×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Ad Networks Lay Path To Million-Strong Browser Botnet

Soulskill posted about a year ago | from the your-computer-is-broadcasting-an-ip-address dept.

Botnet 105

jfruh writes "Every day, millions of computers run unvetted, sketchy code in the form of the JavaScript that ad networks send to publishers. Usually, that code just puts an advertiser's banner ad on a web page. But since ad networks and publishers almost never check the code for malicious properties, it can become an attack vector as well. A recent presentation at the Black Hat conference showed how ad networks could be used as unwitting middlemen to create huge, cheap botnets."

Sorry! There are no comments related to the filter you selected.

Disable JavaScript? (0, Redundant)

zippo01 (688802) | about a year ago | (#44431411)

Done.

Re:Disable JavaScript? (1)

Skapare (16644) | about a year ago | (#44431449)

I just block the ad networks.

Yep, that. (5, Informative)

intellitech (1912116) | about a year ago | (#44431457)

Ghostery [wikipedia.org] and Adblock [wikipedia.org] FTW.

Re:Yep, that. (0)

Anonymous Coward | about a year ago | (#44431631)

Did not previously know about Ghostery. Thanks for that one.

Why are we not talking about W8? (-1)

Anonymous Coward | about a year ago | (#44432463)

According to Microsoft's annual 10-K report to the US Securities and Exchange Commission (SEC), published on Tuesday, their total Surface revenue for all of fiscal 2013 amounted to just $853m. That's nearly $50m less than the $900m charge Redmond took when it discounted its remaining Surface RT inventory by $150 per box.

And that's not all. That $900m writedown was related to Surface RT only, but the $853m revenue figure includes sales of Surface RT and Surface Pro combined.

Further down in its 10-K filing, Redmond reports that it upped its sales and marketing budget for the Windows Division in 2013 by a jaw-dropping $1bn, which included an $898m increase in advertising costs "associated primarily with Windows 8 and Surface."

Got that? Microsoft spent more in a single year advertising the Windows 8 and Surface launches than it took in from Surface sales that same year.

And remember, none of this was even spread over an entire calendar year. Microsoft's fiscal 2013 ended on June 30. It launched Windows 8, Windows RT, and Surface RT on October 26, 2012. The Surface Pro launch came later, in February. But whichever way you slice it, Microsoft managed to mow through an $898m marketing budget in just eight calendar months – and consumers still didn't take the bait.

Strangely enough, Slashdot does not consider this news...

Re:Yep, that. (0)

Anonymous Coward | about a year ago | (#44438127)

Yeah, it's made by an ad company and uses the information it gathers to sell to the highest bidder. So thanks for that.

There is a discussion on Reddit where the CEO goes off on some guy for calling them out, it's priceless.

Re:Yep, that. (0)

Anonymous Coward | about a year ago | (#44433001)

Ghostery [wikipedia.org] and Adblock [wikipedia.org] FTW.

You can't leave out NoScript [wikipedia.org] . It's a trinity thing: NoScript, Adblock, and the holy Ghostery.

Re:Yep, that. (1)

Somebody Is Using My (985418) | about a year ago | (#44434195)

Or Abine DoNotTrackMe [abine.com] , which I marginally prefer over Ghostery because the latter is run by the ad networks (of course, I'd prefer an OpenSource alternative...)

NoScript, Perspectives [perspectives-project.org] , Flashblock, BetterPrivacy [mozilla.org] and HTTPS Everywhere [eff.org] round out the package.

And occassionally PrefBar [tuxfamily.org] so I can change my browser UserAgent on the fly, just to mess with 'em...

Agreed, DoNotTrackMe is better. (1)

Burz (138833) | about a year ago | (#44441967)

Its independent and doesn't slow my browser down like Ghostery does. The latter isn't really written with users in mind... its primary purpose is to give the ad industry a 'self-compliance' fig leaf.

Re:Yep, that. (1)

Flere Imsaho (786612) | about a year ago | (#44441487)

Don't forget noscript. Very nice to have when you stumble across a compromised site directly serving malware.

Re:Yep, that. (1)

OdinOdin_ (266277) | about a year ago | (#44441493)

What can Ghostery do that RequestPolicy can not ?

https://www.requestpolicy.com/ [requestpolicy.com]

It Ghostery just targetted as abusers of 1x1 img pixel and tracking cookies ? As RequestPolicy seems to be a generic solution from any information not coming from the target website you are visiting.

Re:Disable JavaScript? (1)

Anonymous Coward | about a year ago | (#44431535)

I just block the ad networks.

