SERIES: Security Now!
DATE: September 1, 2015
TITLE: uBlock Origin
HOSTS: Steve Gibson & Leo Laporte
DESCRIPTION: Leo and I catch up with the week's major security events. We then examine the ecosystem of web page advertising by comparing it to other “opportunistic advertising” such as that appearing on public transportation, highway billboards, broadcast television commercials and other public venues - which consumers have no obligation to consume. I eschew the implication that visitors to a web page have an obligation to retrieve third-party content, over which the website has little or no control, which consumes bandwidth, reduces online privacy, hinders performance, and potentially exposes visitors to malicious exploitation. And I believe this remains true even when a visitor's retrieval of such despicable third-party content would generate much-needed revenue for the visited site. Finally, I review the many operational features of uBlock Origin, my chosen HTML firewall, which effectively returns control to web users.
SHOW TEASE: It's time for Security Now!. Steve Gibson's here. This is the episode I've been waiting for all week. He's going to cover adblocking, why he thinks we need adblockers, and, I think, I'm guessing, his favorite ad blocker to date. Actually, I like it a lot, too. uBlock Origin, how it works, how to work it best, coming up next on Security Now!.
LEO LAPORTE: This is Security Now! with Steve Gibson, Episode 523, recorded Tuesday, September 1st, 2015: uBlock Origin.
It's time for Security Now!, the show where we protect you and your privacy and your security. And of course there's no better guy to do it than Steve Gibson. I say it with love: He is paranoid. And that's what you want in a security expert; right? Hello, Steve.
STEVE GIBSON: Hello, my friend. So we had another - we had a modest news week, so the industry is cooperating with us.
STEVE: Which means that we get to give really full coverage of one of the tools that I think, I know you have been loving it since we talked about it last week and let our listeners know this is where we were going to go. I would imagine that a bunch of them have adopted it, too. And that's uBlock Origin is the name of an add-on which is cross-platform, cross-browser. And today we do a deep dive into its history and background because there's a lot of confusion about that due to some recent changes in ownership.
And in fact, as I was putting notes together, I thought, how could I describe its author, whose name is Raymond Hill? And I thought, you know, I've read everything he's written that I've been able to find. And if you were to combine Richard Stallman and John Dvorak…
LEO: Oh, dear.
STEVE: …that's what you would get.
LEO: Oh, my. A combination of the two? Oh, my.
STEVE: Oh, a cranky old geek and, yeah. But also a talented programmer.
LEO: Clearly. Clearly a very talented programmer, I would say.
STEVE: So we've got news. We're going to talk about briefly my experience of downgrading my rights running Firefox, which I'm now doing successfully. If there are any other holdouts who are still using XP, then pay attention. A little bit of news about malvertising. News of Amazon and Google and Flash. More sad news about where Microsoft continues to take Windows. Dave Winer had an interesting blog posting last week, I thought, that I got a kick out of. He's another one, actually he's 60 years old, so he's my age, and we're both a little bit older than you are, Leo. But we've all been around from the dawn of…
LEO: Not much, yeah, yeah.
STEVE: …this industry. A little bit of miscellany. And then a deep dive into, basically, on an audio podcast I can't point to things, but I don't need to. What I want to do, the idea with talking about uBlock Origin is to give people a good background in what it is, where it came from, and what they can expect from it, and what's in there. Because, if anything, it sort of is UI challenged. You know, it's - anyway, we'll go over the whole thing, have a great podcast.
LEO: Yeah, because there's some deep advanced settings I'm very curious about.
STEVE: Oh, boy. There's, like, what does this mean?
LEO: Yeah, yeah. Yeah, no kidding. All right. Let's get the security news from Mr. G.
STEVE: So just to follow up to our many people who heard that we were talking about audio quality problems at the end of last podcast, I focused on it. And I'm sure the problem was that my system at this end is so bolted down that, although I had originally configured to allow your networks to have direct access to my Skype system, that had not held. And so when we looked, after the podcast, the relay count showed six. Right now it shows zero, and we have 0.0% packet loss. So what this means is essentially I now have a direct UDP data connection between my machine and your Skype machine, with no intermediaries. And it's almost certain that that has been the problem. So in fact it may have been that we didn't lose this for a while so that initially my configuration was holding, and then it drifted. Anyway, I got it…
LEO: Yeah, it's weird. I mean, this is kind of the art of the Internet and of Internet broadcasting. You always have to fiddle with it.
STEVE: Well, for what it's worth, I know exactly what's going on. I mean, remember, I wrote IP stacks and ShieldsUP! and TCP protocols and all that.
LEO: No, I know, boy, if anybody does, you know it.
STEVE: Yeah. So anyway, I found out what was wrong, and I believe that I fixed it. And, I mean, I've got Wireshark running and confirmed that the IP of your machine is where my packets are going directly.
STEVE: So I think it's as good as it's going to get, at least with this level. So we'll see how we do.
The picture of the day is a screenshot of what you get - I actually hit this as I was putting the notes together because I went to a domain, adnxs.com. And, bang, I got a big yellow warning triangle - yeah, there it is - saying, oh, “uBlock Origin has prevented the following page from loading.” The reason I went to that domain is it was a couple removed from one serving malware on MSN. And so I thought, I wonder if this is being blocked? So the lesson here instantly is no one using uBlock Origin could have been infected by the malware which MSN has been serving. So that's a perfect example. Oh, and by the way, the blocking filter is adnxs.com. So uBlock Origin knows specifically that this particular domain is one that our browsers don't - it's not in their best interest to go fetch.
