With help from Google, impersonated Brave.com website pushes malware

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
Even if you don't block ads, the lesson here is to never click them.


There's another lesson. Take another look at the screenshot. Part of the problem here (unmentioned by the article) was that Google isn't doing enough to visually differentiate ads from search results.

Many a Google search user, if they even noticed the 2-letter word "Ad" at all, would assume it referred only to what's to the right of it -- that "custom.mckelvettees" URL, not the giant link text below. It's not by accident, of course; Google has intentionally made ads less distinguishable than they used to be. For example, gone is the peach background that used to make it clearer.

Ads should again be in a colored box. In fact, several things should be changed. Compare and contrast:


[image: hF6VAVv.png]


--------------------versus----------------------

[image: fMRIA3Z.png]



I won't hold my breath, however.
This is a really good point. And it absolutely makes things worse that Google tries to mask ads as results.

I'd forgotten about the background colour. That was a much better solution.
 
Upvote
2 (3 / -1)

malor

Ars Legatus Legionis
16,093
Generally speaking: would you allow a site to EVER gain its reputation back, if it was hit even once, say, in 2015?

You are, probably deliberately, just not getting it. It doesn't matter how much reputation any site has, anywhere, if they use ad networks. They don't control the ad networks. Google's reputation doesn't matter. Ars' reputation doesn't matter. The NYT's reputation doesn't matter.

If they're engaging in unsafe behavior, it's just unsafe behavior, no matter who's doing it and no matter what you think of them. We are blocking unsafe behavior, and we won't unblock it for anyone, no matter how incredibly super-awesome they are. It's a bad idea no matter who does it, and we don't participate in that particular bad idea.

If they want money from us, they need a new business model, period. You can holler all you like, and it's not changing. Look how people are reacting to your posts here, and realize that you are wasting your time.
 
Upvote
7 (7 / 0)

malor

Ars Legatus Legionis
16,093
Taptaptap said:
The biggest vector, by far, is e-mail.

It is if you're stuck in the last century and actually download email to your computer. I don't and have not since the first web-based emails came about - which means for me around 1999.

Not one time has an email from Yahoo!, Hotmail, or any other posed a threat.

With ads in 2010+ there's no reason to take the risk. Block'em and be safe.
Sure I do. I use Outlook and have accounts in four corporate domains in addition to my private account. I haven't had malware in my inbox since the OS was XP or something. Hell, I haven't even received notifications from my malware suite that something in my inbox was blocked.

I am sure it exists somewhere, but if you think there is malware in an inbox just because it's local then you are the one living in the past. It's a false argument.

Local email is generally handled by different clients, and via at least two protocols, IMAP and POP3. It's hard to tell which type is riskier, honestly. There are enough clients that probably at least some of them have unique exploitable bugs. For instance, if Thunderbird has an IMAP handling vulnerability, a carefully crafted email might be able to exploit it, where it would bounce right off Firefox running webmail. But then a different email could exploit Firefox and maybe not Thunderbird.

I think the only conclusion that can be drawn is that the attack vectors are different. Characterizing relative risk by protocol (webmail, IMAP, POP3, many clients) seems very difficult.

Typically, successful email attacks are phishes, and since those are exploiting the human, can usually work through any transport.
 
Upvote
1 (1 / 0)

WXW

Ars Scholae Palatinae
1,156
Injecting malicious advertisements doesn't mean 0-click malware. It means malicious advertisements of any type. So show me how many people have mentioned the "0-click malware" reason, and compare with those that have mentioned other reasons.
The claim was that ads are an immediate risk, and blocking any and all ads even for reputable sites is somehow a responsible thing to do, because ads pose a security risk.

If you now want to turn that into "scam ads that might fool your mom" then you are moving the goalposts. Nobody here is likely to fall for that kind of shit, and you damn well know it.

There is a complete absence of data to support the claim, and in the absence of that data you're trying to move the goalpost to encompass users that are nothing like posters here.

0-click malware is still very much a possibility, and I'm not going to lower my defenses just because it's rare.
So which is it? Is it "very much" or is it "rare"?

I'll go with "rare" or "extremely rare" myself. Especially since nobody has been able to show any hard data to support this claim.

Or, in simpler terms: Citation needed. And no, the Wiki article with zero entries after 2015 doesn't count.

No, you just ignored all examples based on arbitrary reasons. I mean, you are commenting on a story about one, what can I say...
Bullshit.

This story is about scam ads in Google searches. This is not the kind of ads people use to excuse blocking ads on pages like Ars.

And no, there hasn't been a lot of examples. There has been one, affecting 30K machines, with a vector that would hit ZERO posters here, because they're not running Windows XP or machines with deliberately disabled antimalware suites.

There. Is. No. Data. To. Support. The. Claim.

You're acting like that's my fault. What you should be doing instead is reflect about WHY you can't find any compelling examples. I am sorry reality disagrees with your preconceptions, but a grownup response would be to learn from that instead of lashing out at the messenger.

If I ask for content from "whatevernews.com", and I get content for "tracker1.com" and "adsx.net", I sure as hell didn't get only what I asked for, I didn't know in advance what I was going to get.
Sure you do. That's why you're installing a blocker. And as I have said many times you can easily block the tracking without blocking the ads. You can also block certain kinds of ads (javascript) and leave the simple graphics banners in place. But I bet you don't do that either.

If I get malware, is it my fault because I asked for malware?
You have failed to show that getting malware is a real risk for you.

Or maybe they can show me other types of ads. Or I may click on affiliate links. Or I may subscribe or donate in the future. Or many other ways to give something in return, that wouldn't happen if I don't use the service. Those are still very much included in business models, you can't just ignore them if it doesn't support your belief that all of us are just leeches.
That is 100% true, and likely the reason very few sites lock out visitors with ad blockers. I am not sure why you bring it up though, as it doesn't change the ethics involved.

Ad 7:
Compared to "my eyes exploding"??? Hell yeah!
And compared with winning the lottery, having a lifetime of good luck and getting the superpowers of Superman, the problems malicious ads can cause are horrible. But I thought we weren't trying to compare them with absurd extremes.
Sir, I was not the one making the exploding-eyes example.
Well, apparently I'm moving the goalposts, even though I never said the risks are only due to 0-click exploits. And even though, as far as I see, nobody did. Even though you are the one saying "this example is not valid because it was from <arbitrary amount of time>", "this is not valid because it's a scam", "this one is not valid because none here would fall for it"...

Can you stop the bullshit and go back to read the reasons people have given to block ads?

Can you stop saying reputable sites can't ever get malicious ads, while commenting on a story about a reputable site getting malicious ads?

Can you read again about knowledgeable people that fell for scams? Can you acknowledge there's people in the world that aren't so knowledgeable, including here?

I completely agree with the other poster, you are not engaging in good faith at all.

(And, by the way, "very much" is an expression used for emphasis).
 
Upvote
6 (6 / 0)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
Generally speaking: would you allow a site to EVER gain its reputation back, if it was hit even once, say, in 2015?

You are, probably deliberately, just not getting it. It doesn't matter how much reputation any site has, anywhere, if they use ad networks. They don't control the ad networks. Google's reputation doesn't matter. Ars' reputation doesn't matter. The NYT's reputation doesn't matter.
I am not arguing in bad faith here.

It has been established that there are reputable ad networks and non-reputable ones. I fully get that ads are brokered when they're served in near-realtime. That doesn't change the fact that some ad networks don't serve such ads. This is available in industry reports submitted earlier in the thread (not by me).

In addition, you still haven't shown data to support the claim/theory that such bad ads are in fact served - or have been for 3+ years - on reputable sites like Ars. I see it as a baseless claim, and nobody has substantiated it.

.
 
Upvote
-6 (1 / -7)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
Taptaptap said:
The biggest vector, by far, is e-mail.

It is if you're stuck in the last century and actually download email to your computer. I don't and have not since the first web-based emails came about - which means for me around 1999.

Not one time has an email from Yahoo!, Hotmail, or any other posed a threat.

With ads in 2010+ there's no reason to take the risk. Block'em and be safe.
Sure I do. I use Outlook and have accounts in four corporate domains in addition to my private account. I haven't had malware in my inbox since the OS was XP or something. Hell, I haven't even received notifications from my malware suite that something in my inbox was blocked.

I am sure it exists somewhere, but if you think there is malware in an inbox just because it's local then you are the one living in the past. It's a false argument.

Local email is generally handled by different clients, and via at least two protocols, IMAP and POP3. It's hard to tell which type is riskier, honestly. There are enough clients that probably at least some of them have unique exploitable bugs. For instance, if Thunderbird has an IMAP handling vulnerability, a carefully crafted email might be able to exploit it, where it would bounce right off Firefox running webmail. But then a different email could exploit Firefox and maybe not Thunderbird.

I think the only conclusion that can be drawn is that the attack vectors are different. Characterizing relative risk by protocol (webmail, IMAP, POP3, many clients) seems very difficult.

Typically, successful email attacks are phishes, and since those are exploiting the human, can usually work through any transport.
Agreed.

But as I understood the argument it was specifically that downloading files (attachments?) posed a bigger threat than using a webmail client, because the local client "downloads" things you wouldn't otherwise have.

But I think we're in agreement here. Except perhaps that you're omitting native Exchange as a mail protocol. It might be bigger than IMAP these days really.
 
Upvote
-4 (0 / -4)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
Injecting malicious advertisements doesn't mean 0-click malware. It means malicious advertisements of any type. So show me how many people have mentioned the "0-click malware" reason, and compare with those that have mentioned other reasons.
The claim was that ads are an immediate risk, and blocking any and all ads even for reputable sites is somehow a responsible thing to do, because ads pose a security risk.

If you now want to turn that into "scam ads that might fool your mom" then you are moving the goalposts. Nobody here is likely to fall for that kind of shit, and you damn well know it.

There is a complete absence of data to support the claim, and in the absence of that data you're trying to move the goalpost to encompass users that are nothing like posters here.

0-click malware is still very much a possibility, and I'm not going to lower my defenses just because it's rare.
So which is it? Is it "very much" or is it "rare"?

I'll go with "rare" or "extremely rare" myself. Especially since nobody has been able to show any hard data to support this claim.

Or, in simpler terms: Citation needed. And no, the Wiki article with zero entries after 2015 doesn't count.

No, you just ignored all examples based on arbitrary reasons. I mean, you are commenting on a story about one, what can I say...
Bullshit.

This story is about scam ads in Google searches. This is not the kind of ads people use to excuse blocking ads on pages like Ars.

And no, there hasn't been a lot of examples. There has been one, affecting 30K machines, with a vector that would hit ZERO posters here, because they're not running Windows XP or machines with deliberately disabled antimalware suites.

There. Is. No. Data. To. Support. The. Claim.

You're acting like that's my fault. What you should be doing instead is reflect about WHY you can't find any compelling examples. I am sorry reality disagrees with your preconceptions, but a grownup response would be to learn from that instead of lashing out at the messenger.

If I ask for content from "whatevernews.com", and I get content for "tracker1.com" and "adsx.net", I sure as hell didn't get only what I asked for, I didn't know in advance what I was going to get.
Sure you do. That's why you're installing a blocker. And as I have said many times you can easily block the tracking without blocking the ads. You can also block certain kinds of ads (javascript) and leave the simple graphics banners in place. But I bet you don't do that either.

If I get malware, is it my fault because I asked for malware?
You have failed to show that getting malware is a real risk for you.

Or maybe they can show me other types of ads. Or I may click on affiliate links. Or I may subscribe or donate in the future. Or many other ways to give something in return, that wouldn't happen if I don't use the service. Those are still very much included in business models, you can't just ignore them if it doesn't support your belief that all of us are just leeches.
That is 100% true, and likely the reason very few sites lock out visitors with ad blockers. I am not sure why you bring it up though, as it doesn't change the ethics involved.

Ad 7:
Compared to "my eyes exploding"??? Hell yeah!
And compared with winning the lottery, having a lifetime of good luck and getting the superpowers of Superman, the problems malicious ads can cause are horrible. But I thought we weren't trying to compare them with absurd extremes.
Sir, I was not the one making the exploding-eyes example.
Well, apparently I'm moving the goalposts, even though I never said the risks are only due to 0-click exploits. And even though, as far as I see, nobody did. Even though you are the one saying "this example is not valid because it was from <arbitrary amount of time>", "this is not valid because it's a scam", "this one is not valid because none here would fall for it"...

Can you stop the bullshit and go back to read the reasons people have given to block ads?

Can you stop saying reputable sites can't ever get malicious ads, while commenting on a story about a reputable site getting malicious ads?

Can you read again about knowledgeable people that fell for scams? Can you acknowledge there's people in the world that aren't so knowledgeable, including here?

I completely agree with the other poster, you are not engaging in good faith at all.

(And, by the way, "very much" is an expression used for emphasis).
I am sorry you think it's bad faith on my part. I assure you it isn't, and I arguably spent more time reading people's proposed sources than they spent reading them themselves (as evident by how irrelevant they were).

I'll try to do better and be more clear when posting. But yes I do feel people moved the goalposts, from something that started with code-executable malvertising to "I might fall for a banner scam when I am distracted". Especially since such ads just never show up on sites like Ars and The Guardian - which are the kind of sites seeing losses from blocking.
 
Upvote
-7 (1 / -8)

malor

Ars Legatus Legionis
16,093
Generally speaking: would you allow a site to EVER gain its reputation back, if it was hit even once, say, in 2015?

You are, probably deliberately, just not getting it. It doesn't matter how much reputation any site has, anywhere, if they use ad networks. They don't control the ad networks. Google's reputation doesn't matter. Ars' reputation doesn't matter. The NYT's reputation doesn't matter.
I am not arguing in bad faith here.

It has been established that there are reputable ad networks and non-reputable ones. I fully get that ads are brokered when they're served in near-realtime. That doesn't change the fact that some ad networks don't serve such ads. This is available in industry reports submitted earlier in the thread (not by me).

In addition, you still haven't shown data to support the claim/theory that such bad ads are in fact served - or have been for 3+ years - on reputable sites like Ars. I see it as a baseless claim, and nobody has substantiated it.

It happened this fucking week. (or at least we heard about it this week.) Google is the best company in the world at large-scale network security, or at least has the most in-house expertise, and they totally missed it.

edit: you have a fixed opinion, that website advertising is okay and that it's unethical to block it. You filter all other evidence through this given. There is no evidence that will convince you otherwise. It doesn't matter how many attacks we adblockers have avoided, it doesn't matter how safe or unsafe things get. You have a fixed, polestar opinion, and you will wiggle and twist in any possible way to keep that opinion intact. For you, this is religion, not facts.

The more evidence we present, the stronger your counter opinion becomes. Evidence doesn't matter, you can always come up with an excuse for why this particular piece of evidence doesn't count.

We're telling you how to be safe, but since you have already determined that you are safe no matter what we tell you, your mind cannot be changed. You are safe, so all evidence to the contrary is rejected.

You are the exact equivalent of an antivaxxer.
 
Upvote
7 (7 / 0)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
Generally speaking: would you allow a site to EVER gain its reputation back, if it was hit even once, say, in 2015?

You are, probably deliberately, just not getting it. It doesn't matter how much reputation any site has, anywhere, if they use ad networks. They don't control the ad networks. Google's reputation doesn't matter. Ars' reputation doesn't matter. The NYT's reputation doesn't matter.
I am not arguing in bad faith here.

It has been established that there are reputable ad networks and non-reputable ones. I fully get that ads are brokered when they're served in near-realtime. That doesn't change the fact that some ad networks don't serve such ads. This is available in industry reports submitted earlier in the thread (not by me).

In addition, you still haven't shown data to support the claim/theory that such bad ads are in fact served - or have been for 3+ years - on reputable sites like Ars. I see it as a baseless claim, and nobody has substantiated it.

It happened this fucking week. (or at least we heard about it this week.) Google is the best company in the world at large-scale network security, or at least has the most in-house expertise, and they totally missed it.

edit: you have a fixed opinion, that website advertising is okay and that it's unethical to block it. You filter all other evidence through this given. There is no evidence that will convince you otherwise. It doesn't matter how many attacks we adblockers have avoided, it doesn't matter how safe or unsafe things get. You have a fixed, polestar opinion, and you will wiggle and twist in any possible way to keep that opinion intact. For you, this is religion, not facts.

The more evidence we present, the stronger your counter opinion becomes. Evidence doesn't matter, you can always come up with an excuse for why this particular piece of evidence doesn't count.

We're telling you how to be safe, but since you have already determined that you are safe no matter what we tell you, your mind cannot be changed. You are safe, so all evidence to the contrary is rejected.

You are the exact equivalent of an antivaxxer.
I am sorry you feel that way. In my view, you're exactly the same, refusing to show any credible threat with ads on the normal sites you visit and deprive of income.

You are correct that I don't equate sponsored Google search results with banner ads on Ars or The Guardian. I think they're two very different products, vetted in different ways (or not vetted at all). For the case in this article (Google) I am sure it will happen again. With hard work and perseverance a scammer can do the same next month. That might be a problem for unsavvy users, but it's not a very good argument for screwing Ars over. I have been an Ars user since 2007 and in that time I have never been served anything even resembling a malicious ad. That's 14 years of experience that says "your proposed problem is completely theoretical". It is of course also anecdotal evidence. But it seems it's the only evidence we have, since literally nobody has shown that this can be a problem on this page, with whatever decent ad network Conde Nast is using.

Now granted, as a subscriber I might see fewer ads than non-subscribers, but I don't always browse Ars while logged in because I switch devices a lot and have waiting time that can be used for reading. It's probably around 1/3 anonymous and 2/3 logged in. But that still gives me quite a lot of ad views in a year.
 
Upvote
-7 (1 / -8)

malor

Ars Legatus Legionis
16,093
I am sorry you feel that way. In my view, you're exactly the same, refusing to show any credible threat with ads on the normal sites you visit and deprive of income.

You just keep moving those goalposts. First it's showing that it's a threat, then it's showing that it's a recent threat, and now it's showing that it's a threat on Ars Technica.

As I just said:

You have a fixed, polestar opinion, and you will wiggle and twist in any possible way to keep that opinion intact. For you, this is religion, not facts.
 
Upvote
4 (4 / 0)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
I am sorry you feel that way. In my view, you're exactly the same, refusing to show any credible threat with ads on the normal sites you visit and deprive of income.

You just keep moving those goalposts. First it's showing that it's a threat, then it's showing that it's a recent threat, and now it's showing that it's a threat on Ars Technica.

As I just said:

You have a fixed, polestar opinion, and you will wiggle and twist in any possible way to keep that opinion intact. For you, this is religion, not facts.
Likewise.

I don't know why you think Ars is irrelevant. Obviously the threat has to be relevant to the sites you visit and for which you haven't made exceptions in your blocker.

Or are you claiming that "It's a threat on sites I never visit" is a valid argument for blocking ads here? Or on any other sites you visit?

Why on earth would the context of the threat we discuss NOT be the specific sites you visit? How can anything you do not visit ever be a threat???

And yes, it has to be recent. This is IT. Stuff that happened in 2015 has no bearing on contemporary best practices. And you damn well know it.
 
Upvote
-5 (0 / -5)

malor

Ars Legatus Legionis
16,093
Oh, so, it's normal to only browse Ars, ever? Because ads are so safe, if we just stay here on Ars, we'll be okay?

You just twist yourself up further and further. You're down to inventing weird scenarios where viewing ads might be safe and then trying to persuade everyone that this is how people browse.

Google was hijacked into malvertising. GOOGLE. If the Internet has a center point, that's it. That's the site almost everyone visits.

Well, except maybe you? I can't see how you'd think it was reasonable for other people to only come here unless that's what you do yourself?

Or are you claiming that "It's a threat on sites I never visit" is a valid argument for blocking ads here? Or on any other sites you visit?

It's a threat everywhere that uses an ad network. Goddamn you are impenetrable.
 
Upvote
7 (7 / 0)
Oh, so, it's normal to only browse Ars, ever? Because ads are so safe, if we just stay here on Ars, we'll be okay?

You just twist yourself up further and further. You're down to inventing weird scenarios where viewing ads might be safe and then trying to persuade everyone that this is how people browse.

Google was hijacked into malvertising. GOOGLE. If the Internet has a center point, that's it. That's the site almost everyone visits.

Well, except maybe you? I can't see how you'd think it was reasonable for other people to only come here unless that's what you do yourself?

Or are you claiming that "It's a threat on sites I never visit" is a valid argument for blocking ads here? Or on any other sites you visit?

It's a threat everywhere that uses an ad network. Goddamn you are impenetrable.


As you have mentioned earlier, he will not change his mind. So, why try? Arguing with them only makes them feel more important - fighting for the little poor websites/ad networks against the mighty visitors/us.
 
Upvote
2 (2 / 0)

kerikoli

Ars Scholae Palatinae
739
"could fool even security-savvy people"
Security-savvy people block advertising.

Most companies configure their proxies to block ads. Because they are a well known security issue.
And domain spoofing is not that special, punycode or not (just display punycode in about:config in Firefox). Domain shadowing can be more tricky.
 
Upvote
2 (2 / 0)
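
An added example, not part of any post in this thread: the punycode display mentioned in the comment above (Firefox's `network.IDN_show_punycode` preference) shows a hostname in its ASCII `xn--` form, and the same conversion can be used in a proxy or mail filter to flag hostnames that fold to a protected name. The watchlist, the small homoglyph map, the last-two-labels rule and the sample hostnames are constructed for this illustration; a production check would use the full Unicode TR39 confusables data and the Public Suffix List.

```python
import unicodedata

# Constructed watchlist; "brave.com" is the site named in the article title.
WATCHLIST = {"brave.com"}

# Hand-picked Cyrillic-to-Latin homoglyphs (assumption: illustrative subset,
# not the full Unicode TR39 confusables table).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0445": "x",  # Cyrillic ha
})


def to_unicode(hostname):
    """Normalise a hostname and decode any xn-- labels to Unicode."""
    host = hostname.strip().rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        # Already contains non-ASCII characters, or the ACE label is malformed.
        return host


def skeleton(text):
    """Fold a name to a rough ASCII lookalike: drop accents, map homoglyphs."""
    decomposed = unicodedata.normalize("NFKD", text)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return no_marks.translate(HOMOGLYPHS).lower()


def check_hostname(hostname, watchlist=WATCHLIST):
    """Return the ASCII (punycode) form of a hostname and a verdict.

    verdict is one of: "genuine", "lookalike", "unrelated", "invalid".
    """
    uni = to_unicode(hostname)
    try:
        ascii_form = uni.encode("idna").decode("ascii")
    except UnicodeError:
        return {"host": hostname, "ascii": None, "idn": False, "verdict": "invalid"}

    is_idn = any(label.startswith("xn--") for label in ascii_form.split("."))
    # Simplification: treat the last two labels as the registrable domain.
    registrable = ".".join(uni.split(".")[-2:])

    if registrable in watchlist:
        verdict = "genuine"
    elif skeleton(registrable) in watchlist:
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"host": hostname, "ascii": ascii_form, "idn": is_idn, "verdict": verdict}


# Constructed sample hostnames for the demonstration.
SAMPLE_HOSTS = [
    "www.Brave.com.",      # the real name, with case and trailing-dot noise
    "brav\u0117.com",      # Latin e with dot above
    "xn--brav-yva.com",    # the same name, already in punycode form
    "br\u0430ve.com",      # Cyrillic a in place of Latin a
    "example.org",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(check_hostname(host))
```
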

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
SplatMan_DK, are you going to do the things I asked for above? Nah, don't bother, your mind has solidified into diamond already, there's no point.
Sounds like you're looking into a mirror. I'll sift through the thread again if needed, but not before you produce a credible source that actually shows ads are as dangerous as you claim. You still haven't. Last time I spent hours reading material and links it was mostly useless and irrelevant sh*t plus one industry report ... which happened to show that the problem was very small. But as this was an inconvenient fact it was obviously ignored, even by the poster who submitted it as "evidence".
 
Upvote
-4 (0 / -4)
Sounds like you're looking into a mirror. I'll sift through the thread again if needed, but not before you produce a credible source that actually shows ads are as dangerous as you claim. You still haven't. Last time I spent hours reading material and links it was mostly useless and irrelevant sh*t plus one industry report ... which happened to show that the problem was very small. But as this was an inconvenient fact it was obviously ignored, even by the poster who submitted it as "evidence".

Maybe we should start applying this standard to your claims. Where is your evidence that tech-savvy people don't fall for scams or get fooled by deceptive ads like the subject of this article? That claim is required to sustain your unique and impossible standard for what you consider a threat, and even if true it would indicate that we should be telling everyone else to block ads.
 
Upvote
5 (5 / 0)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
Sounds like you're looking into a mirror. I'll sift through the thread again if needed, but not before you produce a credible source that actually shows ads are as dangerous as you claim. You still haven't. Last time I spent hours reading material and links it was mostly useless and irrelevant sh*t plus one industry report ... which happened to show that the problem was very small. But as this was an inconvenient fact it was obviously ignored, even by the poster who submitted it as "evidence".

Maybe we should start applying this standard to your claims. Where is your evidence that tech-savvy people don't fall for scams or get fooled by deceptive ads like the subject of this article? That claim is required to sustain your unique and impossible standard for what you consider a threat, and even if true it would indicate that we should be telling everyone else to block ads.
I don't think it is. The claim is that ads are a substantial threat and that blocking any and all ads is the only reasonable protection. If they aren't in fact a threat then everything else is irrelevant.

I am not the one who has made a claim that needs proof. I am questioning/rejecting an existing claim because nobody has been able to substantiate it.
 
Upvote
-4 (0 / -4)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
Sounds like you're looking into a mirror. I'll sift through the thread again if needed, but not before you produce a credible source that actually shows ads are as dangerous as you claim. You still haven't. Last time I spent hours reading material and links it was mostly useless and irrelevant sh*t plus one industry report ... which happened to show that the problem was very small. But as this was an inconvenient fact it was obviously ignored, even by the poster who submitted it as "evidence".

Maybe we should start applying this standard to your claims. Where is your evidence that tech-savvy people don't fall for scams or get fooled by deceptive ads like the subject of this article? That claim is required to sustain your unique and impossible standard for what you consider a threat, and even if true it would indicate that we should be telling everyone else to block ads.
I don't need to substantiate it. I reject the base premise. There is no credible threat, and nobody has demonstrated that there is (sponsored Google links described in this article notwithstanding).

You're asking me to prove a negative, and that is not how evidence works. For example, I don't accept that homeopathy just works, and I won't entertain demands that I "prove it doesn't work". The onus is on proponents of homeopathy to prove their claims - not on everyone else to prove the reverse.

The same is true here. I won't entertain the idea that I should prove "there isn't a threat". The people who claim there IS a threat need to step up and show credible data to support their claim. So far they haven't.
 
Upvote
-4 (0 / -4)

malor

Ars Legatus Legionis
16,093
Sounds like you're looking into a mirror. I'll sift through the thread again if needed, but not before you produce a credible source that actually shows ads are as dangerous as you claim. You still haven't. Last time I spent hours reading material and links it was mostly useless and irrelevant sh*t plus one industry report ... which happened to show that the problem was very small. But as this was an inconvenient fact it was obviously ignored, even by the poster who submitted it as "evidence".

Maybe we should start applying this standard to your claims. Where is your evidence that tech-savvy people don't fall for scams or get fooled by deceptive ads like the subject of this article? That claim is required to sustain your unique and impossible standard for what you consider a threat, and even if true it would indicate that we should be telling everyone else to block ads.
I don't need to substantiate it. I reject the base premise. There is no credible threat, and nobody has demonstrated that there is (sponsored Google links described in this article notwithstanding).

You're asking me to prove a negative, and that is not how evidence works. For example, I don't accept that homeopathy just works, and I won't entertain demands that I "prove it doesn't work". The onus is on proponents of homeopathy to prove their claims - not on everyone else to prove the reverse.

The same is true here. I won't entertain the idea that I should prove "there isn't a threat". The people who claim there IS a threat need to step up and show credible data to support their claim. So far they haven't.

"There is no threat, except all the ones I choose to ignore because they violate the premise that there is no threat."
 
Upvote
2 (3 / -1)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
Sounds like you're looking into a mirror. I'll sift through the thread again if needed, but not before you produce a credible source that actually shows ads are as dangerous as you claim. You still haven't. Last time I spent hours reading material and links it was mostly useless and irrelevant sh*t plus one industry report ... which happened to show that the problem was very small. But as this was an inconvenient fact it was obviously ignored, even by the poster who submitted it as "evidence".

Maybe we should start applying this standard to your claims. Where is your evidence that tech-savvy people don't fall for scams or get fooled by deceptive ads like the subject of this article? That claim is required to sustain your unique and impossible standard for what you consider a threat, and even if true it would indicate that we should be telling everyone else to block ads.
I don't need to substantiate it. I reject the base premise. There is no credible threat, and nobody has demonstrated that there is (sponsored Google links described in this article notwithstanding).

You're asking me to prove a negative, and that is not how evidence works. For example, I don't accept that homeopathy just works, and I won't entertain demands that I "prove it doesn't work". The onus is on proponents of homeopathy to prove their claims - not on everyone else to prove the reverse.

The same is true here. I won't entertain the idea that I should prove "there isn't a threat". The people who claim there IS a threat need to step up and show credible data to support their claim. So far they haven't.

"There is no threat, except all the ones I choose to ignore because they violate the premise that there is no threat."
That's a load of bull. I read through every source and they simply didn't support the claim. With few exceptions they might as well have been links to products from The Shopping Channel. Or Infowars. People googled some random sh*t in pursuit of "whatever suited their agenda" and the result reflected that.

FFS man, even the Wiki article didn't have anything notable after 2015 - and I wasn't the one to throw that link on the table to begin with.

And crucially: there was no data to support the alleged scale justifying a blanket "block all" policy. On the contrary, the sources showed the opposite.
 
Upvote
-4 (0 / -4)
When the question is a source of personal risk, you do have to provide evidence that it is safe. Suppose someone offered you a medical procedure that has had no clinical testing. They have some argument for why it would help you, but this is something that has never been tried before. What would you require before you allow them to do this, at unknown risk to you? At the very least, you should expect that it had been tried on animals and shown to be safe and effective at least in that context. You'd have to have reason to believe the analogy to humans is a good one, and no particular reason to believe humans would respond differently. Even then, the potential benefit would have to be strong.

As much as I dislike anti-vaxxers, the demand for evidence before engaging in a behavior you consider risky is a reasonable one. I wouldn't tell someone who is hesitant to get a vaccine that the burden is on them to prove that vaccines are dangerous; I would attempt to provide positive evidence that vaccines are safe and necessary.

In this case, the risk is smaller than some untested medical procedure, but it's still a case where people are exercising caution (and following the well-accepted information security principle of least privilege) by not allowing their computers or their brains to process data they consider risky and unnecessary. I've even provided evidence that, for some portion of the population, it is risky, as people are commonly scammed as a result of online ads. If you are going to claim that it is not risky for a particular subset of the population (the sort of tech-savvy people who read Ars), yes, you should have to provide evidence for that.
 
Upvote
0 (0 / 0)

malor

Ars Legatus Legionis
16,093
Upvote
2 (2 / 0)