PageFair: Economist hacked (economist.com)
103 points by aburan28 on Nov 6, 2015 | hide | past | favorite | 61 comments



I'm going to copy-and-paste the important bit in case nonsubscribers need to read it. I wouldn't normally do this, but I figure it's an important announcement rather than a creative work:

On Oct. 31, 2015, one of economist.com’s vendors, PageFair, was hacked. If you visited economist.com at any time between Oct. 31, 23:52 GMT and 01:15 GMT, Nov. 1, using Windows OS and you do not have trusted anti-virus software installed; it is possible that malware, disguised as an Adobe update, was downloaded onto your PC.


This is one of the most impressive security disclosures I've ever seen. They identify the precise window of exposure; they identify the systems which could have been affected; and they provide details which may help people determine if they were attacked.

I'm also impressed with how quickly they fixed the problem: Apparently it only took 83 minutes to discover and shut down the malware distribution.


Just to be clear, you should be impressed with pagefair, not the economist. The PF blog has even more information with a no BS mea culpa that would make your grandmother proud:

http://blog.pagefair.com/2015/halloween-security-breach/

"If you are a publisher using our free analytics service, you have good reason to be very angry and disappointed with us right now. For 83 minutes last night, the PageFair analytics service was compromised by hackers, who succeeded in getting malicious javascript to execute on websites via our service"


Agreed; the pagefair post is great and described the exact nature of the attack. The economist should have linked to their original post. Until I read your comment, my main question was, "How would I know if I was infected?" Was it a silent drive-by download/install? Or would I have had to click a dialog? Did it require manual installation of a downloaded executable? In fact it required all those things, so it's very unlikely the average HN reader could have been infected without their knowledge just from having visited the economist during that window. From the economist post though, there's no way to know. In the extreme case, someone could end up spending a ridiculous amount of time changing all their passwords and financials completely needlessly.


Compare this to Symantec's response to issuing signed certificates for google.com[1], where they downplayed the issue and said they only found 3 instances when they went back over the last decade with a fine-tooth comb. Followed by Google finding many more instances just using the certificate transparency logs, answered by Symantec with more doublespeak.

[1]: https://googleonlinesecurity.blogspot.com/2015/10/sustaining...


Thanks for the link. I agree, it's a very nice disclosure.

I do find it somewhat ironic that that page links in javascript from 5(?) other domains according to noscript.

One of which is good old s3.amazonaws.com - which if this allows CORS in general is basically allowing any random person to inject js in your page? (I believe any bucket in the standard US east region is reachable as s3.amazonaws.com/example.com/example.js ?)

(The other being an ad network, disqus, google analytics (now that is ironic) and "add this")


To be fair, this incident demonstrates the danger of sourcing external scripts from little-known {1} providers providing a contentious {2} service. Yes, they may have better security than your own domain's server, but, if that's true, they're also more likely to be a target (all else being equal).

1. (Well, I'd never heard of them before)

2. Trying to subvert ad-blocking, albeit in a less intrusive manner than a 'real' ad, possibly.

EDIT: asterisks don't work for footnotes, do they.


That is a fantastic response.


I would rather say we should be not so much impressed with pagefair.

Running stuff on an externally managed CDN without 2FA is simply stupid and dangerous. And even more so as they are a third-party script used by dozens of newspapers.


PageFair's entire product is circumventing the software I've installed for my security and privacy. I don't think there's any way to do that responsibly. Coming clean with how they infected people with malware while bypassing their security software is the least they could do.


It's a shame then that hardly anyone will see it. Readers of The Economist are affected yet there is no mention of the problem on their home page.


One of the best-handled security events in a long time (to the best of my knowledge), especially on the PR side.


It doesn't appear to be paywalled (a smart policy for a security update).


With JavaScript off, I saw the full post. Lots of other posters are surprised too. I'm pretty sure you're right, this announcement isn't paywalled.


Not a subscriber and I had no trouble viewing the information thanks to ublock and noscript.


