How the fuck does web ad work, Wolfos?
Yeah, I have heard enough people on the General forum whined and cried about ads poping up their screens and sound ads. We all agree that advertisement helps to keep this site up and running. But why some of you get the sound ads and some don't? This seems bothering everyone. So let's me walk you through this myth just like Adam busted stuff in Mythbusters.
Now we get people defending the way the ads help Newgrounds make money. Sure! But absolutely none of you questioned how-the-fuck do those ads know which person to pop-up at the right place and right time? More professionally and straight way to say this is: How do the web ads track/stalk us in the shadow?
I love Newgrounds but I hate the Internet users, esp trolls like you, Wolfos. Wolfos please drop your bullcrap dream and I don't think you are good at trolling either. Think of this as a provocative post directed to your shits.
Oh wonder how many dollars does Newgrounds make from ads only per day, Wolfos?
1) Can't be a good guy...
Hell, I was thinking to prove people with ethical way. But it can't be. In fact I can't prove how ads track users on Newgrounds site without re-demonstrading the way ad-bots work.
So most of my tools are belonged to the grey area. Google Search Engine, Firebug, Mozilla Web-dev Console and a few Perl/Python/PHP scripts. For the scripts just PM me.
I use my own account as a genuie pig for this demonstration.
2) Clickme I'm sounding & looking awesome!
I map out ads-bot automology with a research based upon the prespective areas that I can see cleary. However it doesn't mean it is 100% accurate since my source is only based on a handful type of famous ads-bots such as Google Analytic, Ad Sense and Bing spider. Yeah, you can 'assume' that most bots work these ways.
Appearance of an ads-bot:
= Ad's contents:
\\ Images, flash, audio, external URLs, texts, embedded scripts, etc.
Skeleton of an ads-bot:
= Data miners:
\\ Custom search engine setting - FYI you can custom what you want to search on the net (Ps. I'm talking 'bout G-Hack...)
\\ IP spoof > your ISP > region such as country or city.
\\ Session spoof > what are u doing currently? And more bonus shit. (check next section)
\\ Social engine search > looking for user's auto-logged in of social sites such as Facebook, Twitter, Digg, Reddit, etc... > what do you like?
\\ Cookie spoof > Probably for stuff above. This is an Easter Egg, check next section.
= Dark scripting:
\\ XST - Cross site tracking (IP/session/cookie spoof)
\\ MIM-XSS - Man-in-Middle Cross Site Scripting. Newgrounds is the 1st middle man. You are both target and 2nd MIM!
\\ DOM-XSS - Document Object Model XSS
\\ SQLi - Structured Query Language Injection
\\ Indirect/Direct Path Traversal
\\ MIM DoS/DDoS - Man-in-Middle (Distributed) Denial of Service. You are the temporary bot in the real time gigantic botnet. Happy dossing.
(Everything above is auto-scripted)
= Where to?
\\ Storage servers
\\ Ads-hosts' client servers (eh?)
\\ Goverment-linked servers (Based on tracking Bing spider, 20% of the backtracked links have crossed '.gov .mil' hosting servers. Check next section for demos)
\\ Bulletproof hosts
\\ Nothing-to-do-with-current hosts (found a bunch of .cn, .ru, .pl, .se domains that have nothing to do with actual game-ads server that located in US/Canada.)
3) I am lying.
Hell, people hate conspiracy-fags. Bunch of liars. However could what they said be true?
Act like an ads-bot:
So let's assume I'm an ads-bot that searching for Waffle-lovers and my clients want me to ad their top-class waffle prods. I want to search for a few basic things: target's favorite food, target's age/gender/culture-background(s) and target's real-time 'tag(s)'. Tag here, I mean 'keywords, cache and target's common/general activities'.
So how do I do these? I must have been scripted by some coder right? I'm an AI, of course.
How do I get the targets in the most effeciency way with the most simplified algorithms? Hierarchies.
Here is how a psuedo script of hierarchies of Waffle-lover hunt (don't compile this, it's made for only & only Waffle!):
find.any.target(target(null))
if target.food = true
switch(food) {
id(waffles|waffle|wafer|wafflel) = id(null) + remember(id(true))
id(db(food.any.waffleRelated(null))) = remember(id(true))
id(db(food.any(null))) = tempo.remember(id(loop))
}
else if target related.food = true
switch(related.food) {
id(related.food(waffles|waffle|wafer|wafflel)) = id(null) + remember(id(loop))
id(db(related.food.any.waffleRelated(null))) = remember(id(loop))
id(db(related.food.any(null))) = tempo.remember(id(loop))
}
else = false
This is how a transparent ad-bot works. If the id-variables appear to be true, contents will appear and some of you might get the Waffle songs too... MUAWAHAHA! ^.^
If loop, which mean = semi-false then I'll do another sweep. If false, I get the fuck out there...
