The latest malvertising incident and why you should care

Today’s news from Net-Security.org is that newly discovered malware was found on Google’s ad network and its purpose is to hijack your router’s DNS settings causing all devices behind your firewall to use poisoned DNS resolvers. That means even if *you* run NoScript, AdBlockPlus, HTTPS Everywhere, Ghostery, anti virus and avoid sketchy sites, a visitor on your guest network or even some anonymous neighbor leaching off your wireless signal can compromise your router.

Awesome.

Article: Attackers change home routers’ DNS settings via malicious code injected in ads

If all my ads were not so personalized and relevant, I’d be upset about this. But it’s SO worth it, right?

The funny thing is that the attackers have FAR more privileged access to your device and your data than do the malvertisers and yet so far they just want to take over your device and empty your bank account. If the attackers ever decide to go after your *data* they’ll not only find out your daughter is pregnant before you do, they’ll make her pay $100 to not tell you about it. Then you get an email asking what your conservative employer might think of your risque purchase history. They clean out your bank account and ruin you, it’s a 1-time profit. But if they blackmail you with your data they get a long-term income stream. They get a pension fund. Forget about calf-cow relationships. Start thinking ant-aphid.

But we’re good because there are lines – somewhere – that even creepy, invasive, malvertising adtech won’t cross and that will stop the spread of cybercrime over advertising infrastructure. Right? We’re good because the adtech industry is hard at work distancing themselves from organized crime and building security, accountability and user choice into the advertising system.

“Wake up T.Rob, you’re daydreaming again!”

Oh, right. I live in Bizarro World where adtech doesn’t acknowledge any responsibility for building the rails malware rides in on. They would side with us in our battle against against organized cybercrime, except they are too busy making advertising even more invasive: Targeted Online Marketing Got Creepier Again!

Note the exclamation point at the end.  Almost seems like the author is excited about this in a good way.  In fact, that’s the case.

So if you think of it – yes, it is very creepy. It goes to the extent that marketers will start knowing more about you than you do yourself.

But on the other hand we think it’s a great step forward. First of all it means that marketers are interested in finding out what we want to be offered. They are actually listening to us. Secondly this also means more targeted communications. Instead of being bombarded with advertisements you have zero interest in, you may find that eventually you start enjoy advertising as it fits seamlessly into what you are looking for.

But the Adtech folks aren’t stopping with impressively better tech, they are hitting new efficiency levels as well, as noted in Obama-Grade Ad Tech Coming to a Local Campaign Near You. “It’s been a challenge for even mid-range campaigns to be able to afford these online advertising capabilities. Today, it doesn’t matter if you’re running for city council or congress, because now you can reach voters in one of the most effective ways possible regardless of your campaign budget.”

Or if you go to Ad:Tech NYC next week, you can learn about the new frontier of tracking consumers offline in  Behavioral Breadcrumbs: New Tools to Read Digital Signals:

Most traditional digital tracking and measurement only works as long as a consumer sits in front of a browser. What happens when they disconnect? A new breed of technologies helps extend scalable insight into consumer behaviors beyond the screen. From RFID to Wifi to optical tracking, this panel will discuss methods that identify consumer behaviors, help test and ultimately measure.

Key Takeaways:

  1. Market to consumers using signals they’re pushing.
  2. Track behaviors using consumer signals.
  3. Create a type of interactivity and measurability in your campaigns.

I’m sorry, but I’m not PUSHING signal to your RFID reader, WiFi access point, or optical recognition tracker.

If you want to know what consumers pushing signals looks like, go talk to the folks at Customer Commons, whose QR-coded badges broadcast the intention to not be tracked in exactly these ways.  Does your optical tracker honor these signals?  I’m guessing not.

If you want to know what consumers pushing signals looks like, talk to the Respect Network who are building a platform specifically to exchange user-generated signal with marketers and businesses.

If you want to know what consumers pushing signals looks like, talk to me or my colleagues at Qredo who are building out the world’s first and best fully-encrypted, end-to-end communications and Personal Cloud platform that is mutually authenticated at the endpoints and yet the data and metadata are completely anonymous in the cloud servers.  We’re all about quality signal.

Most of all, if you want to know what consumers pushing signals looks like, read The Intention Economy.  Here’s a hint: when we customers push signals, it’s intentional, deliberate, and we like you for receiving them. If you have to hunt for the signal, if we don’t like that you received it, if stealth is involved, if it feels at all creepy to any of the participants, it probably isn’t being pushed.

I’m not going to reach anyone who honestly believes that signals received over passive RFID scans, Wifi hotspot scanning, and optical recognition tracking are being “pushed” by consumers.  However, there must be some marketing and advertising people who realize how incredibly wrong that characterization is and why.  To those people I plead: please side with the consumers against organized cybercrime.  Quit acting as the R&D arm of cybercrime who watch you lay the tracks, then ride them direct to your audience, poisoning the well for all involved.

We are on the verge of computerizing the consumer side of commerce.  When we computerized the supply side 30 or so years ago, it transformed the world.  But the consumer side is much larger and the transformation potentially that much richer.  Consumers want to build systems that send you signal.  Stop trying to sneak in and steal it and just partner with us.  Once we have some trust and accountability between us, organized cybercrime will have to do their own R&D.  And if you are wondering how to make those connections you’re in luck.  The next Internet Identity Workshop is next week.  The place is practically littered with common ground for us to meet on.

Marketers and advertisers, now you get to choose who you want to work with and for.  The customers, entrepreneurs, and identity geeks in the VRM community at IIW?  Or organized cybercrime?  Choose wisely because you’re running out of Mulligans on these compromised ad networks.

Names matter more than you might think

Patrick McKenzie’s blog post Falsehoods Programmers Believe About Names raises some interesting questions about online identity.  He writes: “So, as a public service, I’m going to list assumptions your systems probably make about names.  All of these assumptions are wrong.  Try to make less of them next time you write a system which touches names.”

He then provides a 40-point list of ways in which computer systems break human names acknowledges it is an incomplete list, and asks readers to provide additional examples.  The most egregious item on his list, [Read more…]