I’m very sorry

A presentation at Ad Blocker Dev Summit in September 2019 in Amsterdam, Netherlands by Niels Leenheer

Slide 1

I am truly very sorry. Let me explain.

Slide 2

About 20 years ago, I created an ad server.

Slide 3

That makes me part of the dark side. Not Darth Vader or Darth Sidious level dark side, but definitely Stormtrooper.

Slide 4

So, you may know some of these names. I was the project leader of the open source project phpAdsNew, which turned into Openads, which raised some capital and turned into a startup called OpenX. Now OpenX still exists, but the software that I worked on is now spun off to become Revive.

Slide 5

As I said, I am sorry. But I’m not sorry about creating an ad server. Allowing publishers to monetise their work is important, because… well, nothing in life is for free and people need to eat.

Slide 6

But mistakes were made. And I don’t mean the fact that I quit the project right before it got funding and thus failed to make any meaningful money from it, while others… No, I’m not bitter. No, I’m talking about some technological problems and the solutions that we created.

Slide 7

First - and I am not proud of this - we deliberately made the web slow. Deliberately.

Slide 8

As a publisher, what good is an ad when nobody sees it? You don’t get paid when the viewer navigates away before the ad is shown. That is a problem. So instead of a nice async way to load the ads (which we did have), we used synchronous JavaScript, document.write, to block rendering and make sure the ads were shown first. Another problem solved…

Slide 9

Secondly, when regular banners did not get enough attention anymore, advertisers turned to pop-ups. And its ugly sister, the pop-under. We didn’t invent these. And I thought they were really annoying. But we still implemented this in our server. Of course browsers quickly started blocking pop-ups, and deservedly so.

Slide 10

So we created DHTML pop-ups. And I think we were the first to figure this out. A little floating window, right on top of the content. All the way back in the time of Netscape 4. Who here remembers the <layer> tag? And because it was part of the web page, and not in a separate window, the pop-up blocker could not do anything about it. And we could even make it more annoying by making it move, or shake. Yeah. I’m sorry. Nowadays these kinds of ads are very common. And still extremely annoying.

Slide 11

And third, instead of just allowing images and Flash files, we also created the HTML banner. The advertiser would give a bunch of HTML code and we would just plop that into the publisher’s website. That of course was used to allow one ad server to serve ads from another ad server, leading to a Russian nesting doll situation where there seems to be a never-ending number of connections in order to serve just a single ad.

Slide 12

But it also means that as an advertiser you can just arbitrarily execute JavaScript. And not within a sandboxed iframe, but right in the DOM of the publisher’s website. With access to anything the user does on that page.

Slide 13

Yeah… what could go wrong? Now give the advertiser a dashboard where he could log in and update his own banner… And some people might have some very nasty ideas. And it is not just your advertisers. Remember the Russian nesting doll. You only need one bad actor somewhere down the line and it may end up on your site.

Slide 14

Ehhh… oops. So, this was after I left. And I don’t think this is directly my fault. But yeah. The ad server turned out to have some bugs which allowed a hacker to…

Slide 15

…execute arbitrary SQL queries. And with the banners’ HTML code stored in the database, that means your ad server is now a deployment vector for viruses, malware and more nasties. And this was not just once. There were a dozen different CVEs with remote execution of PHP code, remote execution of SQL and more.
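The two slides above make one security point: an HTML banner dropped straight into the publisher’s page runs with the publisher’s origin, so whatever ends up in the stored creative (from an advertiser, an upstream ad server, or a database compromise) executes against the user. The following added example is not from the talk or from the phpAdsNew/Revive code base; it contrasts that legacy inline pattern with the mitigation the talk names, a sandboxed iframe, and uses a constructed sample creative and hypothetical helper names (`renderInline`, `renderSandboxed`, `hostExecutesCreativeScript`).

```javascript
// Added example, not code from the talk or the ad server it describes.
// Constructed sample creative: a normal image link plus a script that tries
// to read the host page's cookies. The landing URL uses the reserved
// .invalid TLD so it resolves nowhere.
const SAMPLE_CREATIVE =
  '<a href="https://example.invalid/landing"><img src="banner.png" alt="ad"></a>' +
  '<script>document.cookie</script>';

// Minimal HTML attribute escaping so creative markup can sit inside a quoted
// srcdoc attribute without terminating it early or leaking tags into the host.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Legacy "HTML banner" pattern from the talk: the creative is written directly
// into the publisher's document, so any <script> in it runs with the
// publisher's origin and sees everything the user does on that page.
function renderInline(creative) {
  return `<div class="ad-slot">${creative}</div>`;
}

// Hardened pattern: isolate the creative in a sandboxed srcdoc iframe.
// `sandbox` without `allow-same-origin` gives the frame an opaque origin, so
// scripts inside it cannot reach the parent DOM, cookies or storage.
// `allow-scripts` still lets the ad's own JS run inside that isolation;
// `allow-popups` is deliberately omitted so the creative cannot open
// pop-ups or pop-unders.
function renderSandboxed(creative, { width = 300, height = 250 } = {}) {
  const doc = escapeAttr(creative);
  return (
    `<iframe class="ad-slot" sandbox="allow-scripts" ` +
    `width="${width}" height="${height}" ` +
    `referrerpolicy="no-referrer" srcdoc="${doc}"></iframe>`
  );
}

// Crude check used to make the difference visible without a browser: does the
// host markup contain a top-level <script>? Text inside a srcdoc attribute is
// attribute data, not host-page markup, so it is blanked out first.
function hostExecutesCreativeScript(html) {
  const withoutSrcdoc = html.replace(/srcdoc="[^"]*"/g, 'srcdoc=""');
  return /<script\b/i.test(withoutSrcdoc);
}

// Stand-alone demonstration.
console.log('inline   executes in host origin:', hostExecutesCreativeScript(renderInline(SAMPLE_CREATIVE)));
console.log('sandboxed executes in host origin:', hostExecutesCreativeScript(renderSandboxed(SAMPLE_CREATIVE)));
```

The sandboxed variant does not make the creative harmless in itself (it can still render whatever it likes inside its box), but it removes exactly the access the talk describes: the ad’s script no longer runs in the publisher’s DOM. Whether the creative was edited by a legitimate advertiser, injected by an upstream server, or altered through a SQL bug in the ad server, the publisher’s origin is no longer the blast radius.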

Slide 16

Sorry. Now the biggest mistake was not any of these three, but the underlying mistake. I never thought about what I did as something that impacted people. I just saw it as a technological challenge. For me it was about finding a solution to a problem.

Slide 17

And that leads me to this famous quote from the Jurassic Park movie… I believe that many developers have this ‘can I do this?’ oriented mindset and never think about the impact on actual people when the answer is ‘yes’.

Slide 18

We as developers should more often think about whether or not we should. And realise that our work impacts real lives and users are not just hypothetical. We don’t work in a void. And evil patterns are not just a few lines of code running on a computer. And I’m sorry that I didn’t realise that sooner.

Slide 19

Thank you