[HN Gopher] A dark adtech empire fed by fake CAPTCHAs
___________________________________________________________________
A dark adtech empire fed by fake CAPTCHAs
Author : todsacerdoti
Score : 219 points
Date : 2025-06-12 22:15 UTC (1 days ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| preinheimer wrote:
| I think the "prove you're human by hitting the button" attack is
| pretty clever.
|
| With the range of different ways captchas are presented today I
| can see it getting a good % of folks.
| a2128 wrote:
| It's our own fault for making the internet such a confusing
| Kafkaesque maze. Click this button, click that button, sign in
| to confirm you're not a bot, select the traffic signs, select
| the items that a rat would not eat, solve this maze to prove
| you're a human, type out the numbers hidden in these demonic
| noises, provide your phone number to prove you're real, compute
| proof-of-work, download this browser if you're having issues...
| The line between fraudster and modern tech company is honestly
| not clear anymore and especially not for people who don't care
| much about tech and just want to access something
| pixl97 wrote:
| Evolution is messy and guided by random occurrences.
|
| Early in the internet days I had ran an open SMTP server for
| a few years before it was used as a spam relay. The web
| browser didn't have a security model. Online shopping was
| going up to a site, writing what you wanted on paper, then
| mailing off a money order.
|
| Then both fraud and useful things like actual online shopping
| started happening while the size of the web exploded. Masses
| of people with no technical capability were getting online.
| And that's before we got to the age of social media and
| massive data collection.
|
| Simply put we didn't make the 'web' part of the internet,
| some people tossed it out as a child and it's been a tooth
| and nail fight for survival ever since, patching itself up
| one vuln at a time.
| permo-w wrote:
| never mind the fact that half these captchas are just
| excuses for orgs to sneakily extract some reinforcement
| learning data from you. last time I tried to sign into my
| microsoft account it made me do 6 captchas. SIX. not six
| like I failed 1 captcha six times, six like each captcha
| was iteratively marked i/6
| Mtinie wrote:
| ...but don't click _this_ button.
| miki123211 wrote:
| It's not just the captchas either, the "this GPS app needs
| access to your location" or "this photo taking app wants
| access to your camera" style pop-ups don't help either.
|
| If you learn once that clicking "deny" in a notification pop-
| up means your phone doesn't ring when your grandson calls you
| on Whats App, you won't be clicking "Deny" in those pop ups
| any more.
|
| I genuinely don't know how to solve that problem, and I
| definitely see non-technical family members struggle with it.
| Sophira wrote:
| The silly thing is, it was known before all these
| permission pop-ups were created that users will simply
| press "Yes", "OK", "Allow", "Agree", etc., on every
| dialogue they see simply in order to get rid of it. Many
| people -maybe even most people? - just see them as
| needlessly getting in the way of where they actually want
| to be.
|
| So, given that we knew that, why the hell did we create
| more?
| const_cast wrote:
| Because there's no good alternatives IMO.
|
| Auto-deny leads to a lot of unexpected and broken
| behavior, and most users aren't going to know where to go
| to enable that type of stuff.
|
| But auto-enable is even worse: because malicious actors
| can get permissions they shouldn't. In fact, even with
| mainstream applications, most of the permissions they ask
| for they don't need to operate - they're just used for
| tracking and data exfiltration.
|
| So ask every time has been the solution and it works
| okay. iOS actually does a good job with this. For
| suspicious permissions, such as accurate location data
| all the time, it periodically re-prompts. It's annoying,
| but it can catch a lot of suspect behavior. There's
| shockingly little apps that need your exact location when
| the app isn't open.
| LegionMammal978 wrote:
| > According to Qurium, TacoLoco is a traffic monetization network
| that uses deceptive tactics to trick Internet users into enabling
| "push notifications," a cross-platform browser standard that
| allows websites to show pop-up messages which appear outside of
| the browser.
|
| An elderly relative of mine was hit by this a couple years back:
| his computer's desktop was constantly being spammed with messages
| on startup, and there was no simple way to turn them all off. It
| turned out that they were all notifications from web workers that
| he'd inadvertently allowed at some point prior. (I set his
| browser to auto-deny notifications so it wouldn't happen again.)
| creeble wrote:
| Elderly neighbor for me. Quite insipid; it took me a few
| minutes to realize that they were browser-based when I first
| got to the computer.
| KevinGlass wrote:
| I honestly think desktop notifications in their current form
| are one of the worst features of the modern web. Sure it's nice
| to get an email alert but on my experience there's probably a
| thousand confused old people getting spammed for each person
| that intentionally enabled it.
