- From: "T.Rob"
- To: "'Don Marti'", "'ProjectVRM list'"
- Cc: "'Doc Searls'", "'M a r y H o d d e r'"
- Subject: RE: [projectvrm] The marketing/cybercrime symbiosis
- Date: Mon, 22 Sep 2014 14:33:31 -0400
Don,
I would agree with most of this except that we are locked in an escalating
tech war in which people utilize the browser controls available to them and
malvertisers then invent new tech to circumvent the user-side controls. This
is the same war we are locked in with regard to virus software and in fact it
is getting harder to differentiate between invasive adtech versus viruses.
Furthermore, the content at the domain to which we surf has written code into
their page which a) refers the browser to 3rd party domains and b) is often
designed to make rendering of the content contingent on the user having
rendered the invasive 3rd party malvertising. It is not as though the
content server is innocent in all of this.
> The more that we try to make the server side into the subject of the
> sentence, the more that the problem tends to look like "please, please,
> big bad example.com, stop tracking poor little passive us".
> That way lies petitions, meetings, long arguments, and failure.
>
> When we make the browser into the subject of the sentence, then it's more
> natural to say, oh, I have software on my computer with a bug in it. What
> can I do to switch to something better (Apple Safari blocks third-party
> tracking by default, and MSIE has Tracking Protection Lists) or install a
> workaround (Disconnect or Privacy Badger)?
Sounds a bit like victim blaming. We were "asking for it" because we didn't
install the latest leading-edge anti-malvertising tech?
Example: Here's a WSJ blog post on #adtech stating "there is no one size fits
all model." Note that the post is hosted on a page that loads 200 scripts
from 35 non-wsj.com domains.
http://iopt.us/1mpt6XT
To get to that number with NoScript it was necessary to hit Temporarily Allow All about 5 times.
That means the scripts WSJ embedded on their base page loaded more scripts
nested to about 5 levels deep. Each of these 35 domains has its own privacy
policy and TOS that each take longer to read than does the content. The
reason that scripts are nested in this way is so that the hard-coded script
references on the content server can remain static whilst the scripts
responsible for loading malvertising can be dynamic. That means it might be
substantially more or less or different scripts/domains tomorrow. Does WSJ,
or any content server for that matter, check that the malvertising content
and scripts out to 5 levels of nesting are safe or that they stay within the
bounds of WSJ's own TOS and privacy policy? Or do they just warn us that
they aren't responsible for the crap they bootstrapped into the browser by
coding it into their page? And 5 levels of nesting is about as benign as it
gets. I've found sites with much more than that.
> But this time, the sales rep starts asking your _horse_ the questions, and
> your horse answers -- clop, clop, clop with a front hoof on the marble
> floor of the bank.
Your analogy is good but incomplete. Let me catch you up a bit.
First of all, it isn't a sales rep. It is the sales rep the bank invited in,
plus his invitees, plus their invitees, and so on. Many of the invitees
below the second level are members of organized crime using the legitimate
sales rep's credentials to gain access to the bank's lucrative customer pool.
Second, some of these sales reps, all of whom have credentials to the bank's
property but almost none of whom are vetted or known to the bank, have
discovered how to steal the customer's banking credentials right out of the
saddlebag. Customers are getting financially cleaned out, being
impersonated, and in some cases lose their lives. Everyone, with the
exception of some of the customers, knows this. Everyone who is not a
customer deems the risk acceptable. None of these people who accept the risk
actually bear the burden of the risk. Now that the bank, an institution of
some good repute, has actually become a dangerous place to visit they
disclaim any responsibility for the shenanigans going on with the sales reps
and claim they would go bankrupt without the revenue stream provided by the
crooks in the lobby and drive-through.
Knowing the dangers, I taught my horse not to answer but the sales rep
attached some GPS trackers to him when I wasn't looking. I learned to sweep
for those so the sales rep put them in a sugar cube and fed them to the
horse. When I muzzled the horse the sales rep donned some long gloves and
started spending time behind the horse. Once I figured that out, the bank
changed their policy so they no longer provided banking services unless my
horse had been anal-probed and they could detect a live signal. I looked for
another bank and discovered they were all doing the same thing. When I
objected, I was told that I could always choose to not use the services of
banks. When I objected that this wasn't practical, I was told that the
burden is on me to demand a more effectively sales-rep-resistant horse
because banks will be banks, after all, and they are innocent in all of this.
