Revealed: The naughty tricks used by web ads to bypass blockers Netizens may choose to block unwanted content – such as intrusive and misbehaving ads – but some advertising companies do not to accept that choice. Instart Logic describes itself as a content delivery service and much of that content happens to be advertising. The California-based biz is determined to help its clients present …
Actually, I'm fine with sites containing adverts. I think it's reasonable that they do! My problems with it are the tracking and also auto-play video (which is irritating by itself, and doubly so if like me you open a row of tabs to queue up what you'll read).
I want the sites I like to make money. I just don't want Google et al. having a big profile of "went to this site at this time, bought product Y last week" for me or having to close pages unread because they're blasting crap into my headphones from half-way down an unopen tab.
I agree 100% - especially regarding auto-playing videos. The other part I'd add is that I do not want ads that significantly harm my viewing of the underlying content. I've seen some sites that load and scroll very quickly and simply with ad-blocking enabled, but which run awfully when I turn it off and allow the ads (pages taking 5-10 seconds to load, content jumping around as ads appear mid-article, sluggish and jerky scrolling due to masses of Javascript, etc). If you're making your site perform like crap with ads, then you're doing it wrong and are just inviting people to block them.
And to note, sites that use sensible and reasonable ads (such as GHacks), I do disable my ad blocker for these.
I can see this war having some beneficial effects. Maybe even this attempt to get round ad blockers.
I want publishers to make money. I'm happy for them to run ads. Sadly for them I just don't see them anymore. I just filter out those bits of the screen. But if they're getting paid anyway, I guess we're all happy.
But the publishers need to take responsibility for their content. Try surfing most sites on a tablet now, and it's miserable. The page load times are long, because of the all the Javacrapscript and ads popping up from slow third party servers. Which mean the page starts bouncing around like a 4 year old on Sunny Delight. Which on a PC is annoying, but on something with a touchscreen is incredibly fucking frustrating. As you wait for the action to stop, put down your finger to scroll and an advert magically appears right underneath your finger!
On a tablet that's really annoying but on a phone with slower load times, when you're on the road and in a hurry, it's really, really, really, REALLY fucking annoying! Stop it!!!!
I've complained to El Reg about misbehaving adverts, and their response has been, "sorry it's down to our ad network". That's not really good enough. My relationship is with you. It's you that are pissing me off. It's you that I'm going to blame if malware gets onto my PC because your ad network served something horrible. So in an ideal world I'd just connect to the publishers' server - and then they'd deal with all the ad crap. The result would be a more secure internet for users and publishers having to take responsibility for what turns up on our screens.
Obviously the Ad industry would have to change how it runs its networks. And have to plug their networks through the publishers' systems - which would have the side effect of making everything more transparent - as they'd have to run their tracking code in cooperation with companies like El Reg.
the advertisers might learn to piss their users off less too. And publishers could no longer just shrug their shoulders and say, "not us guv". Because now, it would be.
Again, I think everyone wins here in the end, except the real scumbags.
"Therefore Instart=Malware."
My thoughts precisely as I was reading the article - and not just for the detection of those two tools; I came to that conclusion by the third paragraph of the article, where it said "The company's technology disguises third-party network requests so they appear to be first-party network requests."
If you have to mask where your stuff comes from to get it to work on my system, your stuff is malware, pure and simple.
""Instart's code also detects network analysis tools Wireshark and Charles Proxy.""
And the fact that it can presumably is an "information leak" security vulnerability. What browsers is this applicable to? It doesn't seem to make that clear in the article other than implying Chrome is effected.
"What browsers is this applicable to?"
If you follow the link in the story (and read the sentence) it was reported by a Brave browser developer because it affects Brave. Brave is based on Chromium, so it may apply to both. How Wireshark and Charles Proxy are detected is under investigation – it's looking like RPC via JavaScript so may be cross platform.
C.
I visited several of the sites on the list the dev of uBlock Origin (and its companion addon to thwart this attack, called uBlock Extra) using Waterfox, and I didn't see any ads on any of them. A couple of them are on my regular reading list, and I had no idea they were supposedly up to such chicanery; it's not showing here.
I use uBlock Origin, but the Extra supplement is only available and necessary on Chrome and derivatives, according to its author, so it appears that FF (and derivatives) already are able to defeat this.
I also use NoScript, but even when I set it to "temporarily allow all," I still saw no ads.
Unless a NoScript user was prepared to block essentially all js for the site, I don't think NoScript would help, given what has been presented about the way this exploit works. The script that monitors the ads and uses alternative means to download them and inject them into the DOM would have to be served by the first-party domain, or else it could be blocked just as easily as any other ad server domain. The article says that third-party cookies will masquerade as first-party also supports this... the first-party server-side script downloads the ads, trackers, and cookies from the third party servers, encrypts the data stream, then sends it to the script running in the first-party domain's name space on the client, which decrypts the data and presents it as if it were first-party content.
