108 comments

[ 3.1 ms ] story [ 129 ms ] thread
Wow, those ads convert well enough to be worth the clicks? Must be even shadier on the other side of the click.
This is one of the examples of why I consider Google a malware distributor. This sort of stuff just continues undealt with.

Companies should be held responsible for the ads they distribute, it's the only way to make them care enough to vet the ads they push.

(comment deleted)
I find that article hilarious with this context: https://arstechnica.com/information-technology/2016/02/googl...
Yeah, everyone got so riled up they forgot to see that this article is from 2013
Nothing has changed though. You still get these kinds of ads pretty much every time you visit the site. It doesn't matter that the article is from 2013 when the problem it describes still exists. That it has existed this long, despite people pointing it out, just makes it even worse.
That's my point though. Four years ought to be time enough for them to sort this out after implementing that new view on ads. What's worse, that initiative was about blocking sites altogether if they had this crap on them, despite still allowing their own partners to use these practices.
Yet, nothing of that sort has happened.

Screenshot taken 2 minutes ago: http://i.imgur.com/FOcB46m.png

And yet, yesterday, people were downvoting me because of my skepticism regarding the latest "we're going to keep Android installations updated -- no, really!" initiative.

Technically, this latest initiative actually makes sense.

But, manufacturers still want to sell new devices, and carriers want to move them, with mark-up. And there's no dis-incentive to this "abandon and re-sell" incentive.

And mostly, Google doesn't stick with things, any more.

Color me skeptical. Time to go and "Download" me a new phone...

----

P.S. I don't begrudge the Paint.NET developers recompense for their work. Although, as I recall, it originally came out of the University of Washington, presumably with some funding behind it (many years ago, and perhaps no more).

I've used it, upon occasion, and it's a very good substitute for everyday "photo-shopping", as it were.

But the ads, as described/demonstrated, sure seem to be at odds with the old "do no evil" or whatever it was. Loading grandma up ('Download! HERE!') with 5 "toolbars" and nag-ware? Bad Google.

Thanks for the link. I wondered what happened to that policy
This is trivially solved with an ad blocker. Frankly, I do not see the problem. Why should you rely on Google/Paint.NET/state legislation when the solution is literally a few button clicks away on both chrome and firefox? All browsers should come with ad blockers by default. Hell, the OS should come with blocking hosts.txt. That would make the digital world a whole lot safer. And before you say the internet will die, I'd be more than willing to pay a subscription fee for stuff like youtube and twitch.tv. Or there could still be ads like here on hackernews, relevant and embedded in the site.
As much as I agree that the problem is solved for those who know about ad blockers, many people (e.g. non-hacker news types!) do not know about them. In any case, whether users can solve this by installing an ad blocker is beside the point - this is really shitty behaviour that I wouldn't have expected Google to allow, or for Paint.NET to allow on their site.
I think a lot of the reason Google has been allowed to get away with this is because of ad blockers... the people in a position to most loudly condemn the practice and push for change... aren't using the same Internet as the rest of us, they don't see the problem.
I don't see any problem too. Now they download something that is not paint.net , next they download and run malware. In this case the cost of mistake is cheap. Let them learn from their mistakes. What we need is to educate people how to download and run what they really need, not blindly clicking the biggest banner on the page.
> In this case the cost of mistake is cheap. Let them learn from their mistakes.

All well and good until they unwittingly become part of a botnet and start attacking the rest of us...

It has been, for some time in the U.S., frowned upon, if not simply illegal, to partake in deceptive advertising practices. This "things are different now in the internet age" is getting a bit tiring. It should not fall upon the user to protect against this when we ALREADY have laws/rules in place to protect them.
I'm curious why these ads are even allowed to get through the network in the first place. Is there just NO content reviewing taking place? That's seems negligent on Google's part. There is no reason for an ad like that to exist on any webpage, period. It should have been blocked at the source.