|
| What's worse is they look like native OS alerts (on Windows) so
| when one says "SECURYIRT ALERT!! CALL NOW" it's that much more
| effective at getting people on the phone with scammers.
| cortesoft wrote:
| So many sites ask for permission to send notifications that
| have zero reason to do so. Why would I want push
| notifications from a shopping or news site?
| tim-- wrote:
| Honestly, push notifications from a news site arguably is
| one of the few sites that I see having a reason to send
| push notifications.
|
| Communication platforms; messaging apps (Slack, Discord
| etc); email sites (gmail and co.) also make sense.
| Financial platforms (banks, Stripe etc)
|
| Once you start getting out of these two categories, then
| yeah, it gets silly. No way should an airline website even
| be allowed to ask to send push notifications.
|
| Google does have a way for Chrome users to not show the
| notification window (https://yespo.io/blog/google-chrome-
| will-now-block-abusive-b...) by default
| (https://support.google.com/webtools/answer/9799829?hl=en)
| but I really wish that this was flipped, so that Google
| would first need to approve sites to use notifications,
| similar to the Public Suffix List.
| vanviegen wrote:
| > No way should an airline website even be allowed to ask
| to send push notifications.
|
| Your flight is delayed/now boarding/etc?
| dmonitor wrote:
| I'm rarely at a computer in the airport without my phone
| graemep wrote:
| I would prefer to know about a delayed flight before I
| get to the airport.
|
| Your phone needs a web browser or an app. An app for
| every airline you ever use? You already have a web
| browser.
|
| They could SMS but its more expensive to send, often even
| more so for customers on roaming to receive.
|
| Nothing else is universal.
|
| I think there are much better possible solutions. An open
| notification standard or reasonable pricing of bulk
| sending SMS would do it.
| codingminds wrote:
| We still have eMail in place. If they don't want to spend
| money on an SMS they can send an eMail.
|
| If browser notification permissions would have a TTL, I'd
| might considering it. But until this happens I won't
| allow anyone to send me browser notifications. And even
| then I'd be very picky.
| mr_mitm wrote:
| Emails have essentially become notifications anyway. All
| my emails are things like "your booking has been
| confirmed", "your package has been shipped", "your
| invoice is ready for download", "a login from a new
| device happened", "your flight is delayed", etc.
| PaulHoule wrote:
| Emails have a mature ecosystem. We've been getting spam
| and scam emails since 1994, we have tools for dealing
| with it.
| notpushkin wrote:
| > An app for every airline you ever use? You already have
| a web browser.
|
| And yet I'm sure airlines will push you towards the app
| every time!
| zeta0134 wrote:
| What do you mean nothing else is universal? I can't book
| a flight without a phone number and an email address, and
| they usually send emails. My phone is set to do
| notifications when I get one of those. Why is this
| solution bad? Any network situation that causes both SMS
| and email to fail certainly isn't going to magically
| deliver a push notification from a browser.
| Sophira wrote:
| > I would prefer to know about a delayed flight before I
| get to the airport.
|
| Generally, the recommendation is that you get to the
| airport at least two hours before your flight departs.
| Ideally, you shouldn't be rushing to try to get your
| plane.
|
| Granted, the world has changed since that was first a
| recommendation, but even in today's connected world, it's
| still a good idea to get there two hours before
| departure, in my experience.
| graemep wrote:
| > Generally, the recommendation is that you get to the
| airport at least two hours before your flight departs.
|
| A lot of delays are known much earlier than that. For
| example if a flight gets seriously delayed taking off and
| the plane is going to turn round and return, then the
| return flight will be delayed.
|
| In any case, once at the airport delays will be announced
| and shown on screens. Once you get there you do not need
| phone notifications.
| account42 wrote:
| Do you really need a reminder that the flight is
| boarding?
| devilbunny wrote:
| You do if your goal is to chill out in the lounge until
| that point.
| evilduck wrote:
| The native apps for my phone aren't really reliable
| enough at letting me know about delays or gate changes, I
| don't expect a web push notification to be any better at
| something that's already untrustworthy, especially on a
| system that lacks a cellular modem to stay online all the
| time. Even if they did work perfectly and could be
| trusted to serve that purpose, no company would only send
| status updates about your flight in the long term,
| they're unable to restrain themselves and will view it as
| an advertising avenue just like they do with phone apps.
| vanviegen wrote:
| My guess is it would be just as (un)reliable as an app.
