Why does El Reg keep using Scripts from 'googleapis'
As a champion challenging tech Giants on everything from Slurp abuses to lack of Play-Store Malware checks, its puzzling... Reg-https took ages too!
The hijacking of CPU cycles through crypto-mining JavaScript code has surged over the past few days, according to security biz Trend Micro. The reason appears to be a distribution campaign that piggybacks on Google's DoubleClick ads that appear on YouTube among other sites. "We detected an almost 285 per cent increase in the …
The are doing that only for their font. A large percentage of visitors will have that font (served by that url) stored in their local cache, thus speeding up the initial site load. Nothing wrong with that.
However, El Reg also links to a googletagservices script, which is specifically mentioned in the article as being a vector for this crypto-mining thing.
> Trend Micro suggests disabling JavaScript in browsers
I would like to Whitelist Sites, and disallow Javascript by default.
Sadly NoScript isn't supported by Firefox 57 :(
And the UI of uMatrix is beyond confusing, what a mess. Well uBlock Origin has a bad UI too, but at least I rarely need to interact with it, it works fine most of the time. But uMatrix needs serious work on the UI side. NoScript is so much better and worked superb (previously).
And what about WebAssembly!? Can we get the browser creators to disable WebAssembly? It's a hot mess of untrusted bytecode, on-par with Java applet and worse than Flash applet in terms of a security loophole. Since Meltdown, Spectre WebAssembly should be marked as dead-end and disabled by default. And WebAssembly basically makes it possible to simply compile their CryptoMiner to the web. What makes it worse that Chrome 63 doesn't allow you to disable WebAssembly anymore, a big step backwards Google!
> UI of uMatrix is beyond confusing
Confusing?
It's a dropdown list that lists the sites (and the specific activity - cookies, XSS, frames, etc) that are trying to load. You just toggle to green (allowed) if you want to enable the scripts and other resources from that site (and hit the padlock if you want to save that permanently).
That's pretty much all there is to it unless you start delving into advanced usage like, e.g. allowing a site only allows specific subsets, e.g. no frames even if site allowed unless you also toggle the frame for that site to green (allowed).
I used NoScript for years, then moved onto Policeman then, on Vivaldi (which is a chromium-based browser), I went to uMatrix, after which I moved to that instead of NoScript on FF prior to 57.
And if those people had used adblockers then I doubt anything would have happened.
I've mentioned this recently, I'll do it again: adblockers should be placed at the same level as anti virus software. You may trust a website (or its owner), but you cannot know up front where the ads are coming from, as well as any associated extra garbage such as these mining scripts.
"And if those people had used adblockers then I doubt anything would have happened."
Yeah, no ad revenue would have happened . The internet would stopped turning.
on the other hand, Like ShelLuser said , ad sites should be treated as hostile.
How about you whitelist every site you go to , as go (scriptwise) , leaving the adsites restricted?
I guess there is a place for adblockers , once were the cowboys of the digital wild west letting people trample roughshod over the economic principles of the net , threatening the very freedom of free stuff etc . I see them becoming the policemen - keeping ads under control by resticting them to a jpg , or bit of html maybe.
I think adblock already comes with "Let the nicely behaved ads through" by default now.
Why do adverts need JavaScript? Why can't they just be static images like in the early days of the Internet? People are using Ad blockers because the adverts take up huge amounts of bandwidth and slow the computer down. Flash based ads are the worst. Those who use Pay as you go mobiles have to pay for every megabyte of data. So of course we are annoyed to be paying for the adverts that we don't want. Imagine those in other countries who are being bombarded with those adverts as well and have a hard limit on the bandwidth they can use.
So for those who insist on us to stop using Ad block technology, we are doing it to protect our computers. If you stick to static visible images with a link that does not follow you as you scroll down, then we will consider disabling ad block technology. Until then, we won't stop.
But if you stick to static visible images, how are you going to make your paid-for advertisement stand out over the paid-for content? And in the case of YouTube rather a lot of it seems to consist of "influencers" persuading their gormless peers to buy products they themselves were given free. I don't think you can expect any form of voluntary commercial moral restraint to survive in that environment.
It's a pity that HTML doesn't have a single-origin model where all content on a page has to come from the same source - it wouldn't eliminate abuse, but it would at least make the content-providers responsible for the advertising that appears on their sites and the costs of serving them.
"It's a pity that HTML doesn't have a single-origin model where all content on a page has to come from the same source - it wouldn't eliminate abuse, but it would at least make the content-providers responsible for the advertising that appears on their sites and the costs of serving them"
Ahh, but then you have the issue that you end up downloading the same jQuery/Angular/Whatever todays framework is javascript file for every site you visit rather than downloading it once from a CDN..
you end up downloading the same jQuery/Angular/Whatever todays framework is javascript file for every site you visit rather than downloading it once from a CDN
Good. I can then hold the publisher of the site responsible for any nasties in their code and not have to rely on the probity and security of some entirely unconnected third party.
But that would slow things down, you cry? Well, perhaps that might persuade the site authors only to include the code they actually need and can test and verify.