Where is the 3-strikes policy in the ad space? Google is so eager to punish its Youtube streamers for running questionably offensive content, and yet it continues to let advertising scum like this run rampant across its ecosystem.

I wonder if they ran an A/B test on customer spending depending on the time it takes from "uploading" an ad to the network and the ad showing positive metrics. My guess is the result of such a finding would impact the duration and thoroughness of the review process.

And my guess is youtubers make up such a small slice of revenue that the threat of lawsuits outweighs the convenience of the customer.

I highly doubt it has to do with the time it takes to have someone review the submission. Google does not like hiring people to do things it thinks algorithms can do adequately, because people cost a lot more than servers.
At least on adwords, you get a "quality score" for ads, which is essentially a clickthrough rate, which lowers your cost per impression. In this case, I assume those ads get a high clickthrough rate due to being terribly misleading, which leads the algorithm to believe these ads are the most appropriate for this ad slot (they are if the only metric you care about is money going into Google's pockets).
What is amazing is that this is the easiest type of content check to automate.
> Google is so eager to punish its Youtube streamers for running questionably offensive content, and yet it continues to let advertising scum like this run rampant across its ecosystem.

Youtube streamers are not cients, they are content creators. Just like newspaper sites, the average email user, or, in this case, paint.net.

Google can afford to treat content creators poorly, but they won't slight real clients : people actually paying them money. No matter how scummy these are.

And one of the download button ads that I just checked (EasyPDFCombine) is "getting trough" 3 separate Google "reviews" if I understand correctly how this scheme works:

1. The misleading download button Google ad.

2. After clicking the ad they ask the user to install their extension from the Google Chrome Web Store [1].

3. After installation, the extension replaces new tab page with their own which includes a "custom" search engine "Enhanced by Google" [2].

4. PROFIT!!!? They make money when the user clicks a Google ad in their search results on that new tab page.

I'm not sure how it's worth it for Google because with the extension installed they are sharing part of their search results revenue with the owner of the extension compared to the users directly using the Google search when there is no extension to "hijack" it.

From the users perspective: Sure, it's not a ransomware level malware but it's still a PUP and the users are annoyed that they were "tricked" into installing it and their new tab page has been changed, as it can be seen in almost all of the reviews for their chrome extension, and almost all the first page google result for "EasyPDFCombine" is about how to remove this "virus".

It's the same decade old trick from the same company: Mindspark aka MyWebSearch aka Ask Toolbar and many more names.

[1] https://chrome.google.com/webstore/detail/easypdfcombine/kpo...

[2] http://hp.myway.com/portal/ttab02/index.html

I found this kind of misleading download buttons to be very common for free (no-cost) Windows software, and I also can't understand why Google is unwilling to put a stop to it. I'm pretty sure that this class of advertisement can be quite reliably identified with machine learning techniques, of which Google is so fond.
I think this was the exact same downfall as SourceForge. It's great we don't live in the SoftPedia/SourceForge days anymore (or maybe it's just me, I'm on a Mac now).
My question is why is it so easy to have advertisements that directly link to downloadable software? If I'm clicking on an advertisement I want to know more about a product, not be forced to run a binary of which I have no certainty of it's true purpose. Or am I thinking wrong? If you disallow download based advertising including linking to pages that only offer you a download, this could be a little more useful against malvertisements. More reason to run an adblocker.
The problem is enforcement. Telling malware distributors "that's not allowed" obviously isn't going to do anything, and it's easy to have the ad go to one place when Google is investigating and another when a user clicks the ad in the wild.
I can't believe Google couldn't categoricatically add context to these type of ads if they really cared.

Google knows the ad link. Google can crawl the target page / file. If it's an installer, Google can run it in a VM and note what ends up being installed.

If you can't pull a clear "this is crapware" signal out of that, then their ML is a lot less advanced than it seems.

And if they can, then just automatically put a stronger visual border around it with something like "This is an advertisement" in bold. Then let advertisers sort it out. Google penalizes SEO they disagree with all the time, and people stop doing it because they don't want to take the hit.