|
| Many airlines now more or less force you to install their
| bespoke apps, which could have just as well been
| websites, just to board their planes. I'm less than happy
| to install them.
| Propelloni wrote:
| See, that's just the point. You see a need for that. I'd
| never enable push notifications from a news site, I don't
| need to know NOW that some pupil shot 17 teachers and
| pupils in the elementary school around the corner. There
| is nothing I could do anyway. I'm extremely unlikely to
| enable notifications from async messaging because, you
| know, they are async. If it's urgent, come over to my
| desk or use your phone to call me.
|
| Financial data or travel info is something I'm actively
| watching, when I travel, just like car traffic.
| Otherwise, why would I need to know? That's a good
| question to ask anyway anytime you come across an inbox.
| I have been in management really long now and designing
| your information flow strategically is crucial to being
| effective.
| miki123211 wrote:
| If I trusted airlines to only send me notifications about
| gate changes, failed payments, delayed flights, maaaybe
| low prices on route-date combinations I previously
| expressed interest in, I'd give them notification
| permissions. I definitely don't trust them to do that,
| though.
| CamperBob2 wrote:
| See also: Uber and Uber Eats.
|
| It seems that companies like this can't _help_ but abuse
| the permissions I grant them, so the result is that they
| don 't get any permissions at all.
| ryukoposting wrote:
| I wonder how many people's browsers get push notifications
| from Temu, or Amazon.
| jeroenhd wrote:
| Same reason you subscribe to their newsletters. To get
| discounts.
|
| I don't understand why people would want that, but neither
| do I understand the people who actually enter their email
| address in those "subscribe to my newsletter" popovers.
| codedokode wrote:
| Instead of desktop notifications web apps should use pinned
| tabs and show a badge in the tab header.
| layer8 wrote:
| That's more a browser implementation issue though. Browser
| could offer that as a choice for how to handle
| notifications, on a per-website basis.
| zamadatix wrote:
| I feel like the web would be a better place if "allow
| notifications" popups were only allowed for PWAs the user
| already installed. I.e. they have to manually interact with
| the page and then click the prompt acknowledging they want to
| install the site as an application on their computer before
| the site can start popping up windows from the browser asking
| for notification permissions.
|
| It's not that there are 0 use cases where it could possibly
| be convenient to get notifications from a plain site but,
| like you said with the email example, 95% of the legitimate
| use cases are probably better modeled as an app anyways.
| PaulHoule wrote:
| What's "progressive" about installing software?
|
| It's always saddened me that people failed to understand
| the web platform, and never more so than today when that
| platform could be on the verge of extinction.
|
| Young people don't remember this: in the 1990s if a big
| corporation wanted to make a 1-line change to an
| application deployed to a fleet of desktops they'd have to
| _update every single machine_ and to do so they 'd probably
| have to hire at least 1 FTE and probably more for installer
| engineering and other makework.
|
| With the web it is often git pull
|
| on the server and _you 're done!_
|
| As it is I can find web sites with search, links from other
| sites, bookmarks and history. If you "install" applications
| you just clutter up your desktop with 300 icons for
| applications you don't really use which makes it hard to
| find the 2-3 that you really use.
| _Algernon_ wrote:
| One of the first settings I change in any new browser is to
| forbid notification requests from all pages, and disable
| dom.beforeUnload (stops websites being able to prompt to
| confirm if I want to close the tab). Those functionalities are
| probably the most abused browser functionalities and definitely
| shouldn't be enabled by default (or if so only for a whitelist
| of sites).
| privatelypublic wrote:
| How do you do this? I'm looking to do it for the clipboard
| API. Browsers should be able to block copy and paste.
| AugustoCAS wrote:
| A quick google shows this for FF (taken from a thread in
| StackOverflow):
|
| > In Firefox you can completely disable beforeunload events
| by setting dom.disable_beforeunload to true in
| about:config. Extensions may be needed for other browsers.
|
| A word of caution: I'm not 100% sure, but I wonder if some
| web collaboration tools might use this to ensure data has
| been synced with a server.
| LadyCailin wrote:
| It surely has a lot of legitimate uses, even if it is
| primarily abused. I've used it before to do various
| cleanup tasks, to have a more timely "user disconnected"
| event, rather than waiting on some timeout to occur
| server side.
|
| Having said that, it should never be the end of the world
| to disable, sites should never have data loss due to this
| event missing, because if so, they already have a data
| loss problem when for instance the power goes out.