LEO: And of course I went right there and got the same exact yellow triangle.
LEO: Good thing.
STEVE: Okay. So I promised that I would follow up last week on this little utility that was of use in the XP era, but not at or after Windows 7. And that's called DropMyRights. DropMyRights was written by a Microsoft developer to leverage a feature in Windows which allows a process to be started with specific rights, never more than the current user, but conditionally less than. And so all this thing does, the source code is available, and in fact I mentioned last week, if you put DropMyRights into Google, our podcast, discussing it years ago, is the first link that comes up. And Elaine shot me a note when she was doing the transcribing. She does not use Google, and so she shot me a note saying, yeah, not only on Google are you first. So it's sort of fallen by the wayside except at GRC. We are proudly keeping it and XP alive. So…
LEO: Good job.
LEO: Standard. Standard user.
STEVE: Or standard.
STEVE: Yeah. And I'm saying “normal” because the actual header file says “safer level ID fully trusted,” then there's “normal,” there's “constrained,” there's “untrusted,” and there's “disallowed.” And so you can choose among those. And Firefox won't run as anything other than either fully trusted, which is not as safe as it could be, or normal, which as we know, and as you say, Leo, you're right, in Windows they call it a “standard” user. So I get to be an admin, yet Firefox has reduced rights. So if anything ever happened, then there's much less that it's able to do. And as we're going to see in this episode, one of the coolest things about uBlock Origin is, I mean, way beyond the adblocking aspect is the malvertising, and also explicit malware blocking. So it does an awful lot for us in terms of preventing the abuse that is increasingly prevalent on the web.
So speaking of malvertising, the first note I had to talk about today was that the Malwarebytes guys that have really been focused on the so-called “Angler” exploit kit have detected it elsewhere. And as I just mentioned, they found it on MSN.com. It's the same ad network which uses AdSpirit.de as its launching point. And so the MSN.com site has links to lax1.ib.adnxs.com. And we've talked about, we've talked in the last couple weeks about the way these things work is they essentially chain together domains.
What's actually happening is all kinds of extra-value tracking is going on. And in fact I looked at some of the - by using the logging feature in uBlock Origin, I looked at some of the .js files. And, I mean, it is a little chilling to imagine that, every time we go to pages, all of this stuff is running. So anyway, we'll get to that. But what happens is the first script then invokes a second script, in this case pub.adspirit.de. And then it goes, like, three or four more. From there it actually uses Red Hat's cloud storage as one of its intermediaries through a chain of about five different things, until you are finally delivered using whatever wedge they are trying to exploit in your browser end of things in order to install either ad fraud software or the CryptoLocker ransomware-style software.
So out of curiosity, because we were going to be talking about uBlock Origin, I gulped and put both of those domains in the URL address bar. Now, I wasn't going to get served anything. I thought, you know, maybe I'll see the company, in the worst case. In both cases, uBlock Origin already knew about them and just said, no, this is not somewhere you want to go. This is actually a new feature that uBlock Origin added with 9.8 something, where it also filters the first-party domain.
Notice that I actually put those into the URL bar. That wasn't in there initially, and the earlier variations of this that we'll be talking about don't offer that feature. And specifically, for example, its sister, which is just called uBlock - on which development has all but stopped at this point, whereas Raymond is moving ahead - doesn't do that. It only filters third-party references; everything in a first-party context isn't filtered. And Raymond being, as I said, kind of a hybrid between John Dvorak and Richard Stallman, based on everything that I've seen, he just thought, oh, let's filter the first party also, just keep people safe.
So, and for what it's worth, there were three different lists which each of those was blocked by because, when this block comes up, the blocking page also tells you why it was that this got blocked. And if you, for example, SourceForge is being blocked because, as we know, their behavior has been sort of questionable lately. And so one of the first things that happened to me was I followed a link to SourceForge, and up came the big yellow triangle. And I thought, eh, it's okay. So I think I hit “temporary,” just because why not just keep things temporary. But so you're able to, right there on the page, say, okay, you're getting a little carried away here. Let's allow this. And then I was able to do my business at SourceForge, whatever it was. So we'll talk about all those features here in a moment.
Today is September 1st, 2015, the day on which two things happen, which are not as good as they could be, but not bad. One is that Amazon has decided to ban Flash ads starting today, September 1st. And it's interesting because it would be great if they were saying no more, we're no longer going to accept Flash ads because they're insecure. Instead, Amazon's posting said that this is driven by recent browser-setting updates from Google Chrome and existing browser settings from Mozilla Firefox and Apple Safari, for example. And what they're referring to there is the click-to-play settings, where it doesn't come up and just run. You have to click on it in order to make it go.
Amazon continues, saying: “…that limits Flash content displayed on web pages. This change ensures customers continue to have a positive, consistent experience across Amazon and its affiliates, and that ads displayed across the site function properly for optimal performance.” So essentially what they're saying is we don't want to take ads that we're not going to be able to serve, so let's all stop doing this.