Ugh. To paraphrase PageFair's website, ads keep the internet free, but the way ads are implemented today also keeps botnets around.


Why is this so? Is this because of their use as fake traffic?


That's true, but not what I was thinking of. Even big websites of some repute (like The Economist) are in the habit of letting a multitude of external agents run unrestricted JavaScript on their pages. As in this case, that power can be used to distribute exploits.


Ah, very interesting...


Damn, they won't even show this page without subscription ;)

Edit: Maybe I overreacted. I just tried the direct link again, and it loaded. The first time, loading stalled with a blank popover.


I have a paid Economist subscription but it's less hassle to not login and use a combination of expiring cookies, self-clearing cache, and some specific AdBlock rules to read their content...


I've spoken to some devs who used to work for them. They have said the working environment there for devs is terrible and retention of quality is a big issue.

Their site is awful and has been awful for ages. They are also usually a good 3 to 5 years behind the times with their magazine technology. Late to deliver apps, poor user experience on the site, terrible mobile pages, etc.

I say this as an avid reader (and now listener) of their magazine for nearly 15 years.


Even their subscription management site is terrible, it's really much more complicated than it needs to be.

I love the paper version of The Economist, but I never read their online content. Partly because I can't be bothered to login.


I love the "timekeeper" feature, only because it looks so retro at this point that I hope it never goes away.


> it is possible that malware, disguised as an Adobe update, was downloaded onto your PC.

If you weren't affected by this you can still download genuine Adobe malware from:

www.adobe.com/creativecloud.html


Another attack that disabling javascript would have defeated.


Another attack that unplugging your computer and going to live in the woods would have defeated.

More and more of the web is built on javascript, so opting out of a chunk of what the web runs on will naturally limit your exposure to the dangers (and joys) of the web.


> More and more of the web is built on javascript

Yes, you should definitely allow arbitrary code to run in a Turing-complete interpreter on your personal computer to read some text in the Economist.

This isn't some advanced app or game pushing the limits of web technology, it's words and a few charts.


The "joys of the web" consist more often than not in moving the text I am trying to read to show some ads, messing with the scrolling of the browser (try scrolling news.google.co.uk on an ipad!), overlaying popups to tell me to register to some newsletter or give some feedback, etc. I actually find the web much faster and nicer without javascript. A couple of blog websites will only show complete gibberish without javascript but I think bloggers massively overestimate how keen a typical user is to read what they have to say.


> More and more of the web is built on javascript

No, the web is built on HTTP and HTML, and it runs just fine without JavaScript.


The malicious bit was an .exe which did not autolaunch. The javascript itself was harmless.


Or just ad-blocking, which is less drastic.


with dnsmasq

  address=/pagefair.com/127.0.0.1
  address=/pagefair.net/127.0.0.1
seriously, this only strengthens my argument for blocking all sorts of 3rd party crap


I think it needs to be said that while external ad networks can increase the surface area of a hack like this, the major issue is email security and having tight access controls and MFA in place for all major services.

The same thing could've easily happened to the Economist's own website and CDN.

There have been dozens of stories including major studios, politicians and the CIA that show how losing access to an email account can cause major damage or even cripple a business, if not get them shutdown completely.

It's something that seems to be overlooked a lot but with the prevalence of email access everywhere on mobile devices and the amount of phishing attempts and surveillance, this should be one of the highest priority security issues.


Hold on... Economist wants both subscription fee and to serve 3rd party malware (a.k.a. ads) to me?


Just like cable TV? Just like any sports broadcaster that charges for tickets AND has billboards?

How long is it going to take people to realize that ads vs paid content is not an either/or proposition, and that we should get rid of any ad-supported economy?


How long is it going to take people to realize there is nothing wrong with an ad supported economy and many products, services and media would go away without it, even if relying solely on subscriptions.


"Nothing wrong"?