| dizhn wrote:
| I am not sure if this is implemented using this
| functionality but when I am on a console session on
| proxmox and hit ctrl+w due to muscle memory, it's nice to
| have a warning telling me the tab will be closed. Same
| with all kinds of remote access tools. One legit use case
| I can think of.
| _Algernon_ wrote:
| In firefox: about:config -> dom.disable_beforeunload=true
|
| For copy-paste: dom.event.clipboardevents.enabled=false I
| would guess.
| mapt wrote:
| The entire idea of push notifications on browsers was obviously
| toxic from the start, especially the privileged status "Do you
| want to enable notifications?" popups had.
|
| I think the idea comes from the 2010's hype about Phone-Ifying
| The Desktop. Someone clearly thought they were recreating the
| Google Reader / RSS ecosystem (Mozilla had RSS in the browser
| in a flop)... but everyone else was just enthusiastic about
| dark patterns that were viable in mobile apps that didn't exist
| in a desktop browser.
| hsbauauvhabzb wrote:
| IMO random websites prompting to access your location data is
| far more problematic
| riddlemethat wrote:
| DocuSign tracks your location when you sign a document
| unless you disable it in the browser. Learned that a few
| years ago.
| mtillman wrote:
| The biggest problem there is that several browsers don't
| want to remember your response of "No" for more than one
| day. They want you to be constantly tracked. I'd like to be
| able to tell all browsers, never track my location or send
| me a notification from any website but that's not what they
| want. Orion by Kagi is a breath of fresh air in this
| department.
| johnmaguire wrote:
| I think notifications came about as part of Progressive Web
| Apps (PWA).
| jeroenhd wrote:
| I use this feature all the time and I love it. Not having to
| install dozens of apps just to see the occasional
| notification is a dream come true.
|
| The way it's trivial for browsers to fake OS notifications on
| some platforms is a clear design flaw, though. I get the need
| for it (PWAs and such) but unless the website sending a
| notification is a PWA, there's no need for a notification to
| be that ambiguous.
|
| The current system, where Chrome (the only browser that
| matters) collects information about websites and only shows
| the permission popup on some websites has mostly killed
| useful notification support for a lot of websites.
| ninkendo wrote:
| I can think of exactly two use cases for web browser push
| notifications:
|
| - Web-based email
|
| - Web-based chat
|
| That's it. Every other use case seems to be solving a
| "them" problem (how do we increase engagement?) and not a
| "me" problem.
|
| _Even if_ I wanted to hear about updates from a website
| (and I never do), I could sign up for emails. And If I
| don't trust a website with my email, I certainly don't
| trust them with sending me push notifications.
|
| In fact, let me take chat apps off that list, because if I
| don't have the webapp open in a browser window, the chat
| app should have the option to just email me about someone
| trying to message me (and ideally, letting the other party
| know I'm unavailable and letting them choose whether to
| send me the email.) So no, really just email and that's it.
|
| I'm super curious what your use cases are if you use web-
| based push notifications "all the time".
| charcircuit wrote:
| Youtube uses it well. You can get notifications when
| people upload videos or to recommend you suggested videos
| you may like. Sure engagement increases, but that is
| because I'm watching videos that I find entertaining.
| It's a win win for YouTube and the users.
| ninkendo wrote:
| I can see that being useful if it's important to you to
| start watching someone's videos within minutes of them
| posting it, but I've never understood why that's
| desirable for anyone.
|
| To me, I watch YouTube when I have some time to do so and
| make the active decision to open the app... _then_ let me
| know about which of my subscriptions have recent videos.
| I just can't imagine being in the middle of something
| else and dropping everything because someone posted a
| video. But different people are different I guess.
| cyanydeez wrote:
| Its a progressive webapp feature and would be a necessary
| tool tobescape Apple and Google stores and hardwarw lockin.
| Like all tech, hindsight is 20/20 with malicious actors.
| QuantumGood wrote:
| I have run into this. My notes: Google Chrome (Desktop &
| Android)
|
| chrome://settings/content/notifications Or Settings > Privacy
| and security > Site settings > Notifications Under "Default
| behavior," select: Don't allow sites to send notifications.
|
| ------------------
|
| Mozilla Firefox (Desktop)
|
| Settings > Privacy & Security Scroll to the "Permissions"
| section, find "Notifications," and click "Settings..."
|
| At the bottom, check: Block new requests asking to allow
| notifications.
|
| ------------------
|
| Microsoft Edge
|
| Settings > Cookies and site permissions > Notifications Set the
| default to block all notification requests.
