As such I went along with allowing google ads since it seemed like a good middle ground between not wanting to have everything pay-walled off and still allowing sites to generate ad money
The claim is that a YouTube ad was serving malware.
However, upon reading the article, it seems that:
1. Somebody purchased legitimate YouTube ad space.
2. They then redirected that traffic twice through two other legitimate ad networks.
3. They then broke into a Polish government website, and funnelled the traffic there, to serve up malware.
That certainly doesn't seem to be a case of Google/YouTube serving up malware - if anything, these attacks went to a lot of trouble to obscure from YouTube what they were doing, precisely so they wouldn't get shut-down (presumably by either YouTube, or the two other ad networks they were piggy-backing on).
You could argue, they should have caught them earlier - but isn't that a bit like blaming your email provider that you got a spam/malware email - when the actual party to blame is the person sending you aforesaid spam/malware?
I'm not sure what you expect "Google ads serving malware" to mean other than exactly this. Of course it's not as simple as going into Google ad manager and clicking "upload virus". The fact that it included partner networks and a compromised website is unsurprising. When malware makes it through ad networks, it is common for it to take that kind of approach. At the end of the day you're effectively exploiting networks of trust.
>>> has google ads been responsible for virus/malware in the past?
Yes. Very much so.
Look for "VLC download" for instance, the first ads should be adware sites that distribute a fake version of the software and they paid to get that top search position.
Not doing it in the first place, of course! Because this has happened with VLC (a fact you seem to ignore), maybe they fixed it by now, or maybe it's temporary, or maybe you're just not in the "stupid people that would fall for this" filter bubble, but for quite a while Google Ads have been responsible for serving malware and damaging people's computers.
Also just because they try and fix it after the fact for VLC, doesn't mean it's not still happening for all sorts of other software. Google's approach for curation of ads is just not suitable to be able to provide a platform this large in a responsible manner (and I doubt it can ever be, but that doesn't give them a free ticket to behave irresponsibly).
Maybe you've forgotten what this thread was about in the first place, but if their policy is "we will remove ads that contain/link to malware as soon as they are (made) aware of them", then:
1) it's still a perfectly smart choice to use an adblocker because you can still get malware from ads (in addition to many of the other reasons such as opting out of clickbait timewasters, whose "innocence" evaporates as soon as you consider their scale), and a particularly important and smart choice to install it on people's computers that would actually fall for such a fake download link, which is not the HN crowd.
2) as a publisher, I would DEFINITELY want a much tighter guarantee on not serving/linking malware than "we'll remove it when we see it" because now it's not just my safety on the line (or my father trying to download VLC cause I told him over the phone, etc) but my entire audience!
I know I am careful personally, what to click and install, but I honestly wonder how long I myself could keep a fresh Windows install malware-free without running an adblocker. Some of those things are nasty clever and misleading (not thinking about Google Ads in particular, here). Ever consider the amount of good those people are doing? The ones writing the adblockers and keeping the blocklists up-to-date? They are not even getting paid to do it. It gives me such a bitter taste, every time I see a website whining about my adblocker usage. If you care so much, why are you using a third party ad network. If hosting and linking and curating your own advertisements is too much to ask, well then so is me whitelisting your site, sheesh.
"Malware, short for malicious software, is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. Before the term malware was coined by Yisrael Radai in 1990, malicious software was referred to as computer viruses." [1] [2]
I don't think most people would consider Google's purposeful display ads, which site owners choose to put there and customers expect to see, 'Malware.' I think Adware/Advertising Malware refers to software that shows unexpected ads, such as after you leave the site, or installing software on your computer that randomly shows ads.
> disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising
"Google Ads" is injected third-party code that literally does all of these things (and goes through quite some trouble to obfuscate it) (even if us techies are aware).
And they pay people to serve it to you.
I would like to consider my Android phone to be a "private computer system", yet Google has full access to it and they will disrupt its operations whenever I try to prevent them from either 1) gathering sensitive information or 2) displaying unwanted advertising.
But it came with Android when I bought it, yes? And I chose to agree to this agreement or something, right? Well first, we know by now that this "choice" is mostly illusion. I put Cyanogenmod on it to better protect myself, but the disruption persists and it merely exposes how aggressive the malware in fact is as soon as you put up any form of resistance. The mob can also be real nice people if you don't stand in their way. Also, if you buy a new laptop, the crapware it comes bundled with, is that malware? What if it would disrupt and limit the operation of this laptop if you decide not to use it (yes you must actually use it and thus provide them with sensitive private tracking data, not merely refrain from trying to uninstall it).