Nearly every site has a script for the first-party domain, and disabling that one (while possible with NoScript on a per-site basis) is likely to break most sites as completely as simply turning JS off. I don't think NoScript is going to help with this one... but it doesn't seem to matter. FF already handles this content with the regular uBlock adblocker, and the version for Chrome apparently will with the Extra addon (and I would expect the core browser to be modified to block this exploit soon enough, because it IS an exploit, regardless of what the sleazeball ad company may want to call it. If it can be used by them, it can be used by straight-up malware slingers too).
Exactly my complaint. I'm willing to have advertising on sites I browse, but they're going to have to settle for the OLD method of advertising, which is to determine sites & content likely to be of interest to me or others like me, and place ads there. If they want to specifically trget *ME*, then nope, not acceptable. They want an ad that plays a message? **ONLY** if I specifically request it should it be allowed to play audio. Heck, even the visuals should require an active click, as auto play videos even without sound are sucking up bandwidth and CPU.
I specifically do not run the heavy-handed ad-blockers because I recognize sites need to pay rent and bandwidth, etc. But I do block tracking cookies, and any site that bitches about THAT will receive a coarsely-worded missive from me. I will go out of my way just to hunt down the appropriate parties to complain to.
I want the sites I like to make money. I just don't want Google et al. having a big profile of "went to this site at this time, bought product Y last week" for me or having to close pages unread because they're blasting crap into my headphones from half-way down an unopen tab.
^ ^ ^ ^ This.
If someone has gone to the trouble of blocking ads and they find a way to get round it, then they are likely to be pissing people off and losing all goodwill, so there is not really any benefit to doing it surely?
It's like closing your blind and someone outside reaching though and opening the blind so they can peer in.
"If someone has gone to the trouble of blocking ads and they find a way to get round it, then they are likely to be pissing people off and losing all goodwill, so there is not really any benefit to doing it surely?"
You need to distinguish between the advertisers, those with products or services they want to sell and the advertising industry that delivers advertising to potential customers.
The latter want to push the adverts at you regardless of whether or not it injures the reputation of their clients because they're not selling their clients' products, they're selling their own which is advertising. For them it's profitable to get round ad-blockers. For their mugs clients it's money spent on alienating existing and potential customers but don't expect the advertising industry to tell them that.
John Wanamaker, one of the pioneers of marketing is reputed to have said “Half the money I spend on advertising is wasted; the trouble is I don't know which half”. Presumably he'd have welcomed ad-blockers because they'd have instantly cut out a lot of his wasted - and very likely counter-productive - spending.
... because most of it is not worth paying for.
It seems that Content® manufacturers can't take a hint, even when it's flashing in ten-foot tall neon lights.
Really, how stupid/arrogant do you have to be to think that replacing a compulsory payment method (paywall) with an opportunistic payment method (advertising) will magically make your precious Content® more desirable?
Shockingly, it turns out that people only bother looking at mediocre Content® because it's free. As soon as it stops being free, or imposes some other unacceptable restriction that can't be circumvented, they lose all interest in it.
I don't suppose Content® manufacturers have considered the possibility that maybe they should be producing something that's actually worth paying for, then charge for it, instead of whingeing when the junk they leave out in the open is only partially read, skipping the adverts.
Sorry but no, you will not force me to read those parts of your freely published Content® that I have no interest in. Ever. Period.
Want my money?
Sell me something worth paying for!
I don’t even think it’s as complex as people only read it because it’s “free” as in money vs explicit payment eg “paywall”.
I suspect a further major contribution is that many other sites generally have the same content in a slightly different form (although not even that sometimes) so why would I pay site A to read content I can also read on site B, C, and D.
If you’ve ever used a news aggregation app you soon realise they’re not useful because you get every article 10 times... and not in a way where you are getting substantially different views or angles on a piece.
So really, why would I pay?
Well, you can do that, but personally I don't like aggregation sites, and the sites I do subscribe to via RSS/Atom tend to have vastly dissimilar content, e.g. The Guardian and El Reg, the former of which I have a paid subscription for, and the latter I would happily pay a sub if they had such a thing, because they're both worth it IMO.
But there's far too much on the Web that simply isn't worth a damn, most of which I end up reading simply because I followed a link, not because I actually subscribe to those sites. If those sites and their content disappeared off the Web, I wouldn't really shed any tears.
That doesn't stop them overvaluing their content and demanding I read their spammy adverts, though, but if it came down to a choice between enduring their spam or not reading them at all, I'd drop them without the slightest hesitation.
