EasyList

Giorgio Maone, NoScript.net and FlashGot.net

written by Michael, on Apr 25, 2011 6:46:00 PM.

Problem:

Some adverts are not blocked by EasyList on Giorgio Maone's add-on websites.

Affects:
Cause:

At the end of February the EasyList project were privately notified that there remained some unblocked adverts on Giorgio Maone's add-on websites which were slightly different to items usually blocked by the subscription. Instead of being an external file or text links, the images were encoded and saved in an embedded stylesheet, which meant that the only way to remove them would be to use element hiding rules to collapse the unwanted area.

Aware of the difficulty of filtering out images encoded with this method (data:image), I requested support for the format in the Adblock Plus forums, referring merely to "a familiar website" instead of explicitly naming the problematic domains. However, as such encoded images are not easily distinguished because they have no file name, it was decided that it might be better to wait and see whether the rules that RUAdList implemented were successful. While, under normal circumstances, filters would be added immediately, prior events (see Wladimir's and Giorgio's blogs) led the authors to concur that "we shouldn't start a cat and mouse game again".

This issue was then pushed to the back of our minds until the topic was publicly raised in the Adblock Plus forums on the ninth of April, with a user asking Giorgio the same question that he asked us: why were adverts still present on the NoScript website? Although Hubird, the Adversity author, explained that he believed that "the NoScript developer actively makes it difficult for subscription authors to remove ads from his site (changing site design in an effort to thwart attempts)", an assertion which MonztA, an EasyList author, agreed with, Giorgio responded with the following post, which I have included in its entirety to avoid possible misinterpretation:

@Hubird, @Montza:

No.

I haven't touched the "site design" for almost two years now, and I don't "actively make" anything about it.

Those units probably difficult to remove, but because they're just static images embedded in the page itself, which don't even perform any extra round trip to my own server -- let alone a 3rd party server -- and therefore don't implement any persistent tracking / behavioral stuff.

Of course the DOM being a bit random doesn't help either, but this picture of an evil and obsessive webmaster "actively" watching subscription authors and "changing site design in an effort to thwart attempts" is quite off base.

Giorgio Maone

I and several others interpreted this statement to mean that the websites would not be changed in the event that filters were added for the domains, and I therefore committed what would be the first of many rules, reasoning that "if a website is not actively altered I see no reason why EasyList should not filter out all the adverts".

There were initially a couple of minor changes to the subscription, which were ultimately suggested to have resulted from a lack of testing on the website, as we assumed that the pages would remain static. I further proposed that the filters should be more specific to avoid false positives, a change that was implemented for both NoScript.net and FlashGot.net.

However, we then became increasingly aware that the filters were ineffective when we checked the domains, and therefore subsequently altered the rules on several occasions for both websites (the full list of revisions for NoScript.net and the list of revisions for FlashGot.net are publicly available from our repository). Although we were aware that the website was randomly altered by the server, we all agreed that certain elements of randomness, such as using alternative and altering tag names, were definitely not present when filters were first added for the domains.

I further discovered from MonztA, an EasyList author and moderator on the Adblock Plus forums, that Giorgio posted anonymously as "Guest" on two occasions to report issues with the website, something that I consider to be unfair given that he was an involved party in the discussion. It also became apparent that a member of the community was being provided with pages that did not include adverts on Giorgio's domains, making it increasingly difficult to successfully filter the unwanted sections.

We eventually decided, having attempted repeatedly to remove the adverts without false positives, that it would be more productive and informative to remove the filters specifically for Giorgio's domains from EasyList and explain the circumstances in a blog post. While I cannot say that this is an unexpected result given past events, I can say that I am disappointed that I could not take Giorgio at his word when he claimed that the "picture of [him as a] webmaster "actively" watching subscription authors and "changing site design in an effort to thwart attempts" is quite off base". Security depends on the people you trust, as any author of major browser extensions will be aware, and I am certainly less inclined to trust Giorgio after this incident.

Solution:

There aren't really many solutions to the current state of affairs. The use of images encoded and embedded in the stylesheet means that only element hiding rules may be used to collapse the adverts, and the constant randomisation of the domains, in addition to interventions to prevent existing rules from functioning, means that any publicly announced filters are usually invalid within a few hours. Furthermore, at least one member of the advert blocking community who might have been able to assist is unable to view the adverts after his IP address was identified and alternative pages provided.
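As an added illustration (not code from EasyList or Adblock Plus), the sketch below shows why a data:image in an embedded stylesheet gives a blocking filter no request to match, and why an element hiding rule stops matching once a class name changes between page loads. The page markup, the domains `ads.example` and `example.org`, the class names and the simplified filter matching are all assumptions constructed for the example.

```javascript
// Added example: constructed page and simplified filters, not EasyList's rules.
const page = `
<style>
  .banner-a1 { background-image: url(data:image/png;base64,iVBORw0KGgo=); }
  .logo { background-image: url(/img/logo.png); }
</style>
<img src="http://ads.example/banner.gif">
<div class="banner-a1"></div>
<div class="logo"></div>`;

// URLs the browser would fetch: src attributes and CSS url() values, minus
// data: URIs, whose bytes are already part of the document.
function networkRequests(html) {
  const re = /src="([^"]+)"|url\(\s*['"]?([^'")]+)['"]?\s*\)/g;
  const urls = [...html.matchAll(re)].map(m => m[1] || m[2]);
  return urls.filter(u => !u.startsWith('data:'));
}

// Simplified "||domain^" blocking filter: matches requests to that host.
function blockedBy(filter, url) {
  const domain = filter.replace(/^\|\|/, '').replace(/\^$/, '');
  const host = (url.match(/^[a-z]+:\/\/([^/:]+)/i) || [])[1] || '';
  return host === domain || host.endsWith('.' + domain);
}

// Simplified "##.class" element hiding rule: tag names of matching elements.
function hiddenBy(rule, html) {
  const cls = rule.replace(/^.*##\./, '');
  return [...html.matchAll(/<(\w+)[^>]*\sclass="([^"]*)"/g)]
    .filter(m => m[2].split(/\s+/).includes(cls))
    .map(m => m[1]);
}

// A later page load where the server has renamed the class (assumed behaviour
// modelled on the randomisation described above).
function rerender(html, oldCls, newCls) {
  return html.split(oldCls).join(newCls);
}

const requests = networkRequests(page);
console.log(requests.filter(u => blockedBy('||ads.example^', u)));
console.log(hiddenBy('example.org##.banner-a1', page));
console.log(hiddenBy('example.org##.banner-a1', rerender(page, 'banner-a1', 'x9f3')));
```

The embedded image never appears in the request list, so only the hiding rule can reach it, and that rule returns no match on the re-rendered page.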

While not an optimum solution, it would appear that the only certain method to avoid Giorgio's adverts is to cease visiting both domains entirely.

Update: 29/05/2011

Ares2 claims to have found some safe filters which do not cause false positives, and I have therefore permitted him to commit these rules to the subscription.

Comments

  • It boggles my mind that someone would go to such lengths to circumvent adblock. What do they think, that somehow annoying people who go out of their way to block advertisements will somehow make that person want to buy their stuff? They are so single-mindedly focused on the goal of getting the advertisement on my screen that they forget the end purpose isn't the display of the advertisement but to sell stuff. Whatever advertiser is stupid enough to pay noscript.net for the traffic ought to reexamine their budget priorities.

    Obviously the advertisement system on the internet is very broken. I would encourage you to continue to work to find ways to block sites like this, or else this sort of behaviour will spread. The addition of pattern and fuzzy match support in element blocking is obviously needed.

    Comment by Kurt Fitzner — May 1, 2011 1:37:08 PM

  • This is, as far as I am aware, an unusual situation; if the pages were not manually altered we would have no difficulty in removing the unwanted content.

    Comment by Michael — May 2, 2011 3:19:13 PM

  • He found the IP address of one of your members, and I'm guessing you discovered he was posting as Guest by matching IP addresses as well. Both sides need to learn how to use Tor. :-)

    Comment by rsquare — May 4, 2011 3:40:41 AM

  • Someone did use Tor. As I understand it every message by "Guest" after the posts known to be by Giorgio in the topic https://adblockplus.org/forum/viewtopic.php?t=7356 has an IP address associated with a Tor exit node. Although there is nothing to officially link all of the posts by "Guest" together, some forum members have expressed their suspicions about the identity of the user.

    Comment by Michael — May 4, 2011 6:33:00 AM

  • Frankly speaking, you bunch are all acting like a bunch of kids. Pushing modifications to tackle one another's modifications? Don't you have better things to do? Such a shame.

    This issue has nothing to do with NoScript. Any webmaster out there that knows how ABP works could hack their way around it as long as they serve their ads locally like NoScript. Why has this become a NoScript issue?

    ABP serves as a tool to block commonly known ads, and ads served statically are not commonly known ads. Add that to your user manual or whatever and move on.

    Comment by msakr — May 5, 2011 12:27:41 PM

  • There is nothing wrong with being reactionary; such is a fact in everyday situations. People continue to attempt to reach a destination despite obstacles to their journey and would generally be praised for their persistence. Advert blocking is necessarily a response to existing circumstances that continually alter; advertisers determine the locations we block, not the other way around.

    The reason that this is a NoScript issue is because it is one of the few domains that are actively altered to prevent the removal of adverts, and we therefore have decided to notify the user base that it is not currently feasible to hide the unwanted content on the website in order to avoid having to repeat the information on several occasions at a later date.

    The purpose of Adblock Plus is to facilitate the removal of unwanted content; the purpose of EasyList is to remove all advertisements that meet our policy (https://easylist.adblockplus.org/en/policy#easylist). This includes first party and static items as we are notified of them.

    Comment by Michael — May 6, 2011 8:02:00 PM

  • Just block all the css from these sites and replace with clear own css - two sites worth it, as a lesson to others

    Comment by proposition — May 28, 2011 2:49:30 AM

  • Well this definitely changes my view on the author of NoScript and the addon itself.

    Comment by kgodjgso — Aug 15, 2011 7:07:11 PM

  • :D I had to laugh at this. You're trying to use a Firefox addon to block ads on a site owned by someone who's an expert on web security (and web insecurity), and who, moreover, authors his own Firefox addon, doing battle against the most devilishly cunning tricks and exploits known to hackerdom. Getting around ABP is probably a hobby for him!

    I run ABP so I can manually block things, but since I also run NoScript and RequestPolicy, I don't bother with EasyList :).

    Comment by Thrawn — Sep 8, 2011 5:07:28 AM
