

Re: [projectvrm] The marketing/cybercrime symbiosis


  • From: Doc Searls < >
  • To: "T.Rob" < >
  • Cc: Don Marti < >, ProjectVRM list < >, Mary Hodder < >
  • Subject: Re: [projectvrm] The marketing/cybercrime symbiosis
  • Date: Mon, 22 Sep 2014 14:46:53 -0400

+1 on this thread. Well doing, everybody.

Let's say you (Don, T.Rob or anybody who wants to weigh in) were running
Mozilla. What would you do to make Firefox (or a "safe" version of it) work
for us and not for the #adtech and #malvertising mills? And that serves our
intentions as users and customers, for example by expressing *our* terms and
policies?

Doc

On Sep 22, 2014, at 2:33 PM, T.Rob < > wrote:

> Don,
>
> I would agree with most of this except that we are locked in an escalating
> tech war in which people utilize the browser controls available to them and
> malvertisers then invent new tech to circumvent the user-side controls.
> This is the same war we are locked in with regard to virus software and in
> fact it is getting harder to differentiate between invasive adtech versus
> viruses. Furthermore, the content at the domain to which we surf has
> written code into their page which a) refers the browser to 3rd party
> domains and b) is often designed to make rendering of the content
> contingent on the user having rendered the invasive 3rd party malvertising.
> It is not as though the content server is innocent in all of this.
>
>> The more that we try to make the server side into the subject of the
>> sentence, the more that the problem tends to look like "please, please,
>> big bad example.com, stop tracking poor little passive us".
>> That way lies petitions, meetings, long arguments, and failure.
>>
>> When we make the browser into the subject of the sentence, then it's more
>> natural to say, oh, I have software on my computer with a bug in it. What
>> can I do to switch to something better (Apple Safari blocks third-party
>> tracking by default, and MSIE has Tracking Protection Lists) or install a
>> workaround (Disconnect or Privacy Badger)?
>
> Sounds a bit like victim blaming. We were "asking for it" because we didn't
> install the latest leading-edge anti-malvertising tech?
>
> Example: Here's a WSJ blog post on #adtech stating "there is no one size
> fits all model." Note that the post is hosted on a page that loads 200
> scripts from 35 non-wsj.com domains. http://iopt.us/1mpt6XT To get to that
> number with NoScript it was necessary to hit Temporarily Allow All about 5
> times. That means the scripts WSJ embedded on their base page loaded more
> scripts nested to about 5 levels deep. Each of these 35 domains has its
> own privacy policy and TOS that each take longer to read than does the
> content. The reason that scripts are nested in this way is so that the
> hard-coded script references on the content server can remain static whilst
> the scripts responsible for loading malvertising can be dynamic. That
> means it might be substantially more or less or different scripts/domains
> tomorrow. Does WSJ, or any content server for that matter, check that the
> malvertising content and scripts out to 5 levels of nesting are safe or
> that they stay within the bounds of WSJ's own TOS and privacy policy? Or
> do they just warn us that they aren't responsible for the crap they
> bootstrapped into the browser by coding it into their page? And 5 levels
> of nesting is about as benign as it gets. I've found sites with much more
> than that.
>
>> But this time, the sales rep starts asking your _horse_ the questions, and
>> your horse answers -- clop, clop, clop with a front hoof on the marble
>> floor of the bank.
>
> Your analogy is good but incomplete. Let me catch you up a bit.
>
> First of all, it isn't a sales rep. It is the sales rep the bank invited
> in, plus his invitees, plus their invitees, and so on. Many of the
> invitees below the second level are members of organized crime using the
> legitimate sales rep's credentials to gain access to the bank's lucrative
> customer pool.
>
> Second, some of these sales reps, all of whom have credentials to the
> bank's property but almost none of whom are vetted or known to the bank,
> have discovered how to steal the customer's banking credentials right out
> of the saddlebag. Customers are getting financially cleaned out, being
> impersonated, and in some cases lose their lives. Everyone, with the
> exception of some of the customers, knows this. Everyone who is not a
> customer deems the risk acceptable. None of these people who accept the
> risk actually bear the burden of the risk. Now that the bank, an
> institution of some good repute, has actually become a dangerous place to
> visit they disclaim any responsibility for the shenanigans going on with
> the sales reps and claim they would go bankrupt without the revenue stream
> provided by the crooks in the lobby and drive-through.
>
> Knowing the dangers, I taught my horse not to answer but the sales rep
> attached some GPS trackers to him when I wasn't looking. I learned to
> sweep for those so the sales rep put them in a sugar cube and fed them to
> the horse. When I muzzled the horse the sales rep donned some long gloves
> and started spending time behind the horse. Once I figured that out, the
> bank changed their policy so they no longer provided banking services
> unless my horse had been anal-probed and they could detect a live signal.
> I looked for another bank and discovered they were all doing the same
> thing. When I objected, I was told that I could always choose to not use
> the services of banks. When I objected that this wasn't practical, I was
> told that the burden is on me to demand a more effectively
> sales-rep-resistant horse because banks will be banks, after all, and they
> are innocent in all of this.
>
> Don, there's a steaming pile behind your horse analogy. It turns out that
> you can lead a horse to the teller window but you can't make it think.
>
> In the IT security industry the phrase "advanced persistent threat," or
> APT, describes a determined attacker with advanced technology and vast
> resources available for R&D. Originally this referred to nation-states
> attacking national infrastructure targets. Lately it has come to describe
> any relentless attacker with way more money and far better tech than the
> target. Though it isn't normally applied at this level, the scenario
> exactly describes adtech as the APT and ordinary browser users as the
> targets. Adtech is relentless, utilizes cutting-edge technology, and has
> R&D capabilities far greater than the resources available for
> countermeasures. Ordinary users who lack specialized skill, resources, and
> political influence actually are "poor little passive us" compared to the
> forces brought to bear on them.
>
> If you'll excuse me, I now have to go write a piece on anti-bullying that
> suggests getting bullies to behave better is a more appropriate solution
> than arming victims.
>
> Kind regards,
> -- T.Rob
>
> T.Robert Wyatt, Managing partner
> IoPT Consulting, LLC
> +1 704-443-TROB
> https://ioptconsulting.com
> https://twitter.com/tdotrob
>
>
>> -----Original Message-----
>> From: Don Marti [mailto: ]
>> Sent: Monday, September 22, 2014 11:24 AM
>> To: T.Rob
>> Cc: 'ProjectVRM list'; 'Doc Searls'; 'Mary Hodder'
>> Subject: Re: [projectvrm] The marketing/cybercrime symbiosis
>>
>> begin T.Rob quotation of Mon, Sep 22, 2014 at 12:46:32AM -0400:
>>
>>> I'm also finding it difficult to draw the line that designates public
>>> versus private space on the Internet because there is no opt-out of
>>> malvertising.
>>> The deal we are offered is to either accept the adtech or else don't
>>> use the site. But even though "the site" might arguably be public,
>>> the ads that are being served aren't coming from the site you are
>>> visiting. So it's not like "I went to wsj.com and all these ads were
>>> there." A more accurate description would be "I went to wsj.com and
>>> they silently gave access to my browser session to 35 non-WSJ domains
>>> who then downloaded 200 scripts to my PC and executed them without my
>>> knowledge or consent, and without any accountability as to what
>>> exactly those scripts do to my PC or what information they collect."
>>
>> This is mixing up the subject and object of the sentence. Normally I try
>> not to be a grammar nerd, but in this case, the way that we communicate
>> about the problem is interfering with getting an answer.
>>
>> The web browser is the active side here. The developers of the browser
>> can decide the policies for how to handle security and privacy issues.
>> The browser makes a request of the web server on behalf of the user. Then
>> the browser has the option of following up on it, to ask the same server
>> or other servers for additional resources that were mentioned on the page
>> the user asked for.
>>
>> The more that we try to make the server side into the subject of the
>> sentence, the more that the problem tends to look like "please, please,
>> big bad example.com, stop tracking poor little passive us".
>> That way lies petitions, meetings, long arguments, and failure.
>>
>> When we make the browser into the subject of the sentence, then it's more
>> natural to say, oh, I have software on my computer with a bug in it. What
>> can I do to switch to something better (Apple Safari blocks third-party
>> tracking by default, and MSIE has Tracking Protection Lists) or install a
>> workaround (Disconnect or Privacy Badger)?
>>
>>> Would you be OK with it if you went to the mall and while you were
>>> inside 35 different companies put GPS trackers on your car then broke
>>> in and slathered the dashboard and windshield with advertising printed
>>> on adhesive stickers?
>>> Because what you see in context of the WSJ page is one thing.
>>> Downloading scripts onto your PC, causing your PC to execute them, and
>>> then exfiltrating data from your PC back to the mother ship is a whole
>>> lot more like finding your car bugged and covered in ads than it is
>>> seeing a billboard while walking in the park.
>>
>> I like analogies as much as the next person. But let's stick with
>> analogies that are closer to how the web works. The browser isn't an
>> inert parked car.
>>
>> Imagine a nosy timeshare sales rep hanging out in the lobby of your bank,
>> asking all kinds of personal finance questions. (You don't know why the
>> bank decided to let him in.)
>>
>> Now imagine that the bank advertises ride-through banking. You decide that
>> would be a great time-saver, saddle up your horse, and ride in to do your
>> bank business.
>>
>> But this time, the sales rep starts asking your _horse_ the questions, and
>> your horse answers -- clop, clop, clop with a front hoof on the marble
>> floor of the bank.
>>
>> The partly trained horse is like today's web browser.
>> Some of them are making progress, though.
>>
>> --
>> Don Marti
>> http://zgp.org/~dmarti/
>>
>
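As an added example (not code from the thread or from any project mentioned in it), here is a small inventory of the third-party script and frame sources a content page hands the browser off to, the static counterpart of the NoScript count T.Rob describes. The page URL and host names are constructed placeholders, and the domain grouping is a simplification flagged in the code.

```python
# Added example (not from the thread): statically inventory the third-party
# script and frame sources a content page embeds.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def registrable_domain(host: str) -> str:
    # Approximate the site as the last two labels. Assumption: a real audit
    # would use the Public Suffix List; this mis-groups hosts like x.co.uk.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _SourceCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag, attrs):
        # Only <script src> and <iframe src> are collected here.
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.sources.append(src)


def third_party_sources(page_url: str, html: str) -> dict[str, list[str]]:
    """Map each third-party site to the resource URLs the page loads from it."""
    parser = _SourceCollector()
    parser.feed(html)
    first_party = registrable_domain(urlsplit(page_url).hostname or "")
    found: dict[str, list[str]] = {}
    for src in parser.sources:
        absolute = urljoin(page_url, src)   # resolves relative and //host URLs
        host = urlsplit(absolute).hostname
        if not host:                        # data: / javascript: sources
            continue
        site = registrable_domain(host)
        if site != first_party:
            found.setdefault(site, []).append(absolute)
    return found


# Constructed sample page; the third-party hosts are placeholders, not real ones.
SAMPLE_URL = "https://news.example.com/2014/09/adtech-post"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example.com/lib.js"></script>
<script src="https://tags.tracker-one.test/loader.js"></script>
<script src="https://pixel.tracker-one.test/p.js"></script>
<script async src="https://ads.tracker-two.test/ad.js"></script>
<iframe src="https://frames.tracker-three.test/unit"></iframe>
</head><body><p>content</p></body></html>"""

if __name__ == "__main__":
    for site, urls in sorted(third_party_sources(SAMPLE_URL, SAMPLE_HTML).items()):
        print(f"{site}: {len(urls)} resource(s)")
```

Static HTML only shows the first level of references; the scripts those scripts go on to load (the nesting T.Rob counted to about five levels) are visible only at runtime, for example in a browser's network log.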