The common root cause?
JavaScript. We know this. <truism>Running untrusted code written in a language with no effective security model is not a good idea</truism>
Thank goodness for Noscript.
Clickjacking, which came to the attention of security types more than a decade ago, continues to thrive, despite defenses deployed since then by browser makers. Boffins from Microsoft and universities in China, South Korea and the US recently looked at the Alexa top 250K websites and identified three different clickjacking …
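The browser-side defences the excerpt alludes to are the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive. The following is an added example, not code from the article or from any of the commenters: a small Python checker that takes a dict of captured response headers and reports which framing defence (if any) a page carries. The classification names, the helper functions and the sample header sets are all constructed for this example.

```python
"""
Added example (not from the article or any commenter): classify whether an
HTTP response carries a clickjacking (framing) defence, using the two
mechanisms browsers honour, the X-Frame-Options header and the
Content-Security-Policy frame-ancestors directive.
"""


def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None when
    the directive is absent. Directives are ';'-separated and each one is a
    name followed by space-separated sources; quotes around 'self'/'none'
    are stripped so callers compare plain tokens."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None


def frame_protection(headers):
    """
    Classify framing protection from a dict of response headers.

    Returns one of (names are this example's own, not a standard):
      'csp-none'        frame-ancestors 'none'  (nobody may frame the page)
      'csp-self'        frame-ancestors 'self'  (same-origin framing only)
      'csp-allowlist'   frame-ancestors listing explicit origins
      'xfo-deny'        X-Frame-Options: DENY
      'xfo-sameorigin'  X-Frame-Options: SAMEORIGIN
      'xfo-weak'        X-Frame-Options with any other value (e.g. the
                        obsolete ALLOW-FROM), which current browsers ignore
      'none'            no framing defence at all

    When both headers are present, a browser that understands frame-ancestors
    ignores X-Frame-Options, so the CSP result is reported.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            if sources == ["none"]:
                return "csp-none"
            if sources == ["self"]:
                return "csp-self"
            return "csp-allowlist"
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "xfo-deny"
        if value == "SAMEORIGIN":
            return "xfo-sameorigin"
        return "xfo-weak"
    return "none"


def needs_attention(headers):
    """True when the page can be framed by any third-party site."""
    return frame_protection(headers) in ("none", "xfo-weak")


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "login page, CSP wins over XFO": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "legacy header only": {"X-Frame-Options": "DENY"},
    "obsolete ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "CSP without frame-ancestors": {"Content-Security-Policy": "default-src 'self'"},
    "no defence": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        flag = "REVIEW" if needs_attention(hdrs) else "ok"
        print(f"{flag:6} {frame_protection(hdrs):15} {label}")
```

The checker only judges the headers it is handed; it does not follow redirects or inspect the page body, so a page that relies on JavaScript frame-busting alone will be reported as having no defence, which is the conservative answer since script-based busting is trivially bypassed by the sandbox attribute.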
Just block 3rd party scripts by default.
I've used NoScript. More use than AV. I use uMatrix now.
Also Waterfox or Firefox. Firefox + uMatrix works on Android as well as Windows and Linux.
Also a risk is people not changing default pass etc on the Router. Drive by malware in JS in an advert can rewrite the DNS settings. Then you are open to man in the middle attacks.
Adverts should ONLY be a static image and a link. It's the attempt to be clever and track (steal private info) that means ads even on CNN and BBC can serve malware.
There are also sites (usually links in spam or adverts) that are entirely dedicated to pwning you. Or stealing your usage.
None of this is new.
Another vote for NoScript, although I do get annoyed at websites complaining about you using an Ad blocker, when they are detecting NoScript in action.
I also get annoyed at websites that use one script to hide a dozen others; so enable one script to try and get the page to work correctly, and a shit-load of other scripts suddenly want to run.
"I also get annoyed at websites that use one script to hide a dozen others; so enable one script to try and get the page to work correctly, and a shit-load of other scripts suddenly want to run."
Newspaper websites seem to be the poster-child for that nasty trick.
Then use uBlock Origin to get rid of that element, and all "We use cookies" BS. Then put uBlock Origin in advanced mode, and have at every script you don't like. By default it lets a good # through that make no sense. It even tells you the # of scripts that would be blocked if noscript wasn't blocking any.
I've started to use Cookie AutoDelete for Firefox. (I believe it is also available in Chrome.) I whitelist sites I need, and then set it to autodelete cookies -- it calls it autoclean -- any cookies not in the whitelist after I leave a page or close a tab. Between that and NoScript and uBlock, it is a life saver. (I turn uBlock off for the Reg, but never ever turn off NoScript.)
I also blacklist really really bad websites at the router. Sites like nervoussummer.com and unequalbrake.com. I see a lot of websites with two unrelated words like that and when you go to the website you get a landing page about DMCA checking. The reality is, however, those websites are checking for adblockers.
@Wade Burchette,
uBlock Origin, uMatrix, and Cookie AutoDelete here (recently made the switch to uMatrix from NoScript) also, only there are no cookies whitelisted, in Waterfox. I also have a manual cookie delete button in the status bar for quick one-step eradication of cookies and local storage. It's a good thing to use before and after dealing with anything Google.
The sites that complain about my blocking of their ads miss the point. It's not just a way of cutting page load times in half and browser RAM use in half and de-cluttering my display, though that's certainly all wonderful. It's also an act of self-defense to block that stuff, as the article demonstrates. As you say, I may be convinced to whitelist a site in the adblocker, but script blocking stays on, and for the most part, it has the same effect. Most ads never load even with uBlock disabled.
If a site wants to sell some ad space, that's fine, but don't expect me to permit you to run scripts on my hardware that (at best) aim to track my usage and slurp up personal data against my will, and with the possibility of doing things that are even worse. Advertising doesn't require analytics; people were advertising centuries before web analytics became possible. There's no script analyzing what articles I read, which sections I read the longest, and where I direct my gaze in a newspaper (the actual printed hard copy kind). They've always had to settle for apparently inferior methods like considering whether business picked up following the beginning of an ad campaign. Oh, the huge manatee! <g>
The web needs ads to pay for all this lovely content ala el-reg.
Ads need analytics to prove they actually do anything, otherwise it's just "my pretty picture is better than your pretty picture".
Are ads the root of all evil? No.
Is JavaScript the root of all evil? No - everyone knows it's Flash.
Ultimately it's people who are the problem. If there were more accountability in the market and more relationships rather than more blind, ungoverned and cheaper-to-run programmatic, the whole thing would work a lot better and be a lot harder for Ivan and his pals to take the jimmy riddle with.
Failing that I've got some ad supported ad-blocking, JS blocking, Flash blocking, CSS blocking, Cookie eating Onion routed NSA endorsed browser extensions guaranteed to solve all your problems. Shame all the sites you used to visit with it closed eh?
Then the user is already making the first mistake. The only extensions you need are NoScript and uBlock Origin. No one needs a toolbar, they are all malware and have no other reason to exist than to hijack your browser for nefarious purposes.
The second mistake is not running a JS blocker.
The third mistake is not running an adblocker, or a browser that does not handle ads properly (like Brave).
FlagFox is very useful, even my elderly mum picked up on a redirect to a Lithuanian based server and not the regular UK server for Natwest banking login a few years ago.
Natwest CLAIMED it was all good, but after all their catastrophes, who would believe them.
... a cybersecurity and ad fraud researcher who advises companies about online marketing...
So, himself one of the frauds.
All ads are malware by default, trying to hijack you into buying something you don't need. So those scripts/extensions were doing just what they were supposed to do: make money for someone. As long as they didn't get the money from the person visiting said sites, who cares?
Just let the frauds steal from each other.
"...to US."
But seriously, if you want to stop this, there are two complementary ways to do it. Thing is, both require a way of thinking contradictory to today's business practices.
First, strip down HTML rather than add onto it. It should only contain tags and functions pertinent to itself as a page. CSS can be permitted as long as the rules and so on remain local. Which goes to the second point.
Second, Web content needs to be strictly hierarchical. Content can only be served relatively: from the same directory or from a subdirectory. This would have the added benefit of making the content containerizable: easier to archive AND to assign legal liability.
You really have no idea where they will lead you until you click on them and let it unwind. You could even end up on a Child Pron site totally by accident but that won't help you when your collar is felt by the Law because as you know just visiting such a site is illegal and makes you liable to prosecution.
I refuse to click on any of them.
Sorry, I call bollocks.
And bollocks again.
Like a paedo in every bush (which does sound like a depraved election promise, I grant you) this fairy tale notion that the web is awash with child porn that anyone might stumble on is one of those tropes shit newspapers rely on to whip the masses into more and more privacy busting laws.
Also, any investigation into a person suspected of viewing any form of illegal pornography starts with rebutting any danger the suspect can say "I accidentally clicked on a link". A successful prosecution needs to show the defendant knowingly and deliberately sought out the offending material.
Generally true.
Though they might cart off all your internet connecting stuff with screens. Just to check. Then some months later you'll get it back.
Maybe.
I'm a writer of SF, Fantasy, Spy/Adventure/Detective. I'd struggle if all my gear was seized even if I bought a new laptop.
Also a lot of the saved web pages might be suspicious for anyone not a journalist or writer.
Depends which country you live in too!
Not quite sure why? I have a 5TB cloud backup service (cost $60 for two years) which is backed up daily. Includes all the configs of my machines (Linux, of course). And is in another jurisdiction.
If I could really be bothered, I'd look at renting a couple of VMs in AWS/Azure/GoogleCloud and just use an old machine as a terminal. Much as I did 35 years ago when dialling into the University computer centre.
Unless you've been asleep these past few years, UK plods SOP seems to be to fuck peoples shit up for the fun of it. So it makes sense to ensure they're pretty neutered in that respect.
They are free to trawl through the walls of dead-tree books I have, if they like. But I bet they don't.
There might be 10 to 30 versions of each novel.
There might be a huge number of archived articles, all my photos and saved websites etc going back to 1996.
Also email.
All the important stuff does fit on about 300 GBytes. Obviously on a daily basis only new stuff and changes are backed up.
Forget Cloud for backup if you only have DSL speeds. My VDSL is barely faster than my 2006 Fixed Wireless link.
Forget Cloud for backup if you want privacy and security.
* * *
The Garda are not stupid. They even have specialists. I suppose the UK does too now, though they didn't when I lived there. They'll want all the passwords and accounts.
I make offline backups. Obviously any competent investigators will want to know where a retired IT expert is putting the off-site backups no matter if cloud, tape, USB sticks or HDD.
"Also, any investigation into a person suspected of viewing any form of illegal pornography starts with rebutting any danger the suspect can say "I accidentally clicked on a link". A successful prosecution needs to show the defendant knowingly and deliberately sought out the offending material."
Absolute fucking bollocks. I know, first hand, someone who was accused of having images of child sexual abuse. He was involved in a custody battle with his ex, and she told the police that he had such images on his laptop. He didn't, but it utterly ruined his life. There was no "successful prosecution", the "defendant" certainly didn't "knowingly and deliberately sought out the offending material". They were just falsely accused from jealousy, and their life was ruined.
So whilst "A successful prosecution needs to show the defendant knowingly and deliberately sought out the offending material", a mere accusation is enough to ruin someone's life, and "I accidentally clicked on a link" will not save you.
In similar circumstances, I know someone who was prosecuted for an indecency charge and during the investigation the shared family PC was found to have porn on it. Timings showed that some of the porn was downloaded immediately after a piece of school homework was uploaded, however the police happily ignored this and presented the 'evidence' regardless. The result was that the accused had a choice: say nothing and look guilty in the jury’s eyes or blame his son.
Never forget that if the police have a choice between being fair or being a cunt, they will choose the latter.
Just to underline the comments above - you cannot trust the police or the prosecution services, ever. They are not there in your interest, whether you are the accused or a victim. They exist *only* to serve their own interests and the interests of the governmental department they fall under. This *may* have been different at some time in the past in some places, but not now.
I hate it that I want to trust these bodies, but I can't.
Not really. But having a healthy distrust of authority can be a bonus.
Certainly for myself: anything submitted to any official body is always done via a scan, and a properly page-indexed document. If (or when) they "lose" it, they can have another instantly.
Using a mobile phone makes call recording a doddle. Which can prove useful when disputes arise (nothing funnier than being told they can't find a recording and being offered yours ...).
But because they're digital, they can just counter, "You're faking it, you edited it, and you faked the signature because you have the key somehow." Plus what if the device in question crashes or gets hacked. Thus why anything important I keep hard copies. It's a LOT harder to hack paper (you basically can only resort to arson at that point). And it's easier for me to record a landline call thanks to the answering machine, which thanks to it being offline, can't be countered with the hacking excuse.
"Not really. But having a healthy distrust of authority can be a bonus."
Which becomes a liability when the time comes when you REALLY need them (such as in dealing with misconduct versus a huge transnational firm); thing is, you have to trust SOMEONE at SOME point or you're just going to get plowed under by someone with the resources to just bully you into submission/to death.