ugh, fuck freud. I hated when they made me learn his shit (which, admittedly i was already familiar enough to know was shit) but at least my teacher was kind of, approaching it as more of a "these ideas are prevalent and its important to recognize them so you can know when someone's a crock of shit" sorta thing (but also sometimes they're buried so deep its like you learn smth that sounds reasonable until you hunt down the origins of it). Alright, preemptive disclaimer: I am a few years out from an education that never actually got to the point of a degree due to complicated life upheavals. I try to keep up bcs it's a personal passion, but as you've said as well, psychology/ect is a rapidly-evolving field that is still divesting from a lot of older prejudices and yeah, it's very political. You DO have the more recent stuff and I do want to emphasize that I am not so much trying to discredit or outright disagree, just that with where there's overlaps in a lot of disorders (much like other illnesses), you know, understand why one thing vs another, ect. Bcs, again, you've got the most up to date resources, even if they might look different from the ones I'd get if I was able to immediately resume on the same level. (On a slightly other front, I also very much approach diagnosing a fictional character differently than I ever would even suggest IRL, largely in part due to the fact that many discredited or contested disorders, concepts, ect. are used as literary devices regardless of accuracy - Disassociative Amnesia/dissociative fugue, for example, is in particular a rather large one.)

Also some of my terminology is outdated as they frequently adapt them esp wrt as we gain greater understandings of what's actually going on behind the way things present. A vast majority of psychological terms, diagnoses, and symptoms currently do not have the same meanings or usages as their origins. Disassociation, as I recall, even started under the belief of being a "mental/cognitive deficit" and tied to a more archaic version of hysteria - which has a long political history esp tied towards the control & oppression of those diagnosed, often women.

DID is not something I necessarily was thinking of suggesting Jason might have, but rather wanting to bring in that Dissociative Fugue had been tied to other sources, & DID is frequently comorbid with other disorders that can sometimes make treatment of it, or the other disorders difficult due to the disparity - there's no medication for DID, and most treatment is directed largely at the others connected to it & regular counseling. Depression being most frequent esp treatment-resistant varieties, but PTSD & Borderline/BPD (which is also a very popular hc for Jason & includes dissociative episodes) are also not terribly infrequent (as well as any number of other personality, trauma, disorders, actually. It could be said that DID is almost an amplifier, in some ways). (DID, ftr, is also considered to be a trauma-induced disorder, especially tied to trauma starting in/induced in early childhood, and similarly to PTSD has been getting more momentum in recognition/study largely due to WW2. I have had multiple friends diagnosed with it and combined with my family history & OTHER friends who had schizophrenia it was a major factor in my interest in the field from the start, esp to understand where they diverge since they were frequently conflated. Also, an interesting note is that diagnosing DID is almost more about ruling out every other option than it is to diagnose DID itself. One of the biggest issues with it diagnostically is that a lot of the associated concepts for it are not clearly enough defined, & there are competing models for it. It may be the case that there are multiple "types" and it should be used more of an umbrella with more specific sub-branches or even just split into multiple concepts altogether, but admittedly that's a bit more of a personal theory than one I know to be actually considered.)

Where I was considering the Dissociative Fugue idea is largely more due to it's implications wrt mobility. ymmv on if "escaped the hospital and wandered around Gotham" constitutes a significant enough form of travel to qualify under "fugue", but given the emphasis on the comic even before he got hit on him walking several miles further than investigators suspected he could/would have, it seemed a viable consideration. It also apparently became More Explicitly part Dissociative Amnesia in the DSM-V which I guess was published the same year I was... studying... and my class at the time did not fully cover, jfc. That's kind of an embarrassing thing to have missed, actually. I was a bit focused on other things, but...

