Window Pain

Frequent Slashdot contributor Bennett Haselton contributes the following piece on trying to get some measure of satisfaction in the struggle against pop-up ads, writing "The most annoying thing about some pop-up ads, is that you have no way of knowing which ad-serving network served them or who the responsible parties are. Could we reduce the incidence of illegal or deceptive pop-up ads, by giving users an easier way to trace their origin and figure out where to send complaints? Here's one way to do it with a simple right-click." Read on for the rest.

Occasionally while I'm surfing the web and a pop-up ad opens, my Norton Anti-Virus will alert me that it blocked an "attack" on my computer, and then in Norton's logs of recently blocked attacks, it gives the URL of the content inside the pop-up ad that was blocked. Sometimes it indicates whether the "threat" was blocked under the category "scareware" (an ad that mimics a program scanning your PC for viruses and then claiming to find "infections," which you have to remove by purchasing the advertiser's software) or "malware" (an advertiser's page that tries to infect your computer directly by using JavaScript tricks to get around the browser's security features). I'm glad that Norton blocks the malware attacks, since even though I always have all the latest security patches installed for Internet Explorer, it's always possible that an attacker could be using an exploit that hasn't been patched yet. I don't really care about blocking the "scareware" ads, because I'm not going to fall for an ad that claims to be scanning my PC for viruses, but most Norton customers probably appreciate blocking those ads as well.

The problem in both cases is that it's hard even for an experienced user, and almost impossible for a novice user, to know where to send a complaint about the content in a pop-up window. You can usually figure out the URL of the content in the pop-up window (just right-click the window content and pick "Properties" in Internet Explorer or "View Page Info" in Firefox), but often the content itself is being served from an IP address in a jurisdiction like China or Cyprus where malicious operators are hard to shut down. What you really want is for them to stop serving their dangerous ads on reputable websites through the ad network. You could complain to the owner of the website that you're browsing, and say that a pop-up ad window from their site got blocked by Norton as a "virus," but if their site rotates ads from different providers, the site owner would have no way of knowing which advertising network served the ad. Even if you know the URL of the malicious content that was in the pop-up window, that's not enough to tell which advertising network it was served from (because ad networks typically don't serve the ads from their own domain; they just serve a redirect, which causes the browser to load the pop-up ad's contents from the advertiser's domain).

And even if you know which advertiser network served the ad, and the URL that the malicious pop-up content was served from (say, http://www.evilsite.cn/popup.html), so you can take your complaint directly to the advertising network, that may still not be enough information for them to figure out which of their advertisers served the malicious content and needs to be booted out of the network. Because all the advertiser network has is a list of ad pages for their different advertisers (http://www.advertiser-1.com/ad.html, http://www.adveritser-2.com/ad.html, etc.) — the advertiser buys the right to show ads, and the ad network displays ads that load content from those ad content pages. If one of those pages — say, http://www.adveritser-2.com/ad.html — redirects the user's browser to http://www.evilsite.cn/popup.html, the advertiser network has no way of knowing which advertiser is doing that. They would have to go through and check the ad-serving pages (http://www.advertiser-1.com/ad.html, http://www.adveritser-2.com/ad.html, and so one one at a time) for each of their advertisers, to see which of those pages redirect to http://www.evilsite.cn/popup.html — and by the time they do that, the advertiser might have altered the page so that it no longer redirects to the malicious content. While it's pretty straightforward to figure out what URL the malicious content is being loaded from, it's very difficult to figure out the chain of events that redirected you there, and who the responsible parties are.

So here's an idea for a simple browser feature that would make it a lot easier to hold malicious advertisers accountable, and get them kicked out of honest ad-serving networks. Simply give the user a way to right-click on the top of a browser window, and pick "View window origin" or something similar. This would display the sequence of redirects that opened the window, something like this:

Browser was visiting http://www.cnn.com/
http://www.cnn.com/ loaded JavaScript from http://www.advertiser-network.com/ads.js
http://www.advertiser-network.com/ads.js redirected browser to http://www.advertiser-2.com/ad.html
http://www.advertiser-2.com/ad.html redirected browser to http://www.evilsite.cn/popup.html

Then, if the user views an ad that is obviously scareware (or if Norton blocks the contents from loading and gives that as a reason), then the user can just right-click on the window and see the list of redirects. The user could then e-mail that to the website owner with a suggestion to do something about it ("The ad network on your page, has been infiltrated by an advertiser who is using the ad network to serve malicious content"), or the user could take the complaint to the advertiser network. The advertiser network would be able to see from the log, exactly which of their advertisers' ad.html pages served the malicious content.