If you're a content provider and are concerned about ad blocking hitting your bottom line then you need to be in your ad provider's face about this shit or I don't wanna hear any bitching.

Re:Disable JavaScript? (0)

Anonymous Coward | about a year ago | (#44431557)

Amen. I don't have a problem with supporting content makers and ads per se, but as long as they are an untrusted source and giant security hole, it's adblocker for me.

Re: Disable JavaScript? (1)

Anonymous Coward | about a year ago | (#44432099)

How do you disable Java or 3rd party ads on platforms like iPhone or iPad?

Re: Disable JavaScript? (0)

Anonymous Coward | about a year ago | (#44432391)

Come on, don't be ridiculous.

If you've wasted your money on iJunk, being ripped off by online scammers is a minor irritation by comparison.

Re: Disable JavaScript? (1)

oPless (63249) | about a year ago | (#44432675)

Java isn't support on iDevices.

You must be confusing Java with Javascript. Which ... ... IS NOTHING TO DO WITH JAVA AT ALL.

Please hand in your geek pass to the DHS official and make your way to gitmo. Oh wait. They only do that for leakers...

Re: Disable JavaScript? (0)

Anonymous Coward | about a year ago | (#44433003)

Java isn't support on iDevices.

You must be confusing Java with Javascript. Which ... ... IS NOTHING TO DO WITH JAVA AT ALL.

Please hand in your geek pass to the DHS official and make your way to gitmo. Oh wait. They only do that for leakers...

First they came for the leakers...

Re: Disable JavaScript? (0)

Anonymous Coward | about a year ago | (#44434759)

If you're going to pick on people, HAS not IS.

Re: Disable JavaScript? (0)

Anonymous Coward | about a year ago | (#44438177)

Where you're from maybe... there are many countries with English as their language and they have different grammars. Welcome the the world wide web.

Re:Disable JavaScript? (1)

FatLittleMonkey (1341387) | about a year ago | (#44431849)

If you're a content provider and are concerned about ad blocking hitting your bottom line then you need to stop using ad networks and host your own ads or I don't wanna hear any bitching.

FTFY

It stuns me that media operators who have run their own in-house advertising divisions for their dead-tree versions for decades, suddenly act like one-man amateur blogs for their online versions, needing third-party-hosted ad networks.

Re:Disable JavaScript? (1)

AlphaWolf_HK (692722) | about a year ago | (#44431965)

I think the reason for that is that they aren't just ads anymore - they're collecting intelligence on the visitors. It doesn't work as well when you host the ads on your own, you need a third party to be able to track what pages your visitors are navigating to when they navigate away from your own site (assuming of course the site they navigate to is within the ad provider's network) as the web browser isn't going to allow multiple domains to share information.

It's one thing to show sponsored messages to users, but it's even more profitable to find out what your users want. Self hosted ads aren't as good at the later.

Re:Disable JavaScript? (1)

foniksonik (573572) | about a year ago | (#44433889)

There are three metrics for ads online. Impressions, clicks and conversions. Ad companies get paid for each at different rates.

The ads may read a cookie set previously or will set a cookie using an iframe. It has a beacon gif to log impressions. The destination reads the cookie using an iframe with same domain as prior. It also uses a beacon to log impressions.

The cookie tells the ad network: this user came from campaign id xxxxx. That cookie will also be read again on an order confirmation or any conversion success page (a thanks page for sign up or whatever).

So you have a beacon on the content site (payee) for impressions, a cookie set to track click throughs across domains via a 3rd party iframe and beacons on the destination (payer) to log click throughs and possibly conversions.

The beacons will send back a set of data including the campaign id, user agent info, time stamps, and anything needed by the contract which is provided by the payer, eg If its an affiliate program then the order subtotal (no tax or shipping) will be sent to log a commission. The user agent and and uid are used for analysis and segmentation to do things like a/b testing an offer (will a 5% or 10% discount work better - 5% is often good enough to drive traffic and 10% may not convert to higher sales).

Re:Disable JavaScript? (1)

sjames (1099) | about a year ago | (#44443019)

And that is part of why people object to them (other trhan giving you cooties that is). No other medium has had the ability to automatically track people who read the ads and they have done fine. Some tracking for conversions can be done with discount codes or through the url in the ad.

I'll bet if the ad networks are held liable for malware they distribute, they'll suddenly be fine with those limitations.

Re:Disable JavaScript? (1)

CheshireDragon (1183095) | about a year ago | (#44431649)

adblock plus? done :/

Re:Disable JavaScript? (0)

Anonymous Coward | about a year ago | (#44431953)

Unless you're using the next Firefox. Then you don't.

