Hacker News new | ask | show | jobs
by dwild 2540 days ago
> often includes malware.

Can you define often? It seems quite rare actually for a malware to be distributed online without user intervention, with the recent Firefox 0-day being one of theses cases and only touched a small proportion of people.

The web is quite secure already and sure ads network is a good vector but so is Hacker News, Reddit and Facebook, which nobody cares about (have you ever not clicked on a link on any of theses platforms and looked at the URL first?).

I seriously hate that argument of security, it's just wrong.
2 comments
Tomte 2540 days ago
When you visit a serious web site, like t-online.de or spiegel.de, with an up-to-date iPad and you're getting popups with porn or gambling offers that cannot be closed (they can, but reopen instantly), when you cannot use the back button anymore, and the only way to regain control of your browser is to either reboot the iPad (that's what many normal people do) or you force-close Safari... then you've caught malware from a big ad network that t-online.de or spiegel.de use.

Happened regularly about a year or two ago, certainly more often than every month, haven't seen it since, though.

> have you ever not clicked on a link on any of theses platforms and looked at the URL first?

That's not what happens.

> I seriously hate that argument of security, it's just wrong.

Maybe you should contemplate the possibility that you're wrong.

link
dwild 2540 days ago
> to regain control of your browser is to either reboot the iPad (that's what many normal people do) or you force-close Safari...

That's seems more like a browser issue, but none the less, any links on Hacker News could do the same.

I don't consider that malware to have to close an application, just like I don't consider a malware a link that rick roll me (which still force me to close a tab ;) unless I want to stay on Youtube).

> That's not what happens.

Aren't we talking about running malicious JS? Any link you click can contains malicious JS, yet you click on that link without thinking about it, but when it's an ad that may contains malicious JS, you block it altogether.

I don't understands really what you means by not what happens.

> Maybe you should contemplate the possibility that you're wrong.

I contemplate each time I'm discussing with someone about it. I still haven't got any evidence about it.

Each time I ask someone that does it for "security purpose", when they don't answer by "do your own research" (which I always try when they say that even if it's absurd to have nothing to defends yourself), the best example they always have is either link to some report with stats that doesn't define malware, or the Forbes case of when one of their ad was a fake Java update. If that's malware, then here we go, HN now serve malware too: Click on that URL to update Java: https://forbes.com

If we were arguing blocking Javascript for security purpose, now that does make sense (still pretty unlikely, but based on news, it seems to happen much more).

link
Tomte 2540 days ago
With ad networks you didn't click on some shady link. You just get the malware Javascript served. Without clicking or visiting anything shady. Reputable sites deliver malware through their embedding of ads.

That's not theoretical (like your "but HN could deliver malware, too), that's reality.

link
dwild 2540 days ago
> You just get the malware Javascript served.

Which happens on any link you click on Reddit, Hacker News or Facebook. Unless you don't click on them and only visit website that you consider trustworthy, you get the exact same risk. Actually even if you may feel that a link is trustworthy, it doesn't even means it actually is, like it happened for the past Firefox 0-day exploit. This guy nearly got it by trusting that [0].

[0] https://robertheaton.com/2019/06/24/i-was-7-words-away-from-...

> That's not theoretical (like your "but HN could deliver malware, too), that's reality.

My textual example was to discredit the Forbe example. I have an hard time understanding your point about it being theoretical. Are you actually refering to my other example about links from HN that could contains malicious Javascript? That's to know if you check links or you click on them arbitrarily with all the risk that come with it.

My point is that malicious Javascript is extremely rare and when it does happen, it's targeted and doesn't use ad network. Theses vulnerabilities are gold mine and it makes no sense to put it on an ad network and hope that you'll get enough out of it before it get caught and removed/fixed. Selling it to the highest bidder or targeting a specific group of people make much more sense.

If you have any example of where an actual malware was spread using ads, I would be happy to learn about it.

I'm also curious to know if you block Javascript and if you do, why do you block ads on top of that?

link
Tomte 2540 days ago
> If you have any example of where an actual malware was spread using ads, I would be happy to learn about it.

I just gave you a first-hand account of exactly that happening, and you keep dismissing that, claiming that it does not happen.

If you don't believe me, google for it. There have been plenty of articles about ad networks as malware services.

I find your behaviour here very dishonest, and for me it's EOD.

link
dang 2540 days ago
We've warned you many times about not crossing into personal attack on HN. I don't want to ban you, but you need to do your part as well, by editing such bits out of your comments here.

https://news.ycombinator.com/newsguidelines.html

link
dwild 2540 days ago
> I just gave you a first-hand account of exactly that happening, and you keep dismissing that, claiming that it does not happen.

You means the popup that force you to force-close your iPhone browser app? I already answered that:

> That's seems more like a browser issue [...] I don't consider that malware to have to close an application, just like I don't consider a malware a link that rick roll me (which still force me to close a tab ;) unless I want to stay on Youtube).

I did get theses kinds of ads on some sketchy website on my Android phone, I can't do back but closing the tab is alright.

To me closing an annoying tab isn't much of a malware. If none of my information were at risk, that's not a malware.

