In this particular case, I suspect a trademark complaint against Google would make sense.
Google misrepresented the ad as the product of the Gimp project, and were paid as a result. They usually use an "obeying the law would not scale" type argument in court, but that would clearly be bullshit in this case. They have a business relationship with the ad buyer, and should have verified their affiliation with gimp.org. Also, a simple string match on the URL would expose the attempted fraud on Google's end.
I'm not sure how to check if Gimp is a registered trademark in the US. This page kind of implies it might be (or that the author of the page does not understand trademarks):
Having the actual url be completely different from the displayed url simply shouldn't be possible. Allowing that invites scams like these. At the very least, they need to be the same domain.
Redditor RawPacket writes[1] that it's probably an IDN homograph attack[2]:
the g, i, m, or p are replaced with characters from a different character set. Looks right, but the domain is registered with a different character.
Example:
* gіmp.com is fake.
* gimp.com is real.
They look the same, don't they? But if you click on the fake gіmp.com, your browser will take you to the domain xn--gmp-jhd.com as it is using the і from the Cyrillic character set.
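A constructed check of the homograph explanation above (added here; not code from the Reddit post or the GIMP project): it flags labels that mix scripts and shows the punycode form a browser actually resolves, with the plain-ASCII look-alike from later in the thread for contrast. The script lookup from Unicode character names is a heuristic, and a label written entirely in one non-Latin script would pass it.

```python
import unicodedata

# Constructed samples: the first label carries Cyrillic U+0456 in place of
# Latin "i", the second is the genuine ASCII name, the third is the plain-ASCII
# look-alike domain reported in this thread.
SAMPLES = ["g\u0456mp.com", "gimp.com", "gilimp.org"]


def script_of(ch: str) -> str:
    """Heuristic script lookup from the Unicode character name, e.g.
    'CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I' -> 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def mixed_script_labels(host: str) -> list:
    """Return the DNS labels of `host` whose letters come from more than one script.
    Digits and hyphens are ignored; a label that is entirely Cyrillic is NOT flagged,
    so this catches the 'gimp with one swapped letter' case, not whole-script confusables."""
    flagged = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def to_ace(host: str) -> str:
    """Encode an internationalised hostname to the ASCII-compatible (xn--) form
    that is what actually goes on the wire and into the certificate."""
    return host.encode("idna").decode("ascii")


def check_host(host: str) -> dict:
    """Summarise what a defender wants to know about a displayed hostname."""
    return {
        "host": host,
        "ace": to_ace(host),
        "ascii": host.isascii(),
        "mixed_script": mixed_script_labels(host),
    }


if __name__ == "__main__":
    for h in SAMPLES:
        print(check_host(h))
```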
For a moment I was thinking "But then the second screenshot would read 'xn--gmp-jhd.com', not 'gilimp.org'" -- but that would be easily hidden by making the former immediately redirect to the latter.
(Mostly I mention this because someone else might be thinking that as well.)
That's a good theory, but I don't think it's what happened here. The ads are gone for me now so I can't verify, but when I did get the ad I checked the network monitor and I'm pretty sure there were no redirects via lookalike domains. Also, I'm pretty sure I copy and pasted the display URL and it was plain ASCII.
Modern browsers won't show those characters in the address bar, exactly to avoid this issue. Which is maybe why the ad points to gilimp.org instead of the gimp.org lookalike.
They might work for BigCo, but rather than have the ad point to bigco.com/product they instead have the ad point to tinyurl/bitly so they can track how many people click the ad and repoint it to another URL easily.
There is a whole industry of these redirection services that gather stats, direct users different directions based on mobile/desktop or country. It isn't rare to bounce a user via a whole chain of them.
To support all those users, ad networks have to allow the apparent URL and actual link target to differ.
No, ad networks don't have to allow any of that. And they shouldn't. Ad buyers should either not track, or do it properly. Demanding massive security holes because you can't be bothered to learn the right way to do it is unreasonable.
If google gave a shit (obviously they don't) they could whitelist a few tinyurl/bitly/etc sites then follow those redirects themselves to verify they eventually landed on the displayed domain.
It's a "feature". So you can link to blafoo.advertisinganalytics.com/weird-looking?tracking=link but what the user sees looks like normal and "safe" brand.com
It may be true, but why a judge or jury would accept it as justification is beyond me. "My business model requires me to break the law." is a condemnation of the business model, not a justification.
The problem is that the legal system is flawed in such a way that the wronged parties rarely have the time & resources needed to actually put the issue in front of a judge. If it actually does get in front of a judge (in reality it would get settled out of court if it actually gets anywhere close) I would indeed expect their argument to fall apart.
This is something that ideally the government (its consumer protection branches like the FTC) should be policing proactively, filing suits preemptively against systems that are trivially exploitable.
Definitely agreed. I think it also stems from laws that define explicit and measurable harm as the only types of harm. For false advertising and fraud, it usually requires proving that there was financial harm done as the result of the false statements. Because creating an environment in which fraud is cheap and easy doesn't count as "harm". Because false advertising doesn't count as "harm" in itself, even as it imposes the burden of scrutinizing all claims from previously trustworthy sources.
Because if you tried to actually police this then everything in life would grind to a halt. It would be like expecting the government to deal with every single crime.
It's particularly problematic when a business is providing a platform for other entities to post a message. We don't hold the post office liable for transferring copyrighted/trademarked content, do we?
This case is more akin to a TV network, since the ad is publicly broadcasted based on what people are watching/reading. It’s not private correspondence.
Now I take a rather dim view of the dmca. But the general concept is to move enforcement of the law out of the normal slow bureaucratic channels. Now enforcement is handled directly by the injured party. Much more efficient.
If you immediately see how ripe for abuse this system is, congratulations, you are now more far-sighted than the originators of this system.
Now to its credit, the DMCA limits the enforcement (I think, I have never read the law) to a formalized version of "if you stop doing it we won't press charges"; however, this is still widely abused.
Internet scale companies like Google happily embrace intellectual property laws when it's their IP on the line, they just don't care about anyone else's. And it's not an issue of "can't scale": Google's ad revenue is bigger than the entire GDP of Kentucky--they could literally hire 1% of the US population to work in fraud management and still turn a profit.
It's absolute BS. If a citizen were to come into a court and were to express the quantity of state and federal laws, those which compete with each other, and beg the court forgiveness based on, "There's so many laws I can't possibly be made to keep track of them not to mention the laws that are no longer actively exercised in courts" they'd laugh at you.
A corporation like Google does it and the court agrees. Corporations are not people in the worst way possible.
Which is also weird, because it is a far better reason for an individual than for a corporation. An individual is limited to their own time and expertise, whereas a corporation is only limited by their willingness to hire additional workers and expertise.
Indeed. Saying: “Obeying the law doesn’t scale.” is an admission of guilt with pre-meditated intent to break the law. I keep hoping the courts will drive that point home at some point.
If you lead with the big ask, you frame the entire conversation around it. One should always start one's argument with question-begging, and disqualify people who don't accept the question begging as not serious about having a discussion.
"The laws are impossible to follow at scale. How do we fix that."
Or as a thinktank feeds it to a speechwriter to a politician: "Our antiquated laws have failed to keep up with the speed of technological development, and are now becoming an active handicap on progress. We need a set of laws that are as forward-thinking as our best selves hope to be, and a set of legislators that are responsive to the energy and creativity of the young while respecting the intelligence and hard-earned wisdom of the old."
If you tried to buy ads claiming to be Google.com but pointing to shadyweb.xyzjsiebsk.net you'd find out real quick that Google's legal ability scales just fine
I think politicians might even be willing to try to do that, but I doubt that regular people would be on board with that. This would most likely involve permitting a lot of things in society that we consider immoral right now (or at least objectionable to some extent).
That's still the exact same dystopian take: complying with the law is too hard for Google so the law should change to the detriment of smaller entities.
There is a whole genre related to this kind of dystopia, cyberpunk. Its predictions from the 1980s and 1990s turn out to be increasingly true, sometimes in the grim parts, too.
Google does not allow trademark infringement in ads [1] and provides tools for trademark owners to prevent their trademarks from being used improperly.
The issue here seems to be that the Gimp team does not have a registered trademark for "Gimp" (at least not in the U.S.). This can be verified at the USPTO website [2].
All ad companies need to respect trademarks and allow opt-out of reserved terms as a first class feature.
It's disgusting that a competitor can buy an ad for your brand on Google, Apple, etc. and place their result before yours. This is especially harmful for new, up-and-coming companies.
I've had competitors buy ads in our name before. It's a shameful tactic.
It's beyond unfair when these monopoly-like ad companies spent hundreds of billions to co-opt the web and personal mobile computing and shackle us to this fate. It's the nightmare Microsoft and AOL once envisioned, yet now it's actually come to pass.
We already pay for domains and trademarks. We shouldn't have to keep paying protection money to defend ourselves when we're already having to jump through the platforms' obtuse rules and pay their outrageous taxes.
Trademarks should be sacred, and no company should be able to profit off of yours.
> Also, a simple string match on the URL would expose the attempted fraud on Google's end.
I feel like your general argument is proving too much: Google clearly indicated this is an Ad, and you couldn’t reasonably hold Google or any other publisher of ads responsible for every claim made in every ad. However, I agree that the domain part is troubling, and even seems like a potentially misleading representation by Google — I’m surprised you’re able to set this arbitrarily. However, as discussed in a thread below, maybe you can’t and this is exploiting an open redirect in gimp.org? I think some details would be needed before you can jump to assigning blame so quickly.
This simply ends advertising, and publishing generally. I’m not saying that gross negligence is okay, but I don’t think verifying every claim is a reasonable standard (it would be impossible).
How can anyone argue against blocking ads when this argument is used literally in court as explanation for why they are unable to police the ads they're putting on their own platform?
GIMP is not a registered trademark anywhere in the world. Unfortunately. Which made it possible for a number of scammers to be really bold (and be punished in the end, on one of the occasions).
Turns out uBlock Origin is the best anti-malware software there is. For some reason friends and family just don't seem to get malware anymore after I installed it on their browsers.
As soon as you realize how much of Google's bottom line is scam and malware distribution, it becomes really hard to view the company as anything but crooks.
Google's other big line of business is shaking down businesses for cash by selling the top result for someone's own brand name unless they're paid for protection.
Even if ads were 100% legit verified links, they would still be scams. Advertising is inherently untrustworthy. Why do people trust anything a corporation says about their own products? In the best case scenario, they're highlighting the pros and omitting the cons. Usually they're just straight up lying.
I want real opinions written by real people with no conflict of interest. People who aren't getting paid by the corporation.
Advertising is not meant to be educational, it's meant to make you aware the product exists. Of course you don't have to trust what the company is saying, but now you know their product exists and what it does. If it was something you were looking for, you can now research it and ask for opinions.
Advertising is manipulative by its very nature. Being made aware that it exists is manipulative in a somewhat forgivable way, but often the words and message are intended to motivate people with various forms of emotional manipulation.
Advertising is pretty gross.
And maybe that wasn't always the case, and maybe it's also using advertising in place of another word, but that's where it's ended up in my understanding of the world.
It's become lifestyle sales: if you buy this, you'll be this. They use that technique just about everywhere now. Used to be just cars and fashion. Like someone else said, emotional manipulation, narcissistic [my add].
Most people don't think with logic, but with emotions, so they're easy targets. Which makes me sad, because frankly no one deserves to get scammed and lied to.
I'm the type of person to appreciate direct and frank discussion. Many don't like this, especially people having power ambitions.
I agree, but the fact that even if you hold the view that ads are beneficial to society, Google is still a bad actor and a net negative to all of us, is particularly noteworthy. We all pay for Google via folks paying ransoms and other scams, having to indirectly pay for high ad budgets every company has to pay off Google to avoid their own search result being squatted by a competitor, etc. There is no company on the planet that the world would benefit more from being shut down.
But the incentives for advertising remain the same, so another similar competitor with similar evilness would emerge to replace them.
I don’t believe the problem is “Google is evil”.
I think the problem is that the incentives create evil, and there is little effective effort (that I have seen) to fix Google’s incentives through legislation or other means.
I worry that many other major companies we interact with are heading down the same path.
TVs are one canary warning us.
Another example: Apple seems to be getting keener on advertising revenue, and I’m not sure that opposing incentives (within Apple or by their customers) are strong enough to overcome the financial temptation. That temptation leads to eventual sin (to use a religious metaphor!) Apple already commits egregious harm through many kinds of “free” apps.
A large chunk of this website's user base is working for ad companies like Google or Facebook. Another large chunk earns money from putting those ads on their apps.
> Linking to company websites so people looking to buy stuff that company makes can find it is a scam, because company websites are biased in favour of that company
This isn't a faithful interpretation of the argument. Most people don't use Google to look for things to buy. They use it to find accurate information.
Most people clicking on a link to a company website - ads or otherwise - do so because they want to hear what that company has to say about themselves and their products, not because their childlike grasp of the world makes them expect every result to provide utterly impartial information.
I wasn't even talking about paid links specifically. It's advertising in general that's the problem. Call me a child all you want, I don't care. The simple fact remains that they have an inherent conflict of interest. It's not an absurd argument at all. People who want to sell you something have every incentive to distort the truth and only fools believe them.
It's actually just my opinion. I'll even say it again: advertising is inherently untrustworthy, a nuisance and of negative value to society. I think it should be illegal.
If you think I'm trolling, report me. If dang tells me to stop, I will respect his decision. Don't accuse me of "baiting" otherwise. This isn't 4chan.
Oh it gets worse: Google has the gall to position themselves as the authority on malware on the web [0], which they of course do with the same dedication to quality and support that they are known for in their other offerings. So they distribute malware themselves while defaming others with accusations of distributing malware.
I put PiHole on a Raspberry Pi as the home's DNS and every time it blocks these links. I still click on them thinking they're taking me to the correct site, but then I realized PiHole "saved me". I configured my wife's computers to use the Pi too and she loves it.
Of course, back then you could just disable JavaScript in your web browser to protect yourself from malicious sites and annoyances, and practically all sites would work perfectly fine.
I think people are missing the actual issue here. Google used to have a clear distinction between what's an ad and what is organic.
In these screenshots you have to pay good attention to see the top result is an ad.
To keep their conversion numbers up they had to constantly reduce the difference between the ads and everything else. The fact that they can do this and we are so used to it that we don't first identify that as the culprit is quite interesting.
I have run a few Google ads in recent years and the people who come through them, some of them, clearly have no idea that they have clicked on an ad. This might be good for business but I think it does more harm overall.
I see people do that all the time - inadvertently click an ad because it's one of the first few results that pop up. Not only that, the number of ads shown before the real result has increased too! Just the other day, my boss did a Google search for a common product and was shown at least FIVE ads before the first real result and had to scroll to see that result. I remember the days when you would see one or two ads and the real result as the first thing you saw after a search, not seeing only ads until you scroll down.
It's not enough. I used to always skip the ad of the canonical site I was looking for to avoid incurring them a cost when I knew what I was searching for.
But it's often no longer possible. The actual search result you want is the ad and the link is no longer duplicated in the organic search results.
They used to have a yellow background, then a blue button with white "advertisement" text in it, and it just got more and more subtle over the years. Now it's two characters of text.
The actual issue for me is Google allowing an ad to say gimp.com that is not gimp.com. Even if you see it's an ad and are interested, you are now at risk on Google.
The ad's ID is DChcSEwiPvfuL-YX7AhVmkmYCHUXQC1wYABAAGgJzbQ (displayed when reporting it), the display URL is https://www.gimp.org/ and the final location after clicking the ad is https[:]//gilimp[.]org/ (with no intermediate redirects via gimp.org).
The Reddit user says the ad's display URL was different from landing page URL. If that's the case it is particularly concerning. I believe Google Ads only allows the advertiser to set the path component of the display URL, and takes the domain from the landing page (real) URL; so it's unclear how the mismatch could happen.
Maybe the Reddit user took the screenshot on a separate occasion from when they clicked the malicious link, and the ad changed in that time (currently I can see an ad for GIMP, and it links to the official domain, and the linked Twitter thread linked by @pmoriarty says the attacker is actively changing things). The only other explanation I can think of is that the official GIMP website has an open redirect vulnerability.
Yeah Google Ads lies about the destination URL, it always has. Which is why the correct choice is to consider Google Ad links malicious by default. There's actually no way to be sure where clicking them will send you, and tons of fraudsters have put scam ads with the official legit domain listed.
I've seen both Amazon and Best Buy URLs on scam ads.
The entire hijacking of URLs needs to stop. It is destroying the web. From Safari hiding the full path in the browser in the name of "minimalism" to AMP and all the other bullshit.
URLs are sacred. Please don't fuck with them. Please.
> From Safari hiding the full path in the browser in the name of "minimalism"
That was never the intent of hiding the path, it was and is to help users identify what a site’s domain actually is. To distinguish malicious sites with recognizable domain-like strings in/overlapping their paths as well as malicious sites with recognizable domains as subdomains. It’s not a panacea, but it’s effective. Chrome (and IIRC Firefox) also experimented with similar approaches before ultimately splitting the difference with higher contrast text for the domain.
Just to avoid any confusion, the issue here is that the URL displayed in the ad (and also when hovering over it) has a different domain from the page the user lands on when they actually click the ad. It's not about whether the advertiser owns the domain.
That's what I thought too, but I managed to get the malicious ad and confirmed that it's a destination mismatch in Google Ads rather than an open redirect (no requests to gimp.org in the network monitor).
I had to search for "gimp.org" to get the ad to be the first result; just searching "gimp" doesn't return the ad.
The scam ad says "gimp.org" but if you follow it, the landing page is hosted at gimp.monster. It's a clone of the proper gimp.org with the download instead pointing to who-knows-what .exe on Dropbox.
WHOIS gimp.monster has WHOIS-guard, but the Icelandic "privacy" address turns up a bunch of Reddit links about scam sites. Namecheap is the common thread, but that's hardly a lead.
IMO checksums more or less offer a false sense of security for users if they're stored/shared on the same page/domain as the download, since it'd be trivial for a bad actor to change them if the files are compromised.
OpenPGP signing keys have similar problems. Web of Trust is useless if you don't know any developers to begin with, dates on public keys can be forged, and false signatures can be forged by creating a large number of other false keys. False keys can be made more misleading using 32-bit short Key ID collision (and don't blame OpenPGP for this, OpenPGP is notorious for its complexity but at least it tried, meanwhile alternative tools like OpenBSD's signify do not attempt to address this problem - these tools of course are simpler).
Surprisingly, I think no attacker has ever forged an OpenPGP signature in a real-world security incident, likely because there's a lack of overlap between crypto nerds and crackers.
Though, public keys do not change often and leave somewhat of an "audit trail". I usually search the key fingerprint on the web to see if it has been mentioned elsewhere as a quick check. Some projects store signing keys in an official upstream git repository. It's somewhat of a higher guarantee, but one can still create a false upstream page for phishing... But I guess it's too much of an effort so nobody has tried to do this, yet.
Thankfully, for distro users, it's only something for packagers to worry about; end users always receive verified packages via the distro package manager.
The big advantage of an OpenPGP signature over a checksum/hash is that you only have to verify the identity once. The identity can be used to verify the signatures of an unlimited number of files. That is as opposed to requiring each file to have a separate checksum/hash. Much more opportunity for deception on the smaller scale.
A perhaps less appreciated advantage is that in practice the identities are stored offline with each entity that will be verifying the signatures. So an attacker has to justify the use of the new identity to what would normally be a large number of entities. That might explain why that sort of attack is so rare.
A hash method would quickly run out of disk space before it could be used to verify every single file. Hence hashed b-tree for xfs (or is it jfs? I forget), and stuff like that.
A verify once used many times method is more efficient on a large scale.
I'm no maths expert, heck i don't even know calculus.
> Surprisingly, I think no attacker has ever forged an OpenPGP signature in a real-world security incident, likely because there's a lack of overlap between crypto nerds and crackers.
I suspect in the real world almost nobody validates PGP keys of software downloads manually. They might do it automatically (for example via a Linux package manager), which a fake key wouldn't fool. Thus, faking the key isn't necessary because 99% of users that could be fooled won't bother checking.
> it'd be trivial for a bad actor to change them if the files are compromised.
But it's trivial for responsible members of an organization to set up a continuous, automated verification of the checksums listed on a web page. It wouldn't be practical to do that with the ISOs, directly.
Of course if the organization is lazy or incompetent, and chooses not to do so, then they have only themselves to blame. But if you fail to compare your downloaded files to the listed checksums, that's all on you.
My solution to this when designing Homebrew’s binary packages was to store the checksums for the binaries in Git but the binaries themselves elsewhere (inspired by Homebrew already storing source checksums in Git).
On Homebrew, therefore, you’d have to compromise both the binaries and the Git repository.
These are both nowadays on GitHub but the binaries in GitHub Packages are addressed by their checksum and the Git repository has a good audit log.
Put the checksums in a separate system such as the DNS. Use DNSSEC on your domains. Manage your DNS system as an isolated system (don't mix your HTTP/Email/Other stuff with your DNS provider). Now, users may verify the downloads you provide at your website by getting checksums from the DNS.
In particular, it's crazy that I can't just stick a public key for my email address in the DNS record for my domain, and have email auto E2E encrypt to it.
(No, that wouldn't scale for gmail, but they could do a two level thing, where the gmail key signs the public key for each mailbox -- assuming people bothered to set up their own keys, or that gmail just silently opted them in to server side encryption.)
Remind me why Google even allows ads in rank 1 on brand terms? I remember when "don't be evil" Google would talk about how ads are in a different color on the right sidebar.
Not only do they allow it, they actively encourage it. They tell businesses that it's really important to buy ad space on searches for your own brand name so that a competitor doesn't.
The way they say it really comes off like a protection racket. "Nice number one spot for searches for your brand name you have there, would be a shame if anything were to happen to it."
They make people feel better about it by giving a steep discount over normal ads, but that doesn't make it less of a racket.
Experienced this as someone doing ads for SMBs. The Google advisers call and, after messing up the configs for your campaign (to your disadvantage, that is), they advise you to include your brand name as a keyword. No matter that 3 out of 3 top results are already for your company.
I don't think that someone could actually use your brand name and get away with it long-term (though, short-term, as the original post evidences, isn't guaranteed) but a competitor can absolutely buy ad space trying to steal your customers.
Like, if you search for "Nike" and Nike hasn't bought the branded ad space, you might get an ad for Adidas as the top result, with Nike's homepage the fourth item in the list.
This is a particularly egregious case, I've never seen a fake domain slip through like that before.
However, I have reported dozens of phishing sites for the company I worked for. The phisher would simply buy ads for $BRANDNAME and create a convincingly similar site and phish users. I would report the website to "safebrowsing" and report the ad. Typically it would take 1 to 3 days for the website and/or ad to be removed, which would give them enough time to do countless damage. Then they would simply register a new domain, and repeat.
At some point the only thing you can do is outbid phishing sites for your own brandname?!
It's a shame google can not self-regulate such evil behavior, but it's clear that it should be illegal for google to allow people to buy ads on brandname searches.
Why is this allowed? I know Google will do anything for money, but why is Google allowed to signpost a link to gimp.org which actually takes you to g--imp.org (sanitised)?
I mean, if nothing else, how do they not share the liability for damages done by the spyware they're literally promoting? For the businesses squatting on the names of more notable ones? AdWords goes too far.
The point is that Google should not be allowed to let those malicious ads through and be held accountable for the damages, both to the GIMP project in this case as well as to whoever may have clicked on the malicious link and installed the malware.
Ban? They shouldn't need to look for bad actors or ban anyone†, they just shouldn't let people spoof the domain on an advert. At all.
What's happening is Google would rather accept the cash up front and keep it if and when someone reports an ad. No forethought is given to people tricked by this.
† Obvious exception for unicode squatters but even they should be filtered out entirely automatically. Invisible or misleading characters in your domain should be automatically blocked.
That is a lot of red but don't be fooled - it doesn't actually say anything. Those are mostly generic machine-learning results which are prone to false positives which neither the AV vendors nor the operator of VirusTotal (surprise: it's Google again) care to do anything about.
Of course whoever went to the trouble to create the scam sites and ads probably also did modify the executables in some malicious way.
Well, it just took me to "giipm.org", a remarkable 10 hours after this was originally posted. It shows "gimp.org" in the status bar when I highlight it with the mouse, but of course "copy link address" just gets a link going through www.googleadservices.com/pagead/ with some long hashes at the end.
It looks like the Dropbox file at least 404s now. IDK if that is the attacker bailing out or Dropbox actually doing something faster even though it arguably didn't do anything wrong. But Google, the enabler is still sitting on its hands.
Scammers also create ads with fake support contact phone numbers for businesses. People call the scammers and they act like the company and run their scam.
Google also allows many deceptive AdSense ads, I constantly have to block ads that run on my website that are nothing but a big "Download Now" button which lead to some malware.
Another variation is for scammers to update the number on google maps to their premium number. Calling it still forwards to the real call center. You can often spot people complaining about a free call to X org costing them hundreds of dollars in google reviews of the company.
Reported to Google, for whatever that's worth. Currently (12:42 Eastern, 29 October) the ad is #1 hit and links to www...giimp...org which further links to some very sketchy looking downloads off the discord CDN.
I've been using Bing for a year now. Not perfect, but 1) never seen something like this on it and 2) if Google feels less like an invincible monopolist, perhaps they'll have some incentive to provide an acceptable service.
It's just a setting in Google AdWords. The display URL and target URL are not related. You can also play tricks like a "tracking URL template", which is a URL that can be on another domain and receives the "target URL" as a parameter. It is expected to redirect to the correct URL; of course, nothing enforces this other than a manual review.
I can't believe that Google allows this but tracking is clearly more important to them than user security.
I don't have as much a problem with them hiding the display url, but what shocks me is how it also masks the URL in the status bar. If I can right-click and copy the correct URL, then why isn't Chrome* showing me that URL down below?
*Yeah, I know, I kind of answered my own question. So I guess it's rhetorical, and less shocking in retrospect.
They should not allow this. At the very least, the actual and the displayed url need to be on the same domain, and preferably the displayed url needs to be a substring of the actual url. That way they can still pass parameters for all sorts of statistics.
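As an added example (not code from the thread or from Google), a Python checker for the rule proposed above: display and actual URL must share a registrable domain, and the displayed host must be the actual host or a parent of it so tracking parameters and subdomains still work. It also flags IDN/punycode hosts and checks that a tracking URL template of the kind described earlier in the thread embeds the target URL verbatim. The registrable-domain logic is a simplified assumption (last two labels, no Public Suffix List); the hostnames gimp.org, giipm.org and xn--gmp-jhd.com appear in the thread, while track.example.net is a constructed sample.

```python
"""Added example (not Google's code): consistency check between an ad's
display URL, its actual target URL and an optional tracking URL template."""
from urllib.parse import urlsplit, parse_qs


def _host(url: str) -> str:
    """Lowercase hostname; a bare 'gimp.org' is treated as https://gimp.org."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1 (last two labels). Assumption: a real checker would
    consult the Public Suffix List so that e.g. co.uk is handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_ad_urls(display_url, target_url, tracking_template=None):
    """Return (ok, reasons); ok is False when the ad would mislead the user."""
    reasons = []
    d_host, t_host = _host(display_url), _host(target_url)
    # IDN homograph defence: punycode or non-ASCII labels go to manual review.
    for label, host in (("display", d_host), ("target", t_host)):
        if "xn--" in host or not host.isascii():
            reasons.append(f"{label} host uses IDN/punycode: {host}")
    # Rule 1: both hosts must share a registrable domain.
    if registrable_domain(d_host) != registrable_domain(t_host):
        reasons.append(f"domain mismatch: shown {d_host}, goes to {t_host}")
    # Rule 2: the displayed host must be the target host or a parent of it
    # (gimp.org shown, www.gimp.org/...?utm_source=... actually opened).
    elif not (t_host == d_host or t_host.endswith("." + d_host)):
        reasons.append(f"display host {d_host} is not a suffix of {t_host}")
    # A tracking template must carry the target URL verbatim as a query
    # parameter; whether it really redirects there cannot be verified offline.
    if tracking_template is not None:
        query = parse_qs(urlsplit(tracking_template).query)
        values = [v for vs in query.values() for v in vs]
        if target_url not in values:
            reasons.append("tracking template does not embed the target URL")
    return (not reasons, reasons)
```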
Kind of wild they don't require domain ownership proof in this case though, if I'm displaying one domain but actually linking to another, I should need to prove I own the original domain
This has been happening to a smaller project I am affiliated with for years. You can report it to Google - typically they ignore the reports. Occasionally they'll remove the offending ad, but they are just replaced with more ads the following day. I don't think it's preventable.
This is outrageous. We need to find a way to stop Google. Google invades our privacy. Google holds us hostage for more money. Now this? When is enough enough?
Easier said than done. It seems like 40 percent of sites or better use some sort of Google service. Even if you aren't 'using' Google, you are being used by Google.
Yeah, that's true. But you cannot do much about what a site decides to use. Maybe block every connection to Google servers which may break them. Can also stop using those sites as a protest.
I was able to find this by searching for 'gimp download', and the gimp.org displayed ad redirected to 'gimp dot monster' and looked pretty good otherwise.
This is amazingly frustrating because I've wasted weeks of my life trying to deal with how google usually makes this impossible.
Ad-blocking just shows how "the digital naive divide" evolved without them.
I can't say enough nice things about gl.inet devices, and I switched to a cellular model when ad-blocking on a 4G iPad was too much trouble.
I originally set up a Spitz gl-x750v2, removed the ec25-af LTE module and put it in an external enclosure, and moved it between better-spec'd gl.inet routers to run AdGuard Home.
"Halt" is a good browser on iOS to block all YT ads, but a portable router works well with a dedicated SIM or tethering a phone.
Not to defend Google but this has been against Ad Words terms for as long as I can remember. It’s surprising they found a way to evade auto detection for this.
Oh great, they'll get their account closed and need to make another one to continue scamming people.
How about Google fixes this by displaying the URL that the ad actually goes to?
Of course they don't want to do this because the URL with all of the tracking parameters looks ugly and it would hurt conversion rates. $$$ > user safety.
Terms is just a document Google uses to absolve itself of all responsibility. Look! In this document, which nobody really reads, it says we don't allow this. See? Not our fault that our advertising platform linked you to malware or to scam websites.
The proper response is of course to ignore their excuses and block all advertising unconditionally.
> Most marketing urls have those long ugly urls to tell the advertiser what campaign/source etc you clicked on. So Google lets the advertiser display a fake url for ads.
I expected Google Search ads to be above this. But in retrospect I shouldn't be surprised that ads would lie to you.
Many years ago I found something similar with Firefox. I notified them (they had a legal category for bug reports, if I recall correctly), and they dealt with it quickly.
It's really important to report things like this to the developers and owners of the software.
yeah part of google worship has created common misconceptions like that things that appear in its automatic index are the true answer to whatever question you have in mind (computers can't read minds). "this is the official link for some product" being only one possible question. then there's also the fact that a search engine cannot know the answer to "this is the right link for this software". I miss when search engines were just grep for the web and didn't pretend to be something more
this is a good example of how chicken shit design leads to security vulnerabilities. google probably lets the user post one link and make it lead somewhere else when you click it, as a "UX" feature. in reality it makes phishing much easier. this could have been avoided by not being a chicken shit and making links behave as one would expect, at the cost of 1% of use cases no longer working. the whole idea of treating URLs as a UX object is a misconception anyway, URLs should be opaque bit strings.
> a search engine cannot know the answer to "this is the right link for this software"
You would think keeping a curated list of well-known software projects (and others) would be low-hanging fruit. Instead, it is apparently better to throw money into complicated systems... that can't even catch the most basic form of linkjacking.
> this is a good example of how chicken shit design leads to security vulnerabilities. google probably lets the user post one link and make it lead somewhere else when you click it, as a "UX" feature.
I have always found a bit of subtle arrogance in this kind of thought process. It's like they've never bothered learning the basic functions of the web and how it is meant to work and think they know better than the original creators.
I'm not sure how to check if Gimp is a registered trademark in the US. This page kind of implies it might be (or that the author of the page does not understand trademarks):
https://www.gimp.org/about/selling.html