Question from the less tech-y (1)

Camael (1048726) | about a year ago | (#44432057)

From TFA:-

“Basically, when a web browser goes to a page, that page can force the browser to do whatever it wants – make web connections, download illegal files, attack other Internet sites, make illegal searchers – whatever,” Grossman told me in an interview last week.

Assuming you're using the latest Firefox with Adblock and Noscript, how true is that claim?

Would it, for example, stop the ad network attack vector mentioned in TFA?

I used to assume running Noscript is sufficient protection, but with all the news of exploits floating around, I'm no longer sure.

Re:Disable JavaScript? (1)

UltraZelda64 (2309504) | about a year ago | (#44433527)

1. Disable third-party cookies
2. Install Adblock Plus + Element Hiding Helper
3. Install NoScript
4. Install DoNotTrackMe
5. Turn on the worthless "Do Not Track" header, if only just to further get the point across.
6. Clear cookies if you previously went to sites before disabling them, because you've likely got some Facebook tracking garbage on your machine.

Done.

Re:Disable JavaScript? (0)

Anonymous Coward | about a year ago | (#44436057)

A sandbox comes in handy, for browsing or everything related to temporary files/data.. just have a properly configured base os, then "opt-in" everything you need when running programs in your sandbox, when you've finished, "null" the sandbox, done. Such an environment is simply a fine addition to whatever os you use.

No Script (1)

Anonymous Coward | about a year ago | (#44431429)

For Firefox fans there is an add on called "no script" that prevents Javascript from running automatically. There should be an equivalent for Chrome folks too.

Re:No Script (1)

Anonymous Coward | about a year ago | (#44431485)

For Firefox fans there is an add on called "no script" that prevents Javascript from running automatically. There should be an equivalent for Chrome folks too.

It's called NoScript [noscript.net] .

And there's no "NoScript equivalent" for Chrome folks [informaction.com] , sadly.

Re:No Script (1)

Bigbuzzman (1721282) | about a year ago | (#44432967)

The equivalent on Chrome is "ScriptSafe [google.com] ".

Re:No Script (0)

Anonymous Coward | about a year ago | (#44435433)

Did you actually read his link? ScriptSafe is not functionally equivalent to NoScript.

Re:No Script (3, Interesting)

akeeneye (1788292) | about a year ago | (#44431489)

The equivalent on Chrome is "NotScripts".

So...... (0)

Anonymous Coward | about a year ago | (#44431441)

is this that staticlib.net crap that's been making the rounds lately?

This is nothing new. (0)

Anonymous Coward | about a year ago | (#44431443)

Been happening since the beginning of broadband.

calculations (0)

Anonymous Coward | about a year ago | (#44431479)

I wonder what the cost of doing this would be compared to renting a super-computer time.

Huh? (1)

real-modo (1460457) | about a year ago | (#44431481)

You mean there are other attack vectors, too?

Seems to be the main source of malware... (1)

Anonymous Coward | about a year ago | (#44431517)

From what I've seen, it seems like ad networks are either the main form of malware vector, or at least close to it. It isn't true proof, but I have had no issues with infections when using AdBlock and an add-on blocker (even if it is Chrome's "click to play" item), but if I fire up a VM and go browsing without those utilities... all hell breaks loose. Antivirus utility? Yeah, right. Those are OK for maybe scanning an infected machine's HDD that is mounted on another box. However, rootkits, especially RAM based ones will still be a gotcha.

I see nothing good about ad servers. They are a vector for malware at worst, at best, are a constant source of behavioral tracking and monitoring. At best, they throw a few bucks a month at sites that use them.

I like the idea of a subscription clearinghouse and micropayments, but there are issues of privacy and anonymity to be worked out.

Somewhat scary (1)

mendax (114116) | about a year ago | (#44431519)

Well, it's scary enough to make me want to turn off Javascript (unless I'm running Firefox—and I'm not—and can't turn it off). But Javascript provides to web pages features and abilities that I'd rather like to keep. For example, I love AJAX and how it allows a sufficiently sophisticated browser to do something like what Google did with Gmail. When I first saw Gmail my jaw dropped. "WOW!" I knew then that the thick client's life was limited. But as things get more and more nasty I'm wondering if perhaps the thick clients are not a safer approach for some applications.

Re:Somewhat scary (2)

Splab (574204) | about a year ago | (#44431743)

Thats the reason why I use adblock, I only block the adnetworks, not the local site served stuff.