And I'm pretty sure it is (image recognition) and they don't... so... advertising buys trump "don't be evil."

They would care if thousands of organisations pulled their advertising over it.
I really wish this were the case. It would be nice if more organizations were more action oriented against malvertisement. I seem to recall there was one blog / news site that got rid of Google Adsense from their website here on HN not over a year ago, and I'm sure others have. It's really sad that Google doesn't put any effort (that we know, though we would see less of this) against these advertisements.
Clicking the advertisement does what you want. It doesn't download anything (at least the one I clicked on), it takes you a site with more information where you can download the advertised thing.
I don't think 2013 article is still relevant today.
It's still relevant. I took this screenshot a few seconds ago: https://i.imgur.com/6LoQ3TW.png
Today I visited the site again and now it started to show me the same download ads.

So it is still relevant. But how these ads are able to pass through AdWords review.

(comment deleted)
And nothing has changed in 2017 from both sides, the ads are still there and show spyware download links.

I guess Google is too busy dealing with "fake news" and paint.net can't give up that sweet ad money.

This is exactly why People need to use the store only as much as possible, and Paint.NET needs to get on the Windows Store as well
Interesting, I've visited this website multiple times before and didn't know about this problem until today. Ad blocker browser add-on seems to be doing its job really well.
Sounds like a personal problem to me...

This is a little shady, but all the units are clearly labeled as ads. I have a hard time getting as worked up over this as the author does. Paint.NET is a free product, what do you expect?

You could've at least visited the website. They are NOT clearly labeled as ads.

https://www.getpaint.net/index.html

wcummings might mean the tiny grey-and-blue icons in the top right of each unit.

If so, I disagree. Those icons are not visible enough, and are hard for many users to click without accidentally clicking the ad instead.

At least one of them in the screenshots says "advertisement by", in addition to the tracking opt out icon. But yes that is what I was referring to.
Indeed. Little icons inside the square can also be imitated by ads and do something quite different.
There's screenshots in the article I don't see why that would be necessary. Anyway, all Google ads have a tracking opt out link.

When I go to the site the ads aren't even "download" style ones like those in the screenshots, just normal banner ads.

https://ninite.com/ Accept no substitutes when installing on Windows.
Looks nice, but I would always prefer Chocolatey (https://chocolatey.org/packages). Reason: More (and easier to customize) packages / applications to get.
Ninite has the advantage of being self-contained in a single executable, though. Chocolatey looks like something you have to install, which makes it poorly suited for quickly installing something on a machine that's not yours.
Chocolatey is like apt for Windows. It is worth the install.
That's really interesting. I'll try it out next time I have to wipe my Windows machine.
You can report these bad ads by clicking the small X in the corner. Please do that if you ever see any of those, and they'll be replaced by other kinds of ads (and hopefully over time they'll get enough reports to be removed.)
The better solution is installing a capable adblocker.
That works around the problem for you. It does not solve it.
That works for me, but then leads to me telling a friend/relative to get the software and them managing to screw up their machines by doing what they think I told them to do.
Hmm I tried this and I see 4 reasons: (1) Seen this ad multiple times (2) Already bought this (3) Not interested in this ad (4) Ad covered content

There doesn't seem to be an option for "this ad is a huge DOWNLOAD link directly above the actual download link on a page that offers to help me download software." I did try filling out the form at https://support.google.com/adsense/troubleshooter/1190500 with this info, though. There was no way to indicate with a screenshot in that form exactly what the bad ad was.

Interesting, for me the options were

1) Not interested in this ad 2) Seen this ad multiple times 3) Ad is inappropriate 4) Ad covered content

I chose 3 for all of them, but I'd argue that 4 would also fit somewhat.

And as unpopular as the idea is with geeks, I think this illustrates the need for a "walled gardened" for the majority of users where each app is sandboxxed. Something like this couldn't happen on iOS, ChromeOS or Windows 10s.