It's almost a step in the right direction. If you want to serve me ads then I expect them to arrive from the server hosting the main page being viewed as a static image. Nothing animated, no pop-ups, no dodgy javascript, just a good old img src tag. Do all the fancy stuff to select which image at the server end because I don't trust your third-party ad code. If you manage that then you'll probably defeat the ad blockers. Or provide me with a legally watertight agreement to clean up any malware mess at your expense, backed with a large sum of money in escrow to guarantee against unexpected bankruptcy as a means to get out of paying up.
"The company's technology disguises [...]"
"Instart Logic attempts to conceal the activity of its software [...]"
"[...] will detect when the developer console opens, and cleanup everything then to hide what it does"
> Isn't this what malware and viruses do?
"What we do is we work with publishers to help them create a better experience,"
> They all DID go to the same business communication course, now didn't they?
> Why didn't he throw in that they try to deliver a better "service"? Oh, wait...
"There are other reasons people cite, such as security, privacy, bandwidth, page load time, disinterest, a desire not to be manipulated [...]"
> "What Melchett? What are the plebs going on about..?"
"[...] does not guarantee the effectiveness of its product."
> Hmmm. Maybe they can help me? I've invented a really effective haemorrhoid generation
> creme. But nobody seems willing to use it, which greatly hampers its efficacy.
"We provide this tool and we let the publishers have a lot of control over how they use it," he said. "I don't really get into it. We give the publishers a bunch of options."
> Isn't this the same selfish, self-centred, chocolate covered reasoning that others, like for example
> the "humanitarian, self choice promoting" NRA, have been venting for years?
"If it keeps up, it's going to put publishers out of business and it's going to cost reporters their jobs."
> What, no reference to terrrorists and paedophiles? ☹
"Do all the fancy stuff to select which image at the server end"
It doesn't even need to be fancy. You know what page the user's browsing. You know what's on the page because it's your page. So you know what he's interested in. After that it becomes easy to add the relevant ad to the page. So easy, in fact, that the advertiser and publisher need very little in the way of middlemen to take a profit from. Now why do you think the advertising industry doesn't try to sell that solution instead?
<broken>
Because they rely on the inability (or sheer laziness) of some people to provide reasonable ad content on their sites, without simply plugging in some pre-written code over which they have no control...
</record>
And the funny part about this story is that one of the sort of ad slots which drives people to use ad blockers is right here on the Register comments page for this story. It's at the bottom of the right hand column and operates as an "onscroll" ad. There's another site which I frequent which has a similar ad slot, but has them on the main pages.
The problem with them is that they constantly cycle through new ads by re-opening the connection and pulling in new ad graphics, resulting in an almost constant use of bandwidth. Having them in one tab is bad enough. If you have a bunch of tabs open at once with them they suck up all available bandwidth and drag the browser to a crawl. If you''re on a personal ISP account and don't have an unlimited bandwidth package, they can chew through an amazing about of your bandwidth cap if you happen to walk away from the computer with a bunch of tabs open for an extended period of time. If you're not careful you could be handed a nasty bill at the end of the month for overage charges.
I don't use an ad blocker because I want publishers to get ad revenue. I have however been forced to disabled auto-play of video because of ads which abuse this feature (this is an option in Firefox). I've been dealing with the "onscroll" ads on The Register" and the other site by either opening a bunch of tabs at once and turning off networking while I work my way through reading the story, or by opening the browser debugging console and killing that one ad if there's only a few of them.
I've never used an ad blocker so far, but these specific types of ads are driving me towards installing one if I can't find another solution. These ads are a relatively new phenomenon on the sites that I visit, so I don't think that site publishers have seen the ultimate effects of this yet.
Publishers seem to like to throw up their hands over the issue and say that they have no control over the problem. The fact that these particular ads are only in specific spots on the page on the two sites that I frequent which use them shows this isn't really the case.
Ad vendors don't have an investment in your web site. To them, web sites are disposable, and if one gets killed by obnoxious ads they'll just move on to the next sucker. If a property owner decides to rent his house out to dubious characters because they offered him a really good price, then he shouldn't act all surprised and offended if it gets destroyed as a side effect of hosting a drug lab or biker gang.
To all publishers out there - it's your site, you are 100% responsible for all content on the pages, including the ads. Your lawyers might tell you that you can duck legal liability for what the ad vendors do, but your readers will vote with their feet (or ad blockers) and your investment in building up an audience will go down the drain. Remember that ad vendors do not have this same investment in your business, they will not shed any tears if they destroy it in the course of making money off your hard work.
This site has ads?
Sorry El Reg... but you forced me to block them by irritating the crap out of me with them, sucking up bandwidth, flashing/moving images... the only thing you weren't guilty of was autoplaying video/audio... But seriously, how long was it going to be before that happened.