If site operators want me to view ads, then they bloody well can vet them and host them themselves.

Re:Somewhat scary (3, Insightful)

Opportunist (166417) | about a year ago | (#44431751)

The problem is less that I need all the bells and whistles. The problem is more that a sizable portion of webpages simply doesn't work without its bells and whistles.

Re:Somewhat scary (1)

BenoitRen (998927) | about a year ago | (#44433069)

It's even worse than that. Basic navigation even breaks without JavaScript enabled.

Yesterday I tried visiting the websites of two electronic chain stores (owned by the same parent company) with JavaScript turned off. I couldn't get past their language selection page as the cookie that saves your selection is set by a JavaScript onclick handler!

Bitcoins! (-1)

Anonymous Coward | about a year ago | (#44431543)

Obligatory bitcoin mining comment.

This is why... (1)

klingers48 (968406) | about a year ago | (#44431559)

...I blanket-block all ads. As much as I don't like ads, I'd tolerate them if they had the trust they need to _earn_ to run Javascript/Java/Flash content on my machine.

A whitelist of safe ad servers? (1)

ScottCooperDotNet (929575) | about a year ago | (#44431575)

You trust Oracle Java and Adobe Flash enough to run them on your machine?

Re:A whitelist of safe ad servers? (1)

sqrt(2) (786011) | about a year ago | (#44432081)

I have Java on my machine but it's not exposed to the web. Javascript is enabled on a site by site basis with the default setting being to deny all scripts. Usually sites will at least render well enough to read an article even if the layout is garbled. I can still get the content so that's good enough. None of their ad/tracking scripts get to run, ever. Sites like Slashdot get to run Javascript but right now I look and there are four domains on this page which have their scripts blocked: google-analytics.com, googleadservices.com, rpxnow.com, and doubleclick.com. Three of those are outright blacklisted across the entire internet in my browser.

I'm worried that one day they'll start running ad/tracking scripts from the same domain, then it'll become much harder to allow only some scripts on a page and deny malicious ones (I consider the activity of advertising to be malicious by its nature).

Flash gets to run, but I have a click to play plugin so flash objects don't run by default except on a few sites like Youtube.

Re:A whitelist of safe ad servers? (0)

Anonymous Coward | about a year ago | (#44436079)

:/

Like hell they do (4, Informative)

WD (96061) | about a year ago | (#44431633)

If you care about security, you're running NoScript. And they do not run.

Re:Like hell they do (0)

Anonymous Coward | about a year ago | (#44431793)

Exactly. Why would any sane individual "... run unvetted, sketchy code in the form of the JavaScript that ad networks send"?

Isn't that kind like letting random strangers into your house to do pretty much anything they feel like? Why would somebody do that?

Re:Like hell they do (0)

Anonymous Coward | about a year ago | (#44433883)

Not just strangers.

Would you let someone in your house who is going to use any sales tactics they can to sell you something, all the while taking pictures of the inside of your house, using voice stress level meters on each answer you give them?

Same with ad networks. At best intrusive. At worst, a major security threat.

Re:Like hell they do (-1)

Anonymous Coward | about a year ago | (#44432865)

Yeah, because that is SO effective, when the very sites where this is most likely to happen are the big sites that where you need it to be disabled the most. Sorry, but NoScript never was more than security theater and a way to delude yourself. Which sucks, I know.

Quick side node to shock you: HTML+CSS are actually Turing-complete. ... Yeah... FUCK! ;)

Re:Like hell they do (2, Interesting)

tgd (2822) | about a year ago | (#44433261)

If you care about security, you're running NoScript. And they do not run.

Why bother using the web, then? Most sites won't work with scripting disabled to any usable extent.

If you want to be safe from evil ad networks, just don't use the web. Problem solved.

But saying "just don't do it" in reference to things that the overwhelmingly vast majority of people need or want to do is not solving the problem, and is distracting to the need to actually solve the problem.

Re:Like hell they do (0)

Anonymous Coward | about a year ago | (#44433445)

Apparently you haven't used noscript. You can (temporally) enable scripts from domains. The harmful/irritating/... scripts usually don't come from the site you wish to view but third parties. Enable what you need and enjoy the site. It is sometimes quite disconcerting how many unknown third party domains are listed...

Re:Like hell they do (0)

Anonymous Coward | about a year ago | (#44433511)

For any given value of "most sites"?

I disagree.

Whilst of course YMMV, most sites I use run fine with NoScript and those that don't only require one or two (from lists of upto 20!) domains being whitelisted before it becomes usable.