Most non developers would be served perfectly fine with a locked down OS.

So you want to limit creativity and empower big companies even more by pushing forward walled gardens, because there are too many ads on the download page of one paint app out of a myriad?

It's like adding regexp to have one more problem.

How does it "empower" big companies? With app stores, distribution is easier and people are more likely to download an app knowing that it won't install malware, they have fine grained control over what the app can do (at least on iOS) and they can pay just buy putting their thumb on the fingerprint sensor.

Compare that to distributing apps on the internet where you have to trust each software provider with your credit card credentials and even if you do trust the vendor, there is a certain amount of friction just entering your payment information all over the internet.

I much prefer handling all of my subscriptions through iTunes even for services that use other places like Hulu, Netflix, and PluralSight.

Did you ever try to distribute a mobile J2ME app on mobile before the Apple and Google app stores? I know indie PC developers love Steam.

I'm very hestitant to download random software on Windows because of crapware/malware. I'll download iOS apps with abandon from the shadiest developers because I know they can't really do that much harm.

What I'm reading is that you like a process to be enforced to guarantee some level of quality, which is indeed something I like as well.

However I believe good package formats and OS-level checks can get us there without compromising my private informations to a third party in the process.

It's not about a level of quality. I can ask for my money back if the software sucks. I know when I download an app from the iOS App Store, exactly what the app is and is not allowed to do based on the sandboxxing that IOS does. I also know that the app won't have access to my private information without me giving it explicit permission when it tries to use it.

The "third party" I'm more concerned about is the random app developer. iOS prevents random developers from having access to files, the camera, the microphone, my music library, my location, contacts, my browsing history,using cellular data, draining my battery by processing in the background, etc. without me giving explicit permission.

Even ad blockers on iOS don't have access to my browsing history and you can disable third party keyboards from having network access.

First of all, malicious developpers can still ask for unreasonable access and often do. How many times did you want to install an app and wonder why they ask for insane permissions like sending text messages. You may be aware enough to refuse and uninstall at that point but that's not the case for everyone, and Apple washes their hands with this issue.

Furthermore, you may not allow such an app to access your privacy, but Apple itself is above the permission and will happily gather all kinds of data about you, with your implied consent (after all you DID buy a tapped piece of hardware). That's Siri and every remote Apple service for starters, and god knows what else in their closed source shiny software.

The random developer is the least of my concerns.

Now a truly open model where people can enforce torch apps cannot ask for ridiculous permissions, that's better. Enforced by enough parties that nobody can pull the blanket.

What it illustrates the need for is understanding why you're receiving things (which is a pretty vital outside of software, too). If you pay for your product then you won't see phishing on the download page. If it's a subscription fee, then they're going to make it difficult to abandon or switch away from. And if it's "free", then who knows what's going on - maybe the product will wantonly encourage spending money (advertising), or manipulate you towards a paid service. Or maybe the secret motives are innocuous, like the dev's resume or (very rarely) the common good, but you need to understand that before you know what's coming.
Look at all of the open source software that is there for the common good, but is still hijacked with crapware by places like SourceForge and Download.com.

You can even search for Windows drivers and instead of getting drivers from the manufacturer, you end up with malware from a third party site.

.. and that's the profit model of sourceforge etc. You need to consider all parties involved, of course.
And you expect everyone to know this? Sourceforge caught a lot of tech savvy people by surprise when they first started doing this.

What do most non devs gain by an "open system" that a well functioning App Store that forces apps to be sandboxed where the user has to grant permissions individually to apps?

People must remember that Google is first and foremost an advertising company. 90% of its revenue comes directly from advertising. Anyone who thinks they will prioritize anything over ad revenue is either very naive or very stupid.

Google's CEO declared it's "AI first" and they developed TensorFlow. If they wanted to, they could have easily prevented those ads from entering their network.

Please explain how, since it’s easy.
I'll take a crack at an explanation:

Google has machine learning technology that automatically reads street address numbers on houses, regardless of angle, color, size, focus, or typeface.

