53 comments

[ 5.1 ms ] story [ 114 ms ] thread
This page was loading so many trackers for a full minute (doubleclick, openx, google.ca???) that my laptop started heating up. I'll wait for another media source to read about it, thanks.
Or, use an Ad Blocker if you're so averse to this website making money off their content?
> this website making money off their content

That's an interesting wording. I would say it's making money off your data than their content.

In other situations, we'd normally call this doxing.

> In other situations, we'd normally call this doxing

No we wouldn't.

If you're going to complain about ads, but still want the content, then shutup and pay the website for it. You're not going to do that either, though. Want to have your cake and eat it too?

No, instead (generic) you just wants free content. (Generic) you isn't going to pay $12.99 monthly per website to support the content and operation costs. (Generic) you just wants free stuff.

How many people on HN complain about Paywalled websites and immediately seek ways to circumvent the paywall? Paywalls are the alternative.

There's real costs with running a website - even more-so with producing content people are interested in (clearly evidenced by front page of HN).

Or, just use an Ad Blocker and be on with your day. It's the complaining that's annoying - and petty. Solutions to your perceived problem are super easy and well within reach. It's literally 3 clicks to install uBlock Origin.

The problem is systematic: There is currently no realistic way to pay and be done with the medium; there is no spotify or netflix for websites. Those services kinda prove that people are willing to pay after a decade of torrenting and burning DVDs.

HN readers typically know how to deal with ad blockers, our less technical fellows don't, and we ultimately owe them to work against this bullshit, like we expect them to steer their respective fields and professions to the common benefit, that they make their products and services healthy and safe.

A computer literally heating up due to who knows what arbitrary javascript is executed on that person's computer is notable, and the advertising-tech-complex is very much on topic for HN.

Finally, there can be NO DEAL between a website visitor and a bunch of third party javascript that cannot be understood or audited, and if the operation is not profitable, tough. There were cool websites on the internet before ads and we will have websites in the future.

> there is no spotify or netflix for websites. Those services kinda prove that people are willing to pay

The overwhelming majority of Spotify accounts are Free Accounts, supported by... you guessed it... Ads.

People don't torrent music because Spotify is easier. Spotify earns money through advertisers paying them to advertise on their platform. Spotify pays part of that to artists who put music on their platform. Everyone is getting paid, and it costs the user nothing. That's why Spotify is so popular.

> There were cool websites on the internet before ads and we will have websites in the future

What is it your are arguing for? Charging $0.35 per every single page view? Or people running websites should just foot the bill out of the goodness of their hearts? Someone has to pay the hosting bill...

Some of the tech-elites on HN will pay this out of principle, but the overwhelming majority of people will not. Be realistic.

A world where you must pay for every page view is effectively antithetical to everything the web stood for. The _free_ distributions of knowledge to everyone simply would cease to exist.

It's actually amazingly clever. We've tricked 3rd party advertisers into footing the bill for literally _everything_ on the internet. You are free to consume content without paying a single penny - someone else is paying it for you. The trade? You gotta look at some ads once in a while. Oh the humanity!

If someone is this principled - they should run an Ad Blocker. Most people simply don't care. You can make a case that they should care, but then you'll need to come with with a robust system to pay content creators to ensure they aren't buried in expenses of running a website for a bunch of freeloaders.

Advertising is not free lunch. We pay by being manipulated into spending more. Would have been nice if there was a free source of money, but clearly this cannot possibly be true. Even if advertisements wouldn't work, the cost of advertisement is still baked into prices.

There is also no contract, no trade. People go on a website, ignore any and all terms of services and privacy notes and try to read what's up. Presenting such terms of services etc. is acting in bad faith (as no layperson is able to understand it and no lawyer has time to read all of it). Third party code is executed on their computer. Could be bitcoin miners or even ransomware.

Your example with spotify may be true, but you can't ignore that Netflix and others are raking in a lot of money and provide a really expensive product (compared to website articles which yes, were produced for free by many people for years, on some level). I used to subscribe to The Athletic and will probably do so again if there's football in autumn.

I really wouldn't mind seeing some ads. On a shoe website, see a banner ad for shoes, with a hyper link to another shoe website. No tracking, no code, just a link.

> No tracking, no code, just a link.

I think the problem there is those types of ads aren't effective. And therefore, advertisers won't pay for them, which then goes back to the original problem of "who's paying the hosting bill"? Let alone paying the salaries of a dozen journalists or content creators.