Re:Like hell they do (1)

tlhIngan (30335) | about a year ago | (#44435475)

Why bother using the web, then? Most sites won't work with scripting disabled to any usable extent.

If you want to be safe from evil ad networks, just don't use the web. Problem solved.

But saying "just don't do it" in reference to things that the overwhelmingly vast majority of people need or want to do is not solving the problem, and is distracting to the need to actually solve the problem.

Most javascript that aren't site related are third-party. So you can allow the site level javascript to run without allowing the evil infected (and most likely from Google*) javascript through.

If it wasn't for the craziness of some websites (eBay, Amazon, Google (and its properties - YouTube, etc), most news sites), you could get a pretty decent experience with enabling first-party only JavaScript. But most sites also seem to need stuff like jquery and the like.

It's why Flash or plugins is a bad idea over HTML5 - you cannot get the same amount of control through the plugin. Like how I can prevent my browser from loading up Google-owned DoubleClick javascript but only through an HTML web page. If the webpage has an embedded Flash object then that flash object can pull in javascript from anywhere, including blocked sites.

* - Remember, Google owns the vast majority of online ad networks out there, and from a branding perspective, you won't see something like "DoubleClick - a Google-owned company", So it would eventually be Google the one serving up the ads via one of their companies.

Re:Like hell they do (1)

Flere Imsaho (786612) | about a year ago | (#44441585)

You teach NoScript which sites you allow scripts to run on, or use the "allow this time" option. It takes a few weeks for it to learn your trusted sites, but once you get in the habit of clicking "allow this time" for one-off visits, it becomes second nature. As is frequently the case, there's a trade-off between usability and security.

NoScript is invaluable when you access a site that's been compromised and is directly serving malware via scripts.

For sites you have allowed in NoScript, filter out marketing-scum-ware with Ghostery and AdBlock. Security is like an Ogre, it has layers. Defense in depth!

Uninformed (1)

Anonymous Coward | about a year ago | (#44431637)

Nice to know BlackHat has finally caught up with 2007 when malvertising was publicly identified as an issue (see https://isc.sans.edu/diary/Malvertising/3727). Strange that people actually working in the anti-malvertising world have never heard of these researcher's work.

I guess we can ignore RiskIQ and Twitters purchase of Dasient. The tens of millions a year spent on prevent malvertising is clearly "nothing". The methods being used might not be as effective as some want, it isn't due to a lack of funding. After 42 years we still can't reliably stop malware.

Re:Uninformed (1)

Opportunist (166417) | about a year ago | (#44431741)

BlackHat ain't what it used to be...

Re:Uninformed (1)

NJRoadfan (1254248) | about a year ago | (#44433601)

What surprises me is that it was publicly identified in 2007. It was a problem for years before that.

good thing (0)

Anonymous Coward | about a year ago | (#44431723)

noscript

not necessarily "broken by design" (0)

Anonymous Coward | about a year ago | (#44431727)

I don't really have much of a problem donating some of my resources to a free web worker pool, as long as it doesn't adversely impact my own use. Some people already do this with various online distributed computing platforms.

As far as "servers being attacked" and "cracking passwords" goes, I think web security is important and will continue to become more so. I guess this might raise costs, but its money well spent if it makes the internet a more secure, robust, free, and useful tool in the long run.

And they're wondering... (4, Insightful)

Opportunist (166417) | about a year ago | (#44431737)

...why we use adblock and noscript, whining that we deprave them of income.

It's not that your ads are obnoxious, albeit even that alone would suffice as a reason. They're dangerous to us.

Re:And they're wondering... (0)

Anonymous Coward | about a year ago | (#44432943)

I use Adblock Plus, No Script and Ghostery. I also look at it this way. When the ad companies start paying for using a portion of my bandwidth... well, that'll never happen.

Re:And they're wondering... (1)

Neil Boekend (1854906) | about a year ago | (#44433477)

They pay for the use you have of the sites. Do you really think Google's servers run on unicorn farts?
Do you pay Google for the electricity for their servers? And their bandwith?

Separate from that crappy scrips are not required to display an ad. Noscript is necessary and sufficient to prevent what the article is talking about.
Adblock isn't required and could be considered theft. If you don't want the site owner to be paid for the service he provides you then you can always choose not to use that site. Using the site but preventing them from getting paid is dodgy at best IMHO.

Re:And they're wondering... (1)

JazzLad (935151) | about a year ago | (#44434945)

Do you ever go to the bathroom during the commercials of a TV show? Because, you know, that's dodgy at best & could be considered theft.

