Window Pain 223
Occasionally while I'm surfing the web and a pop-up ad opens, my Norton Anti-Virus will alert me that it blocked an "attack" on my computer, and then in Norton's logs of recently blocked attacks, it gives the URL of the content inside the pop-up ad that was blocked. Sometimes it indicates whether the "threat" was blocked under the category "scareware" (an ad that mimics a program scanning your PC for viruses and then claiming to find "infections," which you have to remove by purchasing the advertiser's software) or "malware" (an advertiser's page that tries to infect your computer directly by using JavaScript tricks to get around the browser's security features). I'm glad that Norton blocks the malware attacks, since even though I always have all the latest security patches installed for Internet Explorer, it's always possible that an attacker could be using an exploit that hasn't been patched yet. I don't really care about blocking the "scareware" ads, because I'm not going to fall for an ad that claims to be scanning my PC for viruses, but most Norton customers probably appreciate blocking those ads as well.
The problem in both cases is that it's hard even for an experienced user, and almost impossible for a novice user, to know where to send a complaint about the content in a pop-up window. You can usually figure out the URL of the content in the pop-up window (just right-click the window content and pick "Properties" in Internet Explorer or "View Page Info" in Firefox), but often the content itself is being served from an IP address in a jurisdiction like China or Cyprus where malicious operators are hard to shut down. What you really want is for them to stop serving their dangerous ads on reputable websites through the ad network. You could complain to the owner of the website that you're browsing, and say that a pop-up ad window from their site got blocked by Norton as a "virus," but if their site rotates ads from different providers, the site owner would have no way of knowing which advertising network served the ad. Even if you know the URL of the malicious content that was in the pop-up window, that's not enough to tell which advertising network it was served from (because ad networks typically don't serve the ads from their own domain; they just serve a redirect, which causes the browser to load the pop-up ad's contents from the advertiser's domain).
And even if you know which advertiser network served the ad, and the URL that the malicious pop-up content was served from (say, http://www.evilsite.cn/popup.html), so you can take your complaint directly to the advertising network, that may still not be enough information for them to figure out which of their advertisers served the malicious content and needs to be booted out of the network. Because all the advertiser network has is a list of ad pages for their different advertisers (http://www.advertiser-1.com/ad.html, http://www.adveritser-2.com/ad.html, etc.) — the advertiser buys the right to show ads, and the ad network displays ads that load content from those ad content pages. If one of those pages — say, http://www.adveritser-2.com/ad.html — redirects the user's browser to http://www.evilsite.cn/popup.html, the advertiser network has no way of knowing which advertiser is doing that. They would have to go through and check the ad-serving pages (http://www.advertiser-1.com/ad.html, http://www.adveritser-2.com/ad.html, and so one one at a time) for each of their advertisers, to see which of those pages redirect to http://www.evilsite.cn/popup.html — and by the time they do that, the advertiser might have altered the page so that it no longer redirects to the malicious content. While it's pretty straightforward to figure out what URL the malicious content is being loaded from, it's very difficult to figure out the chain of events that redirected you there, and who the responsible parties are.
So here's an idea for a simple browser feature that would make it a lot easier to hold malicious advertisers accountable, and get them kicked out of honest ad-serving networks. Simply give the user a way to right-click on the top of a browser window, and pick "View window origin" or something similar. This would display the sequence of redirects that opened the window, something like this:
Browser was visiting http://www.cnn.com/
http://www.cnn.com/ loaded JavaScript from http://www.advertiser-network.com/ads.js
http://www.advertiser-network.com/ads.js redirected browser to http://www.advertiser-2.com/ad.html
http://www.advertiser-2.com/ad.html redirected browser to http://www.evilsite.cn/popup.html
Then, if the user views an ad that is obviously scareware (or if Norton blocks the contents from loading and gives that as a reason), then the user can just right-click on the window and see the list of redirects. The user could then e-mail that to the website owner with a suggestion to do something about it ("The ad network on your page, has been infiltrated by an advertiser who is using the ad network to serve malicious content"), or the user could take the complaint to the advertiser network. The advertiser network would be able to see from the log, exactly which of their advertisers' ad.html pages served the malicious content.
