Showing posts with label buzzwords. Show all posts

Monday, May 10, 2010

The advertising social contract vs malvertisements: how can online advertisers earn your eyes?

I'd like to draw three related things to your attention.

First: Avast released a study on malicious advertisements in February, and the media's had some fun reporting on "malvertising" while seasoned professionals tried not to roll their eyes at yet another buzzword. (Tired of malvertising? Try "badvertisements!") Malvertising is one way legit sites get hosed: estimates say 75% of sites with malicious code are legit sites that got compromised.

Second: Back in March, Ars Technica posted a rant, "Why Ad Blocking is devastating to the sites you love." They felt ad blocking was impacting revenue and asked people not to do it. (Note that this argument spawned rebuttals.)

Third: I went to a talk by Terry O'Reilly and Mike Tennant, as part of their book tour for The Age of Persuasion: How Marketing Ate Our Culture. (I recommend their radio show.) Among the things they talked about was the advertising social contract: in exchange for your attention, advertisers give you something in return. TV advertisements subsidize programming, so they're honouring the contract. Billboards don't really give anything back to the consumer, so they're breaking it.

----

So here's where we put it all together:

Using ad blockers breaks a social contract with advertisers: namely, you get free stuff (content) in exchange for those eyes. If you're taking without exposure to the advertisements, you're "stealing."

But advertisers are breaking the contract in even worse ways with malvertising. They're basically stealing from viewers. It might not be intentional, but it's probably the equivalent of having advertisements on the TV that blare so loud that they cause hearing damage. Could you blame people for turning those off?

Ad blockers do more than keep you from seeing advertisements: they may actually make you safer.

So what to do? The advertisers can try to woo people away from ad blockers by giving more. Terry O'Reilly and Mike Tennant talked about how they like to make their ads funny: so you're giving more in terms of entertainment. What can advertisers do to give back when it comes to security and privacy?

One answer I've seen on that front comes from a surprising source: Facebook. Although Facebook isn't known for getting privacy right at all, they are doing their darnedest to put a nice spin on their privacy violations. Sure, maybe you didn't want to share with those Facebook Connect apps... but isn't it awfully convenient how other sites already know your preferences?

Unfortunately, I (and many others) don't WANT creepy customization. So in the end what they're trying to do doesn't really help with their end of the social contract at all. It may even hurt for many people. Let's just hope that later attempts are a little more generous on their side of the bargain.

You know who did it better? Burger King. Their Whopper Sacrifice, where you defriended 10 people for a Whopper, was quite the hit. In exchange for ditching your friends and giving up some privacy, you could get a free burger. And lots of people did.

I'm not sure I'd give up more privacy and security for a burger, but I'm curious to see how the more creative advertising folk handle this challenge. If users become more aware of malicious advertising, will it even be possible to overcome this challenge and still use banner advertisements, or will we be seeing advertising in new ways?

Wednesday, October 15, 2008

What constitutes new? Why buzzword bingo might help security.

Last week, I was reading through the web security mailing list. The topic of the day was ClickJacking, which of course had come under fire because it's not really that new. Critics accused it of being just another useless trendy buzzword applied to a specific style of Cross Site Request Forgery.

This caught my attention for two reasons:

(a) This was my first reaction to the announcement. I'd talked about this sort of attack with colleagues at the university months (maybe over a year?) ago. My first experience that got me thinking about what is now called clickjacking was a car ad that overlaid a huge chunk of a page I was visiting. It was a flash thing that just made a car drive across the page. Harmless, except that it happened to cover something I wanted to click on at the time. And it made me realise -- there's no reason my click supposedly on that ad couldn't result in me clicking something else I didn't want to click on that page... I've been suspicious of those "x to close" things on ads ever since.

If I'd realised I could just give it a shiny new name and publish, we could have gotten some nice papers out of it. Oh well. It seemed so obvious, though, what was the point?

(b) This was actually one of the reactions we got for the next paper I'll be presenting at a conference. Roughly translated, the reviewer said "It's not really that new an idea, but it's a nicely combined set of protections." The reviewer recommended us anyhow and the paper was accepted.

I didn't agree that our solution wasn't novel, but I could definitely agree that it clearly synthesized ideas from other sources (in fact, we'd made this clear in the paper!). If we assumed that anything made from wood was more or less the same and not novel or worthy of note, Ikea would be out of business, though. ;) It's an important part of science to learn which things are related and how they can influence each other. Why shouldn't it be a useful part of computer science?

The author of this web security mailing list post got me thinking further about buzzwords and media awareness, however:


"Which one is the proper way to describe the attack vector? The one labeled with the shiny new name or the one with the more technically-accurate name? And which one had the most positive impact, that is, which one educated the most people? And finally, should security researchers package security issues for media consumption?"


As someone with a fair amount of biology training, I know the answer to this. People connect much better to the Sugar Maple than they do to its scientifically useful name, Acer saccharum. Do you care about Danaus plexippus or is it the words Monarch Butterfly that would bring to mind the delicate migrators? And honestly? As long as you don't overdo it, having "common" names for things just makes it easier to communicate about them.

And communicating about web security issues is clearly something we need to do. With many web programmers convinced that they don't need to write secure code because they're not handling traditional targets such as credit cards, it's leaving a lot of people at risk. Part of the reason is that security sounds complex, and it's filled with "if you mess this up at all, your entire system is insecure," leading people to toss up their hands. Everyone knows how easy it is to make a mistake, so what's the point?

If a new name and some media attention helps people communicate and maybe even realise that they are at risk and that mitigating it might be a good idea, we might be one step closer to a more secure world. "Oh, that's not new," may be true, but it can lead people to believe that they can go back to their dangerous assumptions that all is well in their worlds...

So next time, I'm going to think twice about dismissing the latest buzzword. It may be doing more good than I think!

Monarch Butterfly @ Carleton