As a mid-sized US manufacturer that recently went through a ransomware scare, we contracted with FireEye for remediation and cybersecurity consultation. I was shocked that they recommended we install ad-blockers as a corporate policy. I remarked ads are sometimes useful and that many local companies rely upon them (e.g., the local newspaper). I use an adblocker just to make the internet more usable, but I was reluctant to make that a corporate policy. I couldn't imagine there was any meaningful threat from malware in ads as every company from the Journal to the Times to Nordstrom would be screwed without ads. But FireEye insisted and we now have adblocking installed with the usual image. Wild times. I have to believe this is truly disruptive to the internet as we know it. It seems to me the ad providers would have a huge incentive to counter this narrative and to make damned sure ads are safe. I have no idea why that's not happening.
> as every company from the Journal to the Times to Nordstrom would be screwed without ads.
The ad industry had the opportunity and the ability to address this problem, but (for short-term reasons) they decided not to. This is the long-term result. They did this to themselves, and now they deserve to suffer the consequences, up to and including a fiery death for the industry as a whole.
Nordstrom, etc. don't need to suffer as a result of this, they can simply observe the online ad industry and make a decision about when to stop using it -- perhaps in favor of something new and different, or perhaps not. Print ads still work just fine.
The Times, etc. charge for access, are happy to sign you up via web form, but then force you to call them if you want to cancel. As far as I'm concerned, they shouldn't be running online ads at all anymore. If ad blocking becoming prevalent hurts them, too fucking bad.
Wasn't there some regular company who decided to delete all adsense/ad networks from their sites for a quarter and at the end of the quarter found no difference in ordering/sales, etc.?
> Wasn't there some regular company who decided to delete all adsense/ad networks from their sites for a quarter and at the end of the quarter found no difference in ordering/sales, etc.
> Online ads is snakeoil
No doubt in my mind. I helped start a webshop in 2009 and got to see it first hand:
We used a service called Kelkoo and according to their dashboard almost every customer we had came through them.
We were suspicious so we cut them out for a couple of weeks.
Turned out sales hardly dropped at all.
We had good luck with Google ads back then but I don't for a second think Google doesn't happily fleece advertisers:
As I've said a number of times before I have been targeted for scammy dating site ads for a decade, more specifically from around the time I started dating my wife and until our youngest was about a year old.
Google knows fairly well I'm a conservative Christian who has had no problem getting a date the usual way, but has had no issues showing me these ads, probably because they pay most per impression.
This was back when I felt I owed site owners to not enable adblock all the time so I tried a number of times to report the ads as irrelevant. Problem is, when I reported Polish girls as irrelevant, the next ad was for Ukrainian girls, then Thai girls, Chinese girls, Taiwanese girls, Filipino girls and I don't know what else until it went full circle and started on Polish girls again.
Not a bad word about people from those countries, but I was already married and Google knows very well since I look for family holidays, toys and food ideas for families with kids.
Point is it seems that relevancy doesn't count for anything now that advertisers pay for impressions instead of clicks.
>Google knows fairly well I'm a conservative Christian who has had no problem getting a date the usual way...
>...I was already married and Google know very well since I look for family holidays, toys and food ideas for families with kids.
It's interesting you describe Google as "knowing" information about you. Google may have the data, but a human did not read it to develop some understanding of who you are as a person. They just ran it through some software based on the targeting criteria they have.
I would guess that advertisers didn't set their ads to exclude married men who are Christian with children, just because that's a very specific profile to care about--they might just set it to target men of any age and be done with it. Or it's possible that married, Christian men with children are one of the most profitable targets for scammy dating sites, and either the site creator or the targeting software are going after them specifically.
Or it's possible someone else in his close circle was using a computer on his network that was looking for things that would trigger those types of ads. Cable DSL routers usually only have 1 dynamic IP.
It's just as likely that nobody was bidding for his target demographic, so the bottom feeding dating sites that take the cheapest of the cheap ad slots bought the top 20% of his screen for millipenny CPCs.
I have given it a thought, but it doesn't make sense to me:
Nobody wanted to target a well paid dev with small kids and holiday plans except the cheapest of the cheap?
The explanations I find more likely are either
- my account got grouped up with a demographic 14 years ago when I worked in an environment that certainly did have those kinds of signals and that signal was too strong.
- scammy dating sites like expensive credit cards pay extremely well and Google fudged their data to make me fit the criteria.
Lived with my wife and 5 kids, not many visitors, protected network. This went on for a decade even despite me trying to trigger other alternatives (search for WordPress hosting).
That's part of the snake oil. The dating site spent X dollars on ads and they expect people to see them no matter what. Google wants to pretend they have something better than simple TV/Radio mass advertisement campaigns but they don't.
The idea of targeted/effective/meaningful ads and taking as much as you can in advertising dollars from a customer are fundamentally at odds with each other.
I convinced my company with some custom dashboards I made to show with some adjustable slider reports (first React project I think I did) that even with favorable metrics the cost/value ratio just wasn't there. They ended up stopping the spending and of course no change in sales. Saved the company a couple million a year.
Even better than this, large sites have found they actually made more from non-targeted ads [1]. Same for the NYT - revenue continued growing after turning off ad exchanges for European visitors [2].
There's also the question around whether the levels of fraud mean companies buying targeted ads are ever getting what they paid for [3] - Uber cut $120m of $150m ad spend without any impact on installs (which is what they were trying to drive)
It was Uber in its early days. I recall a blog post from their chief marketing officer(?) at the time.
The gist of it was - they accidentally disabled digital advertising for a few months and found that disabling it had no effect on the metrics they were tracking.
I’d imagine results like yours would vary wildly industry to industry.
For example, any old-people products would greatly benefit from the typical inability of the old to install ad-blockers in the first place (nothing against the old, of course).
I wouldn't be surprised if over the time span of a decade, companies which invested significantly into online ads would have gone out of business entirely, and those that didn't even use online ads would still be around.
As a conjecture, it's possible that online ads is anti-commerce - as in those who put money into it die. Over the last 10 years, it's very obvious that internet focused non-tech companies do very poorly in the long run.
> The Times, etc. charge for access, are happy to sign you up via web form, but then force you to call them if you want to cancel.
Check your state and local laws. It is illegal in California. If they have the means to provide signing up for service online, they are required to provide the same way for cancellation under California law.
Change your address to California and you should see a section to cancel your subscription.
Advertising is a gross inefficiency on the economy. To achieve market balance you need to make sure consumers are aware of your product - back in the day this was rather difficult since there was no central repository of all knowledge. Now that we've got the internet though... this is unnecessary to achieve a healthy level of company growth.
However, if you want to cannibalize an industry's profit margins to squeeze in front of your competitors, advertising in many forms will remain productive. I think we almost need a cartel-like system that says "Okay video card manufacturers - enough with the advertising... nobody impulse buys video cards so each sale you gain through advertising is just coming from one of the other company's pockets (or your own)."
If we actually had powerful consumer-laborers (imagine if employers applied to you! Or there was a central labor marketplace and the market cleared! What a foreign world.) companies would have no money left over for ads as they were too busy competing on product quality with low margins.
I'm pretty convinced the marginal value of ads to most companies is shit, but this is a rat race that chronic low aggregate demand has forced them to partake in.
As someone who worked on/with the ad serving stack, I agree with FireEye's stance on this one.
The problem is this: ads are basically browser-injection-as-a-service, as in injecting code into websites of your choice, targeting audiences of your choice. Browsers mitigate this problem somewhat by sandboxing cross-site stuff in the webpage, and ad networks theoretically scan the payloads for malware like miners, but those tests aren't hard to work around. So ads can basically run whatever they want within the little aperture of an iframe that they get.
If there's a zero-day like the Internet Explorer JPEG renderer zero-day (https://www.kb.cert.org/vuls/id/965206), then the ad networks are basically broadly targeted zero-day-as-a-service.
Ad blockers aren't a bad first line of defense for this.
>It seems to me the ad providers would have a huge incentive to counter this narrative and to make damned sure ads are safe. I have no idea why that's not happening.
In the current model they have last second auctions with the ad going to the highest bidder. It's hard to reliably screen them in that kind of situation. I find it quite scary to have someone not very tech smart download software without an ad blocker - you get one proper download link and about 10 ads saying download here linking to malware.
> I find it quite scary to have someone not very tech smart download software without an ad blocker - you get one proper download link and about 10 ads saying download here linking to malware.
Non-tech smart users? It's hard enough on some sites that your average cybersecurity researcher with a decade of experience is going to have a hard time!
FWIW, after SourceForge was sold around 2016 it does not have malware anymore and they added scanning to downloads. Also they do not show any ads if you are logged in (though I do not know if this was done before or after the sale).
Good! Unfortunately for them, the world moved on, negative reputations are hard to shake, and they missed the ball WRT keeping up with the status quo of open source community repos.
The last piece of software I occasionally visited SourceForge to get was WinSCP, and actual SSH on Windows means I no longer need to do that (I was only ever using it because it was the easiest way to do it given no CLI option). 15-20 years ago quite a bit was on there though. It was the proto GitHub which wasn't in any position to respond when GitHub came to prominence.
I don't see why it's hard. You screen admission of an ad to the auction "floor". Shady javascript/links? You don't get to compete.
Admittedly, this means you need an army of ad moderators, but that's not a hard problem. Social media giants already use an army of underpaid moderators for moderating their platforms, so seems like it's just table stakes for running a platform. Screening ads should be a cakewalk compared to moderating social media.
That's not how it works. It's hierarchical. Someone with an ad to show doesn't send the ad to the web site that wants to show the ad. Instead it just tells that web site "I'll pay $.005 if you show my ad", then if it wins it serves the ad it wants to show. There's no time at that realtime auction to do analysis. The ad doesn't even need to exist as a fixed thing. It can be dynamically generated tailored to the specific user (think of "Come back and shop with us" ads where they show you things you've looked at).
There are a lot more middlemen involved... and at any point they could make a rule that you can only use a certain set of HTML tags and image formats for your ads (none of which include scripts of course).
That would prevent not only most exploits (especially once you re-encode the images), but also simple badly written ads that drive up CPU usage. But it's easier, and allows more middlemen, to simply allow the next party to hand you arbitrary code that may or may not be put into an iframe that may or may not be sandboxed.
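The admission rule proposed above (a fixed set of tags and image formats for creatives, re-encoded before serving, so the "injection-as-a-service" aperture described earlier in the thread never carries script), as an added example that is not code from this thread or from any ad platform. It assumes a reject-the-whole-creative policy rather than stripping, and because Python's html.parser is not a browser parser, only the re-serialized markup is kept, never the bidder's original bytes.

```python
"""Allowlist screening for ad creatives (added example, not any ad platform's code).
A creative passes only if it is built from a small set of tags and attributes,
with https URLs and bitmap image formats; accepted markup is re-serialized so
the bidder's original bytes never reach the page.  Assumed policy: anything
outside the allowlist rejects the whole creative instead of being stripped."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_ATTRS = {                     # tag -> attributes an ad may carry
    "a": {"href", "target", "rel"},
    "img": {"src", "alt", "width", "height"},
    "div": set(), "span": set(), "p": set(), "br": set(),
    "b": set(), "i": set(), "strong": set(), "em": set(),
}
VOID_TAGS = {"img", "br"}
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".webp")   # no .svg: it can carry script


class CreativeScreener(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.violations = [], []

    def _url_ok(self, tag, value):
        parsed = urlparse((value or "").strip())
        if parsed.scheme != "https" or not parsed.netloc:
            return False              # rejects javascript:, data:, relative URLs
        return tag != "img" or parsed.path.lower().endswith(IMAGE_EXTS)

    def handle_starttag(self, tag, attrs):   # tag and attr names arrive lowercased
        if tag not in ALLOWED_ATTRS:          # script, iframe, object, svg, style, ...
            self.violations.append(f"tag <{tag}> not allowed")
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS[tag]:  # on*, style, srcdoc, ...
                self.violations.append(f"attribute {name} on <{tag}> not allowed")
            elif name in ("href", "src") and not self._url_ok(tag, value):
                self.violations.append(f"bad {name} on <{tag}>: {value!r}")
            else:
                kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):             # also reached for <br/> style tags
        if tag in ALLOWED_ATTRS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))         # text is re-escaped, never copied raw

    def handle_decl(self, decl):              # <!DOCTYPE>, <![CDATA[, <?xml in a snippet
        self.violations.append(f"declaration not allowed: {decl[:20]}")

    unknown_decl = handle_decl
    handle_pi = handle_decl


def screen_creative(markup):
    """Return (clean_markup or None, violations); serve only when violations is empty."""
    s = CreativeScreener()
    s.feed(markup)
    s.close()
    return ("".join(s.out) if not s.violations else None), s.violations
```

HTML comments are dropped by the parser's default handler, and a rejected creative's violation list is worth logging against the bidder, since repeated bad creatives are a signal about the source, not just the ad.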
> Someone with an ad to show doesn't send the ad to the web site that wants to show the ad
In fact, they do. Creative review is part of most ad platforms. Contextual categorization isn't possible without knowing what the ad is about (and the content it's going to), to varying degrees.
In a perfect world yes and any good IT department will lock down systems appropriately. But every sufficiently sized org, and many small ones, will have shadow IT. There is also the issue of much of the ware pushed through these channels actively tries to circumvent controls. It's not uncommon to find hapless users with adware on their system that managed to get around UAC and group policy. You can always lock down more but security has to be balanced with productivity and user education will always be an important part.
The ad industry has known about their fraud problem for years, at least since 2015--and they did little to nothing about it. I don't have much sympathy for them.
If the threat you're seeking to mitigate is malicious ads ("malvertisements,") then you could easily pass that burden to the ad networks themselves. I think it's extraordinarily rare for a website to sell "banner space" instead of just throwing in an AdSense snippet or similar.
"They don't have sarcasm on Betelgeuse, and Ford Prefect often failed to notice it unless he was concentrating."
-- Douglas Adams
It turns out that sarcasm is sometimes not obvious to everyone. My apologies.
You are correct. They cannot be trusted. The entire history of advertising and advertisers is evidence that they cannot be trusted. They cannot be trusted to self-regulate, to follow voluntary codes, or even to form an industry regulating body (sorry, UK, you know it's true).
And yes, Google is an advertising agency... which spends up to $20MM a year on federal lobbying.
> I was shocked that they recommended we install ad-blockers as a corporate policy.
It's solid policy. The problem with ads in this regard is really that they allow random strangers to run code on your machine. That's never a good security practice.
Imagine I only visit websites like the New York Times.
If an evildoer with a browser 0-day wants to target me, without an ad blocker any of a thousand companies can pay a few cents to have their javascript served to me. If I run an adblocker, there are a lot fewer ways to get their code in front of me.
A statistical argument, in other words - that being exposed to code from 10 vendors is safer than being exposed to code from 1000 vendors.
Yes, it is. Which is a pretty large problem, and is why I don't allow JS to execute by default. I do whitelist specific things if the need is great enough.
Do you suppose it is possibly more true for ads? There's "well, technically, yes" and then there's "which is the more realistic threat, an ad network or the JavaScript that the NYT serves up?"
My Grandma has DNS level ad blocking enabled. Why? Because her ISP home page (her 20 year strong default as well as login for email/etc) used to run ads when a page was left open for a while. She'd unlock her laptop to find full on porn ads running full screen with no way to click away without quitting the browser.
So now she runs ad blockers galore and pihole across all devices. So far no porn ads in her email.
And no I did not ask if any of her browsing behavior would lead to such ads. She's a tiny old blonde Christian lady that...wait also a church donation site gave her porn ads too. Maybe I should avoid checking her history.
So yes, do enforce ad blocking on your network, if able. It will save a few calls and probably embarrassment as well.
I laughed so hard when I read this post. And I assume it is all true. What a sad state of affairs! I can only imagine the amount of spam calls she gets to her phone.
I tried turning off my Adblocker in 2012 to better support newspapers and whatnot. One of the sites I visit regularly immediately loaded something that my antivirus quarantined.
Go to Edge or Chrome without an ad blocker and do a search for software or something. You will get adware, malware, and outright wrong suggestions for the first ten results. Google AdWords does not directly host malware typically, but the sites behind them do. Phishing is trivial to pull off. I believe, as a matter of actual national security, online advertising that is deceptive or leads to deceptive locations should be illegal. I want to see heads roll when I get fake "download" buttons when trying to actually download an image for work.
> I couldn't imagine there was any meaningful threat from malware in ads as every company from the Journal to the Times to Nordstrom would be screwed without ads.
It's almost always not the big sites that have malware in their ads, but the shadier parts of the Internet --- which people may inevitably need to visit at some point, even deliberately.
I wouldn't be surprised if they started recommending you whitelist JS next. That would be really "disruptive to the internet as we know it" --- and might actually make things better overall, as in returning to static text/image ads and pressuring sites that have no business being a SPA to go back to static content. Of course, I suspect the huge company whose name begins with G would not like that at all and will try its hardest to fight against it.
Having client installed malware detection would be the step after blocking ads. Whitelisting JS would make 90% of the contemporary Internet, including essentials like Gmail and Office365, unusable.
It wouldn’t make Gmail and Office365 unusable because they would be whitelisted. Nothing on the top-20 list you can come up with would be affected because those things you can think of from the top of your head would be things IT would also think of from the top of their head and whitelist it. The long-tail of sites is where the real impact would be in my opinion.
I do this -- I use uMatrix and effectively whitelist JS. The net result is that you realise how a) websites work, b) fecking annoying Cloudfront and gCaptcha are and c) Facebook is everywhere.
No way in hell I'd recommend this to anyone who isn't tech aware though.
Plenty of organizations run local DNS servers, you'd think it wouldn't be a big stretch to start adblocking at that layer (though doing it on the client does allow for more fine tuning).
> I have to believe this is truly disruptive to the internet as we know it.
Maybe so. And maybe I'm all right with that. The ad-supported internet has turned into the ad-on-every-square-inch internet. We get lots of great content for free, but the amount of ads are overwhelming, distracting, annoying, and eventually disgusting. (Not necessarily the content of the ads, just the volume.)
Back to security: We have come to the place where really interesting content that asks you to turn off your ad blocker is now a phishing vector.
True! But I also feel like local newspapers would be more likely to put the word 'ad' in the name of their advertising jpegs, in which case adblockers would still pick them up.
Why can't the site just show ads directly from their domain? It'd be hard to block ads without blocking content then.
Many websites used to just run ads that were directly negotiated and paid for by the company. E.g.: Plenty of Fish used to do that and they sold for $575M.
You can add the local newspaper to the adblocker whitelist, if it uses standalone ads like distrowatch, instead of an ad network. But keep scripts disabled there.
> It seems to me the ad providers would have a huge incentive to counter this narrative and to make damned sure ads are safe.
Ad providers? You mean Google which provides the majority of the ads. I’m really surprised Google hasn’t done more here when major security companies are recommending denying Google their primary source of revenue.
I have used Google Ads, and think the ads themselves are quite secure; I am less certain about the advertiser websites (though it seems Google does some sort of link-testing/screening). What are you suggesting Google has failed to do?
I think the problems with ad security are on smaller platforms/networks which are willing to host less-secure ads, and I'm not sure what Google could do about them.
They are the leaders in the industry. To my way of thinking, if the recommendation is to block the entire industry as a whole, they are simply not doing enough.