I believe you! Implicit learning is a good point, I was mostly concerned about how it would interact with, say, the dissociation in question. Using your house metaphor, if they're lower than the first basement, where they can't see or hear above, then how are they intaking and retaining that information. With a lighter dissociation it doesn't feel like a question, but the deeper in you get, it feels like there would be more of a struggle for that information to breach, you know? (Again, not saying you're wrong. This is just why I had the question/felt unsure of whether or not that specific concept(s) was still applicable under these conditions.)

Is it just me or does Jason not have catatonia in Red Hood: Lost Days?

It's been driving me crazy the more I think about it, his symptoms are way more consistent with dissociation than catatonia (not to mention the etiology fits much better. If you just gave me the list what happened to him and I had to pick what disorder he was most likely to suffer from (in RH: Lost Days) without describing anything, my bet would be on dissociation no question asked)

This is has enormous implications when it comes to the Lazarus Pit and what it can and cannot heal, how to calculate Jason's age, the diagnostic hypothesis we have for Jason and so much more. Am I missing something? Why does Winnick keep referencing to Jason's symptoms as catatonia?

Imagine: KBTBB and Budgeting

As someone from a less well-off financial standing, the way he spent his money was horrifying. Sure, there was a slim chance that he would ever be dirt-poor, however your frugal mentality itched to improve his senseless spending. From himself or his circle of friends, the mentality of grabbing items first then carelessly dropping nearly a million dollars to pay them off was not uncommon. You however were the type of person to invest half an hour contemplating whether it was okay to spend $45. 

Ota:

Managing to convince the young artist to show you his recent spendings, you found yourself slowly turning pale and developing an eye twitch. 

He was pacing around the room as you ran through each of his purchases from that week. You paused before mumbling, “Are you telling me that these paintbrushes are $100,000 a piece?” With that knowledge, your eyes shifted to the metallic container laying unassumingly on his desk and housing the most ordinary-looking brushes ever. 

There was a small pause as the blonde turned on his heel, “...If you think that I’m going to Michael’s to buy cheap-ass synthetic brushes like the ones you use on your face for what you consider makeup, then you have another thing coming.” 

Without fail, the spite and ever-lasting sass of his stung you. You knew that him being especially nasty was a defense mechanism to distract from the fact that he was spending hundreds of thousands on brushes. Yes, art was his livelihood and passion which enabled him to make millions. However, there had to be more affordable brushes to consider. 

“Sweetie, are you sure there aren’t any other types of brushes you can try?” You gave him an uneasy smile at how his complexion suddenly darkened at your suggestion. 

Shooting you a mockingly sweet smile that earned him the title of ‘Angelic Artist’ in spite of his more sadistic nature, he countered you with, “Honey, are you sure there aren’t any other types of concealer you can try?” 

In horror, your hands automatically shot up to your under-eye area as you felt your insecurities slowly being unravelled by the savagery of Ota Kisaki. “Ota, you take that back!! You’re being especially rude.” 

Needless to say, that day and beyond you never re-opened the discussion on his brushes’ price points. Your pride was too great for it. 

Eisuke:

The both of you were seated on one of the many Italian and custom leather couches in the vast living area of the penthouse. His latest model of laptop was placed in front of you as he explained his finances with a rather bored expression.

Your lips were pressed in a tight line as you processed what he was saying and were internally screaming. “Tax evasion is illegal, Eisuke.”

The familiar and piercing sepia orbs of his rolled as leaned back to cross his arms defiantly in his infamous purple dress shirt. “So are the auctions and more than half of the other things we do here, but I didn’t see you complaining about it when I bought you.”

Sharply inhaling through your nose at how ridiculous he was, you growled, “What are you talking about?? I COMPLAINED. A LOT. The whole time and process, I complained!!! At one point, I think I even tried to run away!!!” 

Exasperated, you threw your arms in the air when you noticed him tapping away on one of his many smartphones. 

“Oh, were you saying something? I just bought another island using my off-shore account. That reminds me, I want coffee.” Not taking his eyes off his mobile device, he blindly reached for and held up his half-empty mug. You noted how it was encrusted with Swarovski crystals and decided this was a fight for another day. 