If tastefully done, ads can be discrete and effective. There are bad apples out there, who plaster every pixel of page space with ads and more ads and more ads.

I don't think anyone enjoys that experience - but that's not the ads fault, it's the webmaster who did it! Eventually, that strategy won't pay for itself anymore as people stop using the website.

Netflix is a strange thing to relate to here, I think. People have always paid for movies - so I think it was a natural progression to pay for a movie streaming service.

Websites have mostly always been free - and the ones that successfully run a subscription model absolutely limit their market appeal and userbase. Making people pay for every page view (the effective equivalence of running impression-based ads) is simply not going to work; you'll have an immense challenge to convince people what was previously "free" is now going to cost them actual money directly from their bank account.

At the end of the day, there's two arguments going on here.

1) Tracking is a violation of expected privacy, and should not be done.

2) Ads are bad and should go away.

Number 1 is true! However, the result of stopping would be unrelated ads being shown to people with practically zero percent chance of converting into a transaction for the advertiser (showing diaper ads to a single man that lives by their self, for example). That could be fine, but again, reduces advertising effectiveness which means advertisers will pay less for the ad space. This could work... but will have ramifications that are potentially not great (more paywalls, for example).

Number 2, in my opinion, isn't true, and isn't realistic for the reasons laid out above.

> then shutup

You aren't new here. Whatever you said, I stopped reading here.

I suppose that's fine, because you'd owe me $0.35 if you want to continue reading my content. ;)
Why is it more appropriate to actively subvert a content provider's ability to monetize while still consuming their product?
It’s one thing to show an ad, and it’s a completely other thing to go around the internet and unmaks my behaviour and identity in order to profile me in order to show me ads AND store data about me. The thing is, I don’t know whether site will do that or “just show an ad” before I go there, so it’s not active subversion, it’s an active defense against downright shady business. Show me an ad - fine. Go out and profile me - fuck you.
I don't mind ads per se, I mind intrusive ads that use more data and system resources than the content.
They didn't mention anything about ads, just trackers that bogged down their PC.
I'm pretty sure many other companies sell this information as well. I'm pretty sure Comcast sells it as I share an account with someone but it uses my phone for verification & support. I received a spammy text with their name. It's the only account we share.
Facebook has also been caught doing this (as mentioned in OP article as well).

https://techcrunch.com/2018/09/27/yes-facebook-is-using-your...

Are they selling it though? Or giving 3rd parties in access in any way. To me it reads like they're using it internally for ad targeting / notifications.

Comcast is just giving it to the highest bidder.

Why do they keep doing this type of stuff? It’s obviously not allowed, so why risk it? Is there so much money to be made?
No one gets promoted for making the same amount of money.
2FA is only as good as the company that employs it otherwise it just gives people a false sense of security and privacy.
I've become pretty convinced that sms-based 2FA is an anti-pattern. I've seen too many articles and anecdotes about sim-swap attacks to feel at all comfortable trusting sms as an authentication method.
SMS 2FA is still superior to nothing. Most account compromises aren't because of SIM swapping. Phishing, password spraying, and (especially) password reuse are the most common and SMS 2FA completely defeats the latter two and makes the first one harder.

Most people/groups who phish are pretty technically inept so they struggle to automate things like OTP capture/use, so they're stuck doing it live, and that obviously doesn't scale well.

> SMS 2FA is still superior to nothing.

It's better than nothing, but given that it's trivial to go from that to just an authenticator app, I would personally not have any of my accounts set up to accept sms 2FA.

Of course, the best thing would be for people to use actual passwords instead of "Watermelon23", but that's easier said than done.

This is the standard pattern of every new security technique ("2FA" in this case). Once it becomes an industry buzzword, snake oil vendors get busy coming up with ways of technically supplying the buzzword without the difficulties inherent to the actual security.

When sites require this crap, I give them a phone number that forwards to my email. If my desktop computer gets owned, I've got much bigger problems than some fraudulent bank transactions.

So long as the UI surrounding the SMS 2FA setup process makes it clear that strong passwords are as important as ever, I think it's still easily a net positive for the vast majority of people. Of course, the better solution is Google's default two-step verification flow, which involves sending a push notification to your phone and tapping Yes in Gmail. That's both easier and more secure, since SMS is taken out of the process.

