Thursday, March 20, 2014

Why I run Adblock Plus and Ghostery...

A few topics came up on my radar recently questioning whether AdBlock Plus is a security risk: several websites are now asking users to disable it for their site and claiming that AdBlock Plus itself is a security risk.

That got me thinking about why I really run both AdBlock Plus and Ghostery. I trust both plugins because they do their job VERY well, are generally trusted products used by millions of people, and, most importantly, are open source software. However, the reason I run these tools is not the usual "ads are annoying" or "privacy is important" reasons that I see bandied about. I run them because NOT running these tools introduces security vulnerabilities and serious performance degradation into the web browser stack, and because those using ad servers do not follow the law. Here are a few reasons why you should be running *at least* AdBlock Plus:

  1. Ad server operators are notorious for running any ad, including ads that deploy malware. It is not uncommon for a hacker to use a stolen credit card to flight malware ads on an ad server platform. They send over their malicious creative and it runs without being analyzed. In some instances, the ad runs before payment even clears! If the flighted ad is placed on what is known as a "remnant ad provider", it can take 6 to 8 hours after discovery of the malware to get it taken offline. Meanwhile, the ad is being served up to all sorts of users around the world. This actually happens, and it happens because there is no accountability in the ad server world and the people responsible are reactive instead of proactive. AdBlock Plus (and, to some extent, Ghostery) should be considered part of a comprehensive security solution beyond what your anti-virus software and hardware firewall solutions offer. This reason alone should be sufficient to immediately install AdBlock Plus (or equivalent) because, if the ad server can't serve anything in the first place, it can't deliver malware to your computer or other devices. These tools reduce the potential attack surface of the web browser.

  2. Ad servers can be (maliciously) configured to request the user's password for the website they are currently visiting using browser-based authentication dialogs. Users will freely enter their login information for the current website (thank you AOL!), which can then be used to compromise the account. Let's say an attacker gets onto the web server that hosts the ads: they reconfigure the server so that it asks for everyone's usernames and passwords, and then they start collecting information. Millions of compromised accounts across millions of systems in a matter of minutes. Seriously, install AdBlock Plus and Ghostery right now. (Added on June 24, 2016 after seeing this.)

  3. Excessive web requests. Remnant ad servers are especially notorious for this. To request a single remnant ad position, the browser will generally contact an average of 15 different servers across the Internet. Each server request also requires a lookup against the local DNS server to get an IP address for the destination. If the local DNS server doesn't know the IP address of the target server (fairly common), it has to go and find out. DNS requests are fairly expensive. Throw 3 to 4 ads on a page and suddenly page load times skyrocket to at least 20 seconds per page. I've personally seen page load times in excess of 60 seconds on modern hardware. AdBlock Plus drops page load times to under 6 seconds in many cases by simply blocking the excessive web requests. Ad server operators don't know when to say "no" to money and constantly make exceptions. Therefore, they don't set rules on request depth and, even if they did, they would never stick to such rules because the drive for money outweighs common sense. I also use Ghostery more because of excessive web requests than for the "privacy" reasons that other people use Ghostery for - it shaves off another 1 to 3 seconds per page load with very few issues.

  4. Those flighting ads also almost always neither know nor want to know even very basic HTML. They will happily flight ads that output broken content onto the page, which then proceeds to destroy the layout of the page. Mismatched div tags or other bad HTML result in half of a page simply not loading or not loading properly. It then takes up to several hours to diagnose the problem ad before it finally gets taken down. Meanwhile, users suffer with an unusable website. A more stable website viewing experience is just one more reason to run AdBlock Plus.

  5. Most ads are not compliant with the Americans with Disabilities Act. Ads that flash, rapidly change colors, have wild patterns (e.g. optical illusions), or otherwise move on a screen can trigger seizures even in those who have never had a seizure before. These triggers are scientifically proven. Therefore, AdBlock Plus is also a lifesaving medical device and brings website operators into some semblance of compliance with ADA regulations. The only ads that are remotely ADA compliant are those that are static images with muted color combinations. But since you neither know nor can control what ads will be served to you, the only solution is to install AdBlock Plus.

  6. Animated ads other than GIFs, especially Flash ads, also dramatically hurt browser performance. Moving DOM elements around on a page causes DOM thrashing (for lack of a better term) and redraw operations at the OS level; combined, they take a lot of CPU power and frequently lag. Fortunately, some browser vendors are blocking Adobe Flash by default now, but authors of ad creative are just switching to a "JavaScript plus images" method, which doesn't help much. The only solution to this problem is to block all ads until the industry wakes up and realizes that animated ads aren't just annoying, they hurt the performance of the user's web browser.

  7. Ad server operators don't demand that all ad creative fit in with their website design. It doesn't seem to matter which ad, they all look ugly and destroy what would otherwise be an elegant website design. This stems from no review process prior to flighting any ad. A good review process will reject both ads and advertisers that refuse to meet a set of well-defined requirements that result in ads that look good in relation to the rest of the website. This lack of concern over the ad creative that users will see demonstrates that there is also a lack of concern over the website's users. If a website operator can't be bothered to properly care for their users by only flighting ads that have been through an extensive review process, then AdBlock Plus is a great way to send the message that the users want to be cared about to the website operator.

  8. Third-party server dependencies hurt browser performance. If just one third-party server goes offline in an unusual way, pages that depend on that third party will never finish loading. A lot of sites depend on the "DOM ready" event firing to execute important changes to the page. If the browser is waiting on some third-party server to return content before continuing and that server hangs for 30+ seconds, I'll generally just leave and go elsewhere. I've seen both ad servers and analytics servers hang for extended periods of time. AdBlock Plus and Ghostery dramatically reduce the number of third-party dependencies, which speeds up page load times while simultaneously helping improve site uptime.
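To put numbers on the request fan-out in item 3 and the third-party stalls in item 8, here is an added Python example (not code from the post) that audits a page-load request log the way a site operator might audit their own ad tags. The hosts, the wait times and the blocklist are all constructed for the example; real logs would come from a HAR export, and the domain logic would use the Public Suffix List.

```python
from urllib.parse import urlparse
# Constructed sample of one page load, in load order (not data from the post):
# (requested URL, URL that initiated it or None for the document, server wait in ms).
SAMPLE_LOG = [
    ("https://news.example/article", None, 120),
    ("https://adserve.example/tag.js", "https://news.example/article", 300),
    ("https://sync.adserve.example/match", "https://adserve.example/tag.js", 250),
    ("https://bid.exchange-a.example/rtb", "https://sync.adserve.example/match", 900),
    ("https://bid.exchange-b.example/rtb", "https://sync.adserve.example/match", 31000),
    ("https://cdn.creative.example/banner.html", "https://bid.exchange-a.example/rtb", 200),
    ("https://tracker.example/px.gif", "https://cdn.creative.example/banner.html", 80),
    ("https://analytics.example/collect", "https://news.example/article", 60),
]
# Hypothetical host-suffix blocklist in the spirit of an ad/tracker blocker.
BLOCKLIST = {"adserve.example", "tracker.example"}
def site(host):
    """Naive registrable domain (last two labels); real code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def is_blocked(host, blocklist):
    """True if the host or any parent domain is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def audit(log, blocklist, hang_ms=5000):
    """Summarise one page load: distinct hosts (a lower bound on DNS lookups), third-party
    hosts, longest initiator chain, stalled third-party requests, and what the blocklist
    removes (a blocked request also suppresses everything it would have initiated)."""
    first_party = site(urlparse(log[0][0]).hostname)
    initiator = {url: ref for url, ref, _ in log}
    host_of = {url: urlparse(url).hostname for url, _, _ in log}
    third = {h for h in host_of.values() if site(h) != first_party}
    def depth(url):  # hops from this request back to the document
        hops = 0
        while initiator.get(url):
            url, hops = initiator[url], hops + 1
        return hops
    blocked = set()
    for url, ref, _ in log:
        if is_blocked(host_of[url], blocklist) or ref in blocked:
            blocked.add(url)
    return {
        "hosts": len(set(host_of.values())),
        "third_party_hosts": sorted(third),
        "max_depth": max(depth(url) for url in host_of),
        "stalled": sorted(u for u, _, ms in log if ms >= hang_ms and host_of[u] in third),
        "blocked": sorted(blocked),
        "remaining": len(log) - len(blocked),
    }
```

On the constructed sample, one ad slot chains five hops deep through seven third-party hosts, one exchange stalls for 31 seconds, and blocking two host suffixes removes six of the eight requests because the chain is cut at its root.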

Until all of these issues are addressed by the entire ad and SaaS industries, AdBlock Plus and Ghostery stay installed and active on my hardware.

Saturday, March 08, 2014

Writing software without copyright still needs a license

Let's say for a moment that you are writing some software that you want to release into the public domain. That is, you don't want to claim that you own a copyright on the software. This is very rare to see in the first place, but it does happen. Interestingly, copyright law does nothing but stop others from copying and modifying your work. Neither public domain software nor copyright-protected software protects the author from lawsuits that arise from damages involving the use of the software. In layman's terms, you still need a license to protect yourself from liability lawsuits.

Unfortunately, it seems like there aren't any OSI-approved licenses for software authors that are prepackaged and ready for use with public domain software. The OSI actually doesn't have such a license because it believes it can't correctly define what Public Domain means to the author within the license itself. I disagree with that assessment.

Having researched numerous licenses over the years, I'm very comfortable with various licenses. The MIT license is, in my non-legal opinion (because I'm not a lawyer), the most liberal open source license that's as close to the public domain as you can get without it actually being public domain. It basically says, "Hey, you can do whatever you want with this software, just don't sue me if it causes harm. However, please note that I own the code and you have to include this license and my claim to copyright somewhere in your software." That last little bit is a sticking point if you don't WANT to claim copyright because you want it to be in the public domain.

Toward this end, here is my best attempt to satisfy the concerns of OSI regarding public domain with a modified MIT license:

Modified MIT License for Public Domain software

Public Domain or legal equivalent
Original authorship by [authors] (the "Authors") in [year]

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The first line of the actual agreement ("Public Domain or legal equivalent") is intended to be treated as a title for the agreement, having legal impact wherever it applies (e.g. United States Copyright Law clearly defines what Public Domain means). If a locale has no such definition, the first line will most likely be overlooked and the second line ("Original authorship by [authors] (the "Authors") in [year]") says who the actual owner of the copyright is (i.e. a legal fallback mechanism). "Original authorship" is a clever avoidance of the legally defined word "copyright" in many locales.

The first paragraph therefore will only technically apply to those locales where copyright law has no official definition of Public Domain. However, some or all of the terms may apply regardless. In essence, it clarifies the intentions of the author in regards to their hold on copyright. Should copyright still apply, attribution is included with the license to indicate who the claimants actually are. Obviously someone with intention to place their software into the Public Domain has no intention to ever claim ownership of their copyright in the first place. The definition of Public Domain is therefore clearly defined by the first paragraph. Whenever and wherever there may be doubt, define what you mean.

The second paragraph is the "covering your legal rear" paragraph. Of the two paragraphs, this is the most important one because it protects the authors from many types of lawsuits. However, wherever copyright law may still apply (and even those locales where it doesn't), the combination with the first paragraph adds extra protection by clearly specifying that the author allows the software to be used for any purpose, thus removing all legal liability (wherever legally allowed). I removed the words that referenced "copyright holders" since, by definition of public domain, there are no copyright holders. However, the use of '(the "Authors")' in the legal fallback mechanism used earlier means that the word 'AUTHORS' is tied to those who hold the copyright (if any). Even if copyright doesn't apply, the word 'AUTHORS' in that specific location protects the authors from legal liability for the software. This really wraps up the entire package, puts a fancy bow on it, and tells lawyers to go away.

It is my opinion that this license represents the closest to public domain that we as software developers can get legally worldwide while staying really far away from liability lawsuits.

---
Permission is hereby granted, free of charge, to any person obtaining a copy of this license (the "License"), to deal in the License without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the License, and to permit persons to whom the License is furnished to do so.

THE LICENSE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE LICENSE OR THE USE OR OTHER DEALINGS IN THE LICENSE.
---

Hey, gotta cover my legal rear when writing licenses too. Interestingly, the license itself is a kind of circular reference.