Don, there's a steaming pile behind your horse analogy. It turns out that
you can lead a horse to the teller window but you can't make it think.
In the IT security industry the phrase "advanced persistent threat," or APT,
describes a determined attacker with advanced technology and vast resources
available for R&D. Originally this referred to nation-states attacking
national infrastructure targets. Lately it has come to describe any
relentless attacker with way more money and far better tech than the target.
Though it isn't normally applied at this level, the scenario exactly
describes adtech as the APT and ordinary browser users as the targets.
Adtech is relentless, utilizes cutting-edge technology, and has R&D
capabilities far greater than the resources available for countermeasures.
Ordinary users who lack specialized skill, resources, and political influence
actually are "poor little passive us" compared to the forces brought to bear
on them.
If you'll excuse me, I now have to go write a piece on anti-bullying that
suggests getting bullies to behave better is a more appropriate solution than
arming victims.
Kind regards,
-- T.Rob
T.Robert Wyatt, Managing partner
IoPT Consulting, LLC
+1 704-443-TROB
https://ioptconsulting.com
https://twitter.com/tdotrob
> -----Original Message-----
> From: Don Marti
> Sent: Monday, September 22, 2014 11:24 AM
> To: T.Rob
> Cc: 'ProjectVRM list'; 'Doc Searls'; 'M a r y H o d d e r'
> Subject: Re: [projectvrm] The marketing/cybercrime symbiosis
>
> begin T.Rob quotation of Mon, Sep 22, 2014 at 12:46:32AM -0400:
>
> > I'm also finding it difficult to draw the line that designates public
> > versus private space on the Internet because there is no opt-out of
> malvertising.
> > The deal we are offered is to either accept the adtech or else don't
> > use the site. But even though "the site" might arguably be public,
> > the ads that are being served aren't coming from the site you are
> > visiting. So it's not like "I went to wsj.com and all these ads were
> > there." A more accurate description would be "I went to wsj.com and
> > they silently gave access to my browser session to 35 non-WSJ domains
> > who then downloaded 200 scripts to my PC and executed them without my
> > knowledge or consent, and without any accountability as to what
> > exactly those scripts do to my PC or what information they collect."
>
> This is mixing up the subject and object of the sentence. Normally I try
> not to be a grammar nerd, but in this case, the way that we communicate
> about the problem is interfering with getting an answer.
>
> The web browser is the active side here. The developers of the browser
> can decide the policies for how to handle security and privacy issues.
> The browser makes a request of the web server on behalf of the user. Then
> the browser has the option of following up on it, to ask the same server
> or other servers for additional resources that were mentioned on the page
> the user asked for.
>
> The more that we try to make the server side into the subject of the
> sentence, the more that the problem tends to look like "please, please,
> big bad example.com, stop tracking poor little passive us".
> That way lies petitions, meetings, long arguments, and failure.
>
> When we make the browser into the subject of the sentence, then it's more
> natural to say, oh, I have software on my computer with a bug in it. What
> can I do to switch to something better (Apple Safari blocks third-party
> tracking by default, and MSIE has Tracking Protection Lists) or install a
> workaround (Disconnect or Privacy Badger)?
>
> > Would you be OK with it if you went to the mall and while you were
> > inside 35 different companies put GPS trackers on your car then broke
> > in and slathered the dashboard and windshield with advertising printed
> on adhesive stickers?
> > Because what you see in context of the WSJ page is one thing.
> > Downloading scripts onto your PC, causing your PC to execute them, and
> > then exfiltrating data from your PC back to the mother ship is a whole
> > lot more like finding your car bugged and covered in ads than it is
> > seeing a billboard while walking in the park.
>
> I like analogies as much as the next person. But let's stick with
> analogies that are closer to how the web works. The browser isn't an
> inert parked car.
>
> Imagine a nosy timeshare sales rep hanging out in the lobby of your bank,
> asking all kinds of personal finance questions. (You don't know why the
> bank decided to let him in.)
>
> Now imagine that the bank advertises ride-through banking. You decide that
> would be a great time-saver, saddle up your horse, and ride in to do your
> bank business.
>
> But this time, the sales rep starts asking your _horse_ the questions, and
> your horse answers -- clop, clop, clop with a front hoof on the marble
> floor of the bank.
>
> The partly trained horse is like today's web browser.
> Some of them are making progress, though.
>
> --
> Don Marti
> http://zgp.org/~dmarti/