Re:And they're wondering... (1)

John Bokma (834313) | about a year ago | (#44437625)

The people who have a bathroom break during each and every TV commercial are non-existent. The people who read each and every ad on each and every web page are non-existent.

Re:And they're wondering... (1)

JazzLad (935151) | about a year ago | (#44438225)

So where is the line in the sand? It's ok to mute commercials and go get a bite to eat, but using a DVR to skip is stealing? Skipping w/ DVR is no different than adblock.

Re:And they're wondering... (1)

John Bokma (834313) | about a year ago | (#44438835)

Yes, I think it's OK to go to the bathroom during commercials, or prepare some food for the same reason I think it's OK to turn a page and not read an ad or not scroll all the way down to read all ads on a web page.

Where to draw the line? No matter were it's drawn there will be always people who consider it their right to block each and every ad. Like there are people who think it's OK to have a dog barking the whole day in their backyard while they are at work, etc.

Re:And they're wondering... (0)

Anonymous Coward | about a year ago | (#44439465)

Dude, you got issues if you think blocking ads is the same as a dog barking outside all day ... my guess is you've got a crappy webpage with declining ad revenue.

Re:And they're wondering... (0)

Anonymous Coward | about a year ago | (#44436241)

Go to hell, I'll paste a past post of mine because I'm tired of giving your type the glory of a response.

-------

I'm a developer who writes free "apps". The developers who think that their website, program, or whatever is a privilege and deserves to advert the hell out of people for viewing it are the real ignorant ones. Add a donation link, if you don't like that route then remove your website or program from the internet while users find a better alternative not written by arrogant people. I prefer you didn't use stupid generalizations and say that all free programs earn money by tracking/ads. The programs written by shortsighted people are like that, perhaps.

Your website or program is not an awesome epitome of software. It's a tool that people may or may not use depending on their whims. If you don't want people using your stuff for free, don't make it free in the first place.

Re:And they're wondering... (0)

Anonymous Coward | about a year ago | (#44438141)

What about the poor advertisers. If they are paying per impression and i have no intention of buying the product it seems like theft to make they pay for a potential sale they will never see. If they are paying per click then since I'm not going to ever click an ad except by accident it seems like theft to make the advertises pay for my mis-click, and if i don't click the ad at all then its pointless to see the ad since no one has lost money.

Re:And they're wondering... (1)

HybridST (894157) | about a year ago | (#44434159)

For now adblock and noscript work well enough. What about after the other side develops NoBlock and AdScript?

Soo (0)

Anonymous Coward | about a year ago | (#44431765)

Massive class action?

The author is lying (4, Informative)

SpicyBrownMustard (1105799) | about a year ago | (#44431785)

I've worked with several ad networks, on a number of issues, and can say with absolute confidence that the author has no concept of how the technology actually works, which results in an outright lie in his thread-starter.

The JavaScript code originates with the ad delivery platform (DoubleClick, OpenX, 24/7, etc.), sometimes outsourced to the ad networks -- DoubleClick is a white label delivery platform for many ad networks. The JavaScript is tightly controlled and constantly subject to real-time auditing by several providers such as The Media Trust. The advertisers simply provide the assets -- the banner creative -- that is delivered by the ad network, optimization systems, and ad delivery platforms.

Currently, yes, it all sucks and is why we have had blockers, but is also the only option to monetize free content -- for now.

Re:The author is lying (1)

mrbester (200927) | about a year ago | (#44431981)

Audited by whom? Not developers with any care or consideration to best practises and standards. Or are you seriously suggesting that document.write and blocking code is just fine?

Re:The author is lying (1)

gishzida (591028) | about a year ago | (#44432129)

From your comment I'd say you have no clue how the ad networks are being used as a malware delivery system and since any number of the readers here have already attested "mouse over" attacks do exist....What I am hearing you say the ad networks have done absolutely nothing to prevent their networks being used as an attack vector... say something like vetting the URLs provided for the "banners"... I can tell you that at least 6 years ago I had a "mouse over" attack from a banner served on TheRegister.co.uk... talk about biting the hand that feeds IT!

On the other hand since installing ad block plus and NoScript on the systems on my network I have not had one single pop-up malware attack or other browser related malware / trapdoor / ransomware infection... Script blocking add-ons seem to be the only protection against the ad networks failure to keep virus free advertizing.