Thick and through, Eisuke Ichinomiya was a diva. A tax-evading diva with selective memory and a knack for buying islands in the middle of arguments that was somehow your boyfriend. 

“MC, I am still waiting on that coffee.” 

“Coming, Eisuke!” Maybe you wouldn’t ever stop him from technically being a criminal or help him be more reasonable in terms of finances, but you could give him decaf. Right on, MC! That will totally show him. 

Mamoru:

You were logged onto the desktop in your shared apartment with the detective’s banking statements pulled up and him lazing on a couch behind you. His feet were propped up as he sipped at a canned beer in his wrinkled work suit. Periodically, he commented on the muted game playing on the living room TV.

As you scrolled through the reports and did separate calculations on your smartphone, you grew more horrified. “Mamoru, you spend nearly $400 on cigarettes a month.”

Without even turning around, you could already envision his deadpan as he mindlessly commented, “What’s your point?” 

You swiveled the office chair and glared at the back of his mop-like head of hair, “My point is that you can’t be spending like this. You’re a cop and you don’t make nearly as much money as the other guys!” Sure, he assisted the bidders with the auctions and received a percentage, however he was hardly of millionaire status. If he was, would he really dress like that? The thought passed through your mind as you nearly snickered before snapping back to reality. 

“It’s my money and I can do what I want with it! If I damned please, I could buy a ticket to Cuba, buy my smokes there, and come back in one trip just to spite you! Hell, I could even buy myself a new suit from Macy’s for that same trip to Cuba!” Growing impressively heated, he finally sat up and shifted to shoot you a harsh glare. 

You briefly wondered if he somehow picked up on your silent judgement of his fashion choices and about how awfully specific he was being about Cuba along with Macy’s. 

Turning to face the computer screen, your fingers hovered above the mouse to a certain bit of his banking report and stopped. With a rather smug grin, you stated, “Babe, I’m looking at your checking account right now, and you can’t even afford a decent suit with that money. So what makes you think you can afford to go to Cuba?” 

From behind, you could hear him scrambling to his feet and nearly knock over the ratty fabric couch as he rushed to the computer. “THAT CAN’T BE RIGHT!!! I HAD AT LEAST A HUNDRED LAST TIME I CHECKED!!” In his desperation, he nearly shoved you to the side as he gazed at the screen. Any hope left soon was drained as he realized the truth. 

“Do you think if I started vaping I would save more money?” 

“I think if you started vaping, I would leave you.” 

Baba: 

The two of you were sorting through your shared walk-in closet and deciding which clothes needed to go. Unlike most of the bidders, Baba was very receptive to your ‘normal person’ customs and seemed eager to donate any unused items to charity. As his partner, you wanted to help in any way possible and were working towards maximizing his finances. 

That mission was on your mind as you started to note the extensive fedora collection owned by the international thief extraordinaire. They were some with the most blinding patterns (ie. zebra stripes) and most ridiculously resembling the iconic burgundy hat he was known for. Your hands wandered to check the brand names and also realized that many were still new with their price tags included. You choked at the several zeroes accompanying each tag. It was undeniable that you loved the man, but his fedoras were so damned tacky that their cost made no sense. 

From his corner of the closet, the older male glanced up from his pile of old shirts and asked, “Is something wrong, pretty lady?” The affectionate pet names was always pleasant to hear, but almost fell on deaf ears to you as you started to do mental math. 

“...Mitsunari, you don’t need all these fedoras, you just want them.” It was a harsh revelation that you admittedly winced at when delivering because of how dear the accessory was to him. You felt your heart pang when you saw his light demeanor fall. 

With his broad shoulders drooping, he asked in a rather small voice, “But don’t you think they look nice?” His thin and long digits reached up to run along the rim of his current and burgundy hat, almost as if to comfort himself. 

On the inside, you screamed how tacky you truly thought they were. However, you constructed a careful response for the sake of his feelings, “Dear, don’t you think you should cut back a bit on these...investments? You have dozens of fedoras here that you’ve never even used.” 

