posted by martyb on Wednesday March 16 2016, @07:39AM
from the do-not-run-YOUR-code-on-MY-machine dept.

Ars Technica reports:

Mainstream websites, including those published by The New York Times, the BBC, MSN, and AOL, are falling victim to a new rash of malicious ads that attempt to surreptitiously install crypto ransomware and other malware on the computers of unsuspecting visitors, security firms warned.

The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when "Angler," a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.

If you haven't installed a good ad blocker on all your friends' and family's computers, now is the time.

takyon: The article includes an update from Malwarebytes, which found malvertising on the likes of msn.com, nytimes.com, bbc.com, aol.com, my.xfinity.com, nfl.com, realtor.com, theweathernetwork.com, thehill.com, and newsweek.com.


Related Stories

German Supreme Court Rules Ad Blockers Legal, in Defeat for Springer 18 comments

Reuters has reported that, in a defeat for the publisher Springer, the German Supreme Court has ruled that ad blockers are legal.

Germany's Supreme Court on Thursday threw out a case brought by Axel Springer seeking to ban a popular application that blocks online advertising, in a landmark ruling that deals a blow to the publishing industry.

The court found in favor of Adblock Plus adblockplus.org, an app marketed by a firm called Eyeo that has been downloaded more than 100 million times by users around the world seeking protection from unwanted or intrusive online advertising.

That is followed by some analysis by Rick Falkvinge on the court's decision over at the Private Internet Access blog.

Related on SN:
Ad-Blocking Brave Browser Will Offer Free Cryptocurrency to All Users
Malvertising Campaign Finds a Way Around Ad Blockers
Ransomware Spreads Through Advertising on Major Sites
and many more ...


  • (Score: 5, Funny) by isostatic on Wednesday March 16 2016, @07:48AM

    by isostatic (365) on Wednesday March 16 2016, @07:48AM (#318903) Journal

    I'd love to see the user story that says

    As an Internet user
    When I'm browsing a website
    I want my web browser to download an executable program, execute it in a non-sandboxed environment, and let it edit all my files

    • (Score: 5, Funny) by Anonymous Coward on Wednesday March 16 2016, @08:02AM

      by Anonymous Coward on Wednesday March 16 2016, @08:02AM (#318907)

      A more realistic version...

      As an Internet user
      When I'm browsing a website
      I don't know what the magic box actually does

      • (Score: 3, Insightful) by coolgopher on Wednesday March 16 2016, @09:09AM

        by coolgopher (1157) on Wednesday March 16 2016, @09:09AM (#318924)

        As an Internet user
        When I'm browsing a website
        I don't [want to] care what the magic box actually does

        FTFY.

        • (Score: 4, Informative) by isostatic on Wednesday March 16 2016, @09:47AM

          by isostatic (365) on Wednesday March 16 2016, @09:47AM (#318933) Journal

          These ads affected a forum site I visit (in the old days we used usenet, sadly everyone's migrated to a webpage now *sigh*). This site isn't served by https.

          Browsers were flagging it up as google had flagged the site as a phishing site (due to them having a single banner advert FROM GOOGLE)

          Here's one quote:

          I had the message, ignored it and got a red bar at the top of the page with an option to report it to Firefox as incorrectly flagged

          And another:

          had the same alert on chrome - ignored it also.. :D

          I use a Mac and Safari and I've just had to click 'Ignore.'

          Switched over from Chrome to IE11 when I saw this thread....no problems on IE11

          So basically people just ignore the warnings. Until now I used to grumble at Firefox every time I visited a site with a self-signed https cert (ilos for example), now I see why they do it.

          • (Score: 2) by zocalo on Wednesday March 16 2016, @10:57AM

            by zocalo (302) on Wednesday March 16 2016, @10:57AM (#318953)
            What's that saying about a fool and his money again? Or the one about leading a horse to water? Some people, you just can't help...
            --
            UNIX? They're not even circumcised! Savages!
          • (Score: 5, Insightful) by maxwell demon on Wednesday March 16 2016, @11:07AM

            by maxwell demon (1608) on Wednesday March 16 2016, @11:07AM (#318956) Journal

            These ads affected a forum site I visit

            And I'm sure that forum site itself is, indeed, a legitimate site, not a phishing site.

            Browsers were flagging it up as google had flagged the site as a phishing site

            Thus it was obviously incorrectly flagged.

            So basically people just ignore the warnings.

            Of course: The site they visited was known to them and was definitely not a phishing site, so they correctly concluded that the claim in the warning ("this is a phishing site") was wrong, and then incorrectly concluded that it was therefore safe to visit that site. Moral: It's not sufficient to put up a warning, the warning also has to warn about the correct thing. Had the warning been "the site you are trying to visit currently has malware in its advertisements and therefore cannot be visited safely" I'm sure far fewer people would have clicked the warning away without thought.

            --
            The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 2) by LoRdTAW on Wednesday March 16 2016, @11:52AM

            by LoRdTAW (3755) on Wednesday March 16 2016, @11:52AM (#318971) Journal

            There are some very technically inept people who will heed those warnings. Here at work a guy calls me for every single pop-up and error message which he hasn't encountered before.

            You just found all the dumb dumbs. These are the same people who stick their hand in a fire to see if it is hot.

            • (Score: 3, Insightful) by bitstream on Wednesday March 16 2016, @12:37PM

              by bitstream (6144) on Wednesday March 16 2016, @12:37PM (#318989) Journal

              They lack rational, analytic and critical thinking. It's not about knowing. It's about being able to use what is known and inquire for more information for pieces that can be had by thinking.

              • (Score: 5, Insightful) by Anonymous Coward on Wednesday March 16 2016, @01:18PM

                by Anonymous Coward on Wednesday March 16 2016, @01:18PM (#319012)

                Specialization. You know virtually nothing about the body you are currently inhabiting. Likewise you can't expect a physician to know the latest little frills about malware. Imagine if you don't drink, don't smoke, eat healthy and end up having a kidney tumor in your 30's. Now imagine if the doctor just laughs at you and calls you a dummy for not knowing this was a possibility? In the same vein you can't expect someone who doesn't spend their life around computers to know everything. He regularly updates his machine, has antivirus software, doesn't open attachments or visit dubious websites - he expects everything to go smoothly. Don't laugh at him or call him irrational if his box gets pwned.

                • (Score: 2, Insightful) by bitstream on Wednesday March 16 2016, @03:00PM

                  by bitstream (6144) on Wednesday March 16 2016, @03:00PM (#319042) Journal

                  There's plenty of information out there to know that Microsoft is a bad security choice. Still many people select it by choice. Same goes with smoking and bad food. Plenty of information to make informed choices. Doctors are supposedly smart people. They ought to be able to do some basic research even into unknown territory.

                  But you have a point in so far that decision makers of software design better start applying secure by default to avoid this completely unnecessary havoc, so it just works for people of other professions.

          • (Score: 4, Insightful) by butthurt on Wednesday March 16 2016, @12:15PM

            by butthurt (6141) on Wednesday March 16 2016, @12:15PM (#318980) Journal

            What does malvertising have to do with self-signed SSL certificates?

            • (Score: 2) by Pino P on Wednesday March 16 2016, @12:50PM

              by Pino P (4721) on Wednesday March 16 2016, @12:50PM (#318996) Journal

              What does malvertising have to do with self-signed SSL certificates?

              I'm guessing that malvertising uses a large collection of domains. And before Let's Encrypt, the first large-scale CA offering domain-validated TLS certificates to web server owners without charge, each certificate cost money.

            • (Score: 2) by WillR on Wednesday March 16 2016, @02:11PM

              by WillR (2012) on Wednesday March 16 2016, @02:11PM (#319029)
              They both cause browser warnings that most people view as "yet another confusing compu-babble thing to click through before I get to see the kitten .gifs", rather than "information to be considered very carefully before proceeding".
          • (Score: 5, Insightful) by Phoenix666 on Wednesday March 16 2016, @01:40PM

            by Phoenix666 (552) on Wednesday March 16 2016, @01:40PM (#319018) Journal

            So basically people just ignore the warnings.

            Well, sure they do. When the picture on your TV flickers a bit when you switch it on, do you jump up and take the thing into the repairman, or do you experience minor annoyance that passes when the picture starts working OK? (See, I avoided a car analogy)

            Few people understand the tech around them in depth. They just hope it will do the main thing it's supposed to do. As long as it appears to do that, they muddle through. If it doesn't, they call the government or a lawyer. There is no, "Hey, let's troubleshoot the problem!"

            I'm a technical guy, more so than 99% of the population, but I don't understand the alpha and omega of network security because I know enough to know that's an entire realm of endeavor unto itself that I don't have time to master, and that I also don't have the spare $250K lying around to pay a network security consultant to take care of. So I run a firewall, run regular updates of my systems, and hope for the best, knowing that eventually my luck will run out, I'll be compromised, and I'll have to restore from backups.

            Can we really blame the non-technical people out there for falling prey to stuff like this?

            --
            Washington DC delenda est.
            • (Score: 2) by isostatic on Wednesday March 16 2016, @09:01PM

              by isostatic (365) on Wednesday March 16 2016, @09:01PM (#319220) Journal

              Depends, flatscreen or CRT? Could indicate a failing capacitor, oh the days of discrete components.

        • (Score: 1, Funny) by Anonymous Coward on Wednesday March 16 2016, @03:53PM

          by Anonymous Coward on Wednesday March 16 2016, @03:53PM (#319059)

          Including upgrade to win10.

    • (Score: 3, Insightful) by bitstream on Wednesday March 16 2016, @01:07PM

      by bitstream (6144) on Wednesday March 16 2016, @01:07PM (#319005) Journal

      This is THE problem. Indiscriminate download of all kinds of executable code without any proper sandboxing or even a proper permission scheme. Some browsers won't even let you disable JavaScript. Letting non-technical people have influence over technical decisions is a big mistake.

      Apart from bad code, there's the issue of bad but valid certificates, where entities like China Internet Network Information Center could issue a valid certificate for your American bank in a MITM attack. There's no mechanism to restrict their signing to *.cn and so on.

      Tip for browser makers:
        * Enable the user to allow or deny permissions to make use of Javascript, Java, Flash, valid CA etc.
        * Permit both per host and per url regex permission evaluation.
        * Specific permissions for each technology. Like letting a site rename the title bar but not open a new window.
        * Make use of sandboxes whenever possible.
        * Learn to f*ccking program. Unlike the bad example Oracle has set for Flash.

      The whole issue is like adults that wrestle in the mud pool and then wonder why their clothes got filthy.

      • (Score: 2) by Pino P on Wednesday March 16 2016, @04:14PM

        by Pino P (4721) on Wednesday March 16 2016, @04:14PM (#319067) Journal

        Enable the user to allow or deny permissions to make use of Javascript, Java, Flash, valid CA etc.

        Firefox provides UI to make Java and Flash click-to-play and to distrust CA certificates, and it provides an about:config setting to disable JavaScript entirely. The biggest missing thing is, as you mentioned, restricting a CA certificate's scope to one or more hostname suffixes.

        Permit both per host and per url regex permission evaluation.

        Firefox provides an extension mechanism to allow NoScript, uBlock Origin, etc. to do so.

        Specific permissions for each technology. Like letting a site rename the title bar but not open a new window.

        Security with unusable UI is no security at all. Good luck training end users in creating a set of (origin, permission) tuples for each of the dozens of sites that an end user might visit in a given day.

        Make use of sandboxes whenever possible.

        The JavaScript virtual machine itself is supposed to be a sandbox. What would differ from present practice?

        Unlike the bad example Oracle has set for Flash.

        Flash is Adobe; Java is Oracle. Or did you mean Oracle has set a bad example that Adobe chose to follow?

        • (Score: 4, Interesting) by bitstream on Wednesday March 16 2016, @04:32PM

          by bitstream (6144) on Wednesday March 16 2016, @04:32PM (#319072) Journal

          Firefox provides an extension mechanism to allow NoScript, uBlock Origin, etc. to do so.

          Some basic stuff should be available in the browser. So one can add "Block (*.|)doubleclick.net/ads/*". That enables visits to www.doubleclick.net but denies any ads. These techniques could also be used to filter for the same URL request by looking from where the request originated.

          Security with unusable UI is no security at all. Good luck training end users in creating a set of (origin, permission) tuples for each of the dozens of sites that an end user might visit in a given day.

          Use decent default permissions. Marketers and special use sites will learn to adapt.
          But this will at least enable people to block specific requests from reckless sites.

          The JavaScript virtual machine itself is supposed to be a sandbox. What would differ from present practice?

          JavaScript currently facilitates automatic downloads of hostile code etc. It has access to vulnerable attack surfaces and is thus often a part of the malware paradigm. It needs to be standardized in practice and reined in security-wise. Preferably replaced by something with a decent programming language.

          Flash is Adobe; Java is Oracle. Or did you mean Oracle has set a bad example that Adobe chose to follow?

          Sorry, confused them. Oracle Java is the one that really has become junk since Oracle took over. Users better look elsewhere for a Java engine. (And Flash should perhaps be relegated to its own process space.)
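A toy request filter that implements the kind of rule bitstream asks for above ("Block (*.|)doubleclick.net/ads/*", plus filtering by where the request originated). This is an added example, not code from any browser or from NoScript/uBlock Origin; the rule syntax, the "third-party" qualifier and the sample URLs are assumptions modelled on the comment.

```python
"""Minimal host/path/origin request filter (added example, constructed rule syntax).

A rule is "Block|Allow [third-party] [(*.|)]host[/path-glob]":
  - "(*.|)" also matches subdomains of host (so ad.doubleclick.net), while
    the bare host still matches www.doubleclick.net only when written as such;
  - the path glob is matched with fnmatch, so "/ads/*" leaves "/" alone;
  - "third-party" restricts the rule to requests whose registrable domain
    differs from the page that issued them (the "where did it originate" idea).
First matching rule wins; no match means Allow.
"""
import fnmatch
import re
from dataclasses import dataclass
from urllib.parse import urlparse

RULE_RE = re.compile(
    r"^(Block|Allow)\s+(third-party\s+)?(\(\*\.\|\))?([^/\s]+)(/\S*)?$"
)


@dataclass
class Rule:
    action: str            # "Block" or "Allow"
    third_party_only: bool
    with_subdomains: bool  # the "(*.|)" prefix
    host: str
    path_glob: str


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad rule: {text!r}")
    action, tp, sub, host, path = m.groups()
    return Rule(action, tp is not None, sub is not None, host.lower(), path or "/*")


def host_matches(rule: Rule, host: str) -> bool:
    host = host.lower()
    if host == rule.host:
        return True
    # Suffix match on a label boundary: "evildoubleclick.net" must not match.
    return rule.with_subdomains and host.endswith("." + rule.host)


def registrable(host: str) -> str:
    # Crude eTLD+1 (last two labels); a real filter uses the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(request_url: str, page_url: str) -> bool:
    req = urlparse(request_url).hostname or ""
    page = urlparse(page_url).hostname or ""
    return registrable(req) != registrable(page)


def decide(rules, request_url: str, page_url: str) -> str:
    """Return 'Block' or 'Allow' for request_url issued by the page at page_url."""
    u = urlparse(request_url)
    for r in rules:
        if not host_matches(r, u.hostname or ""):
            continue
        if not fnmatch.fnmatchcase(u.path or "/", r.path_glob):
            continue
        if r.third_party_only and not is_third_party(request_url, page_url):
            continue
        return r.action
    return "Allow"


if __name__ == "__main__":
    rules = [
        parse_rule("Block (*.|)doubleclick.net/ads/*"),
        parse_rule("Block third-party (*.|)tracker.example/*"),
    ]
    page = "https://news.example/story"
    for url in ("https://ad.doubleclick.net/ads/banner.js",
                "https://www.doubleclick.net/",
                "https://cdn.tracker.example/pixel.gif"):
        print(decide(rules, url, page), url)
```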

          • (Score: 2) by tibman on Wednesday March 16 2016, @05:43PM

            by tibman (134) Subscriber Badge on Wednesday March 16 2016, @05:43PM (#319089)

            JavaScript currently facilitates automatic downloads of hostile code etc.

            JavaScript can tell the browser to download something, yes. That is a critical piece of functionality that you should not remove. Your browser could add the download to a queue for you to approve, that would be fine. But there are many times you want javascript to trigger downloads. For example, you click a link to download a PDF report or something. Maybe that PDF doesn't technically even exist yet because it pulls data in real-time. So an ajax call is made and a progress bar starts (using websockets or something). When the PDF generation is done a real link to the new file is returned to the browser where javascript tells the browser to download that file.

            It has access to vulnerable attack surfaces and is thus often a part of the malware paradigm.

            Flash didn't require javascript. Just the html object tag. Many 3rd party plugins that are exploited work that way. Most of the time JavaScript is used to gather information about the target machine to determine which exploit to use. So it is certainly involved. But any and all languages you could replace javascript with would have this issue. Being able to determine if a specific client supports a specific technology so that you can deliver the correct content to them is very important.

            It needs to be standardized in practice and reined in security wise.

            The only browser that is not standardized very well is internet explorer because the damn thing is baked into the OS and can't be easily updated. That has nothing to do with JavaScript. Security wise JS has been pretty decent. The junk about letting it access local files is thankfully long gone. Is there something SPECIFIC that you feel is a security issue?

            Preferably replaced by something with a decent programming language.

            JavaScript isn't going to be replaced. Let's not start a "my language is better" argument. I remember when people were trying to replace html with xml *shudders*

            --
            SN won't survive on lurkers alone. Write comments.
            • (Score: 2) by bitstream on Wednesday March 16 2016, @08:04PM

              by bitstream (6144) on Wednesday March 16 2016, @08:04PM (#319182) Journal

              JavaScript can tell the browser to download something, yes. That is a critical piece of functionality that you should not remove.

              I want to be able to simply tell the browser: "Only allow automatic downloads from site superbank.com, disallow anything else".

              JavaScript is used to gather information about the target machine to determine which exploit to use. So it is certainly involved. But any and all languages you could replace javascript with would have this issue.

              A script language has some good uses. It's just the choice of language, inconsistency across browsers and poor implementation that makes it so bad. But the real point is that the script language in this case is allowed to fiddle with things it perhaps shouldn't be allowed to. And because it's an executing thing it can be used for buffer overruns etc.

              The only browser that is not standardized very well is internet explorer

              That is unlikely to be fixed.. ever ;-) It can be done, it just is unlikely to be done.

              Is there something SPECIFIC that you feel is a security issue?

              Not at this time. It just locks up browsers from time to time.

              JavaScript isn't going to be replaced. Let's not start a "my language is better" argument. I remember when people were trying to replace html with xml *shudders*

              There are better script languages and it could be implemented as a plugin. But I will not think about which one is the better right now. An interesting html replacement is perhaps sgml where the roots are. Or perhaps TeX, but that is more likely to complicate things beyond reason.

              • (Score: 2) by tibman on Wednesday March 16 2016, @08:30PM

                by tibman (134) Subscriber Badge on Wednesday March 16 2016, @08:30PM (#319204)

                I want to be able to simply tell the browser: "Only allow automatic downloads from site superbank.com, disallow anything else".

                The reason this hasn't been done (and may never be done) is because a lot of sites cache their files in random places. Content servers might not even have a domain name since nobody will actually navigate to them.

                It's just the choice of language, inconsistency across browsers and poor implementation that makes it so bad.

                JavaScript has a specification. If Python, for example, was the language used instead then you would still have the same issue with every browser having their own slightly different implementation. I don't think there's much we can do here.

                But the real point is that the script language in this case is allowed to fiddle with things it perhaps shouldn't be allowed to.

                The only things JavaScript can fiddle with are the things it explicitly has access to. What exactly can JavaScript access that it should not? That would be a serious security concern.

                There are better script languages and it could be implemented as a plugin.

                Plenty of companies have tried to replace JavaScript. None have succeeded. Which scripting language did you have in mind?

                --
                SN won't survive on lurkers alone. Write comments.
    • (Score: 0) by Anonymous Coward on Wednesday March 16 2016, @10:47PM

      by Anonymous Coward on Wednesday March 16 2016, @10:47PM (#319287)

      Considering web browsers are turning into pure HTML+CSS+JavaScript environments and all your programs are turning into web apps, it won't be long until a virus on one site can control your entire computing experience without having to touch a single file on your computer. We're taking all the security, maturity, and time spent creating usable desktops and throwing it all out the window just to get around software installation. But we've got all the issues of software installation again in the browsers and their plugins, so we've thrown it all out for nothing. I'm planting my popcorn so I'll have barrels of it to pop on the upcoming emacs vs browser OS flamewars.

  • (Score: 3, Insightful) by Sir Finkus on Wednesday March 16 2016, @07:50AM

    by Sir Finkus (192) on Wednesday March 16 2016, @07:50AM (#318904) Journal

    What I don't understand is why websites don't host the ads on their own servers and on domains they control. It'd solve a lot of the problems with sneaky redirects and targeted attacks.

    I suppose that wouldn't let the advertisers track you across sites though, <sarcasm>which would be a tragedy.</sarcasm> If The New York Times, MSN, and all these other sites actually respected my security, they'd adopt this measure (and some standards, i.e., no video etc.), I'd honestly consider unblocking ads on their sites. Until then ABP it is.

    • (Score: 3, Insightful) by Capt. Obvious on Wednesday March 16 2016, @07:59AM

      by Capt. Obvious (6089) on Wednesday March 16 2016, @07:59AM (#318906)

      In fairness, it also would be difficult for the advertisers to verify that they are getting an honest count of eyeballs. Fraud in which was an issue earlier.

      • (Score: 2) by Pino P on Wednesday March 16 2016, @12:53PM

        by Pino P (4721) on Wednesday March 16 2016, @12:53PM (#318998) Journal

        True, perceived reliability of reach metrics is part of why advertisers trust established ad networks. But print ads in newspapers and magazines don't even have an eyeball count. Or is eyeball counting a big part of the reason that advertisers switched from print to online?

        • (Score: 2) by maxwell demon on Wednesday March 16 2016, @02:38PM

          by maxwell demon (1608) on Wednesday March 16 2016, @02:38PM (#319036) Journal

          However they have a circulation, which is roughly proportional to the number of eyeballs, as both printing too many and printing too few costs the publisher money (in the first case the additional printing cost, in the second case the cost of lost sales).

          --
          The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 2) by Pino P on Wednesday March 16 2016, @03:58PM

            by Pino P (4721) on Wednesday March 16 2016, @03:58PM (#319063) Journal

            The proportionality constant between circulation and eyeballs is hard to predict, as not every reader reads every page of a publication. Some pages get skipped more often than other pages.

            • (Score: 2) by Capt. Obvious on Wednesday March 16 2016, @08:38PM

              by Capt. Obvious (6089) on Wednesday March 16 2016, @08:38PM (#319206)

              Yeah, but there is a lot of research that lets that be approximated. In much the same way that not every ad served is an eyeball.

              Also, it's easy to verify the number of WSJ's printed/sold. Even for little town papers. It gets a lot harder to verify the numbers of "some guy on the internet" on orders of magnitude more sites.

    • (Score: 3, Interesting) by isostatic on Wednesday March 16 2016, @08:05AM

      by isostatic (365) on Wednesday March 16 2016, @08:05AM (#318909) Journal

      Because that's not how the advertising networks work.

      The bigger question is why Google, which relies so much on advertising, allows these rogue adverts. They must know that it drives adoption of advert countermeasures.

      The vast majority of ads, certainly on mobile sites, are scams that try to trick you into clicking in any case.

    • (Score: 5, Informative) by Anonymous Coward on Wednesday March 16 2016, @08:05AM

      by Anonymous Coward on Wednesday March 16 2016, @08:05AM (#318910)

      What I don't understand is why websites don't host the ads on their own servers and on domains they control.

      Because it's cheaper and less hassle to outsource it.

      It'd solve a lot of the problems with sneaky redirects and targeted attacks.

      There's no legal liability, so no one cares.

    • (Score: 2) by c0lo on Wednesday March 16 2016, @09:55AM

      by c0lo (156) Subscriber Badge on Wednesday March 16 2016, @09:55AM (#318936) Journal

      What I don't understand is why websites don't host the ads on their own servers and on domains they control.

      Maybe the ad agencies don't trust the owner of the website (e.g. msn, nytimes, etc.) which delivers the ads with regard to:
      * the exposure
      * the click-throughs

      Also, hosting the ads themselves may result in a lower price as charged by the delivery site - the latter needs only to deliver the link, all the traffic related to the actual ad delivery hits the agency's site (probably hosted by a CDN cloudy thingy) - buy hosting in bulk from the cloud, save the cost with the delivery site.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by maxwell demon on Wednesday March 16 2016, @02:43PM

        by maxwell demon (1608) on Wednesday March 16 2016, @02:43PM (#319038) Journal

        Since click-through necessarily leaves the site, it should be trivial to measure that even in case the ad is hosted locally: The ad just has to link to a redirector of the ad network, instead of directly to the advertised site.

        --
        The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by mcgrew on Wednesday March 16 2016, @11:25AM

      by mcgrew (701) <publish@mcgrewbooks.com> on Wednesday March 16 2016, @11:25AM (#318960) Homepage Journal

      What I don't understand is why websites don't host the ads on their own servers and on domains they control.

      It's simple. They have no financial incentive to clean up their act so they're certainly not going to spend money or effort to. Bottom line: THEY DON'T CARE.

      No ads or scripting at all on my site.

      --
      mcgrewbooks.com mcgrew.info nooze.org
    • (Score: 2) by Pino P on Wednesday March 16 2016, @12:55PM

      by Pino P (4721) on Wednesday March 16 2016, @12:55PM (#319000) Journal

      Say you want to advertise on 30 sites, and researching sites costs time, and time is money. Do you A. find 30 sites to advertise on, or B. find one ad network?

      Say you want to sell your site's ad space to 30 advertisers, and researching advertisers costs time, and time is money. Do you A. find 30 advertisers to buy your ad space, or B. find one ad network?

      Answer in practice: B. Ad networks lower transaction costs.

    • (Score: 2) by Whoever on Wednesday March 16 2016, @03:46PM

      by Whoever (4524) on Wednesday March 16 2016, @03:46PM (#319056) Journal

      What I don't understand is why websites don't host the ads on their own servers and on domains they control. It'd solve a lot of the problems with sneaky redirects and targeted attacks.

      There was an article about this a little while ago. While the page is loading, the website runs a mini-auction to find the ad that will pay the most. It's done real-time every time a page is loaded.

    • (Score: 0) by Anonymous Coward on Wednesday March 16 2016, @04:39PM

      by Anonymous Coward on Wednesday March 16 2016, @04:39PM (#319076)

      > why websites don't host the ads on their own servers

      Let's say Microsoft does that.

      Then someone gives Microsoft a .jpg that causes libjpeg to exploitably crash on some architectures, but it's a 0-day, and no existing heuristic catches it. Or suppose they find that .jpg.html can be saved as an ad.

      Now suddenly https://microsoft.com is signing and serving that malware as an image, or allowing xss via the .jpg.html.

      Do you see, now, why this is more dangerous?
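The ".jpg.html" case in the comment above is what a publisher's upload check for advertiser-supplied creatives has to catch before anything is served from a first-party domain. This is an added example, not code from any ad platform: the policy (allowlisted image types, exactly one extension, magic bytes that agree with it, a nosniff response from a separate cookieless asset host) is a conventional hardening, and the host name and sample files are constructed.

```python
"""Validate an advertiser-supplied image before serving it (added example).

Rejects double extensions such as "ad.jpg.html", declared types that do not
match the file's magic bytes, and bodies that carry markup, then returns the
response headers to serve it with. It cannot catch a malformed image that
crashes the viewer's decoder (the comment's libjpeg case); that is a decoder
problem, not a content-type problem.
"""
from dataclasses import dataclass, field

# Allowed extensions with their leading magic bytes and canonical MIME type.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    "gif":  (b"GIF8", "image/gif"),
}
# Assumed separate origin so a served asset never shares cookies or the
# publisher's origin with the main site.
ASSET_ORIGIN = "https://creatives.example"

# Strings that have no business inside an image; a polyglot that is both a
# valid JPEG and an HTML document still trips this (crude but cheap).
MARKUP_NEEDLES = (b"<script", b"<html", b"<svg", b"javascript:")


@dataclass
class Verdict:
    ok: bool
    reason: str
    content_type: str = ""
    headers: dict = field(default_factory=dict)


def check_creative(filename: str, data: bytes) -> Verdict:
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return Verdict(False, "exactly one extension required (rejects e.g. ad.jpg.html)")
    ext = parts[1]
    if ext not in ALLOWED:
        return Verdict(False, f"extension .{ext} is not an allowed image type")
    magic, ctype = ALLOWED[ext]
    if not data.startswith(magic):
        return Verdict(False, f"content does not look like {ctype}")
    head = data[:4096].lower()
    for needle in MARKUP_NEEDLES:
        if needle in head:
            return Verdict(False, "markup found inside image data")
    headers = {
        # Type comes from the verified magic bytes, never from the uploader.
        "Content-Type": ctype,
        # Stop browsers from re-sniffing the body into HTML or script.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth if the response were ever rendered as a document.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return Verdict(True, "ok", ctype, headers)


def serve_url(asset_id: str) -> str:
    """Where a verified creative is served from: the separate asset origin."""
    return f"{ASSET_ORIGIN}/{asset_id}"


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16          # constructed JPEG header
    for name, body in (("banner.jpg", jpeg),
                       ("banner.jpg.html", b"<html><script>"),
                       ("banner.png", jpeg)):
        v = check_creative(name, body)
        print(name, "->", v.ok, v.reason)
```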

    • (Score: 2) by Capt. Obvious on Wednesday March 16 2016, @08:43PM

      by Capt. Obvious (6089) on Wednesday March 16 2016, @08:43PM (#319210)

      I gotta say, if a major ad network doesn't notice the ad serves malware, "Betty's Favorite Pie Recipes" is not going to notice either.

    • (Score: 2) by el_oscuro on Thursday March 17 2016, @01:29AM

      by el_oscuro (1711) on Thursday March 17 2016, @01:29AM (#319386)

      To use a car analogy, some websites like thirdgen.org do. That tirerack ad gets past my /etc/hosts, adblock, ghostery and everything else I use to keep shit out of my browser. That is because it is a link to the ACTUAL tirerack site, not some shitty 3rd party adwarez.

      This would work for every other site that specializes in any subject. Sites that serve malware like washingtonpost.com and cnn.com could use it too, as local DC businesses could contract with the Washington post and national chains could contract with CNN. But that would break the "track everyone everywhere" model of the adwarez sites.

      --
      SoylentNews is Bacon!
  • (Score: 5, Insightful) by bradley13 on Wednesday March 16 2016, @08:20AM

    by bradley13 (3053) on Wednesday March 16 2016, @08:20AM (#318913) Homepage Journal

    As I see it, the underlying technical problem is simple, and easily solved: advertising networks should never allow ads to include any sort of executable code.

    As long as we have such a litigious society - this is a place where it could solve a problem. If you can prove that www.big-website.com infected your computer with ransomware - sue them for damages. The websites can then hold the ad networks liable for their damages, and maybe, just maybe the whole mess will get cleaned up.

    Meanwhile, none of these sites has any reason to complain about ad blockers.

    --
    Everyone is somebody else's weirdo.
    • (Score: 4, Interesting) by MostCynical on Wednesday March 16 2016, @08:49AM

      by MostCynical (2589) on Wednesday March 16 2016, @08:49AM (#318921) Journal

      See comment above: most people don't know what their computer ("magic box") *does*. They have no idea how it works, or what happened just before it crashed/locked up/started telling me I need to deposit bit-somethings in some hash-thingy...
      How would they prove which site they were eyeballing just before it "broke"?

      IIF someone can unlock the infected computer, AND find a log of web-related activity AND do it all in a secure, admissible-as-evidence way, AND there was only one site being visited at the time of the infection, then you could look at taking someone to court.
      Rules of evidence being what they are, proving the pc had not been 'tampered with' is pretty much impossible...

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 2, Insightful) by anubi on Wednesday March 16 2016, @08:51AM

      by anubi (2828) on Wednesday March 16 2016, @08:51AM (#318922) Journal

      ...the underlying technical problem is simple, and easily solved: advertising networks should never allow ads to include any sort of executable code.

      Shouldn't that be...

      ...the underlying technical problem is simple, and easily solved: our browsers should never execute arbitrary code from a website.

      Because basically, you should not be trusting your stuff to whoever you visit on the "information highway", just as you cannot be sure anything else you pick up off the highway is clean either.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 2) by isostatic on Wednesday March 16 2016, @09:35AM

        by isostatic (365) on Wednesday March 16 2016, @09:35AM (#318929) Journal

        What's arbitrary code? HTML is markup, sure, that's fine. CSS? How about CSS animation code? Javascript? Perl? Java? C source code? C binary? How about page redirections? for example

        How are these drive by downloads actually triggered?

        • (Score: 3, Interesting) by anubi on Wednesday March 16 2016, @09:55AM

          by anubi (2828) on Wednesday March 16 2016, @09:55AM (#318935) Journal

          That's a good question. I note since I have used NoScript (some fellow Soylentils turned me on to it), I have had no more messes to clean up after visiting a rogue site.

          Often the rogue site will simply refuse to work at all. They see right off I am not being a team player and giving them free unfettered access to my machine, so they will waste no more time with me. Often, these even look like they were respectable business sites.

          Google already has hundreds of links, so I click on and never get the mess the site may have had lined up for me.

          It's amazing to me how many people still surf the web letting in every tramp they land on into their machine.

          No wonder malware is such an issue. It's like seeing a terribly unsanitary environment from the perspective of a microbiologist.

          A child may not realize how filthy a spent prophylactic he found alongside the road is, and may play with it like a balloon. However Mom and Dad know what that is and make sure their child does not play with it.

          The problem we techies have is how does one tell his boss just how filthy the web is? Highly important suit-guys seem to think they are above it happening to them.

          --
          "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
          • (Score: 2) by Pino P on Wednesday March 16 2016, @01:07PM

            by Pino P (4721) on Wednesday March 16 2016, @01:07PM (#319004) Journal

            Say you're using a web-based whiteboard. In order to draw a line without using JavaScript, you'd have to click-click-click out your line using an image input, the control that used to be called a "server-side image map". That'd be impractical to use and wasteful of bandwidth compared to just sending updates through AJAX as they come.

          • (Score: 3, Insightful) by bob_super on Wednesday March 16 2016, @07:26PM

            by bob_super (1357) on Wednesday March 16 2016, @07:26PM (#319145)

            Going online without NoScript and uBlock is like visiting random homes naked.

            Need I spell out why the metaphor works?

      • (Score: 3, Insightful) by infodragon on Wednesday March 16 2016, @11:51AM

        by infodragon (3509) on Wednesday March 16 2016, @11:51AM (#318970)

        Connecting any computing device to the internet, without security in mind, is like unprotected sex with the world; you're gonna get many undesirable malware infections. Having the best security in the world is still like having protected sex with the world; you're just gonna get many fewer undesirable malware infections that should be much easier to deal with.

        I do not like the idea of information being executable. The lines are blurred, complicating security greatly.

        --
        Don't settle for shampoo, demand real poo!
        • (Score: 2) by Pino P on Wednesday March 16 2016, @01:09PM

          by Pino P (4721) on Wednesday March 16 2016, @01:09PM (#319007) Journal

          I do not like the idea of information being executable.

          How do you expect to obtain new applications, other than by downloading information? And how do you expect it to work even if an application's author uses a different operating system from the one on your computer?

          • (Score: 3, Informative) by infodragon on Wednesday March 16 2016, @02:40PM

            by infodragon (3509) on Wednesday March 16 2016, @02:40PM (#319037)

            Technically you are correct. I should have been clearer...

            Information for the intention of execution should be handled completely differently than information intended in the classical sense. An application executes, typically, by consuming something and producing something else. An application consuming instructions for the purpose of action is an entirely different beast than an application consuming data for the purpose of production for use by a human. When WYSIWYG first came out it was abused by malicious actors because the new technology was executing commands for the purpose of rendering text/images. That new technology wasn't written properly, i.e. bugs, which were exploited by malformed documents.

            In modern day we haven't learned from the past. The results of a web browser displaying the text of a document is entirely different than a web browser executing commands for the purpose of executing other code. The former is pretty safe (it will never be 100%) the latter is only as safe as the other code. If that other code can be executed it can obtain other code to be executed, which can obtain other code to be executed.... It's malware all the way down!

            --
            Don't settle for shampoo, demand real poo!
            • (Score: 2) by Pino P on Wednesday March 16 2016, @04:03PM

              by Pino P (4721) on Wednesday March 16 2016, @04:03PM (#319064) Journal

              So how would you recommend to implement, say, collapsible comments or an online whiteboard? I can think of three ways, all of which have drawbacks:

              JavaScript web application
              This is the current mess, which mixes "data for the purpose of production for use by a human" with "Information for the intention of execution".
              Producing a native application for one platform
              This limits an application's audience to users of only one platform.
              Producing six native applications, one for each major platform
              This requires each developer to purchase use and development licenses for six different platforms, which is likely to discourage the developer from causing the application to exist in the first place.
              Something I didn't mention
              Please describe below.
              • (Score: 3, Informative) by maxwell demon on Wednesday March 16 2016, @05:22PM

                by maxwell demon (1608) on Wednesday March 16 2016, @05:22PM (#319085) Journal

                Collapsible comments: Do it with CSS. [thecssninja.com]

                --
                The Tao of math: The numbers you can count are not the real numbers.
                • (Score: 2) by Pino P on Wednesday March 16 2016, @05:58PM

                  by Pino P (4721) on Wednesday March 16 2016, @05:58PM (#319091) Journal

                  Collapsible comments: Do it with CSS.

                  Interesting. It disguises each expandable element as a checkbox. And that's fine if you already have the bodies of all comments. But for a comment scored lower than the breakthrough, you have only the subject and score, not the body. Expanding such a comment would reveal the following text:

                  This comment's score (1) is below the current breakthrough (2).
                  Load Comment [soylentnews.org]

                  How would you then implement "Load Comment"? By reloading the whole page with a lower breakthrough?

      • (Score: 3, Insightful) by Pino P on Wednesday March 16 2016, @01:02PM

        by Pino P (4721) on Wednesday March 16 2016, @01:02PM (#319002) Journal

        our browsers should never execute arbitrary code from a website.

        Here on SoylentNews, would you prefer to have to reload all comments on a page when you click the little + or - to expand or collapse a comment in a comment tree? Or would you prefer that the operator of SoylentNews and each other web site develop and publish a native application for Windows desktop, a native application for Universal Windows Platform, a native application for X11/Linux, a native application for Android, a native application for OS X, and a native application for iOS?

        • (Score: 2) by Gravis on Wednesday March 16 2016, @10:38PM

          by Gravis (4596) on Wednesday March 16 2016, @10:38PM (#319283)

          ... would you prefer to have to reload all comments on a page when you click the little + or - to expand or collapse a comment in a comment tree? Or would you prefer that the operator of SoylentNews and each other web site develop and publish a native application ...

          no, i would prefer they use CSS3 like a gentleman. [realcombiz.com]

          • (Score: 2) by Pino P on Wednesday March 16 2016, @11:14PM

            by Pino P (4721) on Wednesday March 16 2016, @11:14PM (#319316) Journal

            Another comment suggested the same checkbox hack [soylentnews.org]. But as replies pointed out, use of the checkbox hack would require sending all comments on the page to all viewers as if all viewers were browsing at -1. So if the user ends up not expanding the comments, the server ends up having spent usage fees to send, and the user ends up having spent usage fees to receive, possibly hundreds of comments that will never be viewed. At $5 to $15 per GB for mobile Internet, fixed terrestrial wireless (LTE or WiMAX) home Internet, or satellite home Internet, that adds up.

            • (Score: 2) by The Mighty Buzzard on Thursday March 17 2016, @01:06AM

              by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Thursday March 17 2016, @01:06AM (#319365) Homepage Journal

              Usage fees aren't an issue. Also, on a completely unrelated note, I swear, really, it's obvious neither of you pay attention to what goes on on our github repo.

              --
              My rights don't end where your fear begins.
            • (Score: 2) by The Mighty Buzzard on Thursday March 17 2016, @01:21AM

              by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Thursday March 17 2016, @01:21AM (#319379) Homepage Journal

              I should expand on why usage fees aren't an issue. Comments are just text and generally don't take up even close to a kilobyte each. Especially with gzipped transfers. Even an extremely heavily commented story for us is going to run well under one meg.

              --
              My rights don't end where your fear begins.
        • (Score: 2) by The Mighty Buzzard on Thursday March 17 2016, @01:04AM

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Thursday March 17 2016, @01:04AM (#319362) Homepage Journal

          Sheit, why do you think I wrote the API. FOSS. Write your own apps.

          --
          My rights don't end where your fear begins.
    • (Score: 3, Funny) by aristarchus on Wednesday March 16 2016, @09:27AM

      by aristarchus (2645) on Wednesday March 16 2016, @09:27AM (#318927) Journal

      As I see it, the underlying technical problem is simple, and easily solved: advertising networks should never allow ads to include any sort of executable code.

      Ha!

      Ha ha!

      Ha, ha, ha ha! Javascript required for more "ha's" Please allow cookies and javascript and assraping. If you need help, just follow these simple instructions so you, too, can enjoy a modern Web 2.0 Unity Gnome Vista Hell on earth with people who will encrypt all your pictures of your cat, and charge you money if you ever want to see them again! Oh, my god, has it come to this?

      • (Score: 0) by Anonymous Coward on Wednesday March 16 2016, @09:47AM

        by Anonymous Coward on Wednesday March 16 2016, @09:47AM (#318932)

        Yes, it has gotten that bad. In comparison to how things were ten years ago, the WWW looks like a gigantic steaming pile.

        Well, it's not even that 'gigantic' anymore, as more and more people are relying on fewer and fewer services. It's like a highly compressed, black-hole level of suck.

    • (Score: 0) by Anonymous Coward on Wednesday March 16 2016, @04:43PM

      by Anonymous Coward on Wednesday March 16 2016, @04:43PM (#319078)

      > advertising networks should never allow ads to include any sort of executable code

      Is HTML executable? Awfully easy to hide JS in there (see the recent hilarious ebay character circumvention).

      How about GIFs, not exec right? Oh, shoot, except for those exploitable gif parsing bugs.

      Etc.

      Binary numbers are binary; rename fun.exe to fun.bmp and it'll "display", and amusing carefully crafted executable images have existed before (iirc they had mangled magic bytes). There is no magic maxwell's demon sorting "executable, non exec, exec, non exec"
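      The checks this comment and the earlier Anonymous Coward comment about microsoft.com serving "ad.jpg.html" argue for, as an added example that is not code from the thread or from any ad network: a first-party host accepts a creative only if the filename has a single whitelisted extension, the leading bytes match that extension's signature, and the data carries no markup, then serves it with headers that forbid the browser from reinterpreting it. All names, the 500 KB limit and the sample blobs are assumed/constructed; the check does not catch a well-formed image that also triggers a decoder bug.

```python
"""Accept-or-reject check for an ad creative before a first-party origin serves it.

Added example (not from the SoylentNews thread or any real ad network).
It encodes two risks the comments describe: a double extension such as
"ad.jpg.html" becoming a first-party XSS vector, and "fun.exe" renamed to
"fun.bmp" being handed straight to an image decoder. Extension, magic bytes
and a markup sniff must all agree. It does NOT catch a valid image that also
exploits a decoder bug (the libjpeg 0-day case); that needs a sandboxed
decode-and-re-encode step outside this example.
"""
import re
from dataclasses import dataclass

# Extension -> (accepted magic-byte prefixes, MIME type the server will send).
# Static raster formats only: no SVG (may carry script), no HTML, no Flash.
ALLOWED = {
    "jpg":  ([b"\xff\xd8\xff"], "image/jpeg"),
    "jpeg": ([b"\xff\xd8\xff"], "image/jpeg"),
    "png":  ([b"\x89PNG\r\n\x1a\n"], "image/png"),
    "gif":  ([b"GIF87a", b"GIF89a"], "image/gif"),
    "bmp":  ([b"BM"], "image/bmp"),
}

# Markup that legacy content sniffers would promote to HTML/XML.
MARKUP_MARKERS = (b"<html", b"<script", b"<svg", b"<?xml", b"<!doctype", b"<iframe")

# One safe basename, exactly one dot, one short extension: "ad.jpg.html"
# and "../ad.jpg" both fail here before any content is inspected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")

MAX_BYTES = 500 * 1024  # constructed size limit for a banner creative


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str
    content_type: str = ""


def check_creative(filename: str, data: bytes) -> Verdict:
    """Return whether (filename, data) may be stored and served as an image."""
    m = SAFE_NAME.match(filename)
    if not m:
        return Verdict(False, "filename must be name.ext with a single extension")
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        return Verdict(False, f"extension .{ext} is not an allowed image type")
    if len(data) > MAX_BYTES:
        return Verdict(False, "creative exceeds size limit")
    magics, mime = ALLOWED[ext]
    if not any(data.startswith(magic) for magic in magics):
        # Covers fun.exe -> fun.bmp (starts with b"MZ") and any other mismatch.
        return Verdict(False, f"content does not start with a {mime} signature")
    head = data[:4096].lower()
    if any(marker in head for marker in MARKUP_MARKERS):
        # A genuine GIF header followed by markup is the classic image/HTML polyglot.
        return Verdict(False, "image data contains markup")
    return Verdict(True, "ok", mime)


def response_headers(verdict: Verdict) -> dict:
    """Headers for serving an accepted creative so the browser cannot reinterpret it."""
    if not verdict.accepted:
        raise ValueError("refusing to build headers for a rejected creative")
    return {
        "Content-Type": verdict.content_type,
        # Browser must honour Content-Type; no sniffing a .jpg into HTML.
        "X-Content-Type-Options": "nosniff",
        # If anything ever renders it as a document, it runs no script.
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": "inline",
        "Cache-Control": "public, max-age=86400",
    }


if __name__ == "__main__":
    # Constructed samples: JPEG-prefixed, EXE-prefixed, double extension, polyglot.
    samples = {
        "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "fun.bmp": b"MZ\x90\x00" + b"\x00" * 32,
        "ad.jpg.html": b"\xff\xd8\xff\xe0",
        "pixel.gif": b"GIF89a" + b"<script></script>",
    }
    for name, blob in samples.items():
        v = check_creative(name, blob)
        print(f"{name:14} accepted={v.accepted} ({v.reason})")
```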

  • (Score: 0) by Anonymous Coward on Wednesday March 16 2016, @08:33AM

    by Anonymous Coward on Wednesday March 16 2016, @08:33AM (#318916)

    I have considered what I would regard as acceptable advertising on my website, in case I decide to add them in the future:

    * Only served to those that turn them on (opt-in) [consent]
    * Only served from its own hosting [security]
    * Clearly marked (visually) and only at the end of the content [manners]
    * Animation or sound to start only by explicit user trigger [manners]

    Whether anyone wants their ads served under these principles is another matter.

    • (Score: 2) by Pino P on Wednesday March 16 2016, @01:15PM

      by Pino P (4721) on Wednesday March 16 2016, @01:15PM (#319010) Journal

      * Only served to those that turn them on (opt-in) [consent]

      Would "To read past the first paragraph, you must view an ad or buy a month's or year's subscription" be an acceptable opt-in or an unacceptable Morton's fork?

      * Only served from its own hosting [security]

      Say a website's operator wanted to sell ad space to be served from its own hosting. How could a site operator A. sell ad space to a wide selection of advertisers, and B. reassure those advertisers that the view and click metrics that the site provides to advertisers are not fraudulent?

      * Clearly marked (visually) and only at the end of the content [manners]

      Would treating the first paragraph as "the content" be an unacceptable abuse of the term "the content"? Because a free abstract and paywalled body is the standard practice of The Wall Street Journal and prestigious academic journals.

      * Animation or sound to start only by explicit user trigger [manners]

      Would "To read past the first paragraph, you must enable animation or buy a month's or year's subscription" be an acceptable user trigger or an unacceptable Morton's fork?

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday March 16 2016, @08:43AM

    by Anonymous Coward on Wednesday March 16 2016, @08:43AM (#318920)

    Oh rats. BTC faucet sites -demand- ads for basic operation (it's their "income" model), so the risk for malware from these must be astronomical. Everything else runs with blockers, but for these baboons... sigh. Time to find new pastures.

    • (Score: 0) by Anonymous Coward on Wednesday March 16 2016, @11:02AM

      by Anonymous Coward on Wednesday March 16 2016, @11:02AM (#318954)

      I thought BTC sites made their money by stealing all the bit coins.

      • (Score: 2) by maxwell demon on Wednesday March 16 2016, @11:14AM

        by maxwell demon (1608) on Wednesday March 16 2016, @11:14AM (#318958) Journal

        You don't send BTC to BTC faucet sites, so there's no way for them to keep any BTC they didn't already have.

        --
        The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 0) by Anonymous Coward on Wednesday March 16 2016, @09:15AM

    by Anonymous Coward on Wednesday March 16 2016, @09:15AM (#318925)

    honest advertisers have already lost

    the entire internet advertising model is broken, and anyone that keeps paying the likes of google expecting any kind of return on their investment is a fool

    • (Score: 1) by anubi on Wednesday March 16 2016, @09:37AM

      by anubi (2828) on Wednesday March 16 2016, @09:37AM (#318930) Journal

      All it takes is a few really annoying door-to-door salesmen, who have been breaking into houses and locking up everyone's stuff, to get the whole neighborhood worked up and everyone gets German Shepherds, and won't let the salesman in the house!

      The salesmen then return to their corporate headquarters to see what they can do about people using German Shepherds to keep salesmen out of their houses.

      Pen waggin' time! See if we can't "work with" someone in authority, maybe animal control, to have these dogs licensed and penned up or something...

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 0) by Anonymous Coward on Wednesday March 16 2016, @06:55PM

        by Anonymous Coward on Wednesday March 16 2016, @06:55PM (#319130)

        You know what they call those homeowners with German Shepherds? That's right: "Leeches"!

  • (Score: 2) by bzipitidoo on Wednesday March 16 2016, @09:40AM

    by bzipitidoo (4388) on Wednesday March 16 2016, @09:40AM (#318931) Journal

    Problem I'm having now are these sites that have implemented adblock detection followed by refusal to display content unless you turn off the ad blocking. I respond by refusing to visit them. So I don't see Wired, oh well.

    But other family members want their TV shows so much that they asked me to undo the ad blocking I had done for them.

    Should we push for legislation on malvertising? Make it so that adblock refusal makes a site liable if any of their ads carry malware?

    • (Score: 0) by Anonymous Coward on Wednesday March 16 2016, @10:34AM

      by Anonymous Coward on Wednesday March 16 2016, @10:34AM (#318947)

      So far script blocking third parties still lets some ad blocked content through. Once that gets too hard some content just won't be worth the bother.

    • (Score: 2) by maxwell demon on Wednesday March 16 2016, @11:18AM

      by maxwell demon (1608) on Wednesday March 16 2016, @11:18AM (#318959) Journal

      Should we push for legislation on malvertising? Make it so that adblock refusal makes a site liable if any of their ads carry malware?

      Only effective if it comes with burden of proof reversal: Not you have to prove that you got your malware from their advertising, they have to prove that you didn't.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Wednesday March 16 2016, @05:19PM

        by Anonymous Coward on Wednesday March 16 2016, @05:19PM (#319084)

        Should we push for legislation on malvertising? Make it so that adblock refusal makes a site liable if any of their ads carry malware?

        Only effective if it comes with burden of proof reversal: Not you have to prove that you got your malware from their advertising, they have to prove that you didn't.

        Guilty until proven innocent? Look, I totally get where you are coming from and I really do sympathize. But ass-raping hundreds of years of legal precedent is not the answer. Or, so it seems to me.

    • (Score: 2) by bitstream on Wednesday March 16 2016, @12:48PM

      by bitstream (6144) on Wednesday March 16 2016, @12:48PM (#318995) Journal

      One solution could be to download to /dev/null. Then as far as they know.. you have viewed the ad ;)

      • (Score: 2) by Pino P on Wednesday March 16 2016, @01:21PM

        by Pino P (4721) on Wednesday March 16 2016, @01:21PM (#319015) Journal

        You recommend displaying ads to an empty house. There are two countermeasures. One is what Solve Media does: its ads require the user to interact with them in order to dismiss them. Another is convincing ISPs to institute monthly download quotas, as satellite and mobile ISPs already do. A download but not viewed HD video advertisement still counts heavily against the user's quota.

        • (Score: 2) by bitstream on Wednesday March 16 2016, @03:03PM

          by bitstream (6144) on Wednesday March 16 2016, @03:03PM (#319043) Journal

          Ads that require user interaction will most likely fail in that many sites have many of them. Users wouldn't get any time to do anything with the actual content. And then there's automation like AI. And download quotas apply regardless of whether you read them or not.

          • (Score: 0) by Anonymous Coward on Thursday March 17 2016, @04:12PM

            by Anonymous Coward on Thursday March 17 2016, @04:12PM (#319588)

            The downside to those is that, depending on how they are implemented, no one will interact. Something easily identified as an advertisement won't get clicked on by a large number of people because they don't want to get sent to a different page or deal with something like the pop up spam of yore. Many just won't risk it and the advertisers' internal studies have shown as much.

    • (Score: 2) by Grishnakh on Wednesday March 16 2016, @06:31PM

      by Grishnakh (2831) on Wednesday March 16 2016, @06:31PM (#319108)

      But other family members want their TV shows so much that they asked me to undo the ad blocking I had done for them.

      This isn't a problem, as long as you grow a spine in dealing with family members.

      Just explain to them that these ads frequently carry malware and will encrypt all the data on their devices, and then demand a ransom to unlock it. So if you turn off the ad-blocking, you're no longer going to help them with their computer if it has any problems caused by ads or malware.

      Honestly, the easiest way to deal with family members wanting free IT support is to only help them out with Linux. If they want to use Mac or Windows, they're on their own.

  • (Score: 0) by Anonymous Coward on Wednesday March 16 2016, @10:38AM

    by Anonymous Coward on Wednesday March 16 2016, @10:38AM (#318950)

    There should be a "charge" for each computer that was served up an infected ad whether that computer got infected or not. If a burglar tries to break into your house it's still a crime. Even if they come on to your property and peek in the windows to see if they want to break in it's a crime.

    The ad delivery networks should be charged as accomplices as well. If they aren't vetting the ads for safety then they are the driver who dropped the burglar off on my street even though they didn't really know him that well.

  • (Score: 4, Insightful) by richtopia on Wednesday March 16 2016, @10:43AM

    by richtopia (3160) on Wednesday March 16 2016, @10:43AM (#318951) Homepage Journal

    Just wanted to point it out. No adds makes this site even better.

    • (Score: 3, Informative) by Pino P on Wednesday March 16 2016, @01:19PM

      by Pino P (4721) on Wednesday March 16 2016, @01:19PM (#319013) Journal

      Not all sites in the business of information collection and publication are of the right scale to be organized as a charity (like Wikimedia) or a public benefit corporation (like SoylentNews). Just regurgitating what volunteer end users submit, as SoylentNews does and Slashdot does most of the time, is cheap. Doing original reporting and op-ed, as Slashdot attempted to do with Jon Katz and Bennett Haselton, is somewhat more expensive.

    • (Score: 2) by RamiK on Wednesday March 16 2016, @02:23PM

      by RamiK (1813) on Wednesday March 16 2016, @02:23PM (#319032)

      I find the odd ad keeps me on my toes and reminds me to think critically about what I'm reading. Just don't test anyone's integrity... Keep the comments section disabled on the puff pieces so no one will feel forced to speak out and remorseful for hurting the site's proceeds simultaneously.

      --
      compiling...
    • (Score: 2) by The Archon V2.0 on Wednesday March 16 2016, @06:12PM

      by The Archon V2.0 (3887) on Wednesday March 16 2016, @06:12PM (#319099)

      En1@rge y0ur d0ng3r! Fr33 p111z!

      http://example.com/totally-not-a-virus-for-realzies.bat.com.org.exe [example.com]

    • (Score: 2) by Grishnakh on Wednesday March 16 2016, @06:35PM

      by Grishnakh (2831) on Wednesday March 16 2016, @06:35PM (#319114)

      No adds makes this site even better.

      It's also good that there's no subtracts, multiplies, or divides.

  • (Score: 2) by goodie on Wednesday March 16 2016, @11:54AM

    by goodie (1877) on Wednesday March 16 2016, @11:54AM (#318973) Journal

    How it got installed I have no idea (was in a hotel so wifi may have played a role in it....). But I was working on something with a tight deadline and all of a sudden I got this message telling me that I had to pay something like $500 to get a decryption key for all the files on my computer (which were being renamed with a .vvv extension). Thankfully I had a hard backup with me (I usually don't but this time I figured why not...) so I was able to restore everything save for a few new files. Now the interesting bit is that open files are not affected (can't rename them) so whatever I was working on did not get borked (that was a huge relief). But everything else was pretty much toast.

    Anyway those things are pretty creepy, I felt a lot more violated than with a simple virus...

    • (Score: 3, Interesting) by bitstream on Wednesday March 16 2016, @12:45PM

      by bitstream (6144) on Wednesday March 16 2016, @12:45PM (#318993) Journal

      What operating system and applications did you use at the time?

      • (Score: 2) by goodie on Wednesday March 16 2016, @02:32PM

        by goodie (1877) on Wednesday March 16 2016, @02:32PM (#319034) Journal

        Win7 (no choice there) and IE. I was just browsing for stuff, was using MSSQL, Excel and Word, nothing strange or out of place on top of that (looking up papers, reading news etc.). This is the second time I ever get a malware/virus in about 20 years. Last time was about 7 years ago... I did not open any unsolicited attachments either. I had MS Security Essentials which did not find anything at the time. Malwarebytes which I downloaded once I got the popup, found it and removed it but the files did remain encrypted. So I just restored whatever files were encrypted from the backup and removed all .vvv files created by the malware. That was about my only choice since I did not have previous versions or anything like that.

        • (Score: 2) by bitstream on Wednesday March 16 2016, @02:54PM

          by bitstream (6144) on Wednesday March 16 2016, @02:54PM (#319040) Journal

          Confirmed suspicion ;)
          I'll guess the strategy has to avoid any networking when doing critical stuff using Microsoft OS software. At least avoid using IE on any non-vetted site. One could perhaps browse the employer site but avoid everything else. And of course versioned backups to avoid backing up ransomed and thus encrypted files to the backup too.

          • (Score: 2) by goodie on Wednesday March 16 2016, @03:03PM

            by goodie (1877) on Wednesday March 16 2016, @03:03PM (#319044) Journal

            Yep, since then I've changed my habits a little ;). Thing is that it was all "regular" websites, not warez or anything like that. In any case, screw hotel wifis as well... As for my backup, it's a cloned git repo so everything is versioned, which was of help too.

            • (Score: 2) by bitstream on Wednesday March 16 2016, @03:12PM

              by bitstream (6144) on Wednesday March 16 2016, @03:12PM (#319048) Journal

              The worrying trend is that now even Mac OS X [thehackernews.com] is targeted successfully. But they have also been kind of sloppy with security. Though not as bad as the evil from Redmond. However, as more platform-independent ways of distribution like documents and later platform-agnostic platforms are exploited, environments like the free Unix ones will have to deal with this eventually.

            • (Score: 2) by bitstream on Thursday March 17 2016, @12:06PM

              by bitstream (6144) on Thursday March 17 2016, @12:06PM (#319510) Journal

              What's up with the hotel WiFi that a secured VPN wouldn't fix?

            • (Score: 2) by el_oscuro on Friday March 18 2016, @01:23AM

              by el_oscuro (1711) on Friday March 18 2016, @01:23AM (#319826)

              Thing is that it was all "regular" websites

              That might have been your problem. Those "regular" websites all serve up dozens of ads, trackers and shit from 3rd parties - and now some of that adwarez is ransomware.

              With Microsoft installing all of the telemetry shit in Win7 now, they are basically a malware vector too. While I have run Linux for some time, I always wanted to keep a current version of Windows around so I could support it as well as run any software that I couldn't find on Linux. With this telemetry shit, no more. If you can't trust your O/S, who can you trust?

              Of course ransomware is starting to target Linux too, so it is not like I am safe. Besides having a host file, adblock, ghostery, etc, I also have a browser which runs as n0b0dy on my machine using xwindows and ssh. That way, if CNN should deliver an ad which gets by all of my defenses and starts encrypting files, it will be encrypting those in n0b0dy's $HOME, not mine. Hopefully, Unix permissions should keep it out of the files I actually care about.

              --
              SoylentNews is Bacon! [nueskes.com]
        • (Score: 2) by tangomargarine on Wednesday March 16 2016, @03:07PM

          by tangomargarine (667) on Wednesday March 16 2016, @03:07PM (#319046)

          Malwarebytes, which I downloaded once I got the popup, found it and removed it, but the files did remain encrypted. So I just restored whatever files were encrypted from the backup and removed all .vvv files created by the malware.

          I hope when you got home you did a nuke and pave? Or if it was a company machine you got the tech guys to do so?

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
          • (Score: 2) by goodie on Wednesday March 16 2016, @03:19PM

            by goodie (1877) on Wednesday March 16 2016, @03:19PM (#319049) Journal

            Nuke and pave. I was not sure whether there were any traces left other than Malwarebytes telling me so. The other thing is that my other machines are not Windows (my main git repo/NAS is a FreeBSD headless machine), so I am not too concerned with these sorts of things. As far as I could tell there were no traces left anyway, but it would be pretty vicious if they left something dormant just to wake up later and start another round.

            When it actually happened I was in the middle of running a bunch of tasks, some of which were calling the prompt, which triggers the access request popup or whatever that is. Now there was one in the batch that I can tell was not the way it was supposed to be. In my haste of clicking yes to a bunch of legit ones, I clicked yes and at that moment things started to go to crap: CPU went on like crazy, computer got slow etc. because it was busy encrypting/renaming files. Another interesting bit is that it starts with My Documents, recent folders etc. to try and get to the stuff that you supposedly are using or used recently. But my stuff was on a different location so it did not get to it until a couple of minutes later. None of the open files were affected.

            Anyway, after that I did not trust the machine. Got home a few days later, pushed my diffs on the repo (standard text files and so on, no chance of infection on those) and reinstalled everything after a format.

            But it happened. I first had a sense of panic, then anger and frustration. I would never have paid anyway, but it was the first time I was affected by ransomware. I felt like I was taken hostage, violated. Pretty unpleasant feeling... Since then I've been looking much more closely at having a BSD desktop with VBox to run Windows. What sucks is that I would always be running it because I have no choice for my work...

            • (Score: 2) by bitstream on Thursday March 17 2016, @12:12PM

              by bitstream (6144) on Thursday March 17 2016, @12:12PM (#319512) Journal

              I had this idea that one could perhaps have a watchdog for the opening of files. Especially some bait in "My Documents" which always has a recent date. Any process that tries to open or rename it gets copied to storage and halted.

              The real home run would be to monitor all file openings and deduce if that operation was hostile. Like, if a document was written and the contents lack any English words, then the associated processes become halted and banned from the system. Another approach is a revision filesystem.

              • (Score: 0) by Anonymous Coward on Thursday March 17 2016, @04:17PM

                by Anonymous Coward on Thursday March 17 2016, @04:17PM (#319590)

                That is how many antiransomware programs work already. But my understanding is that they are a bit more sophisticated and have different levels of hidden and known plain texts to help decrypt in cases of bugs and forensic analysis.
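The two ideas above (bitstream's bait file in a recently-modified location, and the "no English words left" test on a rewritten document; the reply notes that commercial anti-ransomware tools do roughly this) can be sketched in a few dozen lines. What follows is an added example written for this thread, not code from either poster or from any product: it plants decoy files, records their hashes, polls for any decoy that has been rewritten, renamed or deleted, and applies a byte-entropy plus common-words heuristic to the new contents. The decoy names, the 7.0 bits-per-byte threshold and the word list are assumptions; halting or quarantining the offending process is out of scope, the script only raises the alert. `simulate()` imitates one ransomware pass with constructed actions (overwrite one decoy with random bytes, rename another with a `.vvv` suffix, as in the thread) so the detector can be exercised offline.

```python
"""Decoy-file watchdog plus a crude 'was this write hostile?' heuristic.

Added example for the thread above; assumptions: decoy names, the
entropy threshold and the English word list are all illustrative.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Names chosen to sit near the top of a "recently used" listing. The body
# text makes a genuine user edit distinguishable from blind tampering.
DECOY_NAMES = ("~recent-invoice.docx", "passwords.txt", "tax-return-2015.xlsx")
DECOY_BODY = b"DECOY FILE - do not edit. This file is watched for ransomware activity.\n"
# Short list of frequent English words; any plaintext document hits several.
COMMON_WORDS = {"the", "and", "to", "of", "in", "is", "it", "that", "for", "file", "this"}


def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(directory: Path, names=DECOY_NAMES) -> dict:
    """Create bait files with a fresh mtime; return {Path: sha256} baseline."""
    baseline = {}
    for name in names:
        p = directory / name
        p.write_bytes(DECOY_BODY)
        os.utime(p)  # touch: encryptors often start with recently modified files
        baseline[p] = fingerprint(p)
    return baseline


def check_decoys(baseline: dict) -> list:
    """One poll: return [(path, reason)] for every decoy that was touched."""
    alerts = []
    for p, digest in baseline.items():
        if not p.exists():
            alerts.append((p, "missing: deleted or renamed"))
        elif fingerprint(p) != digest:
            alerts.append((p, "contents rewritten"))
    return alerts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4.5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, entropy_threshold: float = 7.0) -> bool:
    """High byte entropy and no common English words => probably encrypted."""
    words = set(data.decode("latin-1").lower().split())
    return shannon_entropy(data) > entropy_threshold and not (words & COMMON_WORDS)


def simulate(directory=None) -> dict:
    """Plant decoys, imitate one ransomware pass with constructed actions
    (not real malware: overwrite one decoy with random bytes, rename another
    to *.vvv), then poll once and report what the watchdog observed."""
    directory = Path(directory) if directory else Path(tempfile.mkdtemp(prefix="decoy-demo-"))
    baseline = plant_decoys(directory)
    first, second = sorted(baseline)[:2]          # passwords.txt, tax-return-2015.xlsx
    first.write_bytes(os.urandom(4096))           # "encrypted" in place
    second.rename(second.parent / (second.name + ".vvv"))  # renamed away
    alerts = check_decoys(baseline)
    return {
        "alerts": {p.name: reason for p, reason in alerts},
        "rewritten_looks_encrypted": looks_encrypted(first.read_bytes()),
        "decoy_body_looks_encrypted": looks_encrypted(DECOY_BODY),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "->", value)
```

Polling on content hashes is deliberately simple; a production tool would hook file-open events (inotify, a minifilter on Windows) so it can identify the writing process, which is the part of bitstream's idea that a userland poll cannot do. The entropy test also needs the word check: compressed archives and images are high-entropy but legitimate, and the poster's own "no English words" criterion is what keeps them from being flagged on its own.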

        • (Score: 2) by Grishnakh on Wednesday March 16 2016, @03:35PM

          by Grishnakh (2831) on Wednesday March 16 2016, @03:35PM (#319054)

          That's what you get for using Windows. Was it an employer-owned computer? If so, you can't be blamed for that, obviously, but then clean-up and dealing with the ransom is your employer's problem.

  • (Score: 0) by Anonymous Coward on Thursday March 17 2016, @06:19PM

    by Anonymous Coward on Thursday March 17 2016, @06:19PM (#319645)

    You have nothing to fear! Today serving

            Egg and bacon
            Egg, sausage and bacon
            Egg and malware
            Egg, bacon and malware
            Egg, bacon, sausage and malware
            malware, bacon, sausage and malware
            malware, egg, malware, malware, bacon and malware
            malware, malware, malware, egg and malware
            malware, malware, malware, malware, malware, malware, baked beans, malware, malware, malware and malware
            Lobster Thermidor aux crevettes with a Mornay sauce, garnished with truffle pâté, brandy and a fried egg on top, and malware.