Using the same type of algorithm to answer "does this ad have anything that looks like a button in it?" is relatively simple by at least two orders of magnitude.

So rather than it being "easy" in some absolute sense, what's meant here is that it is easy compared to similar tasks that we already know Google does routinely and has largely automated.

Lots of things have button and aren't maliciously masquerading as download links. Furthermore, if they start doing that then ad producers will start changing their ad images to evade the algorithm. It's much harder to use ML for a problem when you have a malicious opponent actively working against it.
There is a human behind every single creative shown on Google AdSense. There are even rules around these creatives (need to have distinct border and need to say the name of the advertised product).
It should be as simple as:

- Is this a download page?

- Does this ad contain a button-like image with the word "Download" on it?

Presumably the people creating these ads are specifically targeting pages with the word "download" in to create this confusion, it doesn't seem like rocket science for Google to apply the exact same rules.

ML could be used as a tool to empower the reviewers to to review the most suspect ads first.
The easiest thing is to say something is too hard to even try that you don't even want to try for other reasons, such as green paper.

And changing the images to evade the algorithm would also directly affect how likely they are to trick people, so it's win/win?

Yes, but evading the filter by making the ad not look like a download button (or link, I guess) also solves the problem.
Might be easy, and I imagine they are going to shuffle employees around (they read HN) believe it or not, they are humans and make mistakes. It's very likely that up to this point in time, they didn't think to use ML on proposed ads, and even if they did, it's not like every employee working at Google has ML skills yet. The most advanced ML departments there are probably already working on their top priority issues that need ML. Second tier ML guys at Google are probably the ones that are learning ML just like many devs on HN, won't quite have the expertise to get this stuff moving quickly.

But yes, if they wanted to, they can divert their more advanced ML teams to tackle specific issues like this first and get it done. I really doubt this is a high priority issue for them.

The terrible experience of pulling down an installer for Paint.net was one of the final straws that pushed me to move over to using chocolatey for windows workstation setup.

   > choco install paint.net
Unfortunately, while that allows me to never see fake download-button ads when pulling down software for my machine, one place it's still a nightmare in is the world of getting minecraft mods installed on a kid's computer. Picking out the real download link from among all the fake ads is sometimes a real challenge.
Have you got uBlock Origin installed?
Yep, the only time I've ever managed to install malware was trying to put a very ordinary Minecraft mod on for my kid. How to feel stupid in one easy move.
Don't feel too hard on yourself. While I do not think I've installed malware because of that, I've mostly been lucky I guess (or just haven't noticed the malware yet).

The stars are aligned against you on this:

1) impatient kid who wants his mod working,

2) unfamiliar territory for you,

3) the timing for these things is ALWAYS wrong, you've probably got pressing household matters to attend to or another kid wanting your attention,

4) a couple of more points I forgot.

I was going to say - obviously the author of this post hasn't looked for Minecraft mods, because there the problem is far worse.
is it? 99% of the mods nowadays can be downloaded from Curse [1] without any ads and for easy mod management you can even install their launcher

those that can't, can be usually found on this site with their official download site linked [2]

[1] https://minecraft.curseforge.com/ [2] https://bot.notenoughmods.com/

>and for easy mod management you can even install their launcher

Does that launcher ask for the username and password?

That's a pretty lousy message to be teaching mostly children about password security.

no it does not, it launches the vanilla client in which you enter your username and password so it goes directly to Mojang! the launcher (technically a wrapper around the normal launcher) was recently rebranded to Twitch Launcher since Amazon (Twitch) bought Curse

https://mods.curse.com/client

Ah, that's good. Thanks for the correction.
You can thank the community's reliance on scummy ad-laded URL shorteners like Adfly for that. It seems like every time I'm going through an adfly link, there's a fake download button.

Worse, they've got fairly effective adblock detection.

Everyone seems to give Google the benefit of the doubt here. Is it possible they aren't doing anything because they are making lots of money from this ethical grey area?