Re:The author is lying (2)

Dynamoo (527749) | about a year ago | (#44432431)

The assertion that ad networks do not check code is certainly untrue overall. But some networks check code more closely than others, and the bad guys use all sorts of techniques to evade detection (geotargetting, for example, or changing the behaviour of the ad when it is being examined on the ad network's own IP range). The lengths some bad actors go to are impressive, and be in no doubt that there is a state of war between most ad networks and the bad guys.

However, it is true that certain ad networks do very minimal checking or even seem to be in league with malware pushers. But publishers soon drop ad networks like this and they end up being relegated to the scummy tier of publishers only.

Oh.. it's hardly new anyway. Here's a report from 2004. [theregister.co.uk]

Re:The author is lying (1)

zwei2stein (782480) | about a year ago | (#44432949)

The only option?

Hardly.

You can accept donations. You can have freemiums. You can offer merchandise.

Re:The author is lying (0)

Anonymous Coward | about a year ago | (#44432977)

BULLSHIT.

1. There is no such thing as "free content" with ads. When it has ads, IT IS NOT FREE ANYMORE. It costs the most valuable thing I have: The freedom to think my own thoughts! You should read up on "mirror neurons" (the ability to put yourself in the shoes of others) and how the primitive parts of the brain can't tell the difference between imagination (like ads) and reality. But working in advertisement, you must already know that, and use the other thing everybody in advertisement is an expert in: Lying.

2. If your website got something of *actual value* (=not abundantly available for free everywhere else), then you can *always* do the same thing every other *service-based business (model)* is doing: You ask a fair price for it in *advance*. If the only way to "monetize" your site is via advertising, then you have to face the fact that YOUR HAVE NOTHING OF ANY WORTH TO OFFER WHATSOEVER! In that case, please just go bankrupt, and quit ripping us off with your meaningless worthless shit. And most of all: Quit bitching about it!

Re:The author is lying (1)

RabidReindeer (2625839) | about a year ago | (#44433037)

BULLSHIT.

1. There is no such thing as "free content" with ads. When it has ads, IT IS NOT FREE ANYMORE. It costs the most valuable thing I have: The freedom to think my own thoughts! You should read up on "mirror neurons" (the ability to put yourself in the shoes of others) and how the primitive parts of the brain can't tell the difference between imagination (like ads) and reality. But working in advertisement, you must already know that, and use the other thing everybody in advertisement is an expert in: Lying.

2. If your website got something of *actual value* (=not abundantly available for free everywhere else), then you can *always* do the same thing every other *service-based business (model)* is doing: You ask a fair price for it in *advance*. If the only way to "monetize" your site is via advertising, then you have to face the fact that YOUR HAVE NOTHING OF ANY WORTH TO OFFER WHATSOEVER! In that case, please just go bankrupt, and quit ripping us off with your meaningless worthless shit. And most of all: Quit bitching about it!

Get over yourself. This is the 21st Century. Lower Prices Every Day. Information wants to be Free.

Unless you have a very vertical product where you have limited competition, people are not going to pay to visit your site. You local ISPs and utility companies haven't got the memo yet, so they still expect to get paid, and they do have limited competition. Ergo, ads.

Re:The author is lying (0)

Anonymous Coward | about a year ago | (#44436515)

Unless you have a very vertical product where you have limited competition, people are not going to pay to visit your site.

So you have to ask yourself, punk, is your web site really worth anything to the world at all? If not, do the world a favor and shut it down. If you're just running the web site for ego boost, then suck it down and pay for it out of your own pocket.

Re:The author is lying (0)

Anonymous Coward | about a year ago | (#44434217)

f-f-f-faggot

Re:The author is lying (0)

Anonymous Coward | about a year ago | (#44436461)

but is also the only option to monetize free content

Aside from this being a flat out lie (tip jar, anyone?), it misses the point. You either want to give content away free or you want to make money. If the latter, put your damn content behind a paywall -- or are you worried that it isn't good enough to attract customers?

I don't have a problem with web site owners offering their own stuff for sale, but the third-party stuff is insulting.

They Finally Notice. (2)

John Sokol (109591) | about a year ago | (#44431801)

We were using java, flash and javascript to do this sort of stuff as early back as 1996.
Massive DDOS attacks were generated this way.
Even played around with Distributed computing all from banners place on various web sites.
We were able to run stuff in browsers that was next to impossible to remove.
And with browsers restoring all the windows most common users would never figure out how to kill these things.

Re:They Finally Notice. (0)

Anonymous Coward | about a year ago | (#44442399)

It's 2013. You're allowed to put more than one sentence in a line now.

We have Adsafe & Caja for that (0)

Anonymous Coward | about a year ago | (#44432011)

It's a solved problem, really.