|
| ------------------
|
| Safari (macOS)
|
| Safari > Settings (or Preferences) > Websites tab >
| Notifications Untick: Allow websites to ask for permission to
| send notifications
|
| ------------------
|
| Samsung Internet (Android)
|
| Settings > Notifications > Allow or block sites
| PaulHoule wrote:
| Advocacy for "progressive web apps" always fell flat to me.
| There are a few reasons, such as web workers being a Rube
| Goldberg machine when people just wanted the kind of facility
| to control caches and fetching that Netscape Netcaster had _in
| 1997_. It was predictable to me that the usage breakdown of
| push notification was going to be 50% spam
| 49% scams 1% other
|
| and now people are just catching up to the obvious.
| username223 wrote:
| > TacoLoco is a traffic monetization network that uses deceptive
| tactics to trick Internet users into enabling "push
| notifications,"
|
| Why is it even possible for hostile code (i.e. JavaScript) to
| send OS-level notifications? If clicking a link runs untrusted
| code with layers of legal insulation, that code should run in a
| very limited sandbox. It's crazy that we're turning the "Open
| Web" into an ever-expanding attack surface.
| hakfoo wrote:
| Because people turned browsers into an app platform and users
| wanted their webmail and chat services to have the same first-
| class features native clients had.
| username223 wrote:
| Who wanted their web browser to let hostile programs send
| notifications and access battery levels, unused fonts, etc.?
| Ad companies run the web standards bodies, so "people" (i.e.
| you and me) have to deal with this.
| Xevion wrote:
| In all fairness, some of these things you've mentioned
| could be useful. If your battery is low, reprioritize the
| webapp's functions, lower requests, disable anything not
| necessary in the moment.
|
| Notifications are just another convenient thing that me and
| you use every day.
|
| Perhaps these things should be disabled by default, or
| requested upon being needed, but that's not really your
| argument it would seem.
| account42 wrote:
| > In all fairness, some of these things you've mentioned
| could be useful. If your battery is low, reprioritize the
| webapp's functions, lower requests, disable anything not
| necessary in the moment.
|
| This kind of automated perfomance tuning is almost always
| more annoying than useful.
|
| > Notifications are just another convenient thing that me
| and you use every day.
|
| Who is "me and you"?
| username223 wrote:
| "Requested upon being needed" might work if it weren't
| possible for sites to get around it by probing and
| popping up their own "yes / ask me again later" dialogs.
| Have the APIs ask on the first call, with a "yes/no +
| make answer permanent" dialog, and return fake data if
| the answer is "no." If people were sufficiently annoyed
| by constant requests for stuff a basic webpage wouldn't
| seem to need, the web might become a better place.
|
| But yeah, web browsers basically run arbitrary code
| written by hostile companies, with layers of indirection
| to confuse accountability. In that environment, you have
| to weigh "nice to have" against "could be abused," and
| err on the side of caution.
| jeroenhd wrote:
| Because it's very useful.
|
| You don't call any OS level API from a website. The browser
| makes and shapes the notification for you. If the notification
| cannot be traced back to your browser, blame your browser
| vendor for their bad design.
|
| That said, no amount of good browser design can protect a
| computer from people who don't know what they're doing. I
| recall a recent malware campaign where a similar mechanism was
| used, but instead of "click this button, go to site settings,
| click notifications, click allow", it'd show "copy this, hit
| windows+r, hit ctrl+v, then press enter to confirm you're
| human".
|
| As computers continue to be dumbed down, I don't expect
| computer literacy to rise to a safe level any time soon. It's a
| matter of time before executing downloads from the internet
| becomes impossible.
| justusthane wrote:
| > Doppelganger campaigns use specialized links that bounce the
| visitor's browser through a long series of domains before the
| fake news content is served
|
| What's the purpose of being bounced across several different
| domains before arriving at the destination? I've noticed this
| behavior when accidentally clicking on sketchy ads, but never
| stopped to think about it.
| Mtinie wrote:
| Multiple impressions per interstitial domain, I imagine.
| out-of-ideas wrote:
| reminds me of how okta and similar handle logging in. feels
| like 10thousand redirects later.. training users that behavior
| is okay
| Xevion wrote:
| I despise how my university's login system just redirects
| several times (sometimes getting stuck, reloading and
| redirecting multiples times, and then occasionally shitting
| me out on the logged out screen, wondering WTF happened).
|
| I cannot fathom how their IT staff allows things to be that
| way. One redirect ideally. Two max. Three, and I'm assuming
| you don't know what you're doing, at all.
| imp0cat wrote:
| If only it were that simple. You can thank Apple, Google
| and their war on cookies for that.