- The ads are almost never useful for the consumers

- Companies keep shoveling money into ad campaigns just so that marketing teams can justify their budgets

- Ad publishers are incentivized to completely undermine the idea of private data

- Thomas Watson is often mocked for saying "I think there is a world market for maybe five computers". If we look today at Google, Facebook, Amazon, Microsoft and Apple, we are not that far from that reality. The "ad economy" is at direct odds against an open web.

I'll give you that Google's breakthrough came because they could find a way to revenue, and that without ads they would never bring many useful things to fruition. But the best way to justify their wealth creation is that they manage to take the social function of advertising (connect producers and consumers) and make it more effective.

There was almost zero progress in that regard afterwards. It is just a race to the bottom. I can actually bet that we would be better off without these products, services and media if they were gone. Case in point: one of the links on the front page right now is http://www.thedailybeast.com/articles/2015/11/04/no-spooning...


> The ads are almost never useful for the consumers

My favorite thing about this is that I occasionally see an ad I am interested in, just as the page is reloading. I go back to try to see it again, and I get a different ad. I refresh several times, getting more ads but not the one I saw first. Oh well, I guess I won't buy that after all. :D If it makes them feel better, I'm probably most interested when it's a promotion, so they didn't lose as much money.


I've heard all these arguments and more a thousand times; it's nothing new and usually based on emotions and opinions rather than any objective study.

1) Ads are useful for consumers as they lead to them solving their problem. Whether that's discovering a new service or buying a product, they needed something and they got it. It's still ultimately their decision.

2) Do you know the best thing about digital ads? It's the data. These aren't billboards that are bought without any idea who's seeing them or giant print ads bought on ego, we can tell exactly who's clicking on what and what they do after all the way to purchase. It's not just money thrown around, it leads to real bottom line results. The ad industry is one of the biggest data-driven industries in the world, contrary to what many might think.

3) Not sure how you came to this conclusion. There is no such thing as the "ad economy"... it's just a business model and industry, not some major paradigm of society. It will always exist because it works and serves a need, and outside of direct monetization, it's the best form of payment there is. It's quick, passive and requires no decision willpower and is the primary reason for so many websites and such a large open web. We wouldn't have nearly as many sources on the internet if it weren't for ads. The monopolies you mentioned exist in every industry because that's the most efficient way to scale and run a business; it's got nothing to do with ads specifically.

4) I don't get the last point - are you saying that article isn't worth anything? Why? Because you don't like it? So you're the judge of good content? I'm not a fan of celeb news but it's a huge market and draw for readers online, so who am I to judge? There are billions of people with their own interests and needs; nobody gets to just set the baseline here. Yes, there are scams and fraudulent stuff and arguably 'low-quality' bits out there, but this exists in every field and is a constant battle. It doesn't mean we devalue everything because of it.


1) What I was talking about was Google being one exception to the rule. The thing is that at least with AdWords you get ads related to your search. When I am reading some news, the last thing I care about is whether I could be missing some opportunity to buy a car, or being bombarded with ads from Coca-Cola, or some possible tourist destination.

Ultimately, there is no problem to be solved when people are visiting whatever source of content they are going for. The people who tolerate ads in web pages do it only because they think it is the only way to get the content for free, not because of the value-add of the promoted advertisement.

2) Yes, the best thing about digital ads is the data... for the marketers. The producers get very little real benefit from it and in the end are put in an arms race by the marketing companies that tell them that the only way to keep their market share is by outspending the competition.

3 and 4) "We wouldn't have nearly as many sources on the Internet if it weren't for ads." That would be great, actually. We need more quality, not quantity. What you list as qualities ("quick, passive and requires no decision willpower") is exactly what brings the quality of the content down.

And yes, I am saying that the linked article is worthless. Not because I just don't like it, but because I seriously doubt that the "huge market" would actually vote with their wallets to get that kind of content produced.

We don't need ad money to fund something like Wikipedia. Conversely, ad money is what makes Buzzfeed, Gawker and Jezebel pass for journalism nowadays. And these are not even the worst around.

