by reallydude 2486 days ago
If the ad makes a remote call during execution (for a dynamic ad serve), it's an attack vector. There is always custom ad code for analytics that adserves use to fill (the ad placement space) and report back, called an admanager. As an advertiser, you can upload your own admanager (that has your own custom code).

Reading the code of the NPM package will not typically help with understanding what it's going to do, because of the ad ecosystem, which guarantees running code you have never seen.

I could understand banning dynamic ad injection and telemetry. My ethical line would be if a package manager were to ban static links/symbols displayed in a README and that's not what NPM aims for, so it's fine by me.

1 comment

> If the ad makes a remote call during execution (for a dynamic ad serve), it's an attack vector. There is always custom ad code for analytics that adserves use to fill (the ad placement space) and report back, called an admanager. As an advertiser, you can upload your own admanager (that has your own custom code).

Can you point out a real example of terminal advertising like this?

No. I haven't looked through many js packages.

I could make it without any effort via:

> https://github.com/feross/funding/blob/master/messages.json

Currently it's "manually curated", which is a fancy way of saying it's my own custom ad-tag that doesn't call an adserver. Replacing one field with a function that is immediately called and getting your value out is how most people would integrate an ad-tag.

Using DFP or whatever, you can plug in an adtag call and parse values and you're in business. Ad platforms don't usually support plaintext tags, but I have seen them still supported by some of the older "native ad" platforms that started as platforms that served HTML strings (Taboola, etc.).

The takeaway is that NPM nipped it in the bud because it's trivial to abuse.

So you’re talking about software which doesn’t exist, right?

This seems like a silly slippery slope argument.

> So you’re talking about software which doesn’t exist, right?

It exists on my computer right now (didn't use an actual admanager, just coded a remote call). You want to believe the gun pointed at the door with a string on the trigger and doorknob is not a danger because you don't want to open the door. Good luck with whatever.