| immibis wrote:
| One reason is to set session ID cookies on several
| different domains.
| mschuster91 wrote:
| The problem with university login systems - at least here
| in Germany/Europe - is this global federation system that's
| also backing EduRoam. Authentication flows there are
| insanely complex, not to mention dealing with known quirks
| of some university's implementation...
| rrr_oh_man wrote:
| > I cannot fathom how their IT staff allows things to be
| that way. One redirect ideally. Two max. Three, and I'm
| assuming you don't know what you're doing, at all.
|
| Welcome to Microsoft/Live/Bing/Skype/Edge/...
| badmintonbaseba wrote:
| Still better than the MS Teams website, which can get into a
| weird state and redirect in circles.
| OkayPhysicist wrote:
| I literally just implemented an Okta integration with an
| internal tool yesterday, so let me offer a little insight on
| why this happens. I have an existing tool. The guy in charge
| of it doesn't want me breaking anything, but we want to add
| an SSO flow to avoid having to login.
|
| So I need a "SSO login page", which fetches some
| configuration data, stores it, generates some shared tokens,
| hands them to the browser, and then redirects the user to an
| Okta endpoint. Okta, for some reason, doesn't directly serve
| the login screen at that endpoint, so it captures the tokens
| I gave the browser, then redirects to its login page. The
| user logs in on the Okta page, which then redirects the user
| back to a page that I specified, which (since I don't want to
| touch the fragile 10,000 line php document that is the
| application's home page, is a separate page, which gets some
| information from the browser, makes a request to another Okta
| endpoint, at which point the user can be authenticated,
| logged in, and then sent to the home page of the app.
|
| Basically, the most standalone way of handling the problem
| involves 4 redirects.
| byteknight wrote:
| It bypasses a lot of the checks they do on the initial site
| when submitting to ad networks. It also allows custom
| redirections based on user agent, potential ip location, etc.
| Common in phishing.
| weird-eye-issue wrote:
| In addition to what the other comments said it also would allow
| for first-party cookies to be set for those domains
|
| Not sure if that's the purpose but it could potentially be used
| for tracking, monetization, etc
| lionkor wrote:
| A lot of microsoft services do this, too. Though, that's
| probably incompetence.
| tempodox wrote:
| It never ceases to amaze me how creativity gets ramped up to 11
| when it comes to graft, theft and scam.
| palmfacehn wrote:
| A clever social engineering approach, but Kreb's trite alarmism
| overshadows the novelty.
| wwn_se wrote:
| Great article but the fix is Adblock! Enable adblock everywhere
| for your family and friends at risk. Even if an ad sometimes
| slips through they since its out of the ordinary they are way
| less likely to click.
|
| https://firstpartyornoparty.org/
| lionkor wrote:
| Okay, my family has iPads. What should they use? Brave? lol
| nake89 wrote:
| Yes
| brettermeier wrote:
| Tablets not from Apple. That's your fault if you use that
| shit and can't block ads or install whatever you want.
| carlosjobim wrote:
| It's easy for a non technological person to block ads and
| malicious domains on the system level on all Apple devices.
| lionkor wrote:
| They already have an iPhone, a Mac, a MacBook, which tablet
| would you recommend that integrates just as well? My point
| is that this is not a realistic option for a lot of people.
| Adblockers only work for people who have previously valued
| their freedom.
| v5v3 wrote:
| Nextdns/similar.
|
| Vpn with ad blocking built in
| ikekkdcjkfke wrote:
| UBOL is in testing now for iOS, but Apple has some bugs on
| their content blocking side. Reminder that adblockers are
| recommended by the FBI
| Tijdreiziger wrote:
| There are various ad blockers for Safari on the App Store.
| coldpie wrote:
| People always say this, but I wish they would suggest a
| specific one. There are so many out there, it's hard to
| know which ones are high quality, still maintained, etc.
| thimabi wrote:
| I recommend 1Blocker, it's actively maintained and pretty
| good. However, if you're not a grandfathered user like
| me, it does come with a small price.
| qilo wrote:
| Firefox Focus is available on App Store. You don't have
| to use it (I don't), but set it as a content blocker in
| Safari settings.
|
| https://support.mozilla.org/en-US/kb/safari-integration-
| fire...
|
| The only other extension I've started using recently,
| when the quantity/frequency of YouTube ads on Safari
| became unbearable, is 1Blocker. It includes a specific
| filter for blocking YouTube ads, and you can use one
| active filter for free without subscription.