--

I truly believe that people accepting ads as a way to get content is one of the largest disgraces for society in the digital age. I like to make the analogy with the corn industry and the government subsidies since the 70's. People wanted to get "cheap" food, and all they got was externalized costs. Years later we got an obesity epidemic, huge costs in healthcare and corn-ethanol, which is energy net-negative. The Advertisement industry does the same thing for our culture, our education, our civic values (slacktivism) and the economy at large. This "just a business model" is morally bankrupt.


1) Ads work whether you care about them or not. Google isn't an exception to anything; they run ads and you either have a problem with ads or you don't. You're just more accepting of ad suggestions when searching since you're in a natural discovery mode, and Google is extremely relevant because you type your intent right into the search box; that's about as good as it gets.

2) The producers/manufacturers get all the data they want. Don't you think they know who's buying their stuff? The money comes from them to the agencies and ad networks so they will always know the most. And yes, marketing is a race because it works. They have to spend to get people aware and interested in their products and services. There's always a user acquisition cost, especially if you're competing with another company for the same user. It's not some made up thing. These companies aren't stupid. If they could do it without it they would.

3) Have you read the journalism that Buzzfeed puts out? They have an acclaimed hard news section and are partners with even the White House. They have several levels of content in depth and coverage, much like many other media companies. Again, YOU are not the judge of quality, and the mass market already spends lots of money on tons of things that are similar to what you claim is low-quality media. It's just not that simple to suggest that certain things somehow don't have value to someone else.

4) Wikipedia isn't a business. They don't do anything except host servers and have some developers building features. ALL of their content is user generated. No real business can work that way.

---

It's FAR better to have democratic and free access to content rather than tying it to direct payments and vastly limiting access and amount. That is going backwards to the entire intent of the internet and the spread of information.


You misunderstood what I said about Google. I still don't care about the ads shown by Google (I run my ad blocker just the same). What I meant is that at least you have a point that Google can be more effective, for the reasons you mentioned. And if that is "as good as it gets", why should we let other businesses take for granted that all they need is to get eyeballs and the ad money will come? It makes no sense.

Also... please, Buzzfeed partnering with the White House is a sign of "quality news"? The quote "If you want something in the paper, that’s advertising; you want something kept out, that’s news" comes to mind.

> It's FAR better to have democratic and free access to content rather than tying it to direct payments and vastly limiting access and amount. That is going backwards to the entire intent of the internet and the spread of information.

That is a false dichotomy. You can get free access to content without relying on ads as your revenue stream. Wikipedia is not a business and does it. Stackoverflow is a business and uses the careers site as the main revenue source. We don't need an "Ads industry" to have quality content.


1) Eyeballs = attention = what advertising is all about. Relevancy is a way to target to make best use of that attention but it's not required.

2) Why don't you actually read some of the BuzzFeed news: http://www.buzzfeed.com/news

They have writers from NYT and WSJ amongst others on their staff. Put aside your prejudice and actually see for yourself.

3) Wikipedia isn't a business, but their business arm Wikia makes all their money on advertising. StackExchange makes all their money on advertising (those job postings are ads and other banners on their site). However both companies are not in the content business because all their content is user generated. That's why they have no costs other than technical upkeep.

A real content business requires people to actually create that content so your examples aren't relevant. Sure we can replace everything with direct subscriptions but that doesn't scale and severely limits the access to and quantity of content available. Those are the facts in the industry, there's no denying that, no matter how much you hate ads.


>> Why don't you actually read some of the BuzzFeed news: http://www.buzzfeed.com/news

I did. Sorry to tell you, but they seem as "hard news" as CNN. It is infotainment. Most of the topics are still about what is popular, what can generate clicks and what can polarize. There is nothing in there that I feel I would pay to see investigated, studied or analyzed.

(1) and (3) The point I am trying to get across is that any kind of business is supposed to exist to support some kind of need for society. The "advertising industry" only fulfills any social utility when it manages to efficiently connect producers to their target consumer.