Apply to region and background searches too.
e.g: target.region(country(city(ISP(loop.all)))) > target.background(culture(gender(age(loop.all)))
) > target.food(input.what.iTyped.above.here)
Harvey Two-Faces:
No-tech is enough... by 'referencing'(stealing) other spider/crawler's DB... XD
Stuff like auto dork-search (inurl, filetype, site, "waffle" OR "waffles", ) (google, bing, yahoo, baidu, dogpile...), user-agent spoof, what-is-my-ip-address, stat-my-site, robtex, WebCrawler, pipl, people123, etc... combine with clever work-around scripts to counter NG's anti-crawler and All Your Base Are Belong To Us! =P
April Fool: This guy Marty's flash looks normal but http://www.newgrounds.com/lit/marty/intro.swf this is what this guy actually put on! (.swf exposed|non-inurl search but filetype)
Anyway, I'm not suppose to find user's stuff on dumping ground RIGHT? I thought they are private unless user share them!!!! /dump/ was disallowed! http://www.newgrounds.com/robots.txt
Also the rest of *Disallowed* dir are crawl-able too. No matter "/" or not. I used PHP script to crawl.
In the FAQ, it says "The only other people who have access to them are those who are given the URL for a particular file"
Eh?
Auto-generate/harvest header/usr-agent and auto-proxy-harvest scripts are no problem now. Of course my IP... or proxy IPs are everywhere on NG logs already.
Here is a cookie that id me:
NG_GG_username=Wurfel-Waffles; __utma=158261541.1059185036.1326839903.133132757 8.1331329547.107; __utmz=158261541.1331329950.107.76.utmcsr=google |utmccn=(organic)|utmcmd=organic|utmctr=site%3An ewgrounds.com%20filetype%3Aswf; ng_adcode_country_id=3; vmkldu5I8m=50ed79279dda604b; vmk1du5l8m=f0de362eada46981; ng_user0=a%3A1%3A%7Bs%3A7%3A%22default%22%3Ba%3A 0%3A%7B%7D%7D; __utmc=158261541; NGBBS_timestamp=1331321863; NGBBS_last_visit=1331321863; __utmb=158261541.4.10.1331329547
Yes, I did use Google dork site:newgrounds.com filetype:swf ... thing is, ads-bot got it too.
Here is when I logged out. Interestingly how Newgrounds store my current session and IP. Also, log anyshit I do that related to Newgrounds.com.
NG_GG_username=Wurfel-Waffles; __utma=158261541.1059185036.1326839903.133132757 8.1331329547.107; __utmz=158261541.1331331239.107.78.utmcsr=google |utmccn=(organic)|utmcmd=organic|utmctr=site%3An ewgrounds.com%20document.cookie; ng_adcode_country_id=3; ng_user0=a%3A1%3A%7Bs%3A7%3A%22default%22%3Ba%3A 0%3A%7B%7D%7D; __utmc=158261541; NGBBS_timestamp=1331321863; NGBBS_last_visit=1331321863; __utmb=158261541.7.10.1331329547
yeah, I did search for document.cookie and found stuff below.
Site admin's real time management is the only obstacle for ad-bot to deal with.
Easter Egg: Newgrounds Tank's ASCII art. Look awesome!
Why's so serious?
If ads-bot has access to general universal database, so why can't it have access to site vulnerabilities? Sites like PacketStormSecuritty.org | XSSed.com | OffensiveSecurity DB | etc... are great gold mines for auto-bots.
NG has an old forum/BBS database that accessable by all types of crawlers n bots. Vulnerabilities found. Some has direct paths to current site. This is a silver mines... and hey I did not use Web Archive!
There are tons of way to hide JavaScript DoS algorithms. Tons of way to hide a JS vul scanner.
To be continue...
Counter:
Cookie filtering, JS disable/filtering, proxy, user-agent/header generator... in the ind sum it up that hide your real life info.
To be concluded...