(Yes, this comes on the heels of my article arguing that we should allow more intrusive ads as a way to help pay for services that can't finance themselves with normal pop-up ads. This may strike some people as "ironic" who haven't thought about it very carefully. Getting users to give larger amounts of their attention in exchange for premium service, is an honest and mutually beneficial transaction; scaring users with deceptive ads, or using ad space to try to infect their computer, is not. I think that Starbucks has the right to charge whatever they want for coffee; that doesn't mean they have the right to pee in your coffee.)

In order for this window-history-tracing feature to make a difference, at least the following two conditions also have to be true:

• The advertiser network has to be honest (honest enough to kick out advertisers who they know are serving malicious content), or at least, be located in a jurisdiction where they have to worry about being sued or prosecuted if they don't kick bad apples out of their network.
• When the malicious ads are served, enough users have to complain about them that the advertiser network takes notice. You wouldn't want the advertiser network to take action just based on a single complaint, since then anyone with a grudge could file a phony complaint against an advertiser in order to get them shut down, but if complaints start coming in from several sources, then they should investigate.

Fortunately, these would be likely to be true in many if not most cases where malicious pop-up windows are being served. With regard to the first condition, I've dealt with several advertising networks to find ads to serve on the proxy sites that I run, and they were all based out of law-and-order countries (the U.S., Canada, Israel, i.e. not China or Kazahkstan). As for the second condition, the advertiser would probably have to serve the ad to many different users in order to achieve their goal -- whether their goal is to infect users' machines, or to get them to buy the advertiser's fake anti-virus software, or whatever -- and as long as a fixed percentage of users viewing the malicious ads are inclined to file complaints about them, then the more the ads are served, the more complaints will come in until the ads are taken out of rotation.

Of course, if the URL that's actually serving the malicious content, is located in a law-and-order country, you could always just complain to the admins of the network where the content is being hosted. But that's likely to be less effective, since (a) the actual URLs that I've seen serving the malicious content, usually are located in cybercrime-infested nations like China, and (b) even if you get one of those sites shut down, the advertiser can instantly rotate in other sites with the same content, and make that the new URL that users are redirected to.

It is also of course true that some pop-up ads are spawned not by websites, but by malicious programs that actually infect your machine and force your browser to display pop-up windows. If some browser maker adopted the feature I'm suggesting, and stored a user-viewable "history" associated with each pop-up window, then a malicious program running on your machine might even be able to spoof the history associated with a pop-up window, so that the user would right-click on it and think it came from http://www.cnn.com/ instead of being spawned by malware. Once the user has their machine infected by a rogue program, nothing that any other application tells them can really be trusted after that point. So an advertiser network would have to be careful not to take action against an innocent third party, just based on a flood of complaints that were sent in by people whose machines were infected by malware that spoofs the origin of the pop-up windows. Fortunately, if the allegedly malicious ad is still in rotation, it would be easy for the advertiser network to check the validity of the complaint, by simply going to the advertiser's ad-content page, and seeing if it redirects to the malicious content. If it does, then you have grounds to boot the advertiser out of the network.

(You'd want to check the page's content from some anonymous IP address not affiliated with the advertiser network though. Otherwise, the advertiser might try to fool the ad network people, by showing "innocent" content when the page is loaded from the IP addresses associated with the ad network's office, and serving the scareware content to everybody else. Just trying to think of everything here.)

I'm sure there are other counter-strategies and counter-counter-strategies that would have to be taken into account, and kinks to be worked out, but probably not fatal to the whole idea. If a pop-up window opens on the user's computer that is possibly illegal, it is probably a good thing to give the user the tools to figure out where the ad came from, and which advertiser network to complain to. Right now, the ad window just floats there, and it's maddening not to have any way of knowing which ad-serving network put it there, or even if you can identify the ad-serving network, which of their advertisers created the content.

The main obstacle standing in the way of a major browser maker implementing this, may be that it doesn't bring any particular benefit to the users of that browser. When Microsoft adds SmartScreen to Internet Explorer, they can now claim that IE users are better-protected than users of other browsers. On the other hand, if the Mozilla Foundation adds the pop-up window right-click-history feature to their browser, they can't legitimately claim that Firefox users are better protected, since this feature wouldn't actually block anything. Firefox users would simply be better equipped to complain about malicious pop-up windows, and increase the chances of those rogue advertisements being taken down, or at least kicked out of ad networks where they would do the most damage. However, the benefits of that increased policing, would accrue to all Internet users, not just Firefox users.

