You probably won’t be targeted by spyware, but if you are, odds are you won’t know about it. The latest spyware slips in unseen through online ads as you go about your digital life.
This is the crazy thing about ads. The ad network and site operators should be responsible for making sure both the ads and the people putting up the ads are trustworthy. The reason I now block all ads is this reason. Neither party cares and they are willing to act as a conduit for this stuff. In most other industries orgs are responsible for their supply chains.
Ah, but see that would require actual human attention and judgment for the vetting process, which would cost money. Automating the ad selling process is so much better… for the shareholders.
Hmm, sarcasm aside, now I’m thinking about it and wondering if you could at least automatically scan the ad content and distinguish between say, a jpg or webp image and a potentially malicious executable. If you could prevent ads from running any code, and only allow them to display static images, that might be good enough.
There are plenty of ways. They probably just do not want to do it. Easiest might be only certain allowed formats and all the content must be on the ad networks servers. They could allow more options for vetted business partners.
The problem with this is that I can label a file any format I want, because ultimately the file is just a string of binary. A lot of file formats use embedded headers to make them identifiable regardless of label or metadata, but it’s completely possible to fake those. I could even give you an image file that is malware, which would be difficult to identify until it actually did something malicious.
I think to be sure, you’d have to basically detonate every ad file in a sandbox environment to see if it tried do anything unexpected, which would be… less than simple. You’d have to check it across every major browser and OS, because it might only operate on specific systems.
This is the crazy thing about ads. The ad network and site operators should be responsible for making sure both the ads and the people putting up the ads are trustworthy. The reason I now block all ads is this reason. Neither party cares and they are willing to act as a conduit for this stuff. In most other industries orgs are responsible for their supply chains.
Ah, but see that would require actual human attention and judgment for the vetting process, which would cost money. Automating the ad selling process is so much better… for the shareholders.
Hmm, sarcasm aside, now I’m thinking about it and wondering if you could at least automatically scan the ad content and distinguish between say, a jpg or webp image and a potentially malicious executable. If you could prevent ads from running any code, and only allow them to display static images, that might be good enough.
There are plenty of ways. They probably just do not want to do it. Easiest might be only certain allowed formats and all the content must be on the ad networks servers. They could allow more options for vetted business partners.
The problem with this is that I can label a file any format I want, because ultimately the file is just a string of binary. A lot of file formats use embedded headers to make them identifiable regardless of label or metadata, but it’s completely possible to fake those. I could even give you an image file that is malware, which would be difficult to identify until it actually did something malicious.
I think to be sure, you’d have to basically detonate every ad file in a sandbox environment to see if it tried do anything unexpected, which would be… less than simple. You’d have to check it across every major browser and OS, because it might only operate on specific systems.