Think about it this way: for an attacker trying to compromise more than one account, SMS-based 2FA makes it significantly more expensive to perform the attack. It certainly isn't much help as the victim of a targeted attack, but it makes account takeovers much more difficult in 99% of cases.

Geez, it's a good thing I removed cell 2FA from all my accounts after getting hacked (SIM card transfer via social engineering)
The problem with Twitter is they don't allow adding more than one security key (like Yubikey, NitroKey etc) per account. Google, FB, Github and almost everyone else who supports security keys does support multiple keys. Without it, I wouldn't disable SMS auth on Twitter, yet (the security key could die at any point, hypothetically speaking; which is why you have a backup or two).
Why wouldn't you just record the authenticator code somewhere?

You can easily generator OTP codes the same as any of the "authenticator" apps using, for example, oathtool [1]

You don't even need the code to be stored on a computer. Just write it down somewhere safe if you're paranoid about getting hacked. The seed codes are usually 16 characters or so.

[1] https://www.nongnu.org/oath-toolkit/oathtool.1.html

You're right, that's exactly what I've got. I'd forgotten the exact setup I have on Twitter. I just checked and I've got a TOTP app (with backup codes on paper) + Yubikey. I'd disabled SMS for 2FA last year, around the time when Jack Dorsey's Twitter account was compromised with a SIM swap attack.
>(SIM card transfer via social engineering)

How exactly does this happen?

Impersonate as the client of the phone company and request a new SIM card under the pretense that your current SIM card was stolen/lost.

Or bribe company staff to give you the SIM card.

Phone company staff are error-prone humans just like you and me who in general don't earn well enough for their responsibilities.

Aha! I'm an idiot; I thought this referred to social engineering of the person who owns the handset/SIM, not phone company staff.

That makes a lot more sense. Thanks!

SIM swapping should not be an attack. It's called "Two-factor Authentication", not "OK Whichever Authentication".
It absolutely is an attack. SIM swap is a targeted attack. In a targeted attack scenario, phishing (for id and password) will succeed with high enough probability. Also, the account recovery path often requires only the phone number, effectively making the recovery phone number as the single factor.
I'm remarking on the last sentence of your comment~
Yes. Anyone who want the protection from the SIM swap attack should remove phone 2FA from their accounts, and should consider accounts that do not support such configuration as vulnerable.

Whether you consider the SIM swap attack a threat worth protecting from would depend on many factors, even though the threat itself is very real, and almost all phone numbers are vulnerable to the attack. I have yet to learn any phone service provider that is not vulnerable to this attack. I've heard people speculating that Google Fi might be one such provider, but I don't know if Fi customer service actually is not vulnerable.

I wonder if they write off fines as expenses and still turn a profit.
Yeah, what would the penalty have to be to get companies to stop doing this?
They are expenses, but companies do try to avoid paying for stuff they don't have to. Legal risks are a thing, and some manager somewhere is going to get backup from legal when they argue against doing this, using this story as an example.
I'm more paranoid about big companies selling me out for ad money than I am about phishing attacks. There's a number of sites where I feel like I should add 2FA for security, but I won't do it for privacy reasons. Logging into Microsoft Office for my job is a pain in the ass because they redirect me to the "Add your phone number" page twice for each app that I use. I have to click "skip this step" 4 times, since I'm using Teams and Outlook. Was the world a better place when every transaction you made in a retail store didn't come with a request for tracking? "Can we get your email? What's a good phone number for you? Do you have a rewards card? Do you want one? Any way we can peg you with a unique id and sell it to a data broker?"
(comment deleted)
If a company wants to know who you are they can find out. Data brokers are pretty cheap and they share so much data between each other it's bonkers.
Doesn't Twitter also require a unique phone number to make an account these days?

I'm guessing that number has no protections the way 2FA ones do?

They do. There are also operators whose numbers Twitter won't accept for signing in. I had to borrow someone's phone to sign up for Twitter because they didn't like my number.
[deleted]
No throwaway? Someone is going to out your company.
(comment deleted)
Let that happen, then--if he/she is in a safe position now, it would only be fair that the company was outed.
Prison time is the only serious deterrent. Specific people in the upper management need to have non-suspendable prison sentences.

Start with maybe 3-6 months, then escalate for repeat offenders. That fact that these decisions were made internally to a business should not indemnify the executives who allowed it to happen from criminal charges with mandatory prison time that cannot be suspended or avoided.