Still, abuse desks get so many complaints about spam and spammers, that there are apparently plenty of people out there who get enough satisfaction from complaining about net abuse, that they would make use of the pop-up window-tracing feature if they had it. I know that when I see a stupid ad pretending to "scan" my computer for viruses, I get unreasonably disgusted, not from seeing the ad itself (which I can easily ignore), but from knowing that the advertiser has probably fleeced people of thousands of dollars with that ad. It would be nice to be able to help stop them before they cheat the next person.

Firefox + NoScript + Adblock Plus + FlashBlocker

[Peter Simpson]

I can't recall the last time I have seen a pop-up ad with the above configuration. They literally aren't a problem for me. Oh, and I run Linux, so it doesn't matter anyway...the code won't execute.

LONG!!!

[kai_hiwatari]

wow .... i wonder if i should read this ....

Re:Firefox + NoScript + Adblock Plus + FlashBlocke

[meow27]

no-script alone should solve most of the problems

what ads?

[drDugan]

What ads?

> head -5 /etc/hosts
##
# Host Database
#
# This MVPS HOSTS file is a free download from:
# http://www.mvps.org/winhelp2002/ [mvps.org]

Re:Jon Katz, is that you?

[sunking2]

Oddly enough he actually had a book made into an HBO movie recently. It even had Jeff Bridges in it. So I guess he's still alive, although only seems to write about dogs because they'll tolerate anyone who has bacon bits.

Re:TL;DR

[iamapizza]

He basically wants someone to tell him about Fiddler.

Re:Firefox + NoScript + Adblock Plus + FlashBlocke

[jbezorg]

Firefox + NoScript + Adblock Plus alone does alright for me. NoScript has options to block embedded content under options so adding FlashBlocker is a little redundant for my taste.

Re:Firefox + NoScript + Adblock Plus + FlashBlocke

[clang_jangle]

That or privoxy with the browser of your choice.

But back to TFA, I can't believe it didn't occur to Haselton that sending email to a site that has these ads is a bad idea that will probably get you on more spam lists. People who have these ads are part of the problem for a reason, and the reason is usually greed.

Re:Firefox + NoScript + Adblock Plus + FlashBlocke

[jbezorg]

"Block pop-up windows" won't get rid of those stupid smiley face flash ads that shout "Oh No!".

Right details

[KevMar]

I have helped a few sites track down and remove scareware. give them as many details as you can.

My host name and IP from http://www.displaymyhostname.com/ [displaymyhostname.com]
The time I was on the page. What page you were on.

One thing I do is leave the site alone for a day so when I report it, I can tell them it was the last visit to the site. A detail like that helps when looking at logs. The hostname gives them where your located so if the add network uses locations to send adds, this will help.

part of the problem is that these sites will take real adds for real services and have them link to the real site. This helps them pass, then they push out a redirect script later or built in with a trigger to cause the redirection.

Its not often they can or take the time to track it down. But it sure feels good when they tell you they tracked it down because of your help.

Firefox + NoScript

[Anonymous Coward]

Agreed, I have NoScript in my FireFox, I haven't gotten any unexpected pop-ups.

My main problem is getting expected pop-ups, sometimes I forget to look at that little bar that appears at the top of the window.

Re:pop-up ads?

[krischik]

You don't even need AdBlock - every self respecting browser won't open even pop-ups windows any more.

Re:Ad-Block Perhaps?

[Sir_Lewk]

This guy wouldn't use adblock though. You see, he not only supports popups in general, he actually proposes even worse ads as a good thing. This guy is a certified idiot and slashdot needs to stop giving him attention.

Re:Firefox + NoScript + Adblock Plus + FlashBlocke

[Anonymous Coward]

Not at all. NoScript is too indiscriminate. If you allow a domain, it loads everything from it. If you prohibit Flash for trusted sites, you also block other things.

FlashBlock adds a bit more control.

Re:This explains a lot.

[rgviza]

So how do you know piss can't be tasted in American coffee?

Some of us actually do know all about how grind vs. flow rate and temperature affect extraction, and don't over extract our coffee. Some of us even know all about roasting, what arabica is, and how to hold a conversation about the differences in acidic content between Ethiopean and Sumatra Mandheling, and how their acidity affects the flavor. We know why french roast is used in presses, italian roast is used in espresso machines, and can set a grind and extraction time which will result in perfect crema.

There are several varieties of American coffee which are exquisite. Kona and Blue Mountain are just a couple which are highly sought after.
Not all of them taste like ass. It's poor roasting, brewing and dispensing practices that ruin American brewed coffee you may get in the united states. The coffee is fine. You just need to find a place that can consistently roast coffee correctly, then grind and brew it yourself or go to a coffee house that does it right. Chances are you are better off doing it yourself.

I think your statement should more accurately read "Most americans don't know how to brew and serve coffee". The American coffee itself is not usually the problem.