After several moments of silence in which you sweated bullets, Baba nodded with a suddenly cheerful grin. “Aww, you’re right! I’ll even wear this one to dinner! It’s Chanel!” He crossed the room and plucked one of his many pieces from the shelf with a rather victorious smile. 

You felt your very essence shake at how the hat looked exactly like the one he was wearing now and at the knowledge that a revered brand like Chanel would produce such a heinous accessory. In a way, you won. However, in another way, you still lost. 

Soryu: 

Out of all the bidders, you felt Soryu was fairly reasonable. If you omit his bad habit of brandishing his gun in public at rude waiters and Mamoru, he was pretty okay. When it came to checking his spending habits, you felt there wouldn’t be anything too outrageous. With that, you nearly lost your shit when you noticed a rather costly trend from his most recent statements. 

“Soryu! Sweetie, can you come here for a sec?” You called out to your mobster boyfriend from your comfy position on your side of the king-sized bed. Placing the Macbook on your lap, your face twitched at the numbers glaring across the screen. 

In a few moments, the rather tall and raven-haired male entered the room. He was still in his work suit and had been working in his office when you called. “Is everything alright?” His smooth baritone cut through the silence as he moved to sit at the edge of the bed by your feet. 

You noted how impossibly handsome he was and forced yourself to quit checking him out. This was a topic that needed to be addressed and his fine cheekbones would not stop you. “So I was looking at your recent statements and...how much money do you think you spend on hair gel?” Your eyes were suddenly glued on his shiny and slicked back hair. 

He seemed suddenly self-conscious as he shifted, rubbing the back of his neck. Pursing his thin lips, he tried to seem casual as he replied with, “I’m not sure. In a year, probably only a few hundred. I have tried some brands here and there.” 

You unintentionally squinted at him, wondering if he was knowingly lying to you. “Hmm. I hate to break it to you, but this past year you’ve spent several thousand on hair gel.” 

The more you thought about how much volume was in a typical container of hair gel, the more you wanted to break into laughter at how your partner was likely dousing his whole being in it. He had only so much hair and the idea of investing so much into it seemed ludicrous. Yes, it was nice hair, but how much product did he realistically need? 

Although silence was not uncommon for the Ice Dragon Boss, you still grew a bit nervous. He finally sighed and slightly dropped his shoulders, “I didn’t think I was that bad. It’s just that this brand I use now is imported from the Middle East with essential oils and...has extra holding strength.” 

No matter what, you could not laugh. You were biting down on your tongue so hard that you were sure that it was going to rip off. The way he was being so bashful about damned hair product made it morally painful to make fun of him. 

“...I can start using generic again, if you want me to.” He offered despite the obvious frown on his pale visage, eyes seeming pained at the idea of using low-quality gel. 

Although this entire situation was meant to minimize his extravagant spending, you did not have the heart to take this away from him. Damn it all, Soryu is a mobster boss and he deserves proper hair gel!

You reached forward for one of his hands and he easily allowed it. Rubbing soothing circles onto the back of his hand, you shake your head, “I won’t take this away from you. There are worst ways to spend your money like on cocaine or gambling which I’m sure Mamoru does.” 

Soryu seemed to flinch at the mentioning of his faux arch-nemesis but ultimately softened at your display of affection. “I’ll try to get help one day.”

What the Google Chrome Ad Blocker Means for Your Website Popups (Plus 8 Really Smart Targeting Tips)

blockquote h2 {margin-left:0px !important;} blockquote p {font-size: 1rem !important;} blockquote p em {font-size: 1rem !important;} blockquote.long p {font-size: 0.9rem !important;} blockquote.long p a {font-size: 0.9rem !imporptant; text-decoration:underline !important;} hr {margin:70px auto 80px auto !important;border-top:1px solid #ddecf2 !important;} .exampleTitle {padding:20px 5% 20px 9% !important;margin-top:50px !important;} strong a {font-weight:bold !important;}

Last week you likely saw a ton of news about Google Chrome’s Ad Blocker going into effect Feb 15, 2018. And nobody could blame you if you took one look at some of the reports and thought, “Oh no! Popups are dead. Google just outlawed them, and I have to take down the 35 I’m using across my web properties that are generating 12,000 leads per month”.

