Re: [projectvrm] The marketing/cybercrime symbiosis

[Don Marti < >]

begin Doc Searls quotation of Mon, Sep 22, 2014 at 02:46:53PM -0400:

> Let's say you (Don, T.Rob or anybody who wants to weigh in) were running 
> Mozilla. What would you do to make Firefox (or a "safe" version of it) work 
> for us and not for the #adtech and #malvertising mills? And that serves our 
> intentions as users and customers, for example by expressing *our* terms 
> and policies?

 * Tor Browser Bundle and Tails have much tougher
   privacy requirements than run-of-the-mill
   tracking-avoiding users.  Help Tor as much as
   possible by putting TBB and Tails-friendly work
   upstream.

   Yes, that means fixing a bunch of hard stuff:
     https://wiki.mozilla.org/Fingerprinting
   Good that Mozilla is thinking about it, but more
   work needed.

   The less that the "high-privacy" browser has to be
   different from the "mainstream" browser, the better
   for everyone.  High-privacy users get extra quality
   and maintenance, regular users get extra
   privacy/security.

 * Put the privacy options up front at browser install
   time.  Don't make the DNT mistake that the
   MSIE team did -- it's too easy for ad networks
   to justify ignoring DNT if it's the default.
   Start users off with a couple of basic options,
   not a single default.

 * Steal all of EFF Privacy Badger's work and build it
   in.  Make DNT/PB one of the options.

 * Make "Kangaroo Cookie Court" a thing.  Hire an
   artist to do a cute kangaroo mascot.  Kangaroo and
   badger plush toys for all!  (Make a semi-cute bad guy
   mascot, too: a hoodie-wearing bug with long antennae?)

> On Sep 22, 2014, at 2:33 PM, T.Rob 
> <
 >
>  wrote:
> > I would agree with most of this except that we are locked in an 
> > escalating tech war in which people utilize the browser controls 
> > available to them and malvertisers then invent new tech to circumvent the 
> > user-side controls.  This is the same war we are locked in with regard to 
> > virus software and in fact it is getting harder to differentiate between 
> > invasive adtech versus viruses.  Furthermore, the content at the domain 
> > to which we surf has written code into their page which a) refers the 
> > browser to 3rd party domains and b) is often designed to make rendering 
> > of the content contingent on the user having rendered the invasive 3rd 
> > party malvertising.  It is not as though the content server is innocent 
> > in all of this.

All true.  Everyone is responding to incentives.
The browser is the one player that the user has
the most influence over, though.  You can switch
browsers, or add a privacy extension, faster than
you can petition every content site to which someone
might send you a link.

> >> The more that we try to make the server side into the subject of the
> >> sentence, the more that the problem tends to look like "please, please,
> >> big bad example.com, stop tracking poor little passive us".
> >> That way lies petitions, meetings, long arguments, and failure.
> >> 
> >> When we make the browser into the subject of the sentence, then it's more
> >> natural to say, oh, I have software on my computer with a bug in it.  
> >> What
> >> can I do to switch to something better (Apple Safari blocks third-party
> >> tracking by default, and MSIE has Tracking Protection Lists) or install a
> >> workaround (Disconnect or Privacy Badger)?
> > 
> > Sounds a bit like victim blaming. We were "asking for it" because we 
> > didn't install the latest leading-edge anti-malvertising tech? 

The question isn't who's the ultimate cause of
malvertising, it's what can we do to fix it.
Ultimately the wannabe malvertisers will suffer
adverse consequences, and legit advertisers will
benefit.  Fix bugs where they present themselves to
be fixed, and let whatever justice there is in the
universe do its (slow) work.

> > In the IT security industry the phrase "advanced persistent threat," or 
> > APT, describes a determined attacker with advanced technology and vast 
> > resources available for R&D.  Originally this referred to nation-states 
> > attacking national infrastructure targets.  Lately it has come to 
> > describe any relentless attacker with way more money and far better tech 
> > than the target.  Though it isn't normally applied at this level, the 
> > scenario exactly describes adtech as the APT and ordinary browser users 
> > as the targets.  Adtech is relentless, utilizes cutteing-edge technology, 
> > and has R&D capabilities far greater than the resopurces available for 
> > countermeasures.  Ordinary users who lack specialized skill, resources, 
> > and political influence actually are "poor little passive us" compared to 
> > the forces brought to bear on them.

Adtech can't even protect itself from Florida-based
fraud rings, and you're putting it down for "vast
resources?"

Yes, malvertisers are sneaky, and yes, browser vendors
need to keep their eye on the ball to protect user
security/privacy.  But that's no different from the
situation faced by any other Internet-facing software.

Legit vendors and users together can beat malware in
all its forms, at least well enough to keep business
and civilized society going on the Internet.

-- 
Don Marti                    
http://zgp.org/~dmarti/