
>It seems to me the ad providers would have a huge incentive to counter this narrative and to make damned sure ads are safe. I have no idea why that's not happening.

In the current model they have last-second auctions with the ad going to the highest bidder. It's hard to reliably screen them in that kind of situation. I find it quite scary to have someone not very tech smart download software without an ad blocker - you get one proper download link and about 10 ads saying "download here" linking to malware.



> I find it quite scary to have someone not very tech smart download software without an ad blocker - you get one proper download link and about 10 ads saying download here linking to malware.

Non-tech smart users? It's hard enough on some sites that your average cybersecurity researcher with a decade of experience is going to have a hard time!


And that's before you see the link is to sourceforge.net and it triggers a brain fault through recursive reasoning and rationalizing.


FWIW, after SourceForge was sold around 2016 it does not have malware anymore, and they added scanning to downloads. Also, they do not show any ads if you are logged in (though I do not know if this was done before or after the sale).


Good! Unfortunately for them, the world moved on, negative reputations are hard to shake, and they missed the ball WRT keeping up with the status quo of open source community repos.

The last piece of software I occasionally visited SourceForge to get was WinSCP, and actual SSH on Windows means I no longer need to do that (I was only ever using it because it was the easiest way to do it given no CLI option). 15-20 years ago quite a bit was on there though. It was the proto-GitHub which wasn't in any position to respond when GitHub came to prominence.


I don't see why it's hard. You screen admission of an ad to the auction "floor". Shady JavaScript/links? You don't get to compete.

Admittedly, this means you need an army of ad moderators, but that's not a hard problem. Social media giants already use an army of underpaid moderators for moderating their platforms, so it seems like it's just table stakes for running a platform. Screening ads should be a cakewalk compared to moderating social media.


That's not how it works. It's hierarchical. Someone with an ad to show doesn't send the ad to the web site that wants to show the ad. Instead it just tells that web site "I'll pay $.005 if you show my ad", then if it wins it serves the ad it wants to show. There's no time at that real-time auction to do analysis. The ad doesn't even need to exist as a fixed thing. It can be dynamically generated, tailored to the specific user (think of "Come back and shop with us" ads where they show you things you've looked at).


There are a lot more middlemen involved... and at any point they could make a rule that you can only use a certain set of HTML tags and image formats for your ads (none of which include scripts, of course).

That would prevent not only most exploits (especially once you re-encode the images), but also simple badly written ads that drive up CPU usage. But it's easier, and allows more middlemen, to simply allow the next party to hand you arbitrary code that may or may not be put into an iframe that may or may not be sandboxed.
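One way such an admission rule could look in practice, as an added illustration that is not code from anyone in this thread: an allowlist check over a creative's markup (fixed set of tags and attributes, https-only links, image-only src values, no script or event-handler attributes), with an accepted creative only ever handed to a sandboxed iframe. The tag scanner is a deliberately small regex pass for the example; the tag and attribute lists are assumed, not a real network's policy.

```javascript
// Allowlist the comment describes: a handful of markup tags, a few attributes,
// images only, and no way for the creative to carry code. All values assumed.
const ALLOWED_TAGS = new Set(["a", "img", "div", "span", "p", "br"]);
const ALLOWED_ATTRS = new Set(["href", "src", "alt", "width", "height", "class", "title"]);
const ALLOWED_IMAGE_EXT = /\.(png|jpe?g|gif|webp)$/i;

// Returns a list of policy violations; an empty list means the creative is admissible.
function checkCreative(html) {
  const problems = [];
  // Minimal tag scanner for the illustration (a real reviewer would use an HTML parser).
  const tagRe = /<\s*(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) { problems.push(`tag <${name}> not allowed`); continue; }
    if (closing) continue;
    const attrRe = /([^\s=]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const attr = a[1].toLowerCase();
      if (attr === "/") continue; // self-closing slash, not an attribute
      const value = (a[2] ?? a[3] ?? a[4] ?? "").trim();
      // Anything outside the allowlist (onerror, onload, style, ...) is rejected outright.
      if (!ALLOWED_ATTRS.has(attr)) { problems.push(`attribute ${attr} on <${name}> not allowed`); continue; }
      if (attr === "href" || attr === "src") {
        let url;
        try { url = new URL(value); } catch { problems.push(`${attr} is not an absolute URL: ${value}`); continue; }
        if (url.protocol !== "https:") problems.push(`${attr} must be https: ${value}`); // blocks javascript:, data:, http:
        if (attr === "src" && !ALLOWED_IMAGE_EXT.test(url.pathname)) problems.push(`src is not an allowed image type: ${value}`);
      }
    }
  }
  return problems;
}

// Attributes for the ad slot's iframe. The sandbox keeps the creative unable to run
// scripts or share the publisher's origin; clicks may still open a new window.
function adSlotAttributes(creativeHtml) {
  const problems = checkCreative(creativeHtml);
  if (problems.length > 0) throw new Error("creative rejected: " + problems.join("; "));
  return {
    sandbox: "allow-popups allow-popups-to-escape-sandbox", // no allow-scripts, no allow-same-origin
    referrerpolicy: "no-referrer",
    srcdoc: creativeHtml,
  };
}

// Constructed sample creatives (not real ads).
const GOOD_CREATIVE = '<a href="https://shop.example/deal"><img src="https://cdn.example/deal.jpg" alt="Deal" width="300" height="250"></a>';
const BAD_CREATIVE = '<img src="https://cdn.example/a.png" onerror="alert(1)"><a href="javascript:alert(2)">x</a><script>run()</script>';
```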


> Someone with an ad to show doesn't send the ad to the web site that wants to show the ad

In fact, they do. Creative review is part of most ad platforms. Contextual categorization isn't possible without knowing what the ad is about (and the content it's going to), to various degrees.


Google (and others) do screen ads; I think most of the insecure ads are served by smaller, less scrupulous ad networks.


If you want to make money on display advertising, you will grasp for whatever pennies you can get.

Google AdSense is not always the highest-paying option for a given impression.

There are entire companies that do nothing but figure out quietly, without the publisher's having to do anything, what will pay most at a given moment.


I agree with what you're saying, but want to clarify that you're talking about 'AdSense' (the display advertisements), not 'AdWords' (the search ads).


Oops.

I had already edited my post to change "DoubleClick" to "Google Adwords" and I got the product name wrong!


Google serves a ton of malware ads; they seem to consider it the responsibility of the users to report them.


IT: We are literally serving viruses to our potential customers.

Sales: We cannot change our processes, Bro! I mean Mr. CEO you don't want to lose money do you.

CEO: I like money. IT go see HR for your mandatory teambuilding course for harassment of the sales teams.

Sales: Thanks for taking care of that sir. See ya at the club tonight.


I would expect in a corporate environment, users aren't downloading and installing software.


In my personal experience, you would be incorrect in that expectation.


In a perfect world, yes, and any good IT department will lock down systems appropriately. But every sufficiently sized org, and many small ones, will have shadow IT. There is also the issue that much of the ware pushed through these channels actively tries to circumvent controls. It's not uncommon to find hapless users with adware on their system that managed to get around UAC and group policy. You can always lock down more, but security has to be balanced with productivity, and user education will always be an important part.


Depends on the corporate environment and the users.

As a developer in a corporate environment? I'm always downloading, installing, etc...


This is a weird narrative, aren't they approved ahead of time?