Good thing Firefox makes javascript obligatory (1)

Anonymous Coward | about a year ago | (#44432033)

Damn good thing that Firefox 23 makes javascript obligatory:

http://news.slashdot.org/story/13/07/01/1547212/firefox-23-makes-javascript-obligatory [slashdot.org]

Re:Good thing Firefox makes javascript obligatory (1)

Neil Boekend (1854906) | about a year ago | (#44433525)

Blanked disabling Javascript means large portions of the internet become useless, so NoScript is a better solution IMHO anyway.

Ignorant masses (0)

Anonymous Coward | about a year ago | (#44432071)

All of you who are so smart, that you will not be part of the botnet, you do not matter. You are an insignificant amount of people compared to the ignorant masses, that the botnet exploits.

Good luck with that. (0)

Anonymous Coward | about a year ago | (#44432087)

Adblock, noscript, flashblock, giant hosts file.

And you guys wonder why everyone hates you... You're a bunch of annoying amoral lying assholes.

/. - JavaScript? (0)

Anonymous Coward | about a year ago | (#44432227)

Can ./ finally stop requiring JavaScript, then? I don't want to hear about xyzblock -- they don't work for me. I don't enable Java or Flash either.

Re:/. - JavaScript? (2)

jones_supa (887896) | about a year ago | (#44432713)

The old non-JS discussion system is still there. To enable it, follow these steps:

- Click your user name at the top of the page
- From the pop-up menu, click on Account
- From the pop-up dialog's top bar, click Discussions
- Select the Classic Discussion System (D1) radio button
- Click the Save button

Was this answer helpful: yes or no? Would you also like to send all information from your computer to assist us in improving the performance and responsiveness of our product?

Eeep (0)

Anonymous Coward | about a year ago | (#44432313)

NoScript
http://noscript.net/

orealy (0)

Anonymous Coward | about a year ago | (#44432445)

Film.
At.
Eleven.

It's been 20 years wth (1)

Impy the Impiuos Imp (442658) | about a year ago | (#44433035)

Why don't they fix javascript, limit it to a handful of requests so it can download its data but not spam requests in a loop? Disable its popup ability, too. I have never needed it, and if I did, I'd be happy to click an open window approve box.

Paper trail (1)

morgauxo (974071) | about a year ago | (#44433691)

Unless they are paying for their ads using anonymized Bitcoins couldn't the ad company be served a warrant and the perpetrator found through the payment records?

Re:Paper trail (0)

Anonymous Coward | about a year ago | (#44434981)

Yeah, 'cuz there's no way they's use a stolen payment method.

Some Porn sites probably do it in the main pages (0)

Anonymous Coward | about a year ago | (#44435281)

I'd be Shocked, yes Shocked to hear that some of the free Porn sites do this kind of "using your computer in the background from a supposedly idle web page".

It is the perfect target audience: People go to the sites, linger on the pages longer than random readers, and don't like to admit they went there (so it helps hide any such usage. Also completely immune to anti-virus protection, vs. say exploiting the machine.

Custom hosts files do a BETTER job (0)

Anonymous Coward | about a year ago | (#44439245)

Since they do more with less (a single file) & at a faster level of privelege (ring 0/rpl0/kernelmode) than browser addons (that slow up already slower ring 3/rpl 3/usermode browsers) by acting as a filter for the IP stack itself (written in C language & starts with the OS + 1st request to the internet, with over 45++ yrs.of optimization refinement put into it) - how do I gather, sort, deduplicate, normalize, & filter them? Easy:

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

---

Using that app by "yours truly"? So can you!

(More specific details of its operation & what it does for you are in that link (which if you're like me, that site *may* just "interest you", since it features & hosts 64-bit wares galore since that's the "wave of the future" & not just for Windows users either mind you...)).

* It also does FAR more than AdBlock ("souled-out" to GOOGLE, & crippled by default) or Ghostery (Advertiser owned) do, by FAR - especially considering they're "Foxes guarding the henhouse" now.

APK

P.S.=> Custom hosts files give users of them great benefits in added speed (blocking adbanners & hardcoding your favorite sites into them - faster than remote DNS lookups), added security (vs. known malicious sites/serves/hosts-domains that serve up malware or are malscript bearing), added reliability (vs. Kaminsky bug vulnerable DNS servers, 99% of which are STILL unpatched vs. it & worst of all @ the ISP level), & even added anonymity to an extent (vs. dns request logs + DNSBL's you may not like too)...

... apk

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?