will work in the beginning by me judging which project to include into the ad network.

I hope to create a positive sum game and give cool projects a new platform.

(The ad will start showing on March 15th)


I can't help but think of web rings on Geocities.

Same. Which I think is great, the real spirit of the early web.

I was waiting for this comment.

Can we bring these back?

> will work in the beginning by me judging which project to include into the ad network.

A solution to this problem that doesn't take your time is to ask projects to put down a deposit. Bad/spam projects don't get the deposit back. https://repowcha.com solves this.


Please stop making your sample ad wiggle.

Nice one. I believe it was tried before: https://en.wikipedia.org/wiki/LinkExchange

Getting a 404 after adding the script tag to my page, just to confirm this is the expected behaviour for now?

Yes, the ad endpoints are locked right now. Doors are opening on March 15th. I wanted to give this a slow start to have a credible amount of projects to show.

Only ads with the script tag will be included in the ad network.


I believe this is a typo on your home page:

"No specific version numbers or IP addresses are saves."

Should be "saved".


I like this.

It reminds me of the old internet :-)


Nice site -- Good luck! I suggest having a native speaker of English do a once-over of your materials for editing help.

Some copyediting help:

FAQ:

Is Tiny Ads GDPR conform? -> "conformant" (or more naturally, "Does Tiny Ads conform to GDPR?")

No specific version numbers or IP addresses are saves. -> "saved"

How does the blacklisting works? -> "work"

It could distract our user when they want to decide to try us out -> This is a statement not a question ;)


Thanks. I fixed the typos.

Did you build this with Tailwind? If not, what UI framework did you use?

Yes. Tailwind mixed with alpinejs.

The subtle tilting of the example ad is slightly dizzying.

Wow... you're right. I saw your comment and was like "what's this asshat complaining about now"

I went there and moved my eyes around the example ad and immediately got vertigo and my stomach turned.

Possibly it's from the dots...?


I think it's that it's just subtle enough that you question if it's moving at all, and that disagreement between expectation and observation creates a sense of unease.

Agreed. If you're going to start an ad business today, it should feel the least amount "sleazy," gimmicky? as possible. In case that was done on purpose to get more of your attention, that is.

I thought I was having a serious neurological issue for a minute there. Maybe don't make your product make prospective users nauseous, eh?

Never noticed that while coding the frontend xD I will change the animation to something else. Maybe a little bounce. Haha

+1, instantly felt unsettling in my stomach.

I noticed something off about that ad too.

I like the idea but putting a script to the home page is probably too invasive. Can you make it into a single static image or JSON/static HTML based?

I really like this idea, and I’m someone who hates disrespectful ads. A small, non-animated tile—ideally advertising something I’m interested in—sounds like something I wouldn’t mind seeing.

One thing: I really hope you don’t plan on making these things wiggle or anything. That’s exactly the sort of obnoxiousness that prompts me to block ads, and I think that would defeat your stated goal of unobtrusiveness here.


No I don't. The ads must be respectful and unobtrusive.

Edit: typo


Ad networks are entering a period of great consolidation and distress. Brand this as a community, not an ad network.

Very nice idea - exactly what I was looking for!

I just uploaded my own side project (http://spot.gifts) but the image I uploaded is showing as broken (was initially .svg). I tried to upload a .png and delete my previous post but that didn't work. Just thought I'd give you feedback. Keep going!


I experienced the same issue and posted it elsewhere on the page. I am writing here just in case the owner catches this thread!

Have you considered accepting bitcoin?

I did but couldn't find a simple solution to implement that. The plan right now is to integrate flurly as a payment solution in the future.

Better yet, create a new side project shitcoin, we hackers each get a handful, and when the whales come in and pump it, it will #moon. (Release a white paper, fill it with lorem ipsum, those whales don't actually read the white papers, they only care that they exist.)

Nice product. Created an account and it's smooth. Two questions:
- What's your plan of monetisation?
- How will you maintain the ads' sanity? Not all side projects are worthy enough for ads.

Back in the day we called these webrings. Still relevant, but now that most content is surfaced through recommendation algorithms and people are more averse to ads, it's tougher. Still great idea. Good luck

I added my site nunino.com and added the script to the head.

What do I have to do to place the banner?

Would be nice to have a place inside the site to send you some feedback or questions.


Love the idea. Just signed up https://secalerts.co and added the script to our homepage.

Thank you!

Nice, super simple process! I've submitted an ad for my side project, rowsandtables.com. Looking forward to seeing how it goes.

Hey! I submitted my project with stories of "data hackers" (https://datapeek.org/stories). Would you be open to an interview? Your project is quite ingenious; it would be a great fit :)

What a great project. Love the idea. This might be a new game genre. Developer Board Games or so. Haha

The web is hungry for a privacy respecting & scriptless ad network.

With several things that can be improved.


I added my project but on the dashboard, I can't see the picture and there is no edit button?

Yeah, the first time I tried to add, I got an error message along the lines of it not being able to reach the product URL (which is absolutely available). It wiped out my competitor URL list, so when I resubmitted, they were empty.

So I created a second ad that did have the competitor list, it failed again, this time I re-added the competitor list and it seemed to go through.

This all because there was no edit button. But the icing on the cake is that the DELETE button doesn't work, either, so now I just have two ads up there.

I guess we'll see how this goes...?


I think we are all experiencing the same issue :/ . Let's give it some time I think.

Off topic: I am watching your code generation video on nodewood https://nodewood.com/features/code-generation/ . It seems clever, but I have some difficulty evaluating how much trouble it would save me, for example. How do you pitch that feature?


I didn't see any way to send feedback in the app itself, so I figured I'd add to the discussion here in hopes they'll see it. The ads themselves don't launch for a few weeks, so there's definitely time to resolve this stuff.

On Nodewood, yeah, it's probably not the #1 time-saving feature that Nodewood offers, but it's similar to any other framework's scaffolding tools. It ensures that when you want to make a new API Controller, or UI Page, or shared Model, it's in the right location, follows naming conventions, and has the basics filled in for you.

I always find starting from a simple case and extending it to be a lot more productive than starting from a completely blank file and trying to remember the basic implementation of the thing I'm trying to build.

Plus, Nodewood is a little opinionated about how to split up your code into "features" that makes building a reasonably well-organized Monolith a lot easier, and the code generation tools make it a lot easier to follow that pattern.


Thanks for the feedback. There are some issues left unsolved. I will take care of them.

I'm interested in adding this on mixerapi.com.

What software do you use to store impressions?

I run postgresql in the backend. Right now most of the app's logic is written directly as postgres functions.

After experimenting with datalog and mongo I settled with postgres. It's flexible enough for most situations.


Lol gotcha. As someone who runs an ad network... good luck with scaling, RIP

> good luck with scaling, RIP

Why? Plenty of options to scale Postgres. What alternatives do you use?


The juice just isn't worth the squeeze.

I can't speak for Exuma, but I've built several ad networks and buying tools that needed to handle over as much as a trillion daily events, and that means lots of HTTP event collectors writing events down into a lot of otherwise independent streams that you need to merge-sort together into coherent reporting and deduplicate client retries.

In principle, anything with statement-replication (such as one of the multi-master plug-ins for Postgres) could be made to work here, but error recovery tends to be poorly considered (and users expect no downtime here) and so it's almost certainly easier to just write a log file (or let cloudfront or whatever do it), and write a custom log shipper. Dedup in a window is easy, but UPDATE on a tall skinny table even with an INDEX is slow.

If you want to materialise that in Postgres back at home-base, that can probably work. There are a lot of single-writer methods to scale Postgres. I've used Postgres for this and it's fine.

The other problem is configuration: Outside of naive impression counting, your HTTP "event collector" might also need to be smart enough to choose an ad. Naively relying on replication from your configuration database to all your nodes means it's easy to get split-brain, and you're still taking an (often unacceptable) performance hit asking the "local" Postgres server your questions -- Meeting hard-realtime guarantees consistently (usually 30-50msec) is hard for a bit of PHP and Postgres to accomplish. Usually I'll build the decision logic into the configuration payload -- actually pre-compile the decision tree (in one implementation, into C that was loaded by an openresty+lua driver every config-change) so that the code doesn't waste any time asking the database over and over for the same key that probably hasn't changed.

Erlang is also a good choice for adtech people, because it has this cluster-wide messaging, hot code reloading (good for config!), a built-in binary log (disk_log) with replication capabilities, and an in-memory database (mnesia) that is good for generating reports out of.
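
The merge-and-deduplicate step described in the comment above, as an added example that is not from the thread or from any commenter's system: per-collector logs, each already ordered by time, are merged into one stream and client retries are dropped when the same event id reappears within a window. The event shape (`id`, `ts` in milliseconds), the window size and the sample logs are assumptions.

```javascript
// Added example: merge per-collector event logs and drop client retries.
// Each stream must already be sorted by ts (as an append-only log is).
function mergeDedup(streams, windowMs) {
  const pos = streams.map(() => 0); // read cursor per stream
  const seen = new Map();           // event id -> ts when first accepted
  const order = [];                 // accepted ids in time order, for eviction
  let oldest = 0;                   // index into order of the oldest live id
  const out = [];

  for (;;) {
    // Pick the stream whose next event has the smallest timestamp.
    let pick = -1;
    for (let i = 0; i < streams.length; i++) {
      if (pos[i] >= streams[i].length) continue;
      if (pick < 0 || streams[i][pos[i]].ts < streams[pick][pos[pick]].ts) pick = i;
    }
    if (pick < 0) break; // every stream is exhausted
    const ev = streams[pick][pos[pick]++];

    // Forget ids that have fallen out of the window, so memory stays bounded.
    while (oldest < order.length && seen.get(order[oldest]) < ev.ts - windowMs) {
      seen.delete(order[oldest]);
      oldest++;
    }

    if (seen.has(ev.id)) continue; // retry of an event already counted
    seen.set(ev.id, ev.ts);
    order.push(ev.id);
    out.push(ev);
  }
  return out;
}

// Constructed sample logs from two collectors; "imp-a" was retried by the
// client and landed on both, then the id shows up again much later.
const COLLECTOR_1 = [{ id: 'imp-a', ts: 1000 }, { id: 'imp-b', ts: 1500 }];
const COLLECTOR_2 = [
  { id: 'imp-a', ts: 1200 },
  { id: 'imp-c', ts: 1600 },
  { id: 'imp-a', ts: 9000 },
];

console.log(mergeDedup([COLLECTOR_1, COLLECTOR_2], 5000).map((e) => `${e.id}@${e.ts}`));
```

An id seen again after the window has passed is counted as a new event, which is the trade-off of windowed deduplication: the window has to be longer than the slowest client retry.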


Thanks for sharing!

Do the ads wobble like that live?

No wobble, juggle, jumping in the live version. I'll remove the animation now. haha

Fan of Puff, puff, pass?

Tiny bit of feedback: I recommend changing the word "blacklist" to "denylist".

Is there a difference between the two?

Alternatively, "blocklist"