If to do that, it needs to steal attention from people, it is not doing its job properly.

If the "advertising industry" ends up providing a system that makes people consume only things from the producers with more capital, instead of the best product, then the industry is not doing its job properly.

If the "advertising industry" ends up creating as collateral a huge mass of well-educated people that depend on this "meta-work" of producing content that can pass for journalism or entertainment, then it fails to fulfill its social function.

>> Wikipedia isn't a business, but their business arm Wikia makes all their money on advertising.

Society benefits from something like wikipedia. I can donate $25/year like I do to Wikipedia, and hope that enough people will contribute to it to keep it running. Good thing that Wikia can bring some funds and not have to rely on many more people. But if Wikia ceased to exist, people can still find ways to keep wikipedia around. If society loses wikipedia, we would lose a lot.

Now, if for some reason Wikia was not being profitable, do you really think society would be worse off? Perhaps for historical and cultural reasons, it would be bad to lose it - just look at all the work from the archive.org people. But look at Geocities: do you think society is that worse off without it? Would we be worse off without Wikia?

>> Eyeballs = attention = what advertising is all about.

To come back to my point: I do believe that there are cases where businesses manage to provide the social function of advertising (establish a communication channel between producers and consumers), but this "produce content and try to monetize it" with ads is not one such case.

- The content that gets produced is of dubious quality (because the focus of the content producer is not in the quality of the content, rather how much of the people's attention it can grab)

- There is no real connection between content producer and the producer paying for ads. So content producers may end up becoming crap-pushers without even knowing.

- It makes for an uneven field for smaller producers. We live in an era where the cost of producing, processing and distributing information is almost zero. The balance of power could be completely in favor of the people. We HAVE the means of production of wealth in our hands. But because of advertising, we give this power back to the Capital owners. You describe your work as a "marketing platform for top brands". Let me tell you one thing: I WANT BRANDS TO BE DESTROYED. There is no real value in brands, except for the brand owners. They stifle innovation. They created consumerism as a lifestyle.

I am all for the free market and minimal intervention in business. But you state an equation like this one where "attention" is something that value can be extracted from WHEN IT IS NOT FUCKING YOURS! It is immoral and you don't even see it.


I'm sorry but at some point I can't take it seriously if you just discount everything as bad. So what's "good" quality then?

You also seem to have some idealistic idea of what advertising is. It's not some efficient marketplace to connect people. It is an industry about attention. And no it's not "stealing" as everything in the world competes for attention. It's more of paying to capture that attention as best it can. There is no greater "social function" here.

Society benefits from all things. Again YOU cannot judge this based on some random questions about Wikipedia vs some entertainment publication. The careers of those mentioned in that publication and their livelihoods and families certainly benefit from it so it's all relative and there's no right or ideal.

There might be misaligned incentives for some publishers choosing to maximize revenue (that's not the bad thing since they are businesses) by focusing on improving ad load rather than content. That doesn't mean there's something wrong with advertising, only that that business has become focused on selling ads rather than producing content.

The whole last part of your statement makes no sense to me. Destroy brands? Why? What's that do? Do you know what brands are? They are just reputations, but at a higher level for corporations and product lines. You should read this: http://www.economist.com/news/business/21614150-brands-are-m...

Attention can absolutely be extracted, it doesn't have to "belong" to someone because it's an abstract thing in itself. There is no "attention" tangible good. You have as much of it as you want. It's just a way to think of the value exchange. I'm not sure what you're so confused about but calling others immoral certainly isn't the way to prove your point.


> You also seem to have some idealistic idea of what advertising is.