(Yes, this comes on the heels of my article arguing that we should allow more intrusive ads as a way to help pay for services that can't finance themselves with normal pop-up ads. This may strike some people as "ironic" who haven't thought about it very carefully. Getting users to give larger amounts of their attention in exchange for premium service, is an honest and mutually beneficial transaction; scaring users with deceptive ads, or using ad space to try to infect their computer, is not. I think that Starbucks has the right to charge whatever they want for coffee; that doesn't mean they have the right to pee in your coffee.)
In order for this window-history-tracing feature to make a difference, at least the following two conditions also have to be true:
- The advertiser network has to be honest (honest enough to kick out advertisers who they know are serving malicious content), or at least, be located in a jurisdiction where they have to worry about being sued or prosecuted if they don't kick bad apples out of their network.
- When the malicious ads are served, enough users have to complain about them that the advertiser network takes notice. You wouldn't want the advertiser network to take action just based on a single complaint, since then anyone with a grudge could file a phony complaint against an advertiser in order to get them shut down, but if complaints start coming in from several sources, then they should investigate.
Fortunately, these would be likely to be true in many if not most cases where malicious pop-up windows are being served. With regard to the first condition, I've dealt with several advertising networks to find ads to serve on the proxy sites that I run, and they were all based out of law-and-order countries (the U.S., Canada, Israel, i.e. not China or Kazahkstan). As for the second condition, the advertiser would probably have to serve the ad to many different users in order to achieve their goal -- whether their goal is to infect users' machines, or to get them to buy the advertiser's fake anti-virus software, or whatever -- and as long as a fixed percentage of users viewing the malicious ads are inclined to file complaints about them, then the more the ads are served, the more complaints will come in until the ads are taken out of rotation.
Of course, if the URL that's actually serving the malicious content, is located in a law-and-order country, you could always just complain to the admins of the network where the content is being hosted. But that's likely to be less effective, since (a) the actual URLs that I've seen serving the malicious content, usually are located in cybercrime-infested nations like China, and (b) even if you get one of those sites shut down, the advertiser can instantly rotate in other sites with the same content, and make that the new URL that users are redirected to.
It is also of course true that some pop-up ads are spawned not by websites, but by malicious programs that actually infect your machine and force your browser to display pop-up windows. If some browser maker adopted the feature I'm suggesting, and stored a user-viewable "history" associated with each pop-up window, then a malicious program running on your machine might even be able to spoof the history associated with a pop-up window, so that the user would right-click on it and think it came from http://www.cnn.com/ instead of being spawned by malware. Once the user has their machine infected by a rogue program, nothing that any other application tells them can really be trusted after that point. So an advertiser network would have to be careful not to take action against an innocent third party, just based on a flood of complaints that were sent in by people whose machines were infected by malware that spoofs the origin of the pop-up windows. Fortunately, if the allegedly malicious ad is still in rotation, it would be easy for the advertiser network to check the validity of the complaint, by simply going to the advertiser's ad-content page, and seeing if it redirects to the malicious content. If it does, then you have grounds to boot the advertiser out of the network.
(You'd want to check the page's content from some anonymous IP address not affiliated with the advertiser network though. Otherwise, the advertiser might try to fool the ad network people, by showing "innocent" content when the page is loaded from the IP addresses associated with the ad network's office, and serving the scareware content to everybody else. Just trying to think of everything here.)
I'm sure there are other counter-strategies and counter-counter-strategies that would have to be taken into account, and kinks to be worked out, but probably not fatal to the whole idea. If a pop-up window opens on the user's computer that is possibly illegal, it is probably a good thing to give the user the tools to figure out where the ad came from, and which advertiser network to complain to. Right now, the ad window just floats there, and it's maddening not to have any way of knowing which ad-serving network put it there, or even if you can identify the ad-serving network, which of their advertisers created the content.