> If you don't believe me, google for it. There have been plenty of articles about ad networks as malware services.

You do this after I even mentioned this happening all the time.

> Each time I ask someone that does it for "security purpose", when they don't answer by "do your own research" (which I always try when they say that even if it's absurd to have nothing to defends yourself), the best example they always have is either link to some report with stats that doesn't define malware, or the Forbes case of when one of their ad was a fake Java update. If that's malware, then here we go, HN now serve malware too: Click on that URL to update Java: https://forbes.com

I'll google with you then: ad network malware

Result 1:

> Hackers Abuse Google Ad Network To Spread Malware That Mines Cryptocurrency > https://www.forbes.com/sites/leemathews/2018/01/26/hackers-a...

You may not want cryptominers in your ads, but that's not really a malware again, your information are safe. There's nothing dangerous there.

Result 2: > Malvertising - Wikipedia > https://en.wikipedia.org/wiki/Malvertising

It does contains an interesting history, which push toward my theory.

> advertisements telling them their systems were infected and trying to trick them into installing rogue security software > drive-by download

So theses malware get installed if you download it and run it voluntarily...

> The attack infected users' machines with the ransomware, ‘Cryptowall’, a type of malware that extorts money from users by encrypting their data and placing a ransom of up to $1000 in bitcoins, to be paid in 7 days, to decrypt the data.

That's an interesting case, but doesn't mentions how the payload was delivered, could be drive-by download like always.

> In 2014 there were major malvertising campaigns on the DoubleClick and Zedo ad networks. [...] As in previous attacks the cybercrime involved Cryptowall as the malware infection. This spate of malvertising was believed to have brought over $1 million of ransom money in by infecting over 600,000 computers.

That one is not directly interesting because the source say that:

>through aggressive distribution using a variety of tactics that included spam emails with malicious links or attachments, drive-by-download attacks from sites infected with exploit kits and through installations by other malware programs already running on compromised computers

Again, either by running it directly voluntarily, or by other malware already running....

However after more research from this case, I found another article [0], which said that:

> now millions of computers have likely been exposed to Zemot, although only those with outdated antivirus protection were actually infected.

So an actual case of infection! Caused by outdated antivirus though and worse than that:

> Zemot is focused on computers running Windows XP,

For something in 2014... Windows XP stopped being supported at all in April 2014. Don't use an outdated system...

I would go into each result, but they are mostly definitions and I already lost enough time. The last result of the page is interesting and probably the first case that I see.

> Malicious code hidden in advert images cost ad networks $1.13bn this year > https://www.zdnet.com/article/malicious-code-hidden-in-adver...

> "In this instance, the malicious code was an auto-redirect to a phishing site targeting US users."

So that's interesting, usually I wouldn't call phishing a malware mostly because you should always check the URL, but in this case considering it was doing it on the website itself, I would consider it as essentially one. First case I found! Adblock would then make sense on website where you put personal information. I hope browsers/ad-network will fix this auto-redirect issue quick though.

> I find your behaviour here very dishonest, and for me it's EOD.

What's dishonest about my behaviour?

[0] https://www.theverge.com/2014/9/19/6537511/google-ad-network...

link
smt88 2540 days ago
> Can you define often?

It doesn't matter. It could be 1 out of every million hits, but it's still a source of malware. Most of us don't upgrade to the latest browser version the minute it's released, which makes us vulnerable.

> ads network is a good vector but so is Hacker News

Uhh... what are you talking about? HN has minimal JS, and they wrote it. Some ad networks are injecting JavaScript into your browser that they have never seen before and didn't write themselves.

I may trust, let's say, NYT not to serve me malware with code they wrote in their offices, but NYT is not the entity that wrote the JavaScript delivered in their ads.

> have you ever not clicked on a link on any of theses platforms and looked at the URL first?

You seem to be arguing that hyperlinks are an attack vector, which assumes such a broad interpretation of "attack vector" that the word becomes meaningless. It's like saying that an airplane is an attack vector because it can fly you into a war zone. Yes, it can... but I get to choose where I'm going.

Regarding that choice: these platforms show you the domain you're clicking through to, so you have a chance to bail. And with an ad blocker, you don't have to be as afraid to visit a malicious site. I have JS and ad blocking on by default, and I whitelist a site when it seems trustworthy enough.

link
dwild 2540 days ago
> It doesn't matter.

It does matter, you used the word often, that word has a meaning.

> Uhh... what are you talking about? HN has minimal JS, and they wrote it. Some ad networks are injecting JavaScript into your browser that they have never seen before and didn't write themselves.

You never click on the article link? That page can be anything, thus include any JS.

> I get to choose where I'm going.

Thus you check every link before clicking on it? I feel like that's not the case, but I would applaud you to be consistent if you do.

> And with an ad blocker, you don't have to be as afraid to visit a malicious site.

Ad blockers only block ads, not malicious JS. If you visit a website which include malicious JS, it's just as bad as an ad that contains malicious JS.

> I have JS and ad blocking on by default

Blocking JS that's a good way to stop malicious JS. Blocking ads then is redundant, what does it give you more?

link