Well, fortunately, after combing through the details, I’m happy to tell you that — from our early interpretation — this doesn’t seem to be true.

You can still confidently use popups and sticky bars on your website and landing pages, and today I’ll take you through the news with a bit more nuance to explain why (and how to do so without compromising your user experience).

As I wrote in Technology isn’t the Problem, We Are. An Essay on Popups there’s a reason why bad marketing practices exist (spoiler alert, it’s bad marketers), and we all need to play a part in reversing these bad practices because frankly, we all deserve a better internet.

Here at Unbounce, we welcome this defense of higher internet standards by Google. But we do need to unpack the announcement to see what the potential impact could be on your marketing activities.

What is the Google Chrome Ad Blocker and Why Are We Talking About It?

On February 15th 2018, Google officially introduced an ad blocker to the Google Chrome browser that will screen for (and eventually block) what they deem to be “intrusive” ad experiences. This is further to Google’s partnership with the Coalition for Better Ads they announced previously with the January 10th 2017 change re: Mobile ad experiences.

In short, while it seemed like news last week, it’s an initiative that’s been in the works for some time.

The Coalition for Better Ad Standards

The Coalition for Better Ad Standards (CBA) is a group made up of trade associations and companies involved in online media. Their mission is to improve consumers’ experiences with online advertising and includes a set of global standards that address consumer expectations with online advertising.

As part of this mission, they performed a research study of 25,000 consumers to identify the ad experiences most likely to make those consumers install ad blocking software.

The study presents a range of user experience factors to discover which ones ranked worst. But before we get into the ads raising concerns, we should first address what constitutes an ad.

What is an Ad (In the Eyes of The Better Ad Standards Coalition)?

This is where things start to get a little vague. As per the Better Ads Standards website:

An “ad” is promotional content displayed on the web as the result of a commercial transaction with a third party.

In our interpretation, the above refers to a paid ad (such as Google AdSense) that appears on your website, not a popup containing your own marketing materials such as an e-commerce discount, a newsletter subscription, or a time-sensitive offer. The third party being an ad network and the ad being what’s delivered to the website.

If this is the correct interpretation it makes sense, because ads such as this are not related to the marketing efforts of the host website. They’re the result of the host website trying to generate ad revenue and presenting incongruent and somewhat random display ads.

However, at this time, it’s admittedly difficult to determine exactly what the coalition is considering an ad. To ensure we get you the best answer possible, we contacted Better Ad Standards directly to clarify whether our early interpretation of their definition is correct.

My main question is concerned with how the two parties will be evaluating the ads. Is it the content or is it the delivery mechanism? In other words, are Chrome and the Better Ad Standards coalition concerned with the interaction method of the message delivery? Or the content of the message? Or a combination of both?

My gut says it’s a combination, where the content must be considered an “ad” and the delivery mechanism falls into a few specific categories of interaction that are deemed as bad experiences.

Update from the Coalition for Better Ads

We got a response back from the CBA pretty quickly which was awesome. Unfortunately, the response didn’t really add any extra clarity to the original definition.

Here’s a portion of my question:

Are you able to confirm whether an ad in this instance includes website popups (or sticky bars) for our own business, placed on our own website? For example a newsletter subscription popup on our blog, or a discount popup on our pricing page.

Or are you referring to paid ads from an ad service such as Google AdSense that appear on a website, but are not part of that website’s business? For example, an ad for hair products that shows up on the New York Times.

And a portion of their response:

You should direct any questions about the Chrome browser and its plans to Google.

