
"iOS Security is fucked" - Zerodium Stops Accepting iOS Exploits Because of Too Many Submissions

16 hours ago, LAwLz said:

In what way is it "dead"?

Why do you call the other OSes like I presume Tizen "buggier"? 

 

I feel like you're just throwing words around to sound cool and edgy, but you're completely misusing them and they make no sense in the context.

 

Because LG and Samsung don't want to use Android, but have no way of pushing their own OS. Samsung is caught between a rock and a hard place because they want to get rid of Android, but have only been able to push it onto their TVs, not the smartphones, because they know they will lose their market share overnight if they do. They are not in the position Apple has where Apple produces the hardware, OS, and all the software you'd normally need.

Traditionally LG and Samsung phones were the worst phones to own, because they were disposable. That hasn't really changed at all. Instead of updating the OS and web browser, they would rather you just buy a new phone. Tizen is strangely enough the market leader for the SmartTV platform, but it's also full of security holes and privacy gaffes.

https://www.flatpanelshd.com/news.php?subaction=showfull&id=1583755244

Note that article is from March of THIS year.

 

Do you really want that experience on a smartphone? I think not.


25 minutes ago, Brooksie359 said:

This is why I always run adblocker when possible. Honestly I find adblocker to be one key way to protect yourself from viruses and the like. 

Yes. Or for the whole household you can run a Pi-Hole DNS server that does the blocking for you.

 

One annoying thing however is the reliance on google.com, so a lot of marketplace links are inherently blocked if you click on the first links ranked at the top when googling. It's fair game, but just so you know.

 

Ad blocking will become more difficult as browsers push harder to insist on DNS over HTTPS. So far it's optional, but don't be surprised when it becomes mandatory at some point.


29 minutes ago, Brooksie359 said:

This is why I always run adblocker when possible. Honestly I find adblocker to be one key way to protect yourself from viruses and the like. 

Ad blockers protect the PEBKAC, not the computer. Adblockers don't prevent malware and viruses unless you only visit piracy and *chan sites.


6 minutes ago, Kisai said:

Ad blockers protect the PEBKAC, not the computer. Adblockers don't prevent malware and viruses unless you only visit piracy and *chan sites.

For the most part, but not exclusively. Take a look at a Pi-Hole log file. Blocks all sorts of DNS requests that occur at the OS and app level (telemetry). Some malware (bots) will rely on DNS to perform resolution on C&C (Command and Control) nodes to update and receive execution commands. It's not a panacea, but DNS filtering adds an extra layer of mitigation (notice I didn't say "defense").
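The kind of log review suggested in the post above, as an added example that is not part of the original thread: it pairs each query in a Pi-hole/dnsmasq-style log with its verdict and lists which client kept asking for which blocked name. The log lines are constructed, and the "gravity blocked" wording of the block line is an assumption taken from Pi-hole v5; other versions word it differently.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the dnsmasq log style Pi-hole writes. Every name uses
# the reserved .example TLD; addresses are private or documentation ranges.
SAMPLE_LOG = """\
May 17 10:00:01 dnsmasq[711]: query[A] forum.example from 192.168.1.10
May 17 10:00:01 dnsmasq[711]: forwarded forum.example to 192.0.2.53
May 17 10:00:01 dnsmasq[711]: reply forum.example is 203.0.113.5
May 17 10:00:07 dnsmasq[711]: query[A] telemetry.tv-vendor.example from 192.168.1.20
May 17 10:00:07 dnsmasq[711]: gravity blocked telemetry.tv-vendor.example is 0.0.0.0
May 17 10:05:00 dnsmasq[711]: query[A] cc.dga-node.example from 192.168.1.30
May 17 10:05:00 dnsmasq[711]: gravity blocked cc.dga-node.example is 0.0.0.0
May 17 10:10:00 dnsmasq[711]: query[A] cc.dga-node.example from 192.168.1.30
May 17 10:10:00 dnsmasq[711]: gravity blocked cc.dga-node.example is 0.0.0.0
May 17 10:15:00 dnsmasq[711]: query[A] cc.dga-node.example from 192.168.1.30
May 17 10:15:00 dnsmasq[711]: gravity blocked cc.dga-node.example is 0.0.0.0
May 17 10:15:02 dnsmasq[711]: query[AAAA] ads.tracker.example from 192.168.1.10
May 17 10:15:02 dnsmasq[711]: gravity blocked ads.tracker.example is ::
"""

QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
# Assumed block-line wording (Pi-hole v5); adjust for the version in use.
BLOCKED = re.compile(r"gravity blocked (\S+) is ")
# Lines that show the query was answered normally instead of blocked.
ANSWERED = re.compile(r"(?:forwarded|cached) (\S+) ")


def blocked_by_client(log_text):
    """Return {client_ip: Counter({domain: blocked_count})}."""
    pending = defaultdict(list)      # domain -> clients still awaiting a verdict
    blocked = defaultdict(Counter)
    for line in log_text.splitlines():
        msg = line.partition("]: ")[2]   # drop "May 17 ... dnsmasq[pid]: "
        m = QUERY.match(msg)
        if m:
            pending[m.group(2)].append(m.group(3))
            continue
        m = BLOCKED.match(msg)
        if m and pending[m.group(1)]:
            client = pending[m.group(1)].pop(0)
            blocked[client][m.group(1)] += 1
            continue
        m = ANSWERED.match(msg)
        if m and pending[m.group(1)]:
            pending[m.group(1)].pop(0)   # query resolved, not blocked
    return blocked


def repeat_offenders(blocked, threshold=3):
    """Client/domain pairs blocked at least `threshold` times, busiest first.

    One blocked lookup is usually an ad or telemetry call; the same host
    asking for the same blocked name again and again is worth a closer look.
    """
    hits = [(client, domain, count)
            for client, domains in blocked.items()
            for domain, count in domains.items()
            if count >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    summary = blocked_by_client(SAMPLE_LOG)
    for client, domains in sorted(summary.items()):
        print(client, dict(domains))
    print("repeat offenders:", repeat_offenders(summary))
```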


52 minutes ago, StDragon said:

For the most part, but not exclusively. Take a look at a Pi-Hole log file. Blocks all sorts of DNS requests that occur at the OS and app level (telemetry). Some malware (bots) will rely on DNS to perform resolution on C&C (Command and Control) nodes to update and receive execution commands. It's not a panacea, but DNS filtering adds an extra layer of mitigation (notice I didn't say "defense").

I'd rather go with DNS blackholing than tampering with websites using untrustable blockers. I actually prefer Ghostery's selective blocking over the crude blocking in other tools.

 

The thing really is, Google destroyed the advertising market, themselves, alone. To give a reference point. Not 5 years ago 2.00CPM was possible using high quality ad networks that don't resell other ads, now 0.01CPM isn't even possible, and that's because Google kept all the high CPM traffic for itself and chastised websites that put any kind of CPM floor in, because they couldn't dump their worthless ads on them.

 

High quality ads, that you saw instantly and didn't slow the website down, were like gold. But now you get these 50 layers of reselling nonsense and it's just nobody likes ads anymore, not even the advertisers. Nobody likes to advertise using Google because that means your ads end up on rubbish sites, and nobody likes to put Google ads on their site anymore because Google will send you all the non-paying ads. So when your website with millions of impressions is only making a few dollars this year when it made 10,000$ a few years ago, something has clearly gone wrong.

 

 


2 hours ago, Kisai said:

they would rather you just buy a new

Hmmm, that attitude reminds me of a certain company: https://www.vice.com/en_us/article/akw558/apples-t2-security-chip-has-created-a-nightmare-for-macbook-refurbishers

 

Besides, while the abandonment is definitely an issue for some brands, I have a Samsung S7 as a work phone (released 2016) and I am still getting regular OS updates, so it is a bit unfair to lump all the brands together just because some of them have a poor record.


17 hours ago, Curious Pineapple said:

Let me get this straight. Android devices seemingly don't have security holes that require a monster such as the T2 to mitigate, so by not having that mitigation, the platform is worse? That's like advising people to buy Intel over AMD because although Intel processors have had vulnerabilities, they fixed them but AMD didn't because they didn't have the issues to start with.

 

Makes sense. Buy product with fixed security holes that have drawbacks because the product that doesn't have the holes never got fixed.

Actually an argument was made that they have some of the exact same security holes. The difference is that with Apple they’re covered and with Android they’re not. The issue is multiple layer protection. Apple and Android both have code based whack-a-mole security holes. Security holes that Android does a better and faster job of replying to because they have to. They don’t have backup coverage. Apple does. It’s a coverage that has massive problems, but they have it. Because Apple has this coverage they appear to be a bit complacent about the base stuff which is a problem.

The title of the claim was that “Apple is fucked”. They’re not. But they could be. I get how the Apple haters will say anything and the Apple lovers will say anything. The answer appears to be more in the middle though. Is there a problem? Apparently. Is it as deadly dire as the Apple haters say? Doesn’t look that way. Quite. Apple needs to get its thumb out and fix this stuff. The whole T2 thing cannot be relied upon any more than perfect hole free coding. They made a second layer of protection which would have been an even better idea if it didn’t also produce massive repairability problems. For safety multiple layers of protection are needed. This is practically a truism. Things fail. Not keeping up on one because you’ve got another is stupid though. Having two buys time to fix the other is all. The general standard isn’t even two. It’s three. Having just two isn’t good, though it’s better than one. Not keeping up one of the two means there isn’t two. Just one.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


On 5/16/2020 at 7:22 PM, Bombastinator said:

The default browser has been near useless for a year or so. Google has been producing “free” SDKs for developers which are supposed to be universal but actually aren’t and break on Safari. No one uses it as a result.

I don't understand what you're saying.

1) We're talking about iOS here. The "default browser" is the only browser you can run on the platform. Chrome, Firefox and other third party browsers on iOS still use the Safari engine. The default browser is extremely important on iOS because it's the only thing you really got.

2) What SDK are you referring to here?

 

 

22 hours ago, AndrzejL said:

For some reason I do not believe in all this nonsense. A while back, not a very long time ago, they were paying big money for an iOS 0 day. Now they say they have tons? I will take my chances and keep using my iPhone 6s+ with the latest iOS on it.

I am not following your logic.

It seems like you're picking and choosing to believe in stuff based on if they fit your narrative or not.

 

So when Zerodium offered a bunch of money (which was actually a quite long time ago, about 3-5 years ago) you think that's evidence that iOS is secure. But now that the same people are saying "okay, there are quite a lot of exploits out there so we won't pay people to submit any more to us" you go "well you can't trust them, iOS is secure anyway!".

You either use the money Zerodium offers for exploits as an indication of platform security, or you don't. You don't get to pick and choose to use them as evidence sometimes, but stop using them as evidence when it starts contradicting you.


19 hours ago, Kisai said:

Because LG and Samsung don't want to use Android, but have no way of pushing their own OS. Samsung is caught between a rock and a hard place because they want to get rid of Android, but have only been able to push it onto their TVs, not the smartphones, because they know they will lose their market share overnight if they do. They are not in the position Apple has where Apple produces the hardware, OS, and all the software you'd normally need.

I fail to see how that fits the definition of "dead OS".

"It runs on 70% of the world's smartphones but it's dead because two manufacturers would use their own OS if they could". What you're saying doesn't make any sense.

Want an example of a dead OS? Windows 10 on phones has less than 0,07% market share and isn't getting updates anymore (I think). That's a dead OS. Android is very much alive. It's about as far from dead as you can get.

 

 

19 hours ago, Kisai said:

Traditionally LG and Samsung phones were the worst phones to own, because they were disposable. That hasn't really changed at all. Instead of updating the OS and web browser, they would rather you just buy a new phone. Tizen is strangely enough the market leader for the SmartTV platform, but it's also full of security holes and privacy gaffes.

https://www.flatpanelshd.com/news.php?subaction=showfull&id=1583755244

Note that article is from March of THIS year.

You're changing the subject.

You said that Tizen and other OSes are "buggier" and your evidence is a link about how Samsung TVs have ads in them. The articles you're linking are completely irrelevant to the claims you made.

 

It seems to me like you're using words like "dead" and "buggy" without knowing what they mean.

Dead means "no longer in use" or "no longer active".

Buggy means "containing many bugs", and "bug" means "flaw in a computer program that causes it to produce an incorrect or unexpected result".

 

 

19 hours ago, Kisai said:

Ad blockers protect the PEBKAC, not the computer. Adblockers don't prevent malware and viruses unless you only visit piracy and *chan sites.

And now you're using the word "PEBKAC" incorrectly. Are you doing this on purpose?

Or if you think you know what it means, your sentence doesn't make any sense.

 

And adblockers most certainly protect against malware. There are a ton of examples where trustworthy sites have ended up having malware on them.

The Asus website was hijacked once and started spreading malware. It happened because a vulnerability was found in the vBulletin software Asus used to run their forums.

Pretty sure LinusTechTips.com was infected at one point as well. We have also had a lot of cryptominers sneak their way into websites using ads.

 

 

 

6 hours ago, AndrzejL said:

Andrzej

Tip: You can configure a signature in your profile. That way you don't have to write it out in every post. It appears automatically.


21 minutes ago, LAwLz said:

The "default browser" is the only browser you can run on the platform. Chrome, Firefox and other third party browsers on iOS still use the Safari engine.

WKWebView, but yeah, all browsers in iOS are the same and the rest is just a skin. But Brave runs so much better unsurprisingly because it blocks a lot of the ad crap.


1 hour ago, LAwLz said:

I don't understand what you're saying.

1) We're talking about iOS here. The "default browser" is the only browser you can run on the platform. Chrome, Firefox and other third party browsers on iOS still use the Safari engine. The default browser is extremely important on iOS because it's the only thing you really got.

2) What SDK are you referring to here?

 

 

I am not following your logic.

It seems like you're picking and choosing to believe in stuff based on if they fit your narrative or not.

 

So when Zerodium offered a bunch of money (which was actually a quite long time ago, about 3-5 years ago) you think that's evidence that iOS is secure. But now that the same people are saying "okay, there are quite a lot of exploits out there so we won't pay people to submit any more to us" you go "well you can't trust them, iOS is secure anyway!".

You either use the money Zerodium offers for exploits as an indication of platform security, or you don't. You don't get to pick and choose to use them as evidence sometimes, but stop using them as evidence when it starts contradicting you.


I go to the App Store, I download Firefox, I use it. It runs different. Things that show blank page or links that won’t work suddenly do.


3 hours ago, LAwLz said:

I fail to see how that fits the definition of "dead OS".

Because the vendors using it would rather use their own OS, particularly Samsung who has 40% of the Android market, have phones that run Tizen, and push Tizen on all their other products. All of them. If they own the app store, they get the money from it. Not that Android even has a healthy or profitable app store to begin with. Both Google Play and Chrome extensions full of bugs, and rubbish are examples of Google just not giving even a little thought about it. Android is dead and it's better off something better came along that didn't make any of Android's mistakes. Google v Oracle is STILL going on, and it's still possible for Oracle to win it and utterly wreck the Android OS due to the reliance on Java APIs even when nobody likes the Dalvik Java junk to begin with.

 

3 hours ago, LAwLz said:

 

And now you're using the word "PEBKAC" incorrectly. Are you doing this on purpose?

Or if you think you know what it means, your sentence doesn't make any sense.

 

 

PEBKAC = Problem Exists between Keyboard and Chair, aka, the user. Adblockers solve nothing except some psychological need to regain control over their system. It does not prevent malware, it does not prevent viruses, it does not eliminate annoyances from websites. Most of the blockers are ginormous resource hogs because they have regex filters for every website that runs ads in them. That's ass-backwards software design. The only effective way to prevent "ads" is at the DNS level, by which the web browser is smart enough to cache things once looked up. Yet many of the worst ad vendors actually create new domains daily just to get around that as well.

 

And ad blockers would never have had to be a thing if Google didn't screw it up for everyone. Google keeps all the good paying ads for itself, and passes along the worthless ads to everyone else, makes egregious demands on both websites and advertisers that chase them off their platform, and right into the arms of the shitty ad services that make no attempt to check for quality.

 

The best thing that Google could do to come back from the hell they created for themselves is to stop making nitpicky bullshit demands on both who they advertise on and who is allowed to buy advertising and instead silently blackhole ads that contain JavaScript and WASM by default. Thereby only permitting ads that are png or jpeg that computer vision algorithms can check, and humans sign off on. Only permit ads to link to product websites that have existed for 3 months and have an SSL certificate from someone other than CentOS/Let's Encrypt/Cloudflare. Don't allow ads that link to sites behind Cloudflare or other "privacy hiding" nonsense. If a site is unwilling to pay for its own SSL certificate to sell a product, you don't want to go there anyway.

 

Google screwed everyone the minute they got into the ad business, and the only way out now is for the companies that own the large ones to stop treating it like a stock market where every middle man tries to suck all the profit out of it so the website gets none of it.


3 hours ago, StDragon said:

WKWebView, but yeah, all browsers in iOS are the same and the rest is just a skin. But Brave runs so much better unsurprisingly because it blocks a lot of the ad crap.

So why does it so often happen that things refuse to load in Safari but work fine in iOS Firefox or Brave?


4 minutes ago, Kisai said:

Because the vendors using it would rather use their own OS, particularly Samsung who has 40% of the Android market, have phones that run Tizen, and push Tizen on all their other products. All of them. If they own the app store, they get the money from it. Not that Android even has a healthy or profitable app store to begin with. Both Google Play and Chrome extensions full of bugs, and rubbish are examples of Google just not giving even a little thought about it. Android is dead and it's better off something better came along that didn't make any of Android's mistakes. Google v Oracle is STILL going on, and it's still possible for Oracle to win it and utterly wreck the Android OS due to the reliance on Java APIs even when nobody likes the Dalvik Java junk to begin with.

 

PEBKAC = Problem Exists between Keyboard and Chair, aka, the user. Adblockers solve nothing except some psychological need to regain control over their system. It does not prevent malware, it does not prevent viruses, it does not eliminate annoyances from websites. Most of the blockers are ginormous resource hogs because they have regex filters for every website that runs ads in them. That's ass-backwards software design. The only effective way to prevent "ads" is at the DNS level, by which the web browser is smart enough to cache things once looked up. Yet many of the worst ad vendors actually create new domains daily just to get around that as well.

 

And ad blockers would never have had to be a thing if Google didn't screw it up for everyone. Google keeps all the good paying ads for itself, and passes along the worthless ads to everyone else, makes egregious demands on both websites and advertisers that chase them off their platform, and right into the arms of the shitty ad services that make no attempt to check for quality.

 

The best thing that Google could do to come back from the hell they created for themselves is to stop making nitpicky bullshit demands on both who they advertise on and who is allowed to buy advertising and instead silently blackhole ads that contain JavaScript and WASM by default. Thereby only permitting ads that are png or jpeg that computer vision algorithms can check, and humans sign off on. Only permit ads to link to product websites that have existed for 3 months and have an SSL certificate from someone other than CentOS/Let's Encrypt/Cloudflare. Don't allow ads that link to sites behind Cloudflare or other "privacy hiding" nonsense. If a site is unwilling to pay for its own SSL certificate to sell a product, you don't want to go there anyway.

 

Google screwed everyone the minute they got into the ad business, and the only way out now is for the companies that own the large ones to stop treating it like a stock market where every middle man tries to suck all the profit out of it so the website gets none of it.

I partially disagree with this. Adblockers block ads. It might produce some “psychological feeling of control” for some but that is not the purpose. The purpose is to stop your screen from being hijacked by whatever so you can do the thing you were trying to do instead of being forced to deal with the electronic equivalent of some salesman with his foot in your front door jamb. Does it stop malware or any of that? No. It’s not security, normally, though some ads come with nasty little bits attached and blocking the whole thing can block those too. It’s edge case though.


10 minutes ago, Bombastinator said:

I partially disagree with this. Adblockers block ads. It might produce some “psychological feeling of control” for some but that is not the purpose. The purpose is to stop your screen from being hijacked by whatever so you can do the thing you were trying to do instead of being forced to deal with the electronic equivalent of some salesman with his foot in your front door jamb. Does it stop malware or any of that? No. It’s not security, normally, though some ads come with nasty little bits attached and blocking the whole thing can block those too. It’s edge case though.

 

Manage a website will you. When users start complaining in both directions that 1) the ads are interfering with their website viewing and 2) blocking the ads makes the site unnavigable since all the ad spaces are now collapsed and the content no longer where it's supposed to be.

That's why I said it's PEBKAC. These are issues caused by the user trying to assert control over a website they have no business tampering with. DO REALIZE you are running software on your computer that can also be compromised. No honor among thieves.


4 minutes ago, Kisai said:

 

Manage a website will you. When users start complaining in both directions that 1) the ads are interfering with their website viewing and 2) blocking the ads makes the site unnavigable since all the ad spaces are now collapsed and the content no longer where it's supposed to be.

That's why I said it's PEBKAC. These are issues caused by the user trying to assert control over a website they have no business tampering with. DO REALIZE you are running software on your computer that can also be compromised. No honor among thieves.

If the ads are interfering with viewing the website, then they're in a shitty place. As soon as I get an ad load in the middle of a mobile page I just leave. I can't be fucked with them, especially the crafty transparent ones that you can't avoid tapping.


19 minutes ago, Curious Pineapple said:

If the ads are interfering with viewing the website, then they're in a shitty place. As soon as I get an ad load in the middle of a mobile page I just leave. I can't be fucked with them, especially the crafty transparent ones that you can't avoid tapping.

If you've seen how WordPress actually works, you would understand that people literally do not know how websites work and just place ads wherever they want them to appear, even if it makes the website run like molasses.

All the sites I've ever set up with ads, run perfectly, you don't even notice any ad load time. Then as I've said several times in this thread already, Google started making it so only the worst/unprofitable ads wind up on ad-supported sites, so no matter how you tune a website for performance, nothing helps when an ad is handed off to 100 different ad vendors looking for inventory. Blocking ads, is a cat-and-mouse game for how many thousands of domains might be running ads on any particular day, never mind the millions of subdomains on hijacked VPS sites that run malware.

A lot of you are being dismissive about how ads and adblockers work. Adblockers only block a tiny portion of the rubbish, and block a lot more of the paying content that ad-supported content needs to survive. Malware on sites, such as vBulletin are not stopped by ad blockers, because the malware becomes part of the site, and there are a lot of abandoned forums out there full of spam due to the operators having abandoned the site, guess what happens when an exploit becomes available.

For a while there, in the early 2010s I was getting a lot of abuse reports from people working for banks and other IP claiming that "my site" was running (fill in the blank) nuisance, when in actual fact some spammer 3 years prior posted link spam with their brand in it, to some defunct domain that is now ... you guessed it, full of malware. Likewise all those phishing emails with images in it? Guess what they're usually hosted on? Yes, any random forum that allows attachment uploads. Go ahead and look in your spam folder and "View source" on a few. Those images aren't in the email, they're being used to track being read.

 

In the end, ideally governments would just ban all third-party advertising from the internet and this would be over pretty darn quick.


On 5/15/2020 at 10:01 PM, TopHatProductions115 said:

Anyone wanna make their own mobile OS? Or are we sitting here trying to tell multi-million dollar corporations what to do with their software and massively uninformed userbase(s) again?

That's the only true way forward, but it would take some sort of Android-esque equivalent of Red Hat to go anywhere.

 

21 minutes ago, Kisai said:

Manage a website will you. When users start complaining in both directions that 1) the ads are interfering with their website viewing

Terrible ad design choices will lead to complaints. Not much of a surprise.

 

21 minutes ago, Kisai said:

and 2) blocking the ads makes the site unnavigable since all the ad spaces are now collapsed and the content no longer where it's supposed to be.

I haven't encountered this problem so far, it must be a particularly bad website you have in mind. Ad blockers will sometimes interfere with terrible site functionality, but that's just a double plus.

What I have encountered are websites that can't display content correctly with cookies disabled. The only course of action then is to navigate away from their awfulness.

 

21 minutes ago, Kisai said:

That's why I said it's PEBKAC. These are issues caused by the user trying to assert control over a website they have no business tampering with.

Users aren't tampering with websites, they are controlling their browsers (as in, their individual instance of a browser), and rightfully so. You're trying to present it as a mixed bag of outcomes when the experience of ad block users is overwhelmingly positive in terms of sites' cleanliness, site load speeds, and use of computer resources (since the extensions take a tiny fraction of the resources than the blocked ads would use). Sure, you have sites like LTT where the benefit is dubious at best, but if every website was like LTT, ad blockers wouldn't even exist as there would be no demand for them.

Oh, and sites like LTT work flawlessly whether you block ads or not.

 

21 minutes ago, Kisai said:

DO REALIZE you are running software on your computer that can also be compromised. No honor among thieves.

Thieves? LOL, are you in charge of some terrible website not getting the income it mistakenly expected to get? :D 

 


1 minute ago, SpaceGhostC2C said:

 

Thieves? LOL, are you in charge of some terrible website not getting the income it mistakenly expected to get? :D 

 

People who block ads are always the same people ripping the content and posting it on image sharing sites, and have no misgivings about pirating anything. So yes.

 

I don't care if you block ads, I do care if you complain about it.


2 minutes ago, Kisai said:

People who block ads are always the same people ripping the content and posting it on image sharing sites, and have no misgivings about pirating anything. So yes.

 

I don't care if you block ads, I do care if you complain about it.

Worked that one out with tracking cookies? ;)


I went on and did some spelling corrections while quoting people, so please correct me if I got the wrong idea ;) 

 

20 minutes ago, Kisai said:

If you've seen how WordPress actually works, you would understand that people literally do not know how websites work and just place ads wherever they want them to appear, even if it makes the website run like molasses.

A few questions:

  1. Why are you using WordPress? Is it due to time constraints and actual business costs (hire a web developer vs. using pre-made materials), or just laziness? Just curious.
  2. I assume that the next sentence applies to common end-users and non-programmers/designers.
  3. That's where front-end/UI developers are supposed to come in. If you have them handle tasks like that, they'll know how to do the job better than an amateur. Completely on management and the organisation itself to make sure they put the right people to the task.

19 minutes ago, Kisai said:

All the sites I've ever set up with ads, run perfectly, you don't even notice any ad load time. Then as I've said several times in this thread already, Google started making it so only the worst/unprofitable ads wind up on ad-supported sites, so no matter how you tune a website for performance, nothing helps when an ad is handed off to 100 different ad vendors looking for inventory. Blocking ads, is a cat-and-mouse game for how many thousands of domains might be running ads on any particular day, never mind the millions of subdomains on hijacked VPS sites that run malware.

  1. That's nice to hear. 
  2. Is it possible to use other advertisement providers, outside of Google? They've gotten a bad rep recently for how services like YouTube got handled - especially during the AdPocalypse. I would have jumped ship or diversified my ad sources if I was in that position, and the options existed.
  3. That is true. DNS/Domain based adblocking is tougher in some regards because of this.
27 minutes ago, Kisai said:

A lot of you are being dismissive about how ads and adblockers work. Adblockers only block a tiny portion of the rubbish, and block a lot more of the paying content that ad-supported content needs to survive. Malware on sites, such as vBulletin are not stopped by ad blockers, because the malware becomes part of the site, and there are a lot of abandoned forums out there full of spam due to the operators having abandoned the site, guess what happens when an exploit becomes available.

  1. Not all of us. I, for one, am willing to address you.
  2. What is this?
  3. When you say "a part of the website", do you mean that the changes are being pushed to the server-side, where the original content originates? 
  4. Expanding on the topic of abandoned vBulletin websites, I'm under the impetus that most of these websites are not hosted in-house/locally. Otherwise, I'm sure the website owner(s) would have to address the issue of leaving a dead website running on their local infrastructure and using their bandwidth. This sounds like a web-host issue. I've been on free plans that used cPanel, where if my website remained inactive/unaltered (on the site owner's end), they'd either suspend or delete my website/account.
  5. Even if we ignore the oversight on the part of the web hosting provider, it is still the site owner/admin's job to know when to kill a dead website/service. It's gross negligence otherwise. From this point-of-view, I see no reason to prevent blocking of infected domains, even if they are vBulletin based. Dead websites should be converted to read-only archives, to prevent abuse at the very least.
45 minutes ago, Kisai said:

For a while there, in the early 2010's I was getting a lot of abuse reports from people working for banks and other IP claiming that "my site" was running (fill in the blank) nuisance, when in actual fact some spammer 3 years prior posted link spam with their brand in it, to some defunct domain that is now ... you guessed it, full of malware. Likewise all those phishing emails with images in it? Guess what they're usually hosted on? Yes, any random forum that allows attachment uploads.  Go ahead and look in your spam folder and "View source" on a few. Those images aren't in the email, they're being used to track being read.

I remember that. It was a nuisance, and ticked off tons of users on a ton of forums that I used to frequent. Quite the annoyance indeed.

 

I'll be back in a few...


2 hours ago, Kisai said:

Because the vendors using it would rather use their own OS, particularly Samsung who has 40% of the Android market, have phones that run Tizen, and push Tizen on all their other products. All of them. If they own the app store, they get the money from it. Not that Android even has a healthy or profitable app store to begin with. Both Google Play and Chrome extensions full of bugs, and rubbish are examples of Google just not giving even a little thought about it. Android is dead and it's better off something better came along that didn't make any of Android's mistakes. Google v Oracle is STILL going on, and it's still possible for Oracle to win it and utterly wreck the Android OS due to the reliance on Java API's even when nobody likes the dalvik Java junk to begin with.

If we're gonna start talking about dead OS's, let's start with a few that are actually close to being just that:

Notice something? These products aren't market leaders, and haven't had current releases in at least a year. If you want to call Android a dead-end OS with nowhere to go or expand, there is Google Fuchsia to help make the argument. But that's very far off in the distant future, so let's keep the speculation under control. Android's here to stay for the long-term, until someone dethrones it. iOS is the closest anyone in recent memory has come to pulling it off. And if you feel the need to mention Amazon and its app store, please don't - there's a reason so many tutorials exist on how to convert it to stock Android. FireOS is a pain to use, and is built on Android - just heavily modified by an OEM (Amazon).

 

And pertaining to this:

More than just Google's Android project is at stake here. Are you sure that you want that to come to pass?

Quote

Google successfully petitioned to the Supreme Court to hear the case in the 2019 term, focusing on the copyrightability of APIs and subsequent fair use. The case is of significant interest within the tech and software industries, as numerous software programs and libraries, particularly in open source, are developed by recreating the functionality of APIs from commercial or competing products to aid developers in interoperability between different systems or platforms.

Just how many other popular tools, applications, and SDKs will be impacted by this if Oracle wins? I'm sure you'll be impacted in some way as well.

 

2 hours ago, Kisai said:

PEBKAC = Problem Exists between Keyboard and Chair, aka, the user. Adblockers solve nothing except some psychological need to regain control over their system. It does not prevent malware, it does not prevent viruses, it does not eliminate annoyances from websites. Most of the blockers are ginormous resource hogs because they have regex filters for every website that runs ads in them. That's ass-backwards software design. The only effective way to prevent "ads" is at the DNS level, by which the web browser is smart enough to cache things once looked up. Yet many of the worst ad vendors actually create new domains daily just to get around that as well.

Adblockers can actually prevent some malware encounters, depending on how you configure them. They aren't meant to be security tools themselves, but they do play an important role in controlling the user experience by blocking unwanted elements. If you're using a domain/DNS/hosts based application (as you've mentioned), you can manually add domains that are known to be malicious. I've done it before. It's not out of the question. I've also white-listed certain websites when I found that their ads were not too intrusive for my liking. Once again, this complaint kinda reminds me of the Acceptable Ads Program. HTML element based adblocking used to work, before people started getting fancy with how they placed and served the ads.

 

2 hours ago, Kisai said:

And ad blockers would never have had to be a thing if Google didn't screw it up for everyone. Google keeps all the good paying ads for itself, and passes along the worthless ads to everyone else, makes egregious demands on both websites and advertisers that chase them off their platform, and right into the arms of the shitty ad services that make no attempt to check for quality.

Another reason to not depend on Google for everything. Diversify ad sources?

 

2 hours ago, Kisai said:

The best thing that Google could do to come back from the hell they created for themselves is to stop making nitpicky bullshit demands on both who they advertise on and who is allowed to buy advertising and instead silently blackhole ads that contain javascript and WASM by default. Thereby only permitting ads that are png or jpeg that computer vision algorithms can check, and humans sign off on. Only permit ads to link to product websites that have existed for 3 months and have a SSL certificate from someone other than CentOS/Let's Encrypt/Cloudflare. Don't allow ads that link to sites behind Cloudflare or other "privacy hiding" nonsense. If a site is unwilling to pay for its own SSL certificate to sell a product, you don't want to go there anyway.

Would it be a bad idea to hand-pick sponsors and advertisers that you'll permit on your website, so that you have more control over the image of your platform? Is this option only reserved for people with money and influence?

A lot of this sounds like issues associated with depending too much on 3rd-party entities to do the right thing, instead of taking control from the start. But I could be wrong.

 

2 hours ago, Kisai said:

Google screwed everyone the minute they got into the ad business, and the only way out now is for the companies that own the large ones to stop treating it like a stock market where every middle man tries to suck all the profit out of it so the website gets none of it.

Is it possible to cut out the middleman?

I think Direct Advertising will be a better bet in this case...

 


35 minutes ago, TopHatProductions115 said:

I went on and did some spelling corrections while quoting people, so please correct me if I got the wrong idea ;) 

 

A few questions:

  1. Why are you using WordPress? Is it due to time constraints and actual business costs (hire a web developer vs. using pre-made materials), or just laziness? Just curious.

I do not use wordpress, and I tell people to not use wordpress. The best options are picking smaller CMS systems that let you edit the template as HTML, not as a hodgepodge of mixed php and html and certainly not with scripts on top of scripts like wordpress, phpbb, vbulletin, drupal and joomla do.

 

Wordpress is the internet's humvee but with a gas tank the size of a water bottle.

 

Quote
  1. I assume that the next sentence applies to common end-users and non-programmers/designers.

One part of my clients are web content, some of it's tame, some of it's adult in nature, at least two were fairly popular newsblogs within their genre, there was no way I could spell it out to anyone on wordpress what they were doing wrong that was making their high traffic website require far more overkill servers than they really needed. Like simply adding ads using an "ad rotation" plugin for wordpress guarantees that no page ever gets cached. Ads have to be driven by either straight anchor+img, or javascript on the client end (thus vulnerable to being blocked), yet they were dumping these things within the ad rotation plugin so not only did the php have to generate it for every page load, it wasn't benefiting from the javascript client caching at all.

 

 

Quote
  1. That's where front-end/UI developers are supposed to come in. If you have them handle tasks like that, they'll know how to do the job better than an amateur. Completely on management and the organisation itself to make sure they put the right people to the task.

 

Right, you tell the person who wants to spend no more than $10 on dreamhost/bluehost not to use wordpress because their site will buckle when 10 users view the site. I've pretty much given up trying to dissuade people from using wordpress. Just pay a html wizard to generate a static site for you, and then take that and apply it to a much smaller CMS that does what you want rather than deal with the resource pig of wordpress. Especially if you are not using the blog or comment system to begin with.

 

Quote
  1. That's nice to hear. 
  2. Is it possible to use other advertisement providers, outside of Google? They've gotten a bad rep recently for how services like YouTube got handled - especially during the AdPocalypse. I would have jumped ship or diversified my ad sources if I was in that position, and the options existed.
  3. That is true. DNS/Domain based adblocking is tougher in some regards because of this.

 

Go to any ad-supported site and affix ads.txt to their root domain and see how many ad resellers they deal with.

https://www.nytimes.com/ads.txt

https://www.washingtonpost.com/ads.txt

 

Interesting to note:

https://www.amazon.com/ads.txt

 

There are sites that have like 500 different domains. Like https://www.aol.com/ads.txt

 

 

Quote

That's just blackmail and arbitrary wishful thinking.

 

The only "safe" ads are those that have no tracking on them, and only load images from first party domains. So if your site is www.nytimes.com, you set a cname on your domain eg aolads.nytimes.com pointing to aol's ad server, and thus the aol ads are now a "first party" unit on the site. No javascript, No WASM, No cookies, no Localstorage, no Canvas tag, No Video tag. GDPR basically ruined any form of tracking, so may as well forget about it. Doing this also gets rid of the "domains changing every hour" that some untrustworthy ad networks and also malware use.

 

Now I'm going to carve out an exception here because video ads and video streams come from the same source (youtube), to which third party video must download no more than the first two keyframes (eg 15 frames) and the user must manually hit play on the video unless the user has indicated prior that "Play all videos on this site". That solves the nuisance video ads appearing on sites with no video content.

 

Sure both of these are treating the disease by amputating the patient, but we really are at a place where no third party content should ever be trusted again. That includes "third party" jailbreak/app stores on mobile phones, tablets and smart TV's.

 

If advertisers can't get their ducks in a row here, I see a market for "dns filter" devices that go one step further than pihole does and crowdsource dns blacklists. Cloudflare can go die in a fire though, don't trust them or anyone else who is publicly traded.

 

Quote
  1. When you say "a part of the website", do you mean that the changes are being pushed to the server-side, where the original content originates? 

Malware gets onto forums and CMS three primary ways:

1) The administrator account to the CMS is compromised, thus allowing stuff to be uploaded and arbitrarily edited. Especially when the CMS allowed editing the template or php files from within it like Wordpress

2) The system account is compromised, allowing arbitrary edits. Yes malware will login to a user's site and edit every php file, or look for specific ones. If you view the log file for any site, you will see a lot of /wp-admin/ files requests come up a lot.

3) The CMS is vulnerable due to a library in the scripting language, so something like a crafted jpeg or png causes a buffer overflow and a rootkit is installed, allowing full access to the machine, see previous two points.

 

Quote
  1. Expanding on the topic of abandoned vBulletin websites, I'm under the impetus that most of these websites are not hosted in-house/locally. Otherwise, I'm sure the website owner(s) would have to address the issue of leaving a dead website running on their local infrastructure and using their bandwidth. This sounds like a web-host issue. I've been on free plans that used cPanel, where if my website remained inactive/unaltered (on the site owner's end), they'd either suspend or delete my website/account.

 

That's because Cpanel routinely requires updating, and the underlying Linux (usually CentOS) OS becomes unsupported. Contrast that with stable OS's like FreeBSD where you can update the OS without taking anything down, or later versions of Windows Server. Unless you have a relationship with the webhost or the server administrator to ensure your site never gets deleted, sites that are abandoned are usually left up with the assumption that the user will one day come back, or if the user has died, that it remains active. If webhosts deleted sites at the drop of a hat, for non-payment there would be a lot of memorial sites being deleted after a few months.

 

 

Quote
  1. Even if we ignore the oversight on the part of the web hosting provider, it is still the site owner/admin's job to know when to kill a dead website/service. It's gross negligence otherwise. From this point-of-view, I see no reason to prevent blocking of infected domains, even if they are vBulletin based. Dead websites should be converted to read-only archives, to prevent abuse at the very least.

I remember that. It was a nuisance, and ticked off tons of users on a ton of forums that I used to frequent. Quite the annoyance indeed.

 

I'll be back in a few...

The best option for dealing with dead sites is really to have archive.org or something similar create a shadow domain system that archives the content statically so that you could do something like archive[timestamp]://old.example.com in the web browser and have it pull the static page from that timestamp or the closest to it. Once the site is shadow copied, take the original site offline. However that's not how it works right now, and many archiving attempts run into problems with dynamic scripts such as forums and wordpress sites because there's 20 different ways to reach the same content, and the content is always "new" going by last-modified timestamps. So archive systems really have no mechanism for knowing when a site has disappeared since it can be replaced with malware or some other malicious content once some domain squatter gets the domain.
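
The ads.txt check suggested in the post above can be done with a short parser that counts how many distinct ad systems a site authorizes and how many of them are resellers only. This is an added example, not code from the thread; it assumes the IAB ads.txt record layout (ad system domain, seller account id, DIRECT or RESELLER, optional certification id), and the sample file is constructed.

```python
from collections import defaultdict

# Constructed sample in ads.txt syntax; domains, account ids and the
# certification ids are made up for this example.
SAMPLE_ADS_TXT = """\
# ads.txt for news.example
contact=adops@news.example
adsystem-one.example, pub-1234567890, DIRECT, tagid0000000001
adsystem-one.example, pub-1234567890, RESELLER
AdSystem-Two.example, 99881, reseller  # trailing comment
exchange-three.example, 5501, RESELLER, tagid0000000003
exchange-three.example, 5502, RESELLER, tagid0000000003
this line is not valid
"""


def parse_ads_txt(text):
    """Split an ads.txt body into seller records, variables and rejected lines."""
    records, variables, rejected = [], defaultdict(list), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        line = line.split(";", 1)[0]          # drop extension fields after ';'
        fields = [f.strip() for f in line.split(",")]
        relationship = fields[2].upper() if len(fields) >= 3 else ""
        if (len(fields) in (3, 4) and fields[0] and fields[1]
                and relationship in ("DIRECT", "RESELLER")):
            records.append({
                "ad_system": fields[0].lower(),   # domain names are case-insensitive
                "account_id": fields[1],
                "relationship": relationship,
                "cert_id": fields[3] if len(fields) == 4 else None,
            })
        elif len(fields) == 1 and "=" in line:
            name, _, value = line.partition("=")  # e.g. contact=, subdomain=
            variables[name.strip().lower()].append(value.strip())
        else:
            rejected.append((lineno, raw.strip()))
    return records, dict(variables), rejected


def summarize(records):
    """Count distinct ad systems and separate direct sellers from reseller-only ones."""
    by_relationship = defaultdict(set)
    for record in records:
        by_relationship[record["relationship"]].add(record["ad_system"])
    direct, reseller = by_relationship["DIRECT"], by_relationship["RESELLER"]
    return {
        "seller_entries": len(records),
        "ad_systems": len(direct | reseller),
        "direct": sorted(direct),
        "reseller_only": sorted(reseller - direct),
    }


if __name__ == "__main__":
    recs, variables, bad = parse_ads_txt(SAMPLE_ADS_TXT)
    print(summarize(recs), variables, bad)
```

Save the body of a site's `/ads.txt` to a file and pass its text to `parse_ads_txt` to get the same summary for a real publisher.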
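
The post above notes that /wp-admin/ requests show up constantly in any site's log. The added example below (not code from the thread) triages them per client address in a Combined Log Format access log. The log lines are constructed, and treating `/wp-login.php` as a watched path and `admin-ajax.php` as a public endpoint are assumptions about a stock WordPress install.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "METHOD target proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: admin-ajax.php answers anonymous visitors on a normal WordPress
# site, so a 200 there says nothing about a login. Extend this set per site.
PUBLIC_ADMIN_FILES = {"/wp-admin/admin-ajax.php"}

# Constructed sample lines using documentation IP ranges, not a real server log.
SAMPLE_LOG = """\
198.51.100.7 - - [12/May/2020:03:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2841 "-" "curl/7.68.0"
198.51.100.7 - - [12/May/2020:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "curl/7.68.0"
198.51.100.7 - - [12/May/2020:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "curl/7.68.0"
198.51.100.7 - - [12/May/2020:03:14:04 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.40 - - [12/May/2020:03:20:10 +0000] "GET /2020/05/some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.40 - - [12/May/2020:03:20:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"
192.0.2.99 - - [12/May/2020:04:01:33 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.99 - - [12/May/2020:04:01:35 +0000] "GET /wp-admin/theme-editor.php?file=footer.php HTTP/1.1" 200 20991 "-" "Mozilla/5.0"
192.0.2.77 - - [12/May/2020:05:10:00 +0000] "GET /wp-admin/backup.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""


def scan(log_text):
    """Group requests for the login page and admin area by client address."""
    per_ip = defaultdict(lambda: {"hits": 0, "login_posts": 0, "admin_pages_200": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path      # ignore the query string
        if not (path.startswith("/wp-admin/") or path == "/wp-login.php"):
            continue
        if path in PUBLIC_ADMIN_FILES:
            continue
        entry = per_ip[m["ip"]]
        entry["hits"] += 1
        if path == "/wp-login.php" and m["method"] == "POST":
            entry["login_posts"] += 1
        # Static assets under /wp-admin/ are skipped; only pages count here.
        is_page = path.endswith(".php") or path.endswith("/")
        if path.startswith("/wp-admin/") and is_page and m["status"] == "200":
            entry["admin_pages_200"].append(path)
    return dict(per_ip)


def triage(entry):
    """A hint for where to look first, not proof of compromise."""
    if entry["admin_pages_200"]:
        return "admin page served"   # check whose session this was
    if entry["login_posts"]:
        return "login attempts"      # credentials were submitted
    return "probe"                   # only looked for the paths


if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG).items():
        print(ip, triage(entry), entry)
```

An "admin page served" result from an address that no administrator recognizes matches the first way in described above, a compromised administrator account, and is the one to investigate first.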

 


32 minutes ago, TopHatProductions115 said:

If we're gonna start talking about dead OS's, let's start with a few that are actually close to being just that:

Notice something? These products aren't market leaders, and haven't had current releases in at least a year. If you want to call Android a dead-end OS with nowhere to go or expand, there is Google Fuchsia to help make the argument. But that's very far off in the distant future, so let's keep the speculation under control. Android's here to stay for the long-term, until someone dethrones it. iOS is the closest anyone in recent memory has come to pulling it off. And if you feel the need to mention Amazon and its app store, please don't - there's a reason so many tutorials exist on how to convert it to stock Android. FireOS is a pain to use, and is built on Android - just heavily modified by an OEM (Amazon).

 

And pertaining to this:

More than just Google's Android project is at stake here. Are you sure that you want that to come to pass?

Just how many other popular tools, applications, and SDKs will be impacted by this if Oracle wins? I'm sure you'll be impacted in some way as well.

 

Adblockers can actually prevent some malware encounters, depending on how you configure them. If you're using a domain/DNS/hosts based application (as you've mentioned), you can manually add domains that are known to be malicious. I've done it before. It's not out of the question. I've also white-listed certain websites when I found that their ads were not too intrusive for my liking. Once again, this complaint kinda reminds me of the Acceptable Ads Program. HTML element based adblocking used to work, before people started getting fancy with how they placed and served the ads.

 

All of the stuff above I'm done arguing about. I hate Android, I hate Android's Dalvik API, and I hate hate the entire development system for Android. It's a mess, it's literally a decade of mess upon messes. I want something else that allows developers to use C/C#/C++/Rust compiled natively, and an app store that requires the developer to upload the source code to be vetted. Not the ten layers of hell google puts you through to develop anything on it. The Android phone is as far from the open "PC" platform, and full of pitfalls that I quite honestly don't trust any software to still work on the next minor Android OS version.

 

Part of Android's failure can also be laid at the feet of Linux developers (no not the kernel) insisting on changing things for fundamentally "not invented here" reasons. There is no reason to keep changing the ABI (yes ABI) with every major and minor OS version of all the libraries on the OS. If you need to make a breaking change, keep the old and new library around until nothing on the device uses the old library. 

 

Quote

Another reason to not depend on Google for everything. Diversify ad sources?

 

Would it be a bad idea to hand-pick sponsors and advertisers that you'll permit on your website, so that you have more control over the image of your platform? Is this option only reserved for people with money and influence?

A lot of this sounds like issues associated with depending too much on 3rd-party entities to do the right thing, instead of taking control from the start. But I could be wrong.

 

Is it possible to cut out the middleman?

I think Direct Advertising will be a better bet in this case...

 

 

Well of course there is too much dependency on relying on third parties to do the right thing. You want to spend as little time and money on non-core businesses as possible. If you have a website selling $10 hammers, and you allow third parties to push whatever, then the person selling $9 hammers is going to target your website, so instead of you selling $10 hammers your website is earning you 1 cent every time someone sees an ad for that $9 hammer. Maybe it wouldn't matter if 1000 people were seeing the ad and you being paid, even if you don't sell one hammer, but you would make more money selling 1000 hammers.

 

It's wishful thinking (and this is the horrible wishful thinking that the MPAA/RIAA/BSA/etc operate under) that every non-sale is a lost sale. Rather, you have to think of it this way, that if your content is worth buying, then ads on your site need to be relevant. So gaming sites would advertise games, or comics based on that game, or some other tie-in. That makes sense. But people blocking all the ads, will never see it, and if a site is "70% of users block the ads" then that site is passed over for another where the users are not subscribing to the robin hood mindset. That's why piracy and *chan-type sites have all these ultra-gross ads that have horrible behavior, because 99% of the users of those sites block the ads and thus the ad algorithms only see the people who don't, and since the site is financially nonviable to advertise on, it gets all the rubbish at the bottom of the barrel. So it only takes one unvetted advertiser targeting these sites to wreck things for the 500 others not targeting them.

 

If you're selling $10 hammers, but not nails, you should be approving the ads for nails, not hoping that someone selling nails will put ads on your site. Having ads for wedding dresses and gucci bags will not earn the advertiser anything, because presumably the person buying a hammer, needs a hammer.

 

It does not matter what ad network you use, everyone buys inventory from everyone else. The one you use is the middleman getting the sell-side commission, and if they also have inventory they get the buy-side commission, otherwise they really don't care, it's just arbitrage to them. Site A has inventory, Advertiser B has ads they want to sell, Middleman for A says OK send me X impressions, and Middleman B goes "OK" (this is all automated, no humans involved), and that's just how things work now. If you want to vet every single ad, you will get no ads, ever. It's high-speed trading, but with ads, not stocks.

 


34 minutes ago, Kisai said:

Unless you have a relationship with the webhost or the server administrator to ensure your site never gets deleted, sites that are abandoned are usually left up with the assumption that the user will one day come back, or if the user has died, that it remains active. If webhosts deleted sites at the drop of a hat, for non-payment there would be a lot of memorial sites being deleted after a few months.

 

Nope. I'm calling BS on this. As someone who works in the MSP side of things, most abandoned sites that stay up are for several reasons; of which none relates to altruism.

 

-Rotating IT staff in which the previous admin was fired or left - no passing of institutional knowledge.

-Management keeps paying the invoice thinking it's something "important" without understanding it's just deadwood.

-The hosting provider also suffers from poor IT systems administration to where it's kept online long after the customer stops paying the bill.

 

It really is comical. IT seems to be the only industry where you can get away with not paying for something, or you are and the content is maintained improperly. It's quasi-dysfunctional given how rapidly the industry changes. Try getting away with that at a physical storage facility. If the bill isn't paid, they will forklift your junk to the curb. But in IT, storage is so cheap that if it's a crappy little website, it's a statistical rounding error in storage consumed on the SAN.

 

As always, "Never attribute to malice that which can be adequately explained by stupidity"