When I mention a "social function", I don't mean a "public service". I mean in the utilitarian sense. Every economic activity has a social function. If you consider yourself to be living in a free society, for every kind of activity you do you are expected to provide some kind of good or service that is of interest of others. If it is considered to be beneficial only to one of the parties, it is not going to happen (unless it is done by force, but then we don't have an actual free society)

From brick layers to gas stations, from restaurant chefs to prostitutes, from Venture Capital Fund Managers to shoe makers to Hollywood. That is the case even to advertising. Advertising's "social function" is to inform the consumer public about what is available in the market at large, and to give to producers a chance to showcase their offerings. This may sound "idealistic", but it shouldn't be.

You seem to be focused on the "business" part of the things. As in "how to make money to keep that activity?" For society, this doesn't matter. If there is any other way to fulfill that need, the business is obsolete and can (should) go extinct or adapt into something else.

You have the arrows reversed: you want society to accept that the business needs to exist, and that it should change to support it. In fact, it is the business that needs to change to always support the needs of society.

Yours is the corporatist view. This view is what brings us the continued influence of RIAA and MPAA and DRM. It's what brings us poor-quality American cars. It is what brings "Food, Inc" thanks to subsidies in the corn industry. It is what brings us a society that is so drowned in "cheap" entertainment that leads to this dystopia we live in (https://en.wikipedia.org/wiki/Amusing_Ourselves_to_Death)

> Destroy brands? Why? What's that do?

I don't mean it in the sense of setting corporate places on fire. I mean in the sense of being able to convince people that most of the time, there is a "brand-free" version of a product that is of equal or superior quality but that costs less.

Think of things like consumer electronics: most of the audio equipment or LCD panels can be virtually the same, yet people are so bombarded by ads from the "reputable brands" that they can't even conceive of looking for an OEM factory.

Another example: at least in São Paulo I remember going to the mall and seeing "designer" jeans that would cost $100. Those jeans were produced in many different small shops around the city, spec'd by the "designer". The uncle of a friend of mine ran one of those shops. He would sell the "unbranded" version of the jeans for $15.

Another example: go to any supermarket, and you find "white label" products that are sometimes produced by the companies that produce the very same "branded" version. The contents can be the same, yet the branded one will cost more.

What is the benefit of "brands" in these examples? How are the advertising companies helping people in making better informed decisions?


"The ads aren't relevant" could just as well be an argument for better ad targeting.


Well, there's ads in the paper version as well. There aren't many ads, but they're there.

I believe that The Economist once explained that the digital and paper versions are equally priced, even if digital distribution is cheaper, simply because online/digital ads are worth less, a lot less.


There must be an error on that page. It is missing the part where they apologize and explain how they'll make sure that this never happens again. Oh, that part isn't there? Well...


As linked above:

http://blog.pagefair.com/2015/halloween-security-breach/

So, that part is there. Note that the site posted is not the site that was affected by the breach.


This is why you own your infrastructure.


For the Economist, yes. The attack on PageFair was by spearphishing an employee's email, so there isn't much owning your own infrastructure can do for that.


Sure it is... their external CDN account was compromised - no 2FA in place. Proper 2FA (read: 2FA reset key stored offline and safe, not done via mail) helps against spearphishing.


So for a business with their traffic needs, you'd recommend they do what? Buy up a bunch of physical locations all over the world and get some OC lines?

I'd be shocked if they could stay out of the red, even at their size. Your proposal would also kill virtually every startup that needs a website.


No, that is not what I would recommend, so please don't label it "Your proposal".

My recommendation was already stated: if you use any external CDNs, make sure you don't fuck up those accounts. 2FA is one thing to safeguard against account compromise. Subresource integrity would be the next step, it's coming soon or is already here.

http://caniuse.com/#feat=subresource-integrity


The problem with subresource integrity is that it ties you to one version of the code. That's fine for something like jQuery, but doesn't work in this case where you expect the code to change relatively frequently.


So then why was your response to

> so there isn't much owning your own infrastructure can do for that.

> Sure it is, ...

?


That's not really relevant here. Any company with compromised access to an important email account stands to have lots of trouble, regardless of tech or industry.


This is why we have 2FA enabled on mission critical systems these days.


Or use subresource security.