Of course I don't really consider my phone to be a "private computer system", not any more, but that is exactly the sad state of affairs. I can't consider it private because I am aware of the above and my lack of real choice in the matter. But this way you can argue that any computer system that malware has gained access to, is no longer private. But that is basically just giving up.
It's a very natural human instinct to legitimize something just because it's the largest, most successful player. There's an internal urge to want to side with the winner. But not all human urges are rational or even okay to give in to, without seriously considering the implications.
Well... You do have the choice to buy a phone with an OS from a company who's business is to sell phones, rather than ads, don't you? Seems a bit absurd to claim a lack of real choice in this instance.
I think they are talking about the tracking capabilities of these ads, which are unexpected by the user and compromise their privacy. Thus, they behave as malware.
I have gone so far as to suggest a significant portion of Google's revenue is likely serving malicious content, which leaves them very little incentive to do anything about it.
Almost every senior citizen I've ever had clean up malware for got it from a malicious search ad. And the tech support scams they continue to list take advantage of tons of people as well.
I've pointed out before that Google happily lists phone numbers of tech support scams on search terms for Windows tech support, but doesn't show ads at all if you look for Chromebook support, pointing you straight to their official contact.
As a note, if anyone would like to see examples of this in action, I can go get screenshots and example links and everything, it just takes a little while to put together, as I would prefer to offer evidence of what I see "today" rather than any past examples I might have.
> I have gone so far as to suggest a significant portion of Google's revenue is likely serving malicious content, which leaves them very little incentive to do anything about it.
That's quite a serious accusation :). One that is not substantiated by the facts:
A Google blog post is not "the facts". A Google blog post is, in fact, an ad for Google. Your sources should be independent, and independently verifiable. What Google says they do is useless, because it cannot be verified.
Do you have anything specific that would refute anything in the report? Simply mounting an ad-hominem attack doesn't add anything to the discussion.
It's like somebody saying "Tesla cars suck - they explode". And Elon Musk comes out and says, "No they don't, here's the testing/validation we did". And you say "Oh but...but....you work for Tesla. It must be lies!"
If there's factual inaccuracies - of course, that's a different story. But you seem to be simply saying, "They must be lying, because that suits my narrative, so I'm not going to bother trying to refute it".
Reply All did a great episode about google assisting in scammers operations inadvertently. It primarily focuses on the barrage of cheap shady lock smith services offered as sponsored ads at the top of google results.
It is quite exaggerated to say that a significant portion of Google's revenue comes from serving malicious content.
But malicious content (even on the SERP) is common enough that one of the most effective steps that you can do to protect senior citizens from malware is to install a good ad blocker. The ironic thing is that the search algorithm does a decent job of filtering out malicious sites from appearing on the first page, but that does no good if there is a malicious ad right above the filtered results.
That's a key point. Google's primary business model relies on convincing you to not click on the "best search result". This is why they have, over time, reduced the visible difference between ads and real results. I've regularly found that lay users are not aware they are clicking on ads when they click on Google's search ads.
Even if Google is removing "x million bad ads", they are merely replacing bad ads with other bad ads. Removing bad ads doesn't significantly impact their revenue. I'd argue that while Google is willing to make gestures like removing some ads, they are unwilling to do what's necessary to protect users: Stop serving ads entirely where malicious ads are particularly prevalent, and clearly highlight the difference between ads and search results.
Wow, thanks for this. I've been using an adblocker for a while (and even before, I was "blind" to Google ads), but it's really ridiculous what comes up by searching for e.g. "windows help" or "hp support". Shame on Google!
I've known several people on the abuse teams for ad revenue at Google and I can tell you they work very hard and care deeply at preventing malware. It is, however, an extremely non-trivial task.
To be clear, I don't really fault those people specifically, I'm sure they do the absolute best at the jobs they are given. But this is a systemic issue with Google and the sort of solution that would actually fix it would cost more profits than they intend to spend on unimportant issues like protecting consumers from fraud.
I thought they were, while still annoying, safe from serving such content. So much that if they detect your site has malware they prevent it from serving their ads https://support.google.com/adwordspolicy/answer/1308246?hl=e...
As such I went along with allowing google ads since it seemed like a good middle ground between not wanting to have everything pay-walled off and still allowing sites to generate ad money