|
| https://support.1blocker.com/en/articles/9313640-how-to-
| bloc...
| jeroenhd wrote:
| iPads don't support notifications unless your family figures
| out how to use PWAs (they won't, Apple made sure of that).
| Also, there are various content blockers for iOS.
|
| Unfortunately, because real alternative browsers are only
| supported in the EU (and even then with big asterisks), you
| won't see a normal browser engine powerful content blocking
| any time soon. The content filters you can download from the
| app store help, but they're not as powerful as uBO and
| friends.
| const_cast wrote:
| Orion has ad blocking built in and supports Firefox
| extensions.
|
| I think the extension support is explicitly disallowed by
| Apple so shhh don't tell anyone teehee!
| swat535 wrote:
| Adguard for Safari is excellent, it can be combined with
| Vinegar and Baking Soda:
|
| Baking Soda: https://apps.apple.com/ca/app/baking-soda-tube-
| cleaner/id160...
|
| Vinegar: https://apps.apple.com/us/app/vinegar-tube-
| cleaner/id1591303...
|
| Adguard pro: https://adguard.com/en/adguard-ios-
| pro/overview.html
| imzadi wrote:
| The problem with this is that many older people are reluctant
| to use web browsers that actually support true ad blocking.
| They are used to Chrome and don't want to use anything that is
| even remotely different. I have this argument with my mom on
| almost a daily basis. She is always messing up her phone or
| computer by clicking on something she shouldn't. I have
| installed firefox for her, but she refuses to use it.
| b0a04gl wrote:
| > This is the new pop-up ad.
|
| browser gave it a front row seat without asking. feels less like
| security and more of a prank someone forgot to turn off
| thyristan wrote:
| This is, at least for browser notifications, just yet another
| result of generally atrocious browser UI decisions.
|
| There are tons of permissions a site may or may not request, all
| of them configured and requested in different ways. Sometimes it
| is a full page overlay, like when you get a certificate error.
| Sometimes it is a separate popup window, like when you allow
| using a client certificate. Sometimes it is a whole-width bar
| below the address bar, like when a page requests becoming your
| mailto:-scheme-handler. Sometimes it is a smaller popover
| dangling from the address bar or some icon there, like for camera
| or location. Sometimes I can allow/deny, sometimes I can allow or
| just close that tab. Sometimes I can remember the setting,
| sometimes it is auto-remembered.
|
| As soon as the initial setting has been configured, removing or
| reconfiguring it happens in totally different and unobvious
| places again.
|
| And then, If I allowed something and there is e.g. a notification
| from a website, the browser hides the fact that this is a
| browser-based notification, there are no embedded "STFU, never
| show again" buttons or anything.
|
| There also is no simple place to just look at all the permissions
| some website might have. There also isn't a place for many
| permissions, where you can get a list of websites that have e.g.
| camera permissions.
|
| It is all just very opaque, non-obvious, historically grown
| inconsistent spaghetti.
|
| What needs to happen is a consistent permission request and
| change flow for everything a website wants to do. Not only with
| "allow forever/deny forever", but also with "allow/deny once",
| "allow/deny for session", "allow/deny for timeframe". And with an
| "allow to ask again after timeframe/never/..." selection. Not
| with popups or bars, but with a whole-page overlay like HTTPS
| does. Why whole-page? Because then clickjacking won't work, there
| is more space to put an explanation and options, and pages need
| to interrupt flow so this will hopefully be used sparingly.
| tehwebguy wrote:
| Once again grateful that at least one mobile platform doesn't
| allow browser push notifications.
| HocusLocus wrote:
| I've followed Krebs for years and appreciate this specific
| warning. I changed my dad's default Windows colors so when he was
| presented with fake system dialogues floating on web pages he'd
| spot them as different right away. But the "click allow to prove
| you're a human" might have caught him. Captcha-annoyed people are
| slightly easier to fool sometimes. Push wasn't a big thing then
| or I would have disabled it.
|
| Dad was one of those late computer adopters who had to be
| instructed carefully about things pretending to be other things
| and and nested windows. I remember when pages spawning new
| windows (then grabbing focus to hide them) was a thing. Then
| older folks about to go to bed closing their browsers and
| greeting the hidden windows like a continuation of their browsing
| experience.
|
| Russia has evolved along with us on the Internet and I'd remind
| Mr. Krebs paraphrasing Freud, sometimes a Russian oligarch is
| just a Russian oligarch. It's possible that the Kremlin has hired
| these companies like everyone else, and a lot of shady people
| want to penetrate EU DNS defenses.