The main obstacle standing in the way of a major browser maker implementing this, may be that it doesn't bring any particular benefit to the users of that browser. When Microsoft adds SmartScreen to Internet Explorer, they can now claim that IE users are better-protected than users of other browsers. On the other hand, if the Mozilla Foundation adds the pop-up window right-click-history feature to their browser, they can't legitimately claim that Firefox users are better protected, since this feature wouldn't actually block anything. Firefox users would simply be better equipped to complain about malicious pop-up windows, and increase the chances of those rogue advertisements being taken down, or at least kicked out of ad networks where they would do the most damage. However, the benefits of that increased policing, would accrue to all Internet users, not just Firefox users.
Still, abuse desks get so many complaints about spam and spammers, that there are apparently plenty of people out there who get enough satisfaction from complaining about net abuse, that they would make use of the pop-up window-tracing feature if they had it. I know that when I see a stupid ad pretending to "scan" my computer for viruses, I get unreasonably disgusted, not from seeing the ad itself (which I can easily ignore), but from knowing that the advertiser has probably fleeced people of thousands of dollars with that ad. It would be nice to be able to help stop them before they cheat the next person.
Ad-Block Perhaps? (Score:5, Insightful)
I mean did you really need to write this long-winded meaningless rant? just download firefox and ad-block pro.
File a feature request with Mozilla (Score:3, Insightful)
Re:LONG!!! (Score:3, Insightful)
It's by Bennett Haselton, so it's safe to say no, don't read it,
Re:Firefox + NoScript + Adblock Plus + FlashBlocke (Score:5, Insightful)
There are loads of machines out there being infected today by doing normal browsing on reputable sites. With the current industry practice of n-number of redirects through n-number of networks for 3rd party ad serving it makes it near impossible to track down those of nefarious intent on an incident level.
Once again it is not the
I for one agree, something must be done; and "open letters" like this are often how the conversation starts.
A change (Score:4, Insightful)
I've noticed recently that many websites I visit are starting to use those huge overlay ads OR, even worse, those fuckers that appear right over a link just as you are about to click on it.
I WILL NOT buy products advertised in this fasion.
Re:Out Come the Wolves (Score:3, Insightful)
remind the audience to please be gentle.
Maybe we need a new section for speculative fiction here. We could call it soundingboard [merriam-webster.com].slashdot.org, and everyone can go there and post their "Wouldn't it be cool if..." rants.
We can even simplify the comment section by just having one big "NO!" button.
Re:Ad-Block Perhaps? (Score:2, Insightful)
Shoot: Safari, IE, and FF block nearly all the ads I encounter in their default configurations. Kinda a non-issue these days.
Re:Firefox + NoScript + Adblock Plus + FlashBlocke (Score:2, Insightful)
It doesn't take an "expert" to install the portable version of Firefox.
Really. The dumbing down of the user base has gone a little too far here...
Re:First (Score:5, Insightful)
One, he's using Norton, which anybody knows is ripe for ridicule in this particular forum.
Two, as has and will be mentioned numerous times, Noscript, adblock, etc. make all this very academic (which, I know, is the point of Bennet's writings here, to explore concepts in theory).
So while I'm sure his opinion is interesting to whatever eggheads here like to digest his cromulent but otherwise semantic ramblings, the rest of us will do pretty much what parent has done and say "who gives a fuck?"
What's a pop-up? (Score:2, Insightful)
Re:Ad-Block Perhaps? (Score:2, Insightful)
I think we've found Rolland Piquepaille's successor.
Patronization (Score:5, Insightful)
Here's a solution, don't patronize any site that uses those types of advertisements. There is NOTHING on the site you can't get elsewhere with less crap. NOTHING.
I don't go to sites that have crap splashing all over my screen. I'll do without thank you very much. If a site expects me to use IE, I won't go. If a site wants to bombard me with flash for no reason other than to look ...well flashy, then I won't go. If a site wants to use javascript to do all sorts of stupid stuff to "look pretty", then it isn't getting me to visit again.