The incentives seem perfectly aligned... the advertiser doubtlessly doesn't care about whether it's a scrupulous ad or not. Paint.NET authors make money, and Google makes money.

This is entirely it. It's not nearly offensive enough to get the "you're putting racist ads on my page" level of public uproar for them to do anything about it. And distributing malware is incredibly profitable. They simply have no incentive to stop. And trying to moderate it would cost them money, both in terms of effort to review ad submissions, and lost revenue from the ads themselves.

Heck, Google likes to brag about how Chromebooks don't get viruses. Distributing viruses for Windows PCs only helps their bottom line. (You'll also notice that Windows support-related search queries have malicious ads, and no ads display at all for Chromebook or Google support-related search queries.)

If the toolbars, as is typical, end up hijacking the search engine, or injecting their own ads on pages, then Google loses money.
And yet this happens. All the time. In adsense, on youtube, on Google+, on the Play store and basically in every other customer-facing Google business. I can see two reasons for that:

1. A not-my-problem mentality at Google

2. Google is trying to replace human intelligence with AI pseudo-intelligence which has turned out to be really really easy to fool

I believe it's actually a combination of the two and it scares the crap out of me thinking these guys want to create self driving (and flying!) cars.

I think you should look at point 3., slightly different from 1: everytime Google acts on something like this, they show that they can act.

If the damage it causes them, both in profit and image, is not very large then it might very well not be worth it to risk setting a precedent than Google is responsible for policing their ads. It is exactly the scenario they were caught in with YouTube, and becoming the police there didn't help them at all compared to the previous status quo.

Of course that's the good scenario, the bad one would be that Google, being of a size and importance that can be called a monopoly in the Internet ad space, would be violating these "fraudsters" rights since technically what they do may not be breaking any laws, which would lead to this becoming a precedent and all the others who currently try to keep themselves mostly clean in their ads would be vindicated to go evil too.

I'm not saying these are the real reasons, but again if the damage and risk they represent is insignificantly small relative to the whole, why would Google risk opening that can of worms.

This article is from 2013. Google has banned these types of ads from its network (and started blocking sites that serve them) since then, as was discussed on HN at the time: https://news.ycombinator.com/item?id=11032270
And four years later they are still there...
To be fair, this is not just Paint.NET. I am a Adsense publishers and I had the chance to talk to "optimizers" from the Adsense team from time to time, and I told them how much I loath those "Download" ads... unfortunately, up to today, things haven't improved, and there is little an Adsense publisher could do, because you can ban those ads in your Adsense panel, but usually they just show up a few days later under a different account.
Just curious, why single out Paint.NET exclusively? These types of ads have a long history all over the Internet, even on more popular sites than this - isn't this more of a Google issue than an individual website operator?
The Bing search engine is about as bad.

A close friend used IE to get Google Chrome. They clicked the first result and luckily I was able to stop them before starting the install on some crapware.

So I asked them to be careful to ensure the download site is correct and left them to it.

I came back to find they had downloaded some other crapware.

I checked the search results. The ENTIRE first one and a half page of results were advertisements for versions of crapware which may or may not have been Chromium or Chrome lookalikes with lots of malware.

I hope the author of Paint.NET will see this submission and removes the ads. I'm a big fan Paint.NET and made a donation. But this practice is just shady and makes no honor to the author of otherwise great application.
Yes, I'm also very fond of Paint.Net, so it irks me to see this kind of article
I wouldn't hold my breathe, the post is from 2013.
How about users, and especially corporate users, actually start paying for Paint.NET and other pieces of software they rely on so the developers don't have to resort to Ad Sense or e-begging to fund further development?
If it is about the money for Google, can't they at least put a warning over the ad that says "Are you really sure you want to download [Some Malware]?" if you hover/click on the ad.

Nevermind, the right thing to do would be to ban these kinds of ads outright, but we can't count on them to do that now, can we?