by nopriorarrests 3070 days ago
I don't know anything about JS-based cryptomining, but I wonder if you can't stop such ads without breaking 90% of legit ads.

I mean, it all probably boils down to number-crunching? So the DSL you are envisioning should block really basic language parts, like cycles and math operations.

If I'm wrong and mining actually could be easily blocked on language level using some DSL, I'm all ears.

4 comments

It would be nice if things could be blocked by CPU usage... even if you’re not mining cryptocurrency, if your ad uses more than 5% of my CPU it should be killed.
...and total CPU Time.

Interesting, just noticed that watching a Udemy course uses 98% CPU (in Activity Monitor on a MBP). This even if playback is paused. Wonder if they're doing something similar or it's just a lame implementation?

I've seen some software video decoders do that at times, though if it's happening even while paused it's a little unusual (maybe decoding buffered frames?).
Yep, I've had the same with the Udemy app.
Maybe they're polling for input?
Yeah, good point, but it's hard to differentiate between a malicious ad and, say, some widget displaying a real-time NASDAQ chart.

Sometimes I want some pages (or even iframes in those pages) to consume my CPU and be as smooth as possible.

Once a widget has run say 100 million instructions, suspend it if it comes from a different domain than the main page, mark it visually and provide a button on it to enable high CPU usage.

We used to do something like that with Flash: make the user click it if they want it to run.

I hope that doesn't occur, as it would break our site and the usability for our users.

Hopefully a more sophisticated solution which requires or measures GPU usage to UX updates may be better.

WebGL games and heavy animations can run on the GPU, but if they aren't updating the interface, perhaps that can be used to find something nefarious.

That's exactly the reasoning that is the root cause of all these problems. You designed a website and you don't want it to be broken. Fair enough. But as a user, I don't really care about your website - what matters for me is if I can prevent it from taking over my CPU or not. This option should be there and it should be configurable. The browser makers already figured this is a problem and have some rudimentary mechanisms preventing total abuse ("this window/tab became unresponsive...") but if users have more control over it, it completely changes the rules of the game. Having a configurable option "if a script consumes more than N% of CPU, turn it off" would save many people the time spent on looking for the culprit, sometimes hidden between tabs. Fortunately many people have an auditory clue when the JS is abused: the fan noise.

Designers and developers need to understand that allowing them to run their code on my computer is a privilege, not an absolute right. As every right, it must not be abused. If it's abused, it will be terminated. Google finding and disabling these Coinhive miners on YT is just treating the symptoms, not the root cause.

I've come to decide that the only ads I consider "legit" are where the site owner strikes a deal with another business that is interested in advertising on their site, the site owner hosts the ad on their own server, as a picture banner or text or perhaps a nice block in a side column that says "sponsored content" or whatever, and just links to the other business.

Site owner controls all the content. Any tracking will be done mainly via server logs, if the site owner wants to they can use a bit of script to quickly shove in a redirect onmousedown, in order to track exactly when the user clicked what link. But frankly I've found even that technique a privacy insult ever since I noticed Google doing this in their own search results.

This is analogous to how paper newspapers used to manage their ad space. No third party shit, and if the magazine was proud of itself it would curate the ads to only deal with advertisers that wouldn't annoy their reader base (too much).

A bit of a hassle maybe, but it shows your readers that you actually care about what content is displayed on your site (let alone what code is run). But most importantly, no adblocker will block these kinds of ads. Because they're just image links, after all. Adblocker can't see if that's an ad banner or just a thumbnail linking to an external domain. And I would maybe even bother to whitelist those if they did (right until one shows me crap I don't want to see, like being confronted with nudity or sex when I'm not in the mood for it).

>I've come to decide that the only ads I consider "legit" are where the site owner strikes a deal with another business that is interested in advertising on their site, the site owner hosts the ad on their own server, as a picture banner or text or perhaps a nice block in a side column that says "sponsored content" or whatever, and just links to the other business.

I agree. When it comes to ads for niche content (blogs, forums, etc). The ad industry sells online ads like they're TV commercials but the companies buying the ads should be looking at them like partially sponsoring a race team in exchange for your logo showing up in front of people who are interested in your type of products/services.

Evidently blocking math is probably not okay.

However, mining is useless without a way to send it back out to the network. I doubt ads need networking capabilities - so just prevent that bit. That should do it, as far as I can tell.

I know a bit about modern ad-tech.

Ads absolutely need networking capabilities, for tracking stuff like "viewability", or "anti-fraud, brand safety and independent measurement" by some third-party provider. In fact, you can't get a serious marketing budget from a reputable brand without having your, err... their ad wrapped inside some JS which does networking calls. Brands want to audit each impression you, as an ad-tech firm, will serve on their behalf.

Part of what I find frustrating as a user is that I don't like ANY of those features :)

While I'd prefer a model without any advertising (and am willing to pay for it), I can put up with unobtrusive ads, without tracking, like Daringfireball uses.

I've worked in adtech before, and I know that these techniques make money, and are important to advertisers. But as a user, I find them intrusive, and they are why I run adblockers.

Yeah, race to the bottom. Fraud in online advertising is estimated to be tens of billions USD yearly, so brands require more and more "brand safety" and "measurements", each ad calls, like, 4 different vendors calculating some metrics, and this, in turn, fuels adblockers' growth.

Interestingly enough, "walled gardens", like facebook, are big and important enough to bully advertisers into playing by facebook rules, accepting FB measurement standards, without calls to 3rd party vendors.

It's only open web which is polluted more and more each year.

Shouldn't Google be big enough to bully advertisers into the same sort of deal? It seems like a business opportunity for Google here.
Well, it's a complicated question, and I'm not that well educated.

To my best knowledge...

1. You can't make a single cent if your bot visited facebook.com 100 million times. You can make some serious money if your bot visited some-exciting-domain.com, which belongs to you, and there were 5 ads displayed on each visit.

With this incentive you have all the reasons to make your bot very human-like (think headless chrome, realistic mouse movements, having old cookies, etc) so fighting fraud gets extremely hard.

It's easier to serve the ads and let advertiser figure out anti-fraud measures by himself. Being responsible for measurements and lack of fraud on open web is a huge PITA without clear path to huge uplift in revenue.

2. Facebook optimizes UX (or claims to), and calls to other servers make the site slower, especially on mobile, lowering user engagement. This argument obviously does not work for some-exciting-domain.com. So, you can call whatever you want from your ad on some-exciting-domain.com, but on facebook.com you play by facebook rules.

In fact, some-exciting-domain.com can probably ban ads which call other domains, but it will just kill his revenue (programmatic systems will label him as "non-performing", because nothing is properly measured and stop buying ads there).

> "It's only open web which is polluted more and more each year."

Is water still polluted if more and more and more are willing to chug it?

I do not think that metaphor holds at all, if "water" is open web and "chugging" means spending advertising dollars there.

I don't have a link on hand, but GOOG and FB captured something like 95% of digital advertisement growth in 2017. In other words, out of each new 1$ shifted to digital from TV and print, 95 cents went to duopoly.

And advertisers which are still "chugging" open web are installing more and more "filters" and "purifiers" (different anti-fraud and measurement providers).

People from digital media are talking about digital media crash. [0] Buzzfeed failed their revenue goal and fired 100 employees. [1] Mashable was sold for peanuts. [2] Business Insider, granddaddy of ad-monetized clickbait, is pushing more and more articles under "BI Prime", which means paid access.

A lot of people were clamoring for death of ad-supported publishing on open web. Well, the future is almost here.

[0] https://talkingpointsmemo.com/edblog/theres-a-digital-media-...

[1] https://www.recode.net/2017/11/29/16715350/buzzfeed-lays-off...

[2] https://www.recode.net/2017/12/5/16735262/ziff-davis-mashabl...

As a user I love all of those features. Every single one of them makes my adblockers more effective, not to mention they drive more people to use adblockers. :)
Ads absolutely do not need this. One day these capabilities will be taken from the networks and they will survive.

The advertisers will take anything they can. It’s up to others to set the limits.

Will be taken by who? As long as we have publishers and adnetworks allowing this behaviour, money will flow there.
The audience is clawing back their rights using ad blockers and the browser vendors are already limiting tracking by eliminating APIs used for tracking and limiting cookies.

Ultimately the browser vendors and the users make the rules, not advertisers.

But one of the biggest browsers is owned by one of the biggest advertisers in the world. You'd expect dive conflict of interest at best, and anticompetitive behaviour at worst, from them.
Some ads do use networking capability. How do you think they do cross domain tracking?

I have also seen some ads with chat boxes to either talk to the seller or other people viewing the ad.

Ads could run on something like the Ethereum virtual machine, having a limited amount of "gas" (instructions) to execute.
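
Added example, not part of the thread and not any commenter's code: the two instruction-budget proposals above (suspend a cross-domain widget after a fixed number of instructions and offer a button to re-enable it; run ads on a VM with limited "gas") sketched as one toy metered interpreter. The opcodes, widget object, origins and the 500-instruction budget are assumptions chosen for the demo; the comment above suggests about 100 million.

```javascript
// Added illustration: toy stack VM with an instruction budget ("gas").
// Opcodes, the widget shape and the origins below are hypothetical.
const OPS = {
  push: (w, arg) => w.stack.push(arg),
  add: (w) => w.stack.push(w.stack.pop() + w.stack.pop()),
  // jump to instruction `arg` while the top of the stack is non-zero
  jnz: (w, arg) => { if (w.stack[w.stack.length - 1] !== 0) w.pc = arg - 1; },
};

function createWidget(origin, program) {
  return { origin, program, pc: 0, stack: [], used: 0,
           state: "ready", highCpuAllowed: false };
}

// Constructed workload: count down from n to 0 (1 + 3n instructions).
function countdown(n) {
  return [["push", n], ["push", -1], ["add"], ["jnz", 1]];
}

// Run until the program ends, or until a widget from another origin has
// spent its budget. Same-origin code and user-approved widgets are unmetered.
function run(widget, pageOrigin, budget) {
  const metered = widget.origin !== pageOrigin && !widget.highCpuAllowed;
  widget.state = "running";
  while (widget.pc < widget.program.length) {
    if (metered && widget.used >= budget) {
      widget.state = "suspended"; // pc and stack are kept for a later resume
      return widget;
    }
    const [op, arg] = widget.program[widget.pc];
    OPS[op](widget, arg);
    widget.pc += 1;
    widget.used += 1;
  }
  widget.state = "finished";
  return widget;
}

// What the "enable high CPU usage" button would call.
function allowHighCpu(widget, pageOrigin, budget) {
  widget.highCpuAllowed = true;
  return run(widget, pageOrigin, budget);
}

const PAGE = "https://news.example";
const ad = run(createWidget("https://ads.example", countdown(1000)), PAGE, 500);
console.log(ad.state, ad.used); // suspended 500
console.log(allowHighCpu(ad, PAGE, 500).state, ad.used); // finished 3001
```

Metering only works here because the host interprets every instruction itself; the budget is counted in executed opcodes, so a real-time chart and a miner are treated alike until the user opts in.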