And of course if all responses had to go to the single origin too, then the publisher would be responsible for all the data they hand over to dubious analytics and tracking organisations, which might make them think twice. Sounds like a win all round.
"It's a pity that HTML doesn't have a single-origin model where all content on a page has to come from the same source"
The worst offenders are the so-called media site, newspapers, TV channels and the like. Scripts, advertisers, trackers, CDNs, sometimes as many as 30-40 different ones on a single page, all having to be connected to and some small bit of data downloaded, making page loads so slow it's ridiculous. And I'm on a 100Mb/s cable package. I remember when I first got broadband. 512Kb/s and it was stonkingly fast at opening web pages.
I am sure Coinhive could do more to stop people misusing its service. They could put a 30 day hold on payouts so that if any abuse reports come in the account payout is put on hold. They could also block the use of the old version of the script that doesn't let the end user switch off the script.
The problem here is that the advertisers, yet again, are using a platform that we are expected to "trust" to run random unvetted third party scripting in the course of supplying the advert. This is one of the many reasons why script blocking and advert blocking is the only safe option for modern browsing...
why are ads allowed to use JavaScript in the first place?
I guess because an ad is just a mini webpage stuck into the page you are reading , and therefore is entitled to all the tricks and scripts and frameworks that a webpage is.
If you could think of a way to restrict ads to jpegs only , then the advertisers would just disguise their ads as pages ...
And here is the reason I never whitelist or disable my adblocker and why I install it on every computer I work on. Advertisers have spent the last twenty years proving they can not be trusted and this is just one more nail in the coffin.
The only adverts that I'll tolerate are pure text or pure image with zero script behind them, until ad companies start using that, I'll keep blocking.
For years now I have gotten used to browsing with ads and JavaScript disabled, only (temporarily) whitelisting a URL when I absolutely need to use a feature on that site. Lots of websites do however simply not work without JS enabled, often displaying just a blank page or something equally useless.
With Meltdown and Spectre we saw JavaScript-based PoCs which can (potentially) steal private data, including passwords and the like. JS is also a common infection vector for malware, which most recently saw this crypto-coin mining thing become popular.
The last time that I felt that I could browse safely around without having to install a lot of filters to remove all the (dangerous) crud from today's WWW was probably somewhere in the late 90s.
Did the advertising thing just go totally overboard? Is it time to treat JavaScript-based sites with the same disdain as we did with Flash?
Yes, I too have active content turned off by default and have noticed the increasingly agressive posture on "you want to see our content then you must take anything our advertises want to throw at you".
Until everyone boycotts those sites that demand you accept what you clearly did not want then I only see things getting worse.
Those sites that consistently serve content I do want to see would be better setting up subscription based ad opt out via some other country ( the demands for The Private Eyes subscriber list are evidence that websites need to think ahead of they want to capture the anonymous viewer).
Yes, I too have active content turned off by default and have noticed the increasingly agressive posture on "you want to see our content then you must take anything our advertises want to throw at you".
Until everyone boycotts those sites that demand you accept what you clearly did not want then I only see things getting worse.
Those sites that consistently serve content I do want to see would be better setting up subscription based ad opt out via some other country ( the demands for The Private Eye's subscriber list are evidence that websites need to think ahead of they want to capture the anonymous viewer)
"The problem Google faces is that those abusing its systems rely on cloaking techniques to conceal the nature of the code and fake accounts that can be abandoned without consequence. As with email spammers, it's a game of Whac-A-Mole."
OK Im not particularly familiar with how the Google advertising system works, but i know that people who want to post an advert have to pay for it. That means they need to give Google payment details, be it a bank account or credit card. If it's a bank account, Google has the persons details. I mean Banks do not give out bank accounts without full details being obtained. So if there is something dodgy going on, give the details to law enforcement and ban that person from future advertisements. OK potentially credit card details can be stolen, but then Google would be missing out on the funding anyway once the owner of the card gets a chargeback, so they should surely have some other means of identity verification if you want to pay by card alone. So again Google should have a way to get personal details here.
Anytime money changes hands through official channels, if one party wants to, it should be able to confirm who the other party is. Or it's not trying hard enough and doesnt actually want to do anything that might jepordise some revenue.
I'm a little surprised that Google isnt taking this more seriously. Its entire empire is built on internet advertising, and if people stop trusting advertising on top websites like youtube, then its whole revenue stream is endangered.
Google's entire operating model has been to maximize the accumulation of data and then to maximally monetize that data while minimizing their liability relative to the accumulation and monetization. This pattern runs a long-term risk of damaging the "free" internet, but it gets them lots & lots of $ in the mean time. In the event that ad blockers & company start to go mainstream, Goggle can easily put together a model that establishes an accountability chain. In the meantime, "No one ever went broke underestimating the taste or the intelligence of the American public."
I think if ad blockers become the norm, ad agencies will simply relocate to Western-hostile countries and offer blocker-proof proxy services whereby blocking the ads blocks the contrnt, full stop, by making the site look single-origin. Wonder if it'll be time to abandon the Internet at that point.