If you go away, and don't return, and you find sites that give you what you want without all the crapware pieces then they will learn. As for idiots who don't understand, stupid should hurt.
Re:Firefox + NoScript + Adblock Plus + FlashBlocke (Score:4, Insightful)
I skip noscript, only use adblock plus on slower systems (I'd like to let the sites get ad impressions, but my netbook browses so much smoother when the ads are getting blocked) and use flashblock somewhat randomly across systems. Even with flashblock alone, some sites simply can not be made to function properly without whitelisting it and reloading the page. I don't know if there are funny overlays or scripts that trigger eachother or what but sometimes the little play button just isn't enough.
The average user is not going to go around whitelisting, reloading, and otherwise troubleshooting pages.
Norton? (Score:2, Insightful)
If you're using Norton I would wonder what kind of advice you are really qualified to give out.
Why should the advertisers help? (Score:2, Insightful)
Re:Firefox + NoScript + Adblock Plus + FlashBlocke (Score:2, Insightful)
Re:Firefox + NoScript + Adblock Plus + FlashBlocke (Score:1, Insightful)
Re:Firefox + NoScript + Adblock Plus + FlashBlocke (Score:3, Insightful)
The state of the industry is "broken". I'd argue fundamentally.
We depend on blacklists maintained by people we don't know but want our money to protect us from other people we don't know who want our money. We run crappy software (I'm looking at you, Symantec, but McAfee isn't far from my view) that slows down our computers and occasionally crashes then in an attempt to keep crappy software from slowing down our computers and occasionally crashing them. We freak out when Google knows our home address, then enter our unlisted phone numbers onto online forums.
The major player in the software industry has encouraged piss-poor security practices for so long that we assume those practices are the expected user experience, so as soon as they finally mend their ways people bypass it anyway because they don't know what it all means. When we start telling people that there are bad people out there and they should install locks on their electronic doors, there's a shitstorm about how hard it all is (if you can't replace the locks on your doors, you hire someone to do it for you. Same with computers, find a computer literate buddy and open the creaky old wallet and buy 'em a 6-pack fercrissake, most of us will spend a good chunk of the day with you for nothing more than a 6-pack and heartfelt thanks - a decent denomination gift certificate to a good local restaurant would also be an excellent choice, or a decent bottle of wine, or offer some services from your area of expertise in return).
Windows XP can be made to be secure, but a lot of the software that runs on it doesn't like it that way. Windows Vista or Seven are better choices for that, but you have to learn how they are trying to protect you, and work with them. Linux will protect you by default and makes it harder for you to mess it up. Linux can be complicated, but generally only during installation. Once there, it is as as easy to use as Windows. It's a tad different, expect to spend about a day getting used to where things are. You'll have many of the same problems when you go from XP to Seven, though, and Linux is free. There are hordes of people around you that will gladly install it for you or help you out. If you spend most of your time doing email and the web, chances are you won't even notice the difference. It's not for everyone, of course. But you may not need to buy new hardware or spend any money at all to make that crusty trusty old Windows XP machine run faster. In some cases, a LOT faster. So you might save some serious money while you're at it.
You can't run all of your Windows software on Linux (though a lot can run just fine), and if you're a gamer forget it and stick with Windows. However, if you need Windows, at least let someone have a look at it and install a few of the FREE tools that can help protect you.
Firefox is slightly different from IE, but you will hardly notice. Figure a 15-30 minute learning curve. And it does some pretty cool stuff. Windows or Linux, it's just a good idea.
NoScript requires that you intervene whenever you feel you can trust a web site and give that site permission to run stuff. It's a pain, sure, but so is putting on your seatbelt or checking your brakes from time to time. After about a week, it becomes a habit, and all the sites you frequent are whitelisted anyway. "Hey, this site doesn't look right, did any scripts get blocked - and is getting the site to look perfect worth the risk of unblocking them?"
Too many of us have been too complacent about security for too long. The computer is an appliance, but we also keep really important data on it and other people want that data, and we need to start acting accordingly.
