[HN Gopher] The FBI now recommends using an ad blocker when sear...
___________________________________________________________________
 The FBI now recommends using an ad blocker when searching the web
 Author : taubek
 Score  : 154 points
 Date   : 2023-02-23 20:47 UTC (2 hours ago)
 (HTM) web link (www.standard.co.uk)
 (TXT) w3m dump (www.standard.co.uk)
| saklash wrote:
| Over the years, marketing networks have been infiltrated by hackers who manipulate ads to spread malware. Since the ads were served through a host of web pages, the attackers could do damage to a victim's computers in minutes. With an ad blocker, though, you can prevent this situation from happening to you.
| TacticalCoder wrote:
| Here are a few things I do to combat nasty websites:
|
| - blacklist entire domains using wildcards (using an "unbound" DNS resolver and forcing all traffic to my DNS resolver, preventing _my browser_ from using DoH -- I can still then use DoH if I want, from unbound)
|
| - reject or drop a huge number of known bad actors, regularly updated: they go into gigantic "ip sets" firewall rules
|
| - (I came up with this one): use a little firewall rule that prevents _any_ IDN from resolving. That's a one line UDP rule and it stops cold dead any IDN homograph attack. Basically searching any UDP packet for the "xn--" string.
|
| I do _not_ care about what this breaks. The Web still works totally fine for me, including Google's G Suite (yeah, I know).
|
| EDIT: just to be clear, seeing the comments I realize I wasn't very precise... I'm not saying all IDN domains are bad! What I'm saying is that in my day to day Web surfing, 99.99% of the websites I'm using do not use IDN and so, in my case, blocking IDN, up until today, is totally fine as it not only doesn't prevent _me_ from surfing the Web (I haven't seen a single site I need breaking) but it also protects me from IDN homograph attacks.
| Your mileage may vary: if you live in a country where it's normal to go on websites with internationalized domain names, then obviously you cannot simply drop all UDP packets attempting to resolve IDNs.
| cgb223 wrote:
| What's an IDN and what does blocking them help with?
| NetOpWibby wrote:
| Mainly homoglyphs. Characters that LOOK like Latin characters but aren't. Scammers register domains to make it look like at a glance you're visiting a reputable site.
|
| It's why many browsers started defaulting to showing "xn--<whatever>" (punycode representation of IDN characters).
|
| It sucks for domains that are emoji but whatevs. Scammers ruining things for everyone, as usual.
| buildbot wrote:
| International domain name - blocking them prevents look alike URLs from working. But also, IMO, this is bad advice for anyone who uses not English as a language...
| giobox wrote:
| While these are all good practices, killing DoH conclusively on your home network is more difficult than you've made it seem, as ultimately all you can really do is use domain blacklists at your firewall. It's no longer as straightforward as just controlling port 53 traffic, not like you can realistically shut down 443... Blocking DoH is largely whack-a-mole and I think is only going to get worse as this and similar techniques spread. There are so many sneaky ways to resolve a hostname an app or device can choose to use now.
|
| You can force traditional port 53 DNS protocol traffic to your own resolver with firewall rules, the same doesn't work for DoH. A DoH request to a domain your firewall blacklist doesn't have looks just like ordinary https/443 traffic and will pass unhindered.
| LinuxBender wrote:
| _Blocking DoH is largely whack-a-mole_
|
| Maybe this is so but I have yet to see it. AFAIK all the DoT/DoH are on known dedicated IP addresses. I know they don't have to be. They could be on generic Akamai/CF/BunnyCDN/etc...
| endpoints but I have yet to come across one utilized in the wild. Have you found any? What are their IP addresses? I would like to add them to my DNS timing/monitoring scripts.
|
| I null route about 24 DoT/DoH IP addresses and my one smartphone seemed to figure out automagically that my router was serving up DoT on 853.
| TacticalCoder wrote:
| > While these are all good practices, killing DoH conclusively on your home network is more difficult than you've made it seem
|
| Oh I know but so far you can still ask both Firefox and Chromium to not use DoH and hence force them to use port 53 and from what I've seen they really honor that. For the moment.
|
| I don't doubt that in a not so distant future we may see companies hardcoding DoH into apps without any possibility of removing that setting!
|
| What I do is no panacea but it gets rid of a lot of things.
|
| > There are so many sneaky ways to resolve a hostname an app or device can choose to use now.
|
| But I whitelist apps that can connect to the net. Browsers, apt (for Debian/Devuan package update), the one that updates the NTP/time, SSH out and that's basically it.
|
| I know it's a game of whack-a-mole, but I'm still playing it : )
| SahAssar wrote:
| The last one is very Anglo-centric (or at least centric to fully latinized languages). Do you not find the rules[0] in for example Chrome working?
|
| [0]: https://chromium.googlesource.com/chromium/src/+/main/docs/i...
| TacticalCoder wrote:
| I'm not even a native English speaker and my native language does have accentuated characters so there's that...
|
| I don't like to have to set rules in browsers: I'll do it when mandatory but I prefer things that the browser won't change during its next update and, also, I use several browsers.
| eurticket wrote:
| Steven Black runs a hosts file on GitHub with regular updates.
| https://github.com/StevenBlack/hosts
|
| There are a bunch of file variants to weed out specific bad actors.
|
| It's well curated, though I will add a disclaimer that it has broken a few websites in the past for me. Maybe that's a good thing.
| halfjoking wrote:
| FBI must have infiltrated ad blocker servers containing malicious url lists.
|
| Never using an adblocker again.
| raydiatian wrote:
| Username checks out.
| shadowgovt wrote:
| Using an adblocker based on Manifest v3 would avoid this, as those blockers can't phone home to update their malware datasets. ;)
| cudgy wrote:
| Is this not also the case when using iOS content blockers?
| [deleted]
| westcort wrote:
| Any recommendations for a good ad blocker and other precautions to take?
| lemoncookiechip wrote:
| A combination of uBlock Origin + NoScript + Bypass Paywalls Clean + FastForward + ClearURLs as well as a pop-up blocker of your choice, will make your web browsing experience a bit cleaner. Not all of these might be available for Chromium, I personally use Firefox for my daily use, with some Chromium browsers as backup.
|
| NoScript will break pretty much 50% of the web. It'll take you about a day to whitelist all the sites you use daily and then it's smooth sailing.
|
| I would also highly recommend this privacy focused list. https://www.privacytools.io/
| markx2 wrote:
| https://nextdns.io and then UBlock Origin, uMatrix, Noscript at least.
| blakesterz wrote:
| I think I found NextDNS here on HN and I've been really happy with it.
| SparkyMcUnicorn wrote:
| NextDNS + Ublock Origin (or Brave Browser, since it uses the UBO lists by default) is a really good combo on its own, and easy enough for my self-proclaimed "tech illiterate" friends to set up and use.
|
| Also, it's pretty cool that NextDNS has this: https://github.com/nextdns/nextdns/wiki
| Scoundreller wrote:
| On iOS (but also for mac and tvOS), I took my pick of DNS-based systems here:
|
| https://encrypted-dns.party/
|
| https://gitlab.com/nitrohorse/ios14-encrypted-dns-mobileconf...
|
| No idea if I should really trust them, or if there's a better way to install profiles directly from CIRA or Mullvad like I use.
|
| Nice thing is that it's device-wide and all free (hopefully not for malicious intents).
| sys42590 wrote:
| I recommend uBlock Origin and the anti-malware DNS from Cloudflare
| haunter wrote:
| I use uBlock Origin on PC and Adguard Pro on iOS (with the uBlock Origin filters 1:1)
| bogwog wrote:
| I use adnauseam (https://adnauseam.io/), which is built on top of ublock origin, and it works pretty well.
|
| The generic nuclear option to hide terrible web design, bypass (some) paywalls, and improve performance 1000x is to disable javascript. ublock and adnauseam both have a button to disable all javascript on a page, which is handy when reading articles on sites filled with garbage.
| autoexec wrote:
| adnauseam is seriously a terrible idea. It's actually dangerous. The idea that you can somehow trick advertisers by polluting your dossier and making it useless to them after filling it with random data is fundamentally flawed.
|
| Every scrap of data collected about you will be used against you. It doesn't matter if it's accurate or not, nobody cares if the data they have about you is accurate, data brokers will happily sell your personal info to anyone even knowing full well that it's got inaccurate and conflicting info in it. Many won't even know because the process is entirely automated.
|
| By automatically clicking on ads and "expressing interest" in random things you're just filling your dossier with ammo which gets handed to others to fire at you.
| Every random thing you add to your permanent record is one more thing that can only hurt you.
|
| You cannot know what will prejudice someone against you. Maybe one day adnauseam decides to click on something that gets you flagged as having a certain political view, or having a certain sexual orientation, or being an alcoholic, or having a mental illness, or being at a certain income level, or belonging to a certain religion, etc. One day that exact data can cause you to get turned down for a job, or for housing. It can mean that a website charges you more than what your neighbor pays for the same product. It can mean your insurance rates go up next year.
|
| You will never be told when it happens or why. Your health insurance company isn't going to tell you that they raised your rates because you (adnauseam) clicked on too many fast food ads last quarter. You're just suddenly getting a higher bill. Your auto insurance company won't tell you that they raised your rates after you were clicking ads for DUI lawyers, but suddenly they and every other insurance provider you try are quoting you higher monthly prices.
|
| If your browser extension decides to go click on ads about abortions you could even end up being hauled into a Texas courtroom and having to defend against charges. Sure, you'd get them thrown out eventually. Probably. But it would still cost you a ton of time and money and stress. The information in your dossier can get you targeted, harassed, or attacked by extremists. It can be used against you in court rooms. It can get you investigated by three letter agencies. It can be used to impact your 'secret consumer score' or consumer trustworthiness rating.
|
| The information being collected about you is sold to companies, employers, activists, extremists, and law enforcement. That data never goes away.
| It follows you for the rest of your life and will be used against you in ways you'll never be aware of and cannot today imagine. Filling your dossier with huge amounts of content (random or not) is dangerous and only increases your risk for zero benefit.
| bogwog wrote:
| All I care about is hiding/obfuscating my personal information. I just don't like the idea of giving that away for free, even if it's actually harmless.
|
| I don't care if I get wrongly labeled/categorized due to this. It's not like my profile was an accurate representation of who I am before I turned on ad nauseam. If someone gets dragged into a court room for clicking ads, that would be funny, and I doubt they would have a hard time finding support from orgs like the EFF, gofundme, etc.
|
| One long term benefit of this is that if a lot of people use it, advertisers will start seeing diminishing returns on their investment in internet ads. This will lead to reduced spending and less ads overall.
| autoexec wrote:
| > All I care about is hiding/obfuscating my personal information.
|
| adnauseam does not do this. It only adds to your personal information. It doesn't hide anything.
|
| > I don't care if I get wrongly labeled/categorized due to this.
|
| Then you must not care when you suffer from the impacts of having been wrongly labeled/categorized. Nobody can make you care about yourself, your money, your safety, or your time if you won't.
|
| > It's not like my profile was an accurate representation of who I am before I turned on ad nauseam.
|
| Again, nobody cares about how accurate it is or not. It's about quantity, not quality. Accurate or not, that data will increasingly impact your life in very real ways. The more data they have, the worse it will be for you.
|
| > One long term benefit of this is that if a lot of people use it, advertisers will start seeing diminishing returns on their investment in internet ads.
|
| This isn't actually true, because again, advertisers don't care. That's why the world is filled with ads that aren't laser focused on you as an individual. We have more and more ads on network TV, on billboards, on radio etc. None of them were stopped because they sometimes showed an ad to someone who doesn't care about it. Seriously, they don't care. You clicked, that's good enough for them. Sales aren't even always the goal. Being seen (or the appearance of being seen) is often all they need.
|
| You're seriously only hurting yourself.
| krackers wrote:
| > both have a button to disable all javascript on a page
|
| Be slightly careful, there's a known issue (limitation of Chrome really) where requests and javascript are not blocked in the first few seconds of launching a browser or an incognito window (you can test this yourself). And this is true even with "Suspend network activity until all filter lists are loaded" enabled, because I think it's some limitation on Chrome as to when exactly extensions get loaded.
|
| So if you do rely on javascript being disabled for safety, after a fresh launch or new incognito window, you should visit a safe webpage first before going to the risky one.
| kevin_thibedeau wrote:
| Just switch to a browser that respects user privacy. With NoScript you can fine tune which domains you'll accept scripts from when the zero-JS experience isn't usable.
| fl0ps wrote:
| I'm going to just read "limitation on Chrome" as "purposely defective by design" as there's sufficient incentive to delay disabling to let a few telemetric squeaks escape.
| _rs wrote:
| On Mac and iOS I use and recommend AdGuard which has native content blocker extensions and lets you use Easylist block lists (as well as their own).
|
| On Chrome/Firefox I use uBlock Origin which works well. I'm not sure if the community recommends something else at this point.
|
| I also use various other extensions like StopTheMadness to disable right click hijacking and other bad behavior and Banish on iOS to prevent certain banners from appearing.
| jjkmk wrote:
| uBlock Origin works for most browsers, and has been the industry standard for some time. You can even deploy it as part of group policy in an organization: https://deployhappiness.com/deploying-ublock-origin-for-chro...
| nathanaldensr wrote:
| uBlock Origin, Privacy Badger, Pi-hole, and a mobile browser like Firefox that allows for extensions for those times when one is not browsing on the same network that the Pi-hole runs on. One may also use a VPN on all devices that connect to a network with DNS-level ad-blocking.
| pmontra wrote:
| If you're on Android also use Blockada to block ads in apps. It's a local VPN server that filters out requests to ad servers. I think there are other apps like that but I never used anything else.
| dooglius wrote:
| It ultimately depends on what your threat model is, what are you trying to defend against? I use Qubes dispvms (whonix if possible) for personal browsing, but that's pretty far toward the extreme end of the scale.
| [deleted]
| ezfe wrote:
| I use Wipr on Safari for Mac & iPhone
| behnamoh wrote:
| I know most people trash on Brave, but honestly, if you disable its crypto features (which is just a click away), it's actually a decent browser that blocks almost all ads I see, even on iOS!
|
| For example, YouTube has no ads in iOS Brave. Since iOS doesn't allow real browsers and extensions, Brave has been a sanity-saver for me.
|
| Pair that with uBlock on desktop and you're golden. 98% of the sites don't break at all either.
| frizlab wrote:
| Safari on iOS does allow extensions. It also is a "real" browser, whatever that means. iOS does not, however, allow _alternate rendering engines_, which is different.
| kadoban wrote:
| It allows one real browser.
| The rest might as well just be reskins for how little it matters.
| behnamoh wrote:
| I find Safari extensions inferior to Chrome/Firefox extensions. Who thought it's a good idea to show extensions as apps on the springboard/launchpad??
|
| I now have 68 extensions on my Brave (desktop). Imagine seeing 68 additional icons on my macOS launchpad!
| Zurrrrr wrote:
| Acting like you don't know what a real browser means in this context just so you can be mock offended.
|
| Oh you Apple users.
| SparkyMcUnicorn wrote:
| It's also way easier to just tell my mom (for example) to use Brave, rather than explaining extensions, why "uBlock Origin" vs "uBlock", etc.
|
| Single app, all devices, works great out of the box.
| Zetice wrote:
| On MacOS I like Little Snitch for OS level stuff, with some rule groups like ads_stevenblack and malwares_prigent.
| anonymousiam wrote:
| Pi-hole (https://pi-hole.net/) is a great ad blocker that requires no changes to your clients.
| mouse_ wrote:
| I feel like, for those asking for cursory information about setting up an ad blocker, ublock origin should be recommended, and not pi-hole. Ublock Origin is a one click solution that works great for everyone, while pi-hole requires setup and does quite a lot. For instance, when I was using pi-hole, Windows Update and Epic Games Launcher simply stopped working for me. I'm not sure what was going on, it could have been something wrong on my end, but nonetheless, I'd hate having to help a user with issues like this after recommending pi-hole when all they wanted in the first place was a simple ad blocker. In my opinion, pi-hole is great, but it should only be brought up in cases where the user has already communicated they want something more than UBO.
| anonymousiam wrote:
| I respect your feelings, but Ublock Origin is not available on my Android phone or on my iPad. It's also not available for all browsers.
| It may not work for you, but for me Pi-hole is a wonderful solution for my whole family, and they don't ever need me to touch their devices in order for it to work for them.
| Zizizizz wrote:
| It's on Firefox
| adgjlsfhk1 wrote:
| it works on android (as long as you use firefox)
| cld8483 wrote:
| That's fine if you have no other option, but it is inferior to uBlock Origin since it can't do any cosmetic filtering. Better to use pi-hole on your network for clients that have no other choice, but to then also use uBlock Origin on any client you can.
| jmclnx wrote:
| I use noscript
|
| https://noscript.net/
|
| But I sort of think this may be more of an issue with Cell Phones.
| Workaccount2 wrote:
| No script is excellent, but it is certainly not for the faint of heart. It basically breaks the (modern) internet and then you have to go in yourself and unfuck each website.
|
| The upside though is big, stops all the insane bloat that runs on most pages. Many websites run fine with all their scripts blocked too.
| radium3d wrote:
| hehe makes sense to send all the pages you visit to the FBI/NSA, etc. If they have multiple sources (DNS and AdBlockers, VPNs, etc.) they can verify the data on one or the other.
| drusepth wrote:
| Does anyone have any adblockers they recommend that still show "safe" ads (e.g. non-malware) by default, without having to whitelist every site? I'd be open to the security benefits of an adblocker if I could still passively support all the sites I visit.
|
| Edit: changed "good" to "safe" for clarity
| cld8483 wrote:
| The only "good" ads are those you have to specifically go out of your way to view because you want to view them; such as product catalogues.
|
| All other ads are physiological assault and should be made illegal. Particularly those ads which exist "IRL" and can't otherwise be blocked, such as billboards.
| cinntaile wrote:
| The problem is you can't tell the difference.
| autoexec wrote:
| Pretty late to the game there, FBI. There are examples going back decades of drive by downloads and exploits from ads on popular websites. It's not enough to avoid shady websites. Any website filled with ads is already a shady website.
| madars wrote:
| Or, in other words, FBI now recommends using Android :-) It's baffling how much better the uBlock Origin + Firefox experience on Android is compared to any iOS ad blocker I have tried. They kind-of work but let half of the ads through.
| hailwren wrote:
| Yeah, android trades browser ads for system wide tracking. I'm not really sure that's a good deal.
| poglet wrote:
| Not comparable but NextDNS has been working well for me on iOS.
| comprev wrote:
| NextDNS works for 95% of the web I visit. AdGuard iOS plugin works on Facebook's mobile web app for when I rarely use it.
| dcdc123 wrote:
| Brave browser on iOS has good blocking, but the browser experience itself is a bit of a mixed bag.
| kmlx wrote:
| i've used this one for years:
|
| https://apps.apple.com/gb/app/wipr/id1030595027
|
| no issues, works great.
| mlindner wrote:
| Do all the people who use computers to browse the internet (the majority of people on the internet) suddenly no longer exist?
| contravariant wrote:
| I'm wondering if those still are the majority, worldwide. Smart-phones have done a lot to democratize computing power (now if only they weren't used to put >90% of their users in corporate controlled walled gardens...)
| jstx1 wrote:
| I bet they're still the majority - the people who only use their phone do it through apps, not through their mobile browser.
| LinuxBender wrote:
| I'm still here. I've used a browser on my phone exactly once to register my phone. With exception to that one time I only use Firefox on Linux on an old PC.
| ajsnigrutin wrote:
| Those who used them 10 years ago still use them... but billions who didn't use them then, use smartphones now.
| VFIT7CTO77TOC wrote:
| It is infuriating that Google seems to be doing nothing about scam ads. For years I have been seeing "Click to install iPhone update!!!" ads on YouTube mobile. Easy to have huge profit margins when your company hires no humans to do things like customer support and ad vetting.
| wlesieutre wrote:
| There's been a series of malware distribution ads pretending to be blender.org popping up at the top of Google results on and off for months.
|
| 1 month ago: https://www.reddit.com/r/blender/comments/109yjxm/dont_click...
|
| 2 months ago: https://www.reddit.com/r/blender/comments/zewem3/beware_of_p...
|
| 4 months ago: https://www.reddit.com/r/blender/comments/xxkx5s/warning_som...
|
| 7 months ago: https://www.reddit.com/r/blender/comments/vuqu1r/hey_so_what...
|
| Pretty sad state of affairs that Google can't or won't stop this, especially since they gradually redesigned the ad spots to look practically identical to the search results. Be very careful clicking anything on Google's search results.
| junon wrote:
| I still get ads for Slovenian brides on YouTube. Not only is it incredibly gross and objective to me, Google clearly knows nothing about my demographic.
| prox wrote:
| I still see extreme right wing propaganda on a pristine profile on YouTube's flipping homepage. I would love to use expletives on the YT management right now, but I refrain.
| UberFly wrote:
| Yea, I think we can all conclude they just don't care if it affects their bottom line. So short-sighted. About a month ago people in the AMD subreddit were complaining about compromised drivers and software appearing as the #1 search results due to these kind of ads.
| [deleted]
| tomohawk wrote:
| They don't like the competition.
| TheSpiceIsLife wrote:
| Which we should probably take to mean at least some of the popular ad blockers are compromised to some degree in law enforcement's favour.
|
| Just because I'm paranoid doesn't mean they're not out to get me ;)
| cheapliquor wrote:
| FBI said I can have a little uBlock Origin
|
| As a treat
| annoyingnoob wrote:
| I think browser Notifications help drive these attacks. How many web sites do you visit that offer a pop-up that says the site would like to send you Notifications? You click Allow and suddenly start seeing ads pop up in your Notification area, not a site notification but an Ad.
|
| I had a user show me one of these Notification ads just this week, telling her that McAfee found a virus and click the Ad to remove the virus. We do not even use McAfee, it was a straight up attack ad. Thanks Chrome!
| elecush wrote:
| FBI's chief export: software suggestions
| lakomen wrote:
| Well too bad Google won't let you on the phone, Firefox at least allows you to install ublock.
| Zizizizz wrote:
| Brave, Firefox, Bromite all do, or you can use nextdns or adguard as a private DNS in your network settings. I think the last option is a little wireguard set up to route traffic to a server or small pc that has unbound and pinhole on it
| staringback wrote:
| DNS adblocking isn't even remotely comparable to ublock origin
| wooptoo wrote:
| Can you please elaborate on this? thanks
| rmason wrote:
| Is it time for an open source adblocker that only blocks bad actors?
|
| I am perfectly fine with ads, I've previously run sites where it was a small source of income myself. I know it would be in a cat and mouse game with the bad guys but if it blocked most of them it would certainly help a lot of people.
| WirelessGigabit wrote:
| Let's build that company that serves ads and blocks bad actors. We can then offer the blocklist to other blockers.
|
| Problems:
| * vetting ads costs a lot of time (= money).
| So you're getting less money per impression
| * requires a massive amount of infrastructure if you want to ensure that the ad doesn't change in between you vetting it and you serving it to your clients (= money).
|
| Meaning the consumers of our company will get less money per ad they show to their visitors.
|
| So they'll go to one that offers more. Simple as that.
|
| In order to fix the bad actors we need to start making the websites serving the ads (like Reddit) and/or the networks (DoubleClick) responsible for what they offer up.
|
| As long as that doesn't happen it'll remain a cesspool.
| Animats wrote:
| Make ad brokers share responsibility for losses due to scam ads. If the ad broker is unable to clearly identify the advertiser for lawsuit purposes, the ad broker should face consequences. They're assisting the criminal by helping them hide.
| NetOpWibby wrote:
| I like this
| kerkeslager wrote:
| At this point it's irresponsible for browsers not to come with ad blocking preinstalled.
| tech234a wrote:
| Official announcement, December 2022: https://www.ic3.gov/Media/Y2022/PSA221221
___________________________________________________________________
(page generated 2023-02-23 23:00 UTC)
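Added example, not written by anyone in the thread above and not code from unbound, Pi-hole or the StevenBlack list: a small Python filter over a raw DNS query packet (the UDP payload TacticalCoder's firewall rule looks at) that shows two of the mechanisms the thread discusses side by side. First, the "drop anything containing xn--" IDN rule, done by parsing the question name and flagging punycode labels rather than grepping the bytes, which also catches the uppercase spelling "XN--" that DNS treats as the same name but a byte match does not. Second, domain blacklisting with the wildcard semantics of a resolver zone (unbound's local-zone), compared with the exact-match semantics of a hosts-file entry. The packet builder, the hosts-style entries and the zone name are all constructed for the example. It says nothing about DoH traffic, which, as giobox notes, such a rule never sees.

```python
"""
Added example for the HN thread above. Not code from any commenter or from
unbound, Pi-hole or StevenBlack/hosts. Everything below (packet, hosts
entries, zone list) is constructed for illustration.
"""
import struct

# Constructed hosts-file style entries in the StevenBlack "0.0.0.0 name" format.
HOSTS_TEXT = """
# comment line, ignored
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
127.0.0.1 localhost
"""
# Constructed zone-style blocklist (hypothetical name). A zone covers itself and
# every subdomain, which is what an unbound 'local-zone: ... always_nxdomain'
# gives you and what a hosts-file line cannot express.
BLOCKED_ZONES = {"doubleclick.test"}


def parse_hosts(text):
    """Exact hostnames from hosts-file text; loopback names are left out."""
    names = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            if name.lower() not in ("localhost", "localhost.localdomain", "broadcasthost"):
                names.add(name.lower())
    return names


BLOCKED_EXACT = parse_hosts(HOSTS_TEXT)


def build_query(name, qid=0x1234):
    """Minimal DNS A/IN query in wire format: 12-byte header plus one question."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet):
    """Labels of the first question. Compression pointers are not valid here."""
    labels, pos = [], 12
    while True:
        length = packet[pos]
        if length == 0:
            return labels
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length


def naive_grep(packet):
    """TacticalCoder's rule as stated: search the UDP payload for the bytes 'xn--'."""
    return b"xn--" in packet


def idn_labels(labels):
    """Punycode (A-label) labels, matched case-insensitively: 'XN--' is still IDN."""
    return [label for label in labels if label.lower().startswith("xn--")]


def to_unicode(label):
    """What a punycode label renders as; for a homograph this is the lookalike."""
    return label.lower().encode("ascii").decode("idna")


def to_alabel(unicode_label):
    """Unicode label to its punycode A-label, e.g. Cyrillic 'а' + 'pple'."""
    return unicode_label.encode("idna").decode("ascii")


def is_blocked(labels, exact=None, zones=None):
    """Exact (hosts-file) match first, then zone match covering subdomains."""
    exact = BLOCKED_EXACT if exact is None else exact
    zones = BLOCKED_ZONES if zones is None else zones
    name = ".".join(labels).lower()
    if name in exact:
        return True
    return any(name == z or name.endswith("." + z) for z in zones)


def classify(packet):
    """Verdict for one query: 'drop:idn', 'drop:blocklist' or 'allow'."""
    labels = parse_qname(packet)
    if idn_labels(labels):
        return "drop:idn"
    if is_blocked(labels):
        return "drop:blocklist"
    return "allow"


def unbound_local_zones(zones):
    """unbound config lines that give these zones wildcard NXDOMAIN blocking."""
    return ['local-zone: "%s." always_nxdomain' % z for z in sorted(zones)]


if __name__ == "__main__":
    # Cyrillic small a (U+0430) in place of Latin a: renders like apple.com.
    spoof = to_alabel("\u0430pple") + ".com"
    for name in (spoof, spoof.upper(), "ads.example.com", "cdn.ads.example.com",
                 "static.doubleclick.test", "news.ycombinator.com"):
        pkt = build_query(name)
        print("%-28s grep=%-5s verdict=%s" % (name, naive_grep(pkt), classify(pkt)))
    print("\n".join(unbound_local_zones(BLOCKED_ZONES)))
```

Running it shows the two caveats a practitioner would want: the uppercase query for the same spoofed name slips past the byte grep but not the label parser, and cdn.ads.example.com is allowed by the hosts-style list even though ads.example.com is blocked, while anything under the zone entry is refused. The unbound_local_zones output is the one-line-per-zone form that gives the wildcard behaviour TacticalCoder describes; a resolver that enforces it still only helps for queries that actually reach it over port 53.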