Malware menaces poison ads as Google, Yahoo! look away

Online advertising has become an increasingly potent threat to end-user security on the internet. More hackers than ever are targeting the internet's money engine, using it as a powerful attack vector to hide exploits and compromise huge numbers of victims. Malvertising, as poisoned ads are known, is as deadly as it is diverse …

  1. Anonymous Coward
    Pirate

    Fuck us.

    Yet another illustration of why we NEED granular 1st/2nd/3rd party controls for all content/MIME types built into browsers. allow-all/allow-but-blacklist/block-but-whitelist/block-all preferences for images/canvas/cookies/scripts/video/whatever. Simples.

    This wilful, contrived ad-slinger sponsored browser/web privacy & security clusterfuck HAS GOT TO BE BROUGHT TO AN END

    Yes it'd allow us to "break" some "features" of some websites (which are doing it WRONG) - that's the FUCKING POINT. I WANT to be allowed the ability to "break" the bastards' shit, if I choose to.

    https://support.mozilla.org/en-US/questions/1002062

    https://bugzilla.mozilla.org/show_bug.cgi?id=94035

    etc..

    /EADON-mode

    (yes, watching (and sometimes, back in my more naïve years, bashing my head against) this "game" has been one of my pet hates for the last FIFTEEN FUCKING YEARS)

    1. Anonymous Coward
      Anonymous Coward

      Re: Fuck us.

      Until the malvertisers start using the actual source websites as proxies, making them indistinguishable from the actual desired content. Then what?

      1. Anonymous Coward
        Pirate

        Re: Fuck us.

        It's an accountability/liability thing. Always has been.

        GigaBEEEEELION ad-slinger corporation spending loose change on twisting the arms "sponsoring" every browser project it can find to fuck up their security designs is their glorious capitalist duty... and it's certainly not their fault if when random third parties then use the situation to fuck us all over.

        However...

        Should some gigaBEEEEELION ad-slinger corporation start forcing malware from its servers into my browser, then it's cla$$$$ action time.

        Problemoid solved.

        The advertisers/miscreants will and do use the MOST AGGRESSIVE (sadly i.e. effective) mechanisms available to them. That's inevitable. Human nature. It's a sort of arms race. Taking away their bloated-cow-corpse loaded trebuchets and giving them all fiendishly sharp guava slices instead would NOT be the end of the world. Much as they'd squawk about it at the time. They could and would all simply fight on heroically with those guava slices. And what bliss it would be.

        This clusterfuck is NOT how it must be.

        This clusterfuck is NOT how it could have been.

        This clusterfuck is NOT how it need be tomorrow.

    2. BlartVersenwaldIII
      Black Helicopters

      Re: Fuck us.

      > Yet another illustration of why we NEED granular 1st/2nd/3rd party controls for all content/MIME types built into browsers

      As much as I admire and agree with your sentiment... don't hold your breath. What with recent events...

      * W10 private-info slurping on by default, almost impossible to turn off without using a separate firewall, even if you're prepared to pay for your OS

      * Continued erosion of Firefox, the most popular open source browser, at the expense of slurping Chrome. Add to that the soon-to-become-extinct extensibility features used by a great deal of the add-ons.

      * Native advert-loading and tracking features being built into most major OSes

      * Opera, which had pretty nice content blocking natively (allowing javascript/plugin content on a per-domain basis was a great feature) has gone the way of the dodo, Vivaldi seems to be carrying on the tradition of a browser with actual features but nowhere near ready yet

      * ISPs getting in on the act and modifying traffic to include per-user identification in HTTP headers

      * Numerous companies providing "free" wifi and either data-mining them or injecting adverts into unencrypted connections

      * Resistance to non-backdoored encryption and firmware from governments and corporations

      * Seeming complete inability for most customer-focused companies to ship firmware with security better than "don't look at it funny"

      Best case scenario: people finally realise that most people hate advertising and that it doesn't really work, at least not for the vast amount of money being spent on it. Result: ad companies' security gets even worse, adverts and data-mining become even more aggressive.

      Worst case scenario: ad companies and sundry data miners somehow earn vast coinage from exploiting their knowledge of your private info, resulting in a big pool of money being available to websites that promote advertising and data mining and better techniques to do it. Much of the web becomes essentially impossible to use for people using ad/script/tracker-blocking software and such outcasts become the new "That Weirdo Who Doesn't Have A Facebook Account And For Some Suspicious Reason Doesn't Want The Police Putting A Camera In His House".

      Now that all the pieces are being put in place, I think advertising and privacy is going to turn into a war zone soon.

      This unhealthy dose of paranoia brought to you by Fukitol Antidepressants.

  2. oldtaku
    Meh

    Thanks for this in-depth look. It's the reason I run Ublock and NoScript even on sites I like, no Java, no Flash. Can't trust their ad network at all - not their fault, but whoever they're using for ads is less cunning and evil than the Russians (even Google) and nobody's really doing much about it because they just don't care that much. This article just really drives that home.

    In addition, even the non-malware ads are so bad as far as terrible scripts and bloat (like the Verge's 1000:1 crap:content ratio) that whenever I run without blockers on other people's crapboxes it's a whole new, terrible ghetto web. How can you people live like this?

    So subscriptions and Patreon are all I'm willing to do. Think about it, Reg.

    1. Neil Barnes Silver badge

      Exactly.

      There are half a dozen sites I'd cheerfully pay some small token value to use, and a hundred million I'd not miss if they never showed again. Twenty two billion in lost advertising revenue? My heart bleeds... I suppose they could always get a proper job?

      As before: shouting at me doesn't make me want to buy your product. If I want something, I'll search for it.

      1. Stuart 39

        Such tech already exists

        This long standing problem was fixed in a way by Flattr. Basically you load up your Flattr account with the amount of money you wish to spend in a month to reward sites. Each site that supports Flattr has a "thing" where you can decide what percentage of that monthly payment you want to go to the site in question.

        At the end of the month, the money in your accounts gets apportioned on the % allocated. Good idea, but it doesn't seem to go big because at the end of the day people are not prepared to pay if they don't have to. Sad but true. Someone has to pick up the bill for all this lovely content written by the authors or they would starve.

        1. asdf Silver badge

          Re: Such tech already exists

          >Someone has to pick up the bill for all this lovely content written by the authors or they would starve.

          Or they can do what most modern media has done and become TMZ click bait 7 reasons why Justin Bieber ass humps your mom. Cost is much lower (because no real content).

    2. Anonymous Coward
      Anonymous Coward

      "In addition, even the non-malware ads are so bad as far as terrible scripts and bloat (like the Verge's 1000:1 crap:content ratio) that whenever I run without blockers on other people's crapboxes it's a whole new, terrible ghetto web. How can you people live like this?"

      Because more and more websites are making them a requirement just to see the content. They'll either redirect script-blockers to "TURN JS ON, DAMNIT!" pages or simply make the scripts a prerequisite to loading the actual content, leaving you a blank page instead. Sure, one can always walk away, but if it's the ONLY source of the content you want (say, an obscure driver), that means going without which may not be an option.

      1. GrumpenKraut Silver badge

        > ...ONLY source of the content you want (say, an obscure driver),...

        Use one browser with crap turned off for daily surfing, have another browser with settings at "fuck me harder" to download from terminally stupid vendors. That's what I do.

        1. Anonymous Coward
          Anonymous Coward

          And that becomes the proverbial foot in the door, according to the article. One little slip, one necessary evil and the dark side comes rushing in. It's increasingly becoming a case where the ONLY way to get what you need is to bend over.

          1. Doctor Syntax Silver badge

            "And that becomes the proverbial foot in the door"

            Run it from its own VM that you fire up for the purpose and hose down when you've finished with it. Of course you still have to trust whatever you downloaded from it but you had that problem any way.

            1. Anonymous Coward
              Anonymous Coward

              And of course there's the possibility of a hypervisor attack that can break out of a VM...

              1. Destroy All Monsters Silver badge
                Paris Hilton

                And of course there's the possibility of a hypervisor attack that can break out of a VM...

                From JavaScript to out of the VM?

                This is like worrying about Iran's quasi-nonexistent self-repudiated nuclear program that is being inspected anyway.

                Not all attack paths are realistic. For more on this, see "Independence Day" (Roland Emmerich, 1996)

  3. Anonymous Coward
    Anonymous Coward

    Any industry that uses "creative" as a noun can die in a fire as far as I am concerned.

    And yes, echoing oldtaku, if El Reg were to solicit subs, I'd pay up. But it hasn't, so I don't.

    1. Bronek Kozicki Silver badge

      I'd pay as well, and there even is one thing that ElReg could offer me in exchange for my money: a daily copy of all articles in the form of Kindle news subscription, just like I receive other newspapers. Just something to read on my commute to work.

      I know it sounds like favouritism towards Amazon, however I have nothing against such a daily news delivery mechanism made available on other platforms/vendors where such paid-for news subscriptions are available. It's just that I already happen to use Kindle for my daily news review. I also know I could use Instapaper to scrape ElReg articles and copy them to my Kindle, but I'd rather let ElReg earn some money by preparing this for me - and making it appear just as a regular news from one source (called "The Register", rather than Instapaper).

      Even better if sister site ThePlatform implemented such a mechanism as well, they have some very interesting articles which I'd very much prefer to read on an ebook than from large screen (and I do not like wasting paper on printouts). Preferably at different time of the day than ElReg one, giving me something to read on the other direction of my commute ;)

      1. Ledswinger Silver badge

        I'd pay as well,

        That's as maybe but there's two problems here.

        First there need to be enough people who will actually pay - the evidence is that many won't. And with the Reg, half the value is from the joy of being an unpaid member of the Commentariat. If they think I'm paying for the privilege of writing and reading stuff like this, they've got another think coming.

        Second, you need the content owner to stick by their side of the bargain, and offer you completely advert and spyware free content. I'm not sure I can claim any evidence here, but I'll wager that very quickly you'll be seeing "content from our trusted partners, tailored to your interests", and then you're in the bind of both paying for the content, and having the malvertising hosed even more specifically at you. I very much doubt that the content behind Murdoch's paywalls is advert free.

        1. Bronek Kozicki Silver badge

          The thing is that Kindle edition of a newspaper is quite limited format - it would be difficult to put any ads into it. Well, at least in the edition that I can read on Kindle Paperwhite. And if they do that after all, I can cancel my subscription, shed a tear or two, and go back to reading on large screen.

        2. Antonymous Coward
          Gimp

          OK Ledswinger, I'll bite...

          "And with the Reg, half the value is from the joy of being an unpaid member of the Commentariat. If they think I'm paying for the privilege of writing and reading stuff like this, they've got another think coming."

          So, if you refuse to pay for things that bring you joy, what DO you pay for?...

          (moot curiosity: upvoted regardless)

          1. Ledswinger Silver badge

            So, if you refuse to pay for things that bring you joy, what DO you pay for?...

            To be fair, I'm paying at the moment by not blocking adverts too aggressively, and in smaller part by my written contributions (as you are). If the Reg weren't making money they'd go bust, and there'd just be a "For Sale" sign up on the domain. But it's difficult to have sympathy with those content owners who unfortunately have happily embraced the dark side of the force, preferring to take the money and ask no questions.

            What do I pay for? Anything that I value and need to pay for. But not always financially, and sometimes the price paid is low. You will follow that, as will all commentards, but we're the minority. In the case of Windows 10, punters are lapping it up because either they mistake a £0 price for free, or because they set no value on their own privacy. Microsoft, on the other hand, must have a very good idea of the worth of a user's privacy - and based on prior OS pricing it must be a present value of around £70.

            1. bep

              Paying for content

              My views on this have changed in recent months. Partly it's to do with the Playstore, where you pay a couple of bucks for the 'Pro' version and the ads go away (not talking about tracking etc here, just the ads). Google has prepared the ground by getting people to pay a little so we don't see ads, and in that respect they may have done everyone a favour. I think sites like El Reg should have another look at the subscription model, but the price has to be right and the quid pro quo is strictly no tracking and no ads.

            2. J 3
              Mushroom

              To be fair, I'm paying at the moment by not blocking adverts too aggressively

              I was too, until recently. As said in the bootnote to the article, and I agree, these sites need some revenue source. But I got fed up with The Register locking up my Firefox browser, sending RAM usage through the roof, stuff like that. I don't visit the site too regularly, so I can't estimate when it really started, but I first saw it happen in mid-August, I believe. If I loaded an article and very quickly pressed ESC to stop the loading, whatever code that was going to be loaded did not have time to load, and I could read and not have the browser lock for minutes at a time (until it showed a dialogue about that, which was useless). If I wasn't so agile, then I was screwed. In all article pages here.

              So I installed NoScript, and that problem disappeared. The footer bar right now says that it blocked 20 scripts. Really? WHT? I know some are for El Reg's own operations (the page looks and behaves differently in some little aspects), but come on...

              My daily online newspaper of choice (where this locking problem sometimes also occurred) is even worse: I see between 50 and 80 blocked scripts reported by NoScript. This MUST end, really.

              "The Register for its part goes to some length to pull ads from reputable entities."

              OK, but even if they are "reputable", in the sense that they are not serving purposeful malware... do they know how to code, or are their scripts going to lock my browser if I have the misfortune of trying to read an article here??

        3. Androgynous Cupboard Silver badge

          +1 for "Commentariat"

          Work "democratic" in there and you can have another.

  4. Pascal Monett Silver badge
    Holmes

    Looking at the problem backwards

    From this article I gather that the ad system is basically anyone foisting a program on ad companies who then push it out via Google (mostly).

    This is the easy way to do it, and puts all the tools in the hands of the entity making the ad, giving scum the possibility to wreak havoc like they are.

    So take the tools away from the ad makers and put them in the hands of the ad companies. Create a PHP-like ad-creation language. Ad makers will have to submit the code and content for their ads, and the ad company will be in charge of vetting and "compiling" the two into an actual ad before pushing it out. Simulators can be made to allow the ad maker to be sure that it will display as intended.

    In doing so, we do away with every single security nightmare we currently have without having to change a major part of the current infrastructure.

    I'm sure it's not difficult to do.

    1. Ralph B

      Re: Looking at the problem backwards

      Maybe that's what we'll get from Apple after their content blocking tech comes into play. Maybe the iAds that they (presumably) won't block will be better vetted than the malvertising that Google currently let through.

      There's hope for this, since the iOS apps are certainly better vetted than Android ones.

      Google et al certainly need to get their houses in order on this. They could get away with it while no-one else is doing it better, but that time is running out. Thankfully.

    2. Anonymous Coward
      Anonymous Coward

      Re: Looking at the problem backwards

      But that will take, labor, and most importantly money. Try getting this plan past the accountants...

      Not to mention the legal department may be up in arms since doing it this way means they become the scapegoat and the potential target of lawyers if something goes wrong like a rogue insider.

      1. Ralph B

        Re: Looking at the problem backwards

        > But that will take, labor, and most importantly money. Try getting this plan past the accountants...

        But the same argument can be made for vetting the apps. Having apps that can be trusted not to contain malware is a good sales argument for the platform. Same for the ads.

        Developers pay Apple for vetting for entry to the App Store. Same for the ads. (Or it will be, if content blocking makes iAds the only show in town.)

        1. Anonymous Coward
          Anonymous Coward

          Re: Looking at the problem backwards

          "But the same argument can be made for vetting the apps. Having apps that can be trusted not to contain malware is a good sales argument for the platform. Same for the ads."

          No, because like with the ISPs as long as they're not acting in any kind of gatekeeping capacity they can always scapegoat and say, "Not our problem. Go after whoever made the ad." Remember, businesses carry a fiduciary duty to minimize risk, and legal responsibility is a risk.

          1. Ralph B

            Re: Looking at the problem backwards

            > No, because like with the ISPs as long as they're not acting in any kind of gatekeeping capacity

            And yet they (Apple) are acting as a gatekeeper for the apps, and are reaping the profits from having a more trusted platform. If they did the same for ads they would increase that trust and thereby increase their profits.

            1. Charles 9 Silver badge

              Re: Looking at the problem backwards

              The counter is that only a company like Apple, who has a uniquely sirenesque appeal (Apple's sorta like the Carrot Ironfoundersson of the computing world; you can't help but like the guy even with his strength and other quirks), could pull something like that off. Anyone else, and as Detritus would say, "We look in gutter for our heads..."

          2. td97402

            Re: Looking at the problem backwards

            "No, because like with the ISPs as long as they're not acting in any kind of gatekeeping capacity they can always scapegoat and say, "Not our problem. Go after whoever made the ad." Remember, businesses carry a fiduciary duty to minimize risk, and legal responsibility is a risk"

            I dislike people who spout legal premise like they're lawyers. Be that as it may, here are my two cents. ISPs get a pass as they fall under "common carrier" rules (at least in the U.S.). They are simply the "phone line" between you and the content publisher. Individual web sites and ad networks have no such protections. They are publishing the offending content and almost certainly can be held liable. Time will tell. Some greedy bastard lawyers are going to get the idea to do a class action lawsuit for negligence against Yahoo, Google et al. Once there is a $1 Billion verdict they will clean up their act.

      2. Sir Runcible Spoon Silver badge

        Re: Looking at the problem backwards

        "Schultz says should vet and load content from their own domain."

        I was thinking this all along whilst reading the article, and this really is the weak link in the malware delivery cycle.

        Ensure the code for the adverts is sent to the publisher to be published. They can then automate the screening of the code for re-directions (and embedded malware).

        No re-directions, no malware.

        If the industry doesn't start regulating itself, ad-blockers will become the default and their business model will never recover.

        If they won't listen to the warnings, they will be too late to fix it later.

        1. Frumious Bandersnatch Silver badge

          Re: Looking at the problem backwards

          Ensure the code for the adverts is sent to the publisher to be published. They can then automate the screening of the code for re-directions (and embedded malware).

          I was thinking of something like this myself. Recently I was bemoaning how Flash became such a cesspit because it allowed arbitrary code to be run, and how a more declarative programming language would have solved all the problems. That approach could still be the answer to the problem of "malvertisement". There would be sections for all the graphics "assets" and some basic scripting language that allowed for interactivity. In fact, SVG + this new scripting language would fit the bill nicely.

          The language spec and interpreter would have to be designed so that it was impossible to, eg, smash the stack or call itself recursively. As for redirects to an external website, these would have to be declared in a static part of the SVG file, so there would be no chance to modify them or obfuscate them. No other external assets would be loadable from the ad itself.

          Providing there's no underlying bug in the SVG or interpreter for the scripting language, then at least the ad itself would be easily vetted (both by the site that will embed the ad and the user who is being asked to view them). What happens after the redirect is, unfortunately, still beyond the control of the person showing the ad (if there is malware hosted there, it can be sensitive to context such as the HTTP referrer field or cookies stored on the viewer's machine) but at least the ad itself would be safe so long as nobody clicked through, and other means (such as black/whitelisting or some sort of trust rating) could be used to give some assurance that the target site won't be hosting malware.

          No re-directions, no malware

          Unfortunately, with a general-purpose language like ActionScript (ie, Flash) or Javascript, deciding what URL the ad ultimately redirects to is nearly impossible without actually running the code (thanks to their ability to obfuscate and 'exec' bits of code dynamically or implement self-modifying code). Further, even running through a simulator, if any external data/assets are involved, those parts can detect whether it's a real user (who they want to infect) or the simulator (in which case the malware side is disabled). So (a) ads have to redirect or else they're worthless to the advertiser, and (b) the current techniques of providing the redirect URL are fundamentally insecure.
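
The publisher-side screening discussed in the two posts above (a static click-through declaration, no scripting, no external assets), as an added example that is not part of the thread or any real ad format. The `data-clickthrough` attribute, the sample ads and the `example.test` hostnames are hypothetical and constructed here; what the landing page later serves is outside what this check can see.

```python
"""Publisher-side vetting of a declarative SVG ad (hypothetical format)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Elements that can run or embed code; none are allowed in an ad.
ACTIVE = {"script", "foreignObject", "iframe", "object", "embed", "handler", "listener"}
# url(...) pointing anywhere except a fragment (#id) inside the same file.
EXTERNAL_URL = re.compile(r"url\((?!\s*['\"]?#)", re.I)
# Constructs the XML parser would silently drop or expand before we can inspect them.
PRE_PARSE_BAN = re.compile(r"<!(DOCTYPE|ENTITY)|<\?xml-stylesheet", re.I)


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def vet_ad(svg_text):
    """Return a list of findings; an empty list means the ad passes."""
    if PRE_PARSE_BAN.search(svg_text):
        return ["DOCTYPE, ENTITY and xml-stylesheet are not allowed"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    declared = root.get("data-clickthrough")  # hypothetical static declaration
    if declared is None:
        findings.append("no static click-through declared on <svg>")
    else:
        parts = urlsplit(declared)
        if parts.scheme != "https" or not parts.hostname:
            findings.append(f"declared click-through is not an https URL: {declared!r}")

    for el in root.iter():
        name = local(el.tag)
        if name in ACTIVE:
            findings.append(f"<{name}> element is not allowed")
        # SMIL animation could rewrite a link target after vetting.
        if name.startswith(("animate", "set")) and el.get("attributeName", "").endswith("href"):
            findings.append(f"<{name}> rewrites an href at run time")
        if name == "style" and el.text:
            if EXTERNAL_URL.search(el.text) or "@import" in el.text.lower():
                findings.append("<style> loads an external resource")
        for attr, value in el.attrib.items():
            aname = local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href":
                if name == "a":
                    # Every link must be exactly the statically declared target.
                    if value != declared:
                        findings.append(f"<a> links to undeclared target {value!r}")
                elif not value.startswith("#"):
                    findings.append(f"<{name}> loads external asset {value!r}")
            elif EXTERNAL_URL.search(value):
                findings.append(f"{aname} on <{name}> references an external url()")
    return findings


# Constructed sample: self-contained, one link, matching the declaration.
GOOD_AD = """<svg xmlns="http://www.w3.org/2000/svg" width="300" height="250"
     data-clickthrough="https://shop.example.test/offer">
  <defs><linearGradient id="g"><stop offset="0" stop-color="#036"/></linearGradient></defs>
  <a href="https://shop.example.test/offer">
    <rect width="300" height="250" fill="url(#g)"/>
    <text x="20" y="130">Constructed sample ad</text>
  </a>
</svg>"""

# Constructed sample: event handler, script, remote asset and an undeclared link.
BAD_AD = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     data-clickthrough="https://shop.example.test/offer" onload="init()">
  <script>/* constructed placeholder */</script>
  <image xlink:href="https://cdn.example.test/pixel.png" width="1" height="1"/>
  <a href="https://other.example.test/landing"><rect width="300" height="250"/></a>
</svg>"""

if __name__ == "__main__":
    for label, ad in (("good", GOOD_AD), ("bad", BAD_AD)):
        print(label, vet_ad(ad) or "PASS")
```
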

      3. Pascal Monett Silver badge

        Re: Try getting this plan past the accountants

        Apparently, to get accountants to approve this plan, all you'll need to do is show them the trend in ad-blocking software.

        Yes, it will cost money. There is no such thing as a free lunch. But I do believe that something along the lines of what I said is the only viable solution to the problem the article outlined.

        Anything else is just going to cost more money for nothing. We have no way of tracking which ad shows up where, and if Google knows it ain't talking (as usual on this kind of matter).

        The industry urgently needs to inject some oversight on the whole ad publication process, and the logical place to put that oversight is where ads are accepted for publication. By removing the ad-creation tools from the hands of the ad makers, you straightjacket them into a scenario in which they simply cannot abuse the system any more.

        You nuke the problem from orbit. It's the only way to be sure.

        1. Charles 9 Silver badge

          Re: Try getting this plan past the accountants

          "Apparently, to get accountants to approve this plan, all you'll need to do is show them the trend in ad-blocking software."

          But that still won't appease the legal department, who could justify the additional expenses to keep it "Not Our Problem". The only way you can convince the legal department is to prove to them they can't keep the problem away from their desks no matter what they do, but lawyers are trained to prevent this.

          "You nuke the problem from orbit. It's the only way to be sure."

          That's assuming your problem is an Alien-type problem and not an Andromeda Strain (where nuking would only make it worse).

    3. Doctor Syntax Silver badge

      Re: Looking at the problem backwards

      An alternative - or maybe complementary - approach. The websites hosting the ads become liable. It's only fair after all, they want the income so they must accept responsibility. It would then be up to them to push the responsibility back onto the networks they allow to place the ads which then gives them an incentive to revise the whole technology involved so that either a kit approach, a trust system or whatever gets put into place. At present NOBODY has any incentive to do anything except the users who are actually aware of the problem. This needs to change and the only way to do that is to target the most easily accessible point.

      Maybe it could be handled by civil liability, maybe by criminal liability but somebody has got to be held responsible or no changes will be made until ad-blockers kill the entire advertising industry. Actually I wouldn't shed any tears were that to happen.

    4. Someone Else Silver badge
      Unhappy

      @ Pascal Monett -- Re: Looking at the problem backwards

      O, Pascal...

      Of course it's not difficult, but it would cost money. And you have to know that Google, YAY-hoo, et al, are strictly in the business of collecting money, not paying it out....

  5. Mystic Megabyte Silver badge
    FAIL

    No whitelist here!

    Not only the ads but also the "one weird trick" or "Sponsored Stories" links. Obviously they are bogus click bait and I can only assume that bad things will happen if I click through.

    My ad blocker is on permanently for all sites, the advertising industry cannot be trusted.

    1. Charles 9 Silver badge

      Re: No whitelist here!

      So what happens when you get a false positive and it blocks something you actually WANT (or worse, NEED) to retrieve?

      1. James O'Shea Silver badge

        Re: false positive

        If something I want is blocked, I'll know it, and unblock it, or I won't know it, and I'll live without it.

        I don't need anything associated with 'sponsored sites'.

    2. Anonymous Coward
      Anonymous Coward

      Re: No whitelist here!

      > Not only the ads but also the "one weird trick" or "Sponsored Stories" links.

      If you use ABP then "Fanboy's Social Blocking List" and "Fanboy's Annoyance List" kills most of these.

  6. naive

    Shooting the messenger feels good but does not help

    Perhaps Yahoo and Google should not be blamed for the problems with mainly fraudulent Flash ads to the extent as worked out in this excellent article.

    They do not have any part in the endless string of 9+ CVE's served up to an ignorant world by Adobe.

    They are not to blame for the fact Microsoft produces operating systems allowing rigged content of a website ending up as executable code in kernel mode.

    Going after the ad networks, or any other website, because user generated content abuses security holes in products SOLD by others is not helpful in solving the world's issues with malware. The fact that this discussion even wasted the time of the honorable Senator McCain, is probably more an indication for effective lobbying by Microsoft, who successfully managed to divert the fire to others.

    Perhaps the only thing widely used websites could do is introducing a constant nag mode about outdated or unpatched software used by their users.

    1. Doctor Syntax Silver badge

      Re: Shooting the messenger feels good but does not help

      "Perhaps Yahoo and Google should not be blamed for the problems with mainly fraudulent Flash ads to the extent as worked out in this excellent article."

      Nope. They're part of the pipe-line. The whole foetid system, end to end, is the problem. Every part of it needs to do their bit, in fact needs to be made to do their bit.

  7. Zog_but_not_the_first Silver badge
    Devil

    Blurred boundaries

    It seems the boundary between legitimate organisations marketing stuff that you may or may not want, and criminals attempting to steal your passwords, log keystrokes etc., is becoming increasingly blurred.

    After all, they both want your money. And that's all that counts, isn't it?

  8. POSitality
    Big Brother

    Mitigating the problem for end users

    I keep a copy of Visual Studio running on a virtual machine. It's a fairly hefty program to load up and, if my main PC went down (hardware fault, hackers, etc.) at least I could still work even if that meant using a landfill tablet with a Bluetooth keyboard! VS runs fine like this as long as the VM and RDP can keep up with my typing.

    So, keep my work safe... from what? What is the most dangerous thing on my PC? I must have loads of programs that access the Interwebs, e.g. on-line gaming, but the web browser is now the number one attack vector by a very large margin.

    I've been isolating the wrong application.

    From what I've seen of VMware, VirtualBox and Hyper-V recently, performance has gone up dramatically certainly enough to play YouTube vids - with audio - even over a LAN RDP connection. Hell, Hyper-V has some Direct X support to run games. Web browser, no problem.

    Okay, so I relegate the browser to a VM and as a side effect I could run my main machine through a much tighter firewall (as it'll barely need 'net access) mitigating some of the privacy issues in Windows 10 et al.

    Any thoughts on choice of VM, operating system and browser for "a rich web experience" ?

    1. Bronek Kozicki Silver badge

      Re: Mitigating the problem for end users

      One way to do it, assuming you have the right mix of hardware (CPU with VT-d, enough cores and RAM, right kind of GPU), is to make your main machine a virtual machine with GPU passthrough, running on top of a Linux hypervisor with the kvm/vfio/qemu/libvirt stack.

      1. POSitality
        Happy

        Re: Mitigating the problem for end users

        Thanks for flagging that up. I'd looked at Hyper-V's GFX options for a project a while back, I may have a tinker with the Linux options for my main server.

        I was aiming to refine my idea to help out the sort of client who's paranoid about security but not capable enough to handle qemu and the like:

        - Download VirtualBox

        - Import Linux VM with Chromium or Firefox pre-installed

        - Don't surf from host machine

        - Profit!

        I'm looking at a minimalist Debian install and Chromixium, the latter also being an excellent choice for recycling old laptops.

  9. Doctor_Wibble

    Online Ads Not Malware???

    Much evilness is in the URL-rewriting (hover shows ultimate destination until you right-click and it is rewritten and you can see the ad/redirector/logging service URL, you never see the original URL again unless you click and it's 50-50 if you actually go there) which seems to happen on legitimate sites but as per the article is actually just an ad frame sold to someone who rented it out to someone else who did a short-term lease deal with that supplier of useless clickbait crap for bored people.

    It's partly a browser problem though - third party scripts are always going to be dependent on an entirely undependable chain of trust all the way down to whoever (re)wrote it.

    On the other hand, if ads help pay for the running costs of a site we can either put up with them or we can give the banks a transaction fee (at whichever end, to pay or receive) for every single website we end up subscribing to.

    The web ad industry just needs to stop blaming everyone else. Why blame anyone? Just get on with it.

    1. Frumious Bandersnatch Silver badge

      Re: Online Ads Not Malware???

      "Much evilness is in the URL-rewriting"

      Google search results also do the same thing. Check it out and see.

      As a user of Google search, I've made the decision that letting them store (most of) my queries is an acceptable price to pay for the usefulness of the search results. I draw the line at them knowing which link(s) I've chosen from among the search results. To stop this URL-rewriting I use Greasemonkey and the "Google Link Cleanup" script.

      URL-rewriting is evil, Google.
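The URL-rewriting described in the two comments above, as an added example that is not part of either post and is not the "Google Link Cleanup" script: it peels the redirector layers off a link and checks whether the final destination matches the URL shown on hover. The parameter names in `DEST_PARAMS` and every URL in it are assumptions constructed for illustration.

```javascript
// Added example. Parameter names and all URLs are constructed for illustration.
const DEST_PARAMS = ["q", "url", "u", "dest"]; // assumed names a redirector might use

// Return the http(s) destination carried inside a redirector link, or null.
function wrappedDestination(href) {
  let link;
  try { link = new URL(href); } catch { return null; }
  for (const name of DEST_PARAMS) {
    const value = link.searchParams.get(name); // searchParams percent-decodes once
    if (!value) continue;
    let dest;
    try { dest = new URL(value); } catch { continue; } // search terms, relative paths
    // Only http(s) counts as a destination; javascript:, data: etc. are ignored.
    if (dest.protocol === "http:" || dest.protocol === "https:") return dest;
  }
  return null;
}

// Peel nested redirectors (bounded) and compare the final host with the host
// of the URL the page displayed on hover.
function auditLink(shownUrl, actualHref, maxHops = 5) {
  const redirectors = [];
  let current = new URL(actualHref);
  for (let i = 0; i < maxHops; i++) {
    const inner = wrappedDestination(current.href);
    if (inner === null) break;
    redirectors.push(current.hostname); // this hop saw the click
    current = inner;
  }
  return {
    destination: current.href,
    redirectors,
    matchesShown: current.hostname === new URL(shownUrl).hostname,
  };
}

const samples = [ // constructed: [URL shown on hover, href actually followed]
  ["https://news.example/story",
   "https://track.example/url?q=https%3A%2F%2Fnews.example%2Fstory&sa=1"],
  ["https://news.example/story",
   "https://ads.example/c?u=https%3A%2F%2Flog.example%2Fr%3Fdest%3Dhttps%253A%252F%252Fother.example%252Fx"],
  ["https://news.example/story", "https://news.example/story"],
];
for (const [shown, href] of samples) console.log(auditLink(shown, href));
```

A destination page that legitimately carries its own `url=` style parameter would be peeled one layer too far, so treat `redirectors` as a list of hosts to review rather than proof of tracking.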

  10. James O'Shea Silver badge

    I advocate the nuclear option

    I'm typing this on Firefox running in Win 10. I have a 3rd-party firewall installed (Kaspersky) just to annoy Microsoft. Before I installed it, I turned off all the spy features I could, also to annoy them. I have AdBlockPlus installed. I have Ghostery installed. (Currently blocking DataPoint Media, DoubleClick, and Google Analytics. Naughty, naughty, el Reg.) I have Privacy Badger installed. (Not showing anything. Better, el Reg.) I also have modded the HOSTS file heavily to blackhole certain notorious sites. Between them, I no longer see ads, 'sponsored sites', or any of that nonsense.

    Certain sites have complained about my blocking ads on them. I have ignored them. Some sites have gone so far as to block access until I whitelist ads on their site. I have declined to go back.


Biting the hand that feeds IT © 1998–2019