Re:Enjoy pop-up blocking while you can (Score:3, Insightful)
I'd say a large fraction of this audience won't buy an iPad, just for starters. For another, I suspect a fair number who do buy them will also jailbreak them and recover their control over their own device. Call me crazy...
Regardless, it will be a very long time, even in Internet time, before the majority of devices used to read web pages aren't full-fledged PCs.
Advertisers Are Not Honest (Score:3, Insightful)
Advertisements are, by their very nature, not the least bit inclined to honesty.
Even if you could get users to agree to devote more eyeball time to, or simply abide, the more intrusive ads, you're still subjecting them to a flood of stuff they a) didn't ask for, or b) didn't want to see.
Remember, it was an advertiser that dreamed up the offensive popups; it was an advertiser that came up with the idea of spam; it was an advertiser that thought robo-dialers were a good thing. In fact, I can't think of any recent advertising advance that hasn't been intrusive, or invasive in some form or another.
Advertisers need to get off the high horse of "the world can't exist without us" and re-evaluate their entire approach to customer relations. Advertisers do not have a right to exist simply because they can create sales. If an advertiser chooses a business model using approaches that are hostile to a consumer's life experience, they should expect nothing more than a welcome to the world of Darwinian economics. Advertisers need to stop bitching about "why the customers won't do things our way..." and make a god-damned effort to communicate instead of dictate.
The poster has missed the point entirely (Score:5, Insightful)
Ads are being served to users that do not want them - but the advertisers are paying. Who exactly is the customer here? The end user viewing the ad or the advertiser? What the poster missed here is that there are four players here:
OK, so who is in control of what here? Well, the web site operator is selling "time" or "visitors" and might like to exhert some kind of control over the ads but isn't offered any such control. Try convincing Google that you do not want to see any ads for multi-level marketing scams on your web site. Go ahead, try. No good, huh? No, you don't have much control - maybe you can say no to "adult" ads.
The ad purveyor has complete control, but they are being paid plenty to post ads. All kinds of ads. They are heavily isolated from the end user, such that even if the end user finds out the CEOs phone number what exactly are they going to do? The end user is not paying the ad purveyor - the advertiser is.
You will never find the advertiser to complain, and even if you did it wouldn't matter. If you are going to advertise on the Internet you have to be immune to complaints. Someone is going to complain all the time. And it doesn't matter because the end user has no control whatsoever.
Sure, the end user can annoy the web site operator - who, by the way, is getting paid plenty to sit and take the complaints and do nothing. Even if the web site operator wanted to do something they have no control. They have two choices - stop advertising and stop the flow of money, or ignore the complaints. The "threat" of moving to a different advertising purveyor is hollow - there are no "different" or "better" purveyors - just those that pay less. The object here for the web site operator is to get as much for their "product" (visitors seeing ads) as possible. End user complaints have no meaning unless you have four visitors that just keep coming back.
Oh, and the advertiser just doesn't care what anyone thinks about this process. After all, they are the ones pushing misleading or harmful content, right?
It is all about control, power and relationships. If you don't understand that you need to sit down and think this stuff through. The Internet today is a fundamentally abusive relationship for the end user. They are the "bottom boys" being dominated and get to take whatever is coming their way. Don't like it? Try a different browser that (hopefully) blocks ads better. If you visit web sites where there are ads, you are going to be subjected to ads - abusive, misleading and harmful ads. Your ability to affect this is small indeed - you can try to block the stream of ads coming your way or you can avoid the more heavily ad-laden web sites.
Re:First (Score:3, Insightful)
For someone who calls himself an experienced user and has shown at least some level of technical competence in the past, I don't think Bennett Haselton uses IE and Norton because he thinks they're good. It could be a work computer or a test machine (nowhere does he state whether its his own personal computer or a work computer).
I think what he's saying makes a good bit of sense (for once). A feature like this would be really useful, especially for the less technically minded users. Combining it with a database of websites (similar to an online antivirus database - maybe Google's complaint registry?) would allow an inquisitive user to look things like this up.