For a site that claims to be 'biting the hand that feeds IT' you do spend a lot of time conforming and following along like good little sheeple.
Why for example.. Why are there 6.. YES SIX... tracking cookies attempting to add themselves on my system.
Clean up your act first... and perhaps more will follow... be a leader instead of a sheep.
El Reg displaying irritating ads on a site that has tech savvy readers is more irritating than, but akin to, the http vs https debacle whereby people were requesting it all the time and El Reg took forever to respond. They got there but at a frankly embarrassing pace for a tech site. We can only hope they clean up their shit with regards shitbag adverts. Until they do it is unlikely they will make much revenue from them given the readership.
That's actually bad business for the advertisers. If they're getting charged per page impression, the last thing they want is their ad being fetched and displayed on a tab that isn't currently being displayed. The javascript really ought to determine that the tab is not the top one and do nothing until it gets an event, not keep pulling in images that will never be seen. Of course, the ad-server benefits from the current model because they're getting paid for delivering the images regardless of whether they're being seen.
I agree. I think there is an underlying issue with people not wanting or, in a great many instances, not being able to pay for the information available on the Internet.
Peoples wages or salaries haven't kept up with the cost of living for about 40 years. Now, I know some of you make lots of money, but for most people the truth is that if their pay was equal to said job, or its rough equivalent, of 40 years ago plus realistically calculated cost of living increases (gotta watch that part as governments have been know to change how that's calculated to make the figures look better) they'd have more money. Then in terms of being able to pay for services or information, whether specialty magazines or other, there'd be less issue overall.
It seems that these large corporations that have worked so hard to subvert the taxation system over the last 40 or 50 years are paying the price through their own success and, as usual, we have to pay the price. Business as usual. :)
Well.. if they ask me to unblock and it's a site I want to visit for a specific reason, I do. And then reset the blocker. Between an adblocker and hosts file blacklist, I seldom see ads unless I specifically unblock them. Takes a bit of time to manage (and most users won't bother) but worth it to me.
Well.. if they ask me to unblock and it's a site I want to visit for a specific reason, I do. And then reset the blocker.
Better solutions that seem to work with most of the current generation of crapware:
(1) (getting less effective but still often works) Reload a page, and abort loading after the text has arrived but before other stuff.
(2) (usually does the job) Just paste the URL into lynx in a terminal.
I still do that. BBC website does not advertise... it does have (IMO) the reasonable need to show you other content it hosts (side bars of other news etc). However, it suddenly all became obtrusive and interrupting, then they added autoplay to their news/videos. So I stopped visiting. Goodbye.
Some sites I have start to let adverts through my adblocker, as I only update it when the adds get offensive/intrusive or stop my ability to read content. I'll let you guess how log they last, and how quickly I hit the "update/block" button.
This post has been deleted by its author
Almost as important as blocking ads themselves is the ability for adblockers to selectively eliminate whatever elements I want it to. There's all kinds of crap getting in the way... autoplay videos in the lower right corner, "chat with our virtual assistant" nags, floating share-button containers that expand to content-blocking size when I zoom in on the page enough to make the text easily legible... the annoyances are legion even when the ads are gone. Being able to hide any element is simply necessary to make the web tolerable.
I have a separate addon for removing those obnoxious "This site uses cookies" messages that every single site on Earth now has (thanks, EU, you sure solved that problem). Since the cookies the site warned me about will be gone within a few minutes, the site won't remember that I've been there before (you might get the idea that this was the point all along!), so naturally it has to warn me that it uses cookies again, and again, and again.
I remember that I stopped using Yahoo as a search engine (circa 2000 to 2001) and moved to Google because I got sick of the X-10 pop-under ads. (#)
Obviously there were other improvements once I started using Google, but I don't recall having been in a rush to switch until I was actively pushed away by that.
Once away, I never came back, except for occasional use of throwaway email accounts. They still love to throw shite like autoplaying video in my face using a contrived excuse like my inbox or junk folder being empty, so here's some sub-You've-Been-Framed toss you might like to watch. (Or rather, you're being given it to watch, you're not being asked- any wonder I still rarely visit Yahoo?)
(#) Remember those? Ads for home security systems (i.e. for catching burglars) that for some reason always featured scantily clad women.
Oh sure, blame the rise of ad blocking for the decrease in served ads. Remember when there were no adblockers except for tools like adzapper+squid? Yeah, those were terrible days with pop-ups, pop-unders, and punch the fucking monkey. Can't tell you how many times I was the Xth winner and won the prize of looking at an ad! And on a slow connection, the ADS would be the first thing to load, not content. So, publishers have only got themselves to blame for this terrible cat+mouse game.
Even today if I'm using a clean browser and doing general surfing, ads still make up 50% of a page's content. I'm reminded really quickly of why I use blockers.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