|
| Fake camping sites with AI content whether its disinformation or
| deception or hallucination with no human proofreading, is a
| looming problem. Keep an eye on the prize, preventing old people
| from getting scammed.
|
| People need more education in general to spot nefarious content,
| no matter who the state actor is. We don't want a repeat of the
| Alfa-Bank scam 'October Surprise' either. It relied on the
| gullibility of the Internet surfing public but DNS administrators
| should have seen through it and asked more questions.
| BMaronge wrote:
| The article is a bit vague on some points, for example: the links
| bounce the visitor through a series of domain names... why
| exactly? What do the scammers gain by redirecting the visitor
| multiple times instead of just once? It is not explained.
| coldpie wrote:
| KrebsOnSecurity is a really weird website. I feel like I should
| be the perfect audience for it, as a software engineer who is
| very interested in security and reverse engineering, but every
| time I try to read their articles it just comes across as
| paragraphs and paragraphs of overwrought fluff with zero actual
| content. I guess their audience is someone with less technical
| knowledge who is impressed by empty phrases like "startling
| discovery" and "online hucksters and website hackers" and
| "resilient and incestuous". And that's all just in the first
| paragraph here. Get to the point, man.
| bn-l wrote:
| Huh that's weird I feel the exact same way and should also be
| the natural audience.
|
| Every time I read an article though I feel like my eyes go
| cross eyed. It's like you said, the words are there they
| should make sense, but I find my attention wandering.
|
| It's like they are written by a very very early LLM.
| cpburns2009 wrote:
| I stopped reading his website after he started spreading
| disinformation about Ubiquiti.
| StuntPope wrote:
| Lost me at "Kremlin disinformation".
|
| Krebs need to ditch the TDS.
|
| His "Red Herring DNS flaw" garbage was when I realized that 90%
| of what he spits out is Gell-Mann amnesia.
| PaulHoule wrote:
| Kinda wish the web had an ability to defend itself.
|
| Put CAPTCHAs on your site: zero traffic.
|
| EU adds those cookie banners to everything: EU should have been
| disconnected from the internet.
| lcnPylGDnU4H9OF wrote:
| > EU adds those cookie banners to everything
|
| EU required website operators to disclose certain uses of
| cookies and many of them chose the most obnoxious way possible.
| Perhaps more agreeable: every website that uses those banners
| should be disconnected from the internet.
| PaulHoule wrote:
| They coulda said "Respect DNT or go to jail" but instead they
| broke the ultimate window.
|
| For years I advocated, mostly successfully, to keep pop-ups,
| pop-unders, pop-ins and other abuse like that out of sites I
| worked on. Then the EU pulls this magic trick that transforms
| them into something required, and then "wholesome" so after
| that the dam breaks and it is common for a blog today to pop
| up three banners that want your email address, for pop-up ads
| to cover other pop-up ads, etc.
|
| When your government is unresponsive like that the only
| choice is exit, no wonder the EU is overrun by populists that
| want out. If they don't want Frexit and Sprexit and Grexit
| they'd better think twice when they make another thoughtless
| law with terrible consequences.
| Ylpertnodi wrote:
| >They coulda said "Respect DNT or go to jail" but instead
| they broke the ultimate window.
|
| You know EU law only applies in the EU? And blockers exist?
| I always howl with laughter when some bumhole USA newspaper
| presents me with a cookie banner that got through. Then i
| change vpn-server, read what i want, and get on with my
| tawdry existence.
| lcnPylGDnU4H9OF wrote:
| > and then "wholesome"
|
| What is this referring to?
|
| > thoughtless law with terrible consequences
|
| Fair enough, I guess. If I understand the point, the EU
| should not have presumed so much that the law would change
| behavior for the better. The obvious result is that
| behavior changed for the worse. For what it's worth, I
| still personally prefer speaking against those who made
| their behavior worse to comply with the law when it's so
| obvious what the lawmakers' intention was; the EU actually
| had user-friendly intentions and the cookie banners'
| implementations are the result of user-hostility.
| psychoslave wrote:
| >While TDSs are commonly used by legitimate advertising networks
| to manage traffic from disparate sources and to track who or what
| is behind each click, VexTrio's TDS largely manages web traffic
| from victims of phishing, malware, and social engineering scams.
|
| Legal sysops is still sysops. Certainly every actor out there
| putting in place individual level mass surveillance and influence
| consider themselves very legitimate.
___________________________________________________________________
(page generated 2025-06-13 23:01 UTC)