21 years ago was the first time I saw malware delivered over advertising on the web. 1998. I started blocking ads by manually managing my hosts file that day; for the most part I haven't looked at ads since.
I'm still not sure why we're now basing our entire economy around advertising crap to people that they don't want or need, the web was ad free and worked great for many years before all this nonsense.
The fact that most all of the smart people in tech have been subsumed into ad tech is one of the most depressing things I could have possibly imagined 21 years ago. What a massive misuse of resources.
The people seeing the ads aren't the consumer, they are the commodity. The value of an ad isn't just in selling a product. Ad networks are great at collecting behavioral data. That data is quickly becoming more valuable than the products in the ads.
If I click on an ad for funeral services I might buy something but probably won't. But I may have just confirmed that a close relative just died. That factoid is worth something to a great many people beyond the local funeral parlor who paid for the ad. I should expect real estate agents and quack financial advisers to be knocking on my door by the end of the day.
>I'm still not sure why we're now basing our entire economy around advertising
I see 3 models for websites: completely donation based, advertising based, or subscription based. Many sites would have trouble getting the donations they would need to operate. Subscription based means only rich people can afford to use it. Advertising means poor people get the same functionality as rich people.
There have been some very interesting experiments in this area. Going back to the 90s, smaller websites once gathered together to form communities under a single subscription fee. In some advanced groups each website was given a share based on traffic. This allowed a single reasonable subscription to back a great many independent websites.
As with most things on the internet, the porn industry did it first.
That subscription might be reasonable for a middle class person in the US, but way too expensive for the average person in a poorer country. Ads put everyone on the same footing.
And if you want to do research on a topic across many different websites, it'll happen that they won't all be in the same community, so you'll have to pay subscription fees to many different communities, sometimes just for a single page view.
Google Contributor is (was?) a good idea, and for a while I really enjoyed using it. It was nice to visit a page and see the "thanks for being a contributor" messages instead of visually aggressive ads.
Of course it was canceled at some point, and now it looks like there is some meager effort to require sites to opt-in somehow.... I can't tell if any sites have actually done so.
Too bad, because I really liked the old experience.
I had two accounts (done because at the time I didn’t realize you could change your account handle); one I rarely used and one I used daily. I went to log in to the rarely used one and the password didn’t work nor did recovery. It had been hacked. Nothing I did could get it back and Twitter just shrugged and said sucks to be me. So I cancelled the daily use one. Not just because of that mind you. Twitter has become a cesspool anymore and I realized it was making me unhappy more than it was contributing to my life. If, by some miracle I manage to get the other account back I’ll cancel it too.
Maybe I'm doing it wrong, but I don't have time to find and filter out decent followers. I signed up back in 2005 and couldn't tell you when it wasn't a cesspool for awful posts and comments.
Using it to keep up with politics or news can quickly lead you to some of the most highly concentrated cesspools of humanity's worst thoughts. There will be abject ignorance or just plain noise among the top replies to pretty much any tweet by The Economist, the New York Times, Barack Obama (actually any politician), ...
However, I've found it healthy and helpful to tap into active communities built around certain computer science topics, like machine learning, or "ML Twitter."
One thing which I didn’t see clarified here was the deceptive CNN domain. Either the preview card can be exploited to spoof CNN (bad on twitter) or CNN.com has an open redirect (bad on CNN).
As I understood it, twitter is following redirects to show the user the final destination in the card. The problem is the scammers recognise when twitter is generating the card and redirect twitter to a different domain than the one the actual user will be redirected to.
The problem is that twitter follows the redirects to show the final URL, presumably to support advertising companies that use third-party link tracking software like bit.ly; if they just showed the actual link they wouldn't have this problem.
Visit https://cards-dev.twitter.com/validator and paste in the spam URL there. You'll see that the validator warns that it is being redirected, but follows it anyway.
So the exploit is fake site -> user-agent specific redirector -> CNN. That would clear CNN.
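The check the thread is describing, as an added example that is not part of the discussion or of Twitter's card validator: resolve the same link twice, once with a link-preview crawler's User-Agent and once with an ordinary browser's, and flag the link when the two redirect chains end on different hosts. The redirect data below is a constructed in-memory fixture; the `Twitterbot/1.0` and browser UA strings, the hop limit, and the "final host via first hop" card label are assumptions of this example.

```python
"""Added example: detect user-agent cloaking behind a redirecting link.

Not code from the thread or from Twitter. The fixture below is constructed;
the User-Agent strings and the card label format are assumptions.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10  # assumed hop limit, guards against redirect loops

# Assumed UA strings for the two views we compare.
USER_AGENTS = {
    "crawler": "Twitterbot/1.0",
    "browser": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/66.0",
}


@dataclass
class Response:
    status: int
    location: Optional[str] = None


# Constructed fixture: (url, ua_class) -> what the server answers.
# "short.example/abc" is the cloaking redirector from the thread: it sends the
# crawler to CNN and real users to a different site. "short.example/ok" is an
# honest shortener that sends everyone to the same place.
FIXTURE = {
    ("https://short.example/abc", "crawler"): Response(302, "https://www.cnn.com/article"),
    ("https://short.example/abc", "browser"): Response(302, "https://malicious.example/login"),
    ("https://short.example/ok", "crawler"): Response(301, "/article-via-ok"),
    ("https://short.example/ok", "browser"): Response(301, "/article-via-ok"),
    ("https://short.example/article-via-ok", "crawler"): Response(302, "https://www.cnn.com/article"),
    ("https://short.example/article-via-ok", "browser"): Response(302, "https://www.cnn.com/article"),
    ("https://www.cnn.com/article", "crawler"): Response(200),
    ("https://www.cnn.com/article", "browser"): Response(200),
    ("https://malicious.example/login", "crawler"): Response(200),
    ("https://malicious.example/login", "browser"): Response(200),
}


def fixture_fetch(url, ua_class):
    """Offline fetcher backed by the constructed fixture."""
    return FIXTURE.get((url, ua_class), Response(404))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError instead of following.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, ua_class, timeout=5):
    """Live fetcher (not used by the tests): one request, redirects not followed."""
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENTS[ua_class]})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.status)
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Location"))


def resolve(url, ua_class, fetch=fixture_fetch):
    """Follow redirects the way a card generator does; return the list of hops."""
    chain = [url]
    for _ in range(MAX_HOPS):
        resp = fetch(chain[-1], ua_class)
        if resp.status in (301, 302, 303, 307, 308) and resp.location:
            chain.append(urljoin(chain[-1], resp.location))  # handle relative Location
        else:
            break
    return chain


def host(url):
    return urlparse(url).hostname or ""


def check_link(url, fetch=fixture_fetch):
    """Compare the crawler's and a browser's final destination for one link."""
    crawler_chain = resolve(url, "crawler", fetch)
    browser_chain = resolve(url, "browser", fetch)
    cloaked = host(crawler_chain[-1]) != host(browser_chain[-1])
    # Card label in the form suggested in the thread: final host "via" the link's own host.
    label = host(browser_chain[-1])
    if len(browser_chain) > 1:
        label = f"{label} via {host(url)}"
    return {
        "cloaked": cloaked,
        "crawler_final": crawler_chain[-1],
        "browser_final": browser_chain[-1],
        "label": label,
    }


if __name__ == "__main__":
    for link in ("https://short.example/abc", "https://short.example/ok"):
        print(link, check_link(link))
```

The validator in the thread follows redirects under a single identity, which is exactly what lets the redirector pick its answer; comparing two identities is cheap and turns a divergence into something that can be refused or labelled rather than trusted. `urllib_fetch` is a drop-in replacement for `fixture_fetch` when running against a real link, and a real deployment would also want to vary the source IP, since cloakers can key on that as well as on the User-Agent.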
I’m thinking through how Twitter would combat something like this. IMO they would flag new domains for manual approval (or hey, require TFA for self-serve ad accounts!) but both of these add to the cost and friction of their adtech.
Always a bummer when good security practice gets overruled by the need to squeeze every cent of revenue they can.
>I’m thinking through how Twitter would combat something like this.
Display the real link domain by default, but offer custom domains for manually verified advertisers. That obviously involves some degree of cost, but it's worthwhile to preserve trust in the platform.
Maybe twitter could show something on the card “CNN.com via malicious.example.com”? Personally I like knowing when I’m clicking a tracked or affiliate link anyway.
I'm not sure how many people that would work for. If malicious.example.com were some pithy little domain on a trendy ccTLD like bit.ly, I think most twitter users would ignore it, assuming it was yet another URL shortener.
This isn't a new problem. Cloaking[1] has been around for a long time. Google[2], and Facebook[3] have been fighting this problem for years. Even Google hasn't had perfect luck with fighting off cloakers[4].
The malicious webserver is probably redirecting the Twitter crawler based on its user-agent to CNN, and Twitter's redirect-busting is helpfully pulling in the "final" destination.
It's a good reminder that you can't just build the registration and on-boarding processes to filter out spammers.
You have to ensure that the damage is limited and reversible even if your trusted users (or worse, staff) are hacked or turn malicious. Though this system is usually harder to build and generalize.
It's not that twitter is not doing anything, but that scamming people out of crypto currency and money is very lucrative owing to human gullibility and the viralness of the twitter platform, so scammers have an incentive to keep finding loopholes after twitter closes existing ones. And most scammers fail to bypass twitter security measures, so all you're seeing is the ones who succeeded. If 90 scammers fail and 10 find a loophole, then those 10 will proliferate until twitter fixes it again. It's sorta like a virus that acquires drug persistence.
The guy whose tweets are being used as examples is still hacked and while this discussion is going on has no idea how to fix his account.
The author could've used screenshots, but he wanted to use a live example, so instead of giving the non-technical person a straight link to ads.twitter.com, he just told him he'd written an article on the problem [0]
The big problem here is that people create accounts on multiple sites and then reuse the username/passwords on many sites. Then, one of the sites gets hacked, the database gets leaked with unencrypted passwords. Eventually this database gets passed around the internet for anyone to use. Now people simply go down the list trying to log in with these username/password combos on every site.
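The "go down the list" pattern described above has a recognisable shape in a login log: one source trying many distinct usernames in a short window with mostly failures. As an added example, not from the thread, here is a small detector over constructed log lines; the log format, the 5-minute window, the 5-user threshold and the success-ratio cutoff are all assumptions of this example.

```python
"""Added example: flag credential-stuffing bursts in a login log.

Not code from the thread. The log lines are constructed and the line format
("<iso-timestamp> <ip> <username> OK|FAIL") and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

# Constructed sample: 203.0.113.7 walks a leaked list (one hit on "dave"),
# 198.51.100.4 is a real user mistyping their own password, 192.0.2.9 is normal.
SAMPLE_LOG = """\
2019-05-23T10:00:01 203.0.113.7 alice FAIL
2019-05-23T10:00:02 203.0.113.7 bob FAIL
2019-05-23T10:00:02 203.0.113.7 carol FAIL
2019-05-23T10:00:03 203.0.113.7 dave OK
2019-05-23T10:00:03 203.0.113.7 erin FAIL
2019-05-23T10:00:04 203.0.113.7 frank FAIL
2019-05-23T10:00:10 198.51.100.4 grace FAIL
2019-05-23T10:00:15 198.51.100.4 grace FAIL
2019-05-23T10:00:20 198.51.100.4 grace OK
2019-05-23T10:05:00 192.0.2.9 heidi OK
"""


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, succeeded) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.5):
    """Per source IP, look for a window with many distinct usernames and mostly failures.

    Returns {ip: finding}; "compromised" lists accounts that succeeded inside the
    burst, i.e. reused passwords that should be reset.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):  # sorts by timestamp first
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = sum(1 for e in win if e[3])
            if len(users) < min_users or successes / len(win) > max_success_ratio:
                continue
            finding = {
                "distinct_users": len(users),
                "attempts": len(win),
                "successes": successes,
                "compromised": sorted(e[2] for e in win if e[3]),
            }
            # Keep the widest burst seen for this IP.
            if ip not in findings or finding["distinct_users"] > findings[ip]["distinct_users"]:
                findings[ip] = finding
    return findings


if __name__ == "__main__":
    for ip, f in find_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, f)
```

The distinct-username count is what separates this from a user who keeps mistyping one password (198.51.100.4 is never flagged), and the `compromised` list is the actionable output: a success inside a stuffing burst is a reused credential, and forcing a reset on those accounts is the fix the comment points at, independent of whether the leaking site stored passwords properly.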
My account has been suspended in the past 2 weeks. Having gone through their support page a few times, I have yet to receive an email about the reasoning.
I'll be setting up a Mastodon machine soon, deleting my Twitter account, and making sure that my posts are forever owned by myself and my online voice can't ever be taken away from me again.
But... now I think about it, I probably still have CloudFlare caching on. Which means that won't get hit some of the time. Hmmmm.... Let's see if my server can survive HN without a CDN.
I had a twitter account from 2007 to 2016; enjoyed using it. Though the email attached to it I lost access to and Twitter doesn't care to help you get your account back. I haven't used Twitter since!
Something similar happened to me on May 23rd, 2019 (three days ago) [0], where I ended up losing my Twitter account.
Essentially, my t-mobile mobile phone number was hijacked (despite my having a PIN, which the attacker didn't need - poor security practice by t-mobile), and after that they proceeded to change the password of my Twitter account using the phone.
Thankfully I was close to a t-mobile shop in San Francisco, and ~40 minutes later I regained control of my SIM card. Nothing else has been affected so far.
FYI, T-mobile can't be sued for damage resulting from something like this. We have to "thank" judge Scalia for this.
As of now, Twitter is slowly responding to my issue, despite a few friends there trying to help.