The Coalition does not currently provide specific evaluative guidance on questions of interpretation relating to the current Better Ads Standards. However, in conjunction with the Better Ads Experience Program, this service may be offered to participating companies in the future.

The Coalition for Better Ads plans to release additional details about its Better Ads Experience Program in the coming months. The Program will certify web publishers that agree not to use the most disruptive ads identified in the Better Ads Standards and will accredit browsers and other advertising technology companies that will assess publishers’ compliance with the Standards and filter digital ads based on the Standards. If compliance issues arise, certified companies will be notified and have an opportunity to address violations or to pursue review by an independent dispute resolution mechanism available through the Program.

The opening of enrollment for publishers that wish to certify their compliance with the Better Ads Standards and participate in the Program’s register was recently announced. Interested publishers can follow this link to learn more about the Program and the registration process. The Program expects to introduce an independent dispute resolution mechanism in the second quarter of this year.

Further updates on the Better Ads Experience Program are forthcoming, so please continue to monitor the Coalition for Better Ads’ blog and press releases page for updates. All Coalition initiatives and authoritative guidance are first published on the CBA website.

Based on this, I’m still not entirely sure if our interpretation is right or wrong.

If we are wrong, then it’s more important than ever to be creating the best possible experiences, and the easiest way for you to do that is with advanced targeting and triggers. You will find 8 examples of proactive great experience creation at the end of the post.

Here are some smart ways to do the right thing if you want to skip ahead to some implementation ideas:

Campaign Scheduling

Cookie Targeting

Referrer URL Targeting

Location Targeting

Click Triggers

Mobile Scroll Up Trigger

Frequency

Super Advanced Multi-Option Targeting

Which types of ad experience are raising a concern?

On desktop they refer to the following four ad experiences:

And mobile has an even larger set:

Again, while the images above could be alarming to anyone running popups, based on our early interpretation of the definition above I don’t think these are popups or sticky bars that you place on your own website with your own marketing content in them. I think we’ll end up finding as time goes on that the standards are targeting at neutralizing bad behavior with respect to third-party ads.

Does this mean you should ignore these guidelines if you’re not using third-party ads?

Not entirely, no. Conscientious targeting and triggering still reign supreme. You can continue to present popups and sticky bars to visitors on your website, but you should use the guidelines to do everything you can to deliver great experiences.

To help avoid getting warnings now that the standards are in place, Google offers a tool which can help you to determine if they consider your website to be infringing on the guidelines or not.

How to Check Your Website For Adherence Using The Google Ad Experience Report

The Ad Experience Report is designed to identify ad experiences that violate the Better Ads Standards, and you can check it for both desktop and mobile inside Webmaster Tools (now simply called Web Tools).

You can find the Google Ad Experience Report here.

When you choose your web property from the drop-down on that page, you will see this:

The video explains how it all works, and if you click desktop or mobile in the left navigation, you’ll instantly get a report like this one for unbounce.com:

If you receive any warnings you can make changes and request a fresh site review.

From Google: Violations of the Standards are reported to sites via the Ad Experience Report, and site owners can submit their site for re-review once the violations have been fixed. Starting on February 15, in line with the Coalition’s guidelines, Chrome will remove all ads from sites that have a “failing” status in the Ad Experience Report for more than 30 days. All of this information can be found in the Ad Experience Report Help Center, and our product forums are available to help address any questions or feedback.

What Else Can You Do to Create Better Popup Experiences?

I fully embrace this news and the mission of the Coalition for Better Ads because it gives me the opportunity to broach the topic of popup misuse. As a platform offering popups, sticky bars (and landing pages of course) it’s incumbent upon Unbounce to take a stance and work hard to help marketers deliver especially respectful and responsible web experiences.

Popup misuse typically falls into the following categories:

Interaction modes that prevent control of the experience by the visitor (such as easy and obvious close and bypass mechanisms).

Manipulative copywriting that uses psychological means to coerce visitors into taking an action, such as the manipulative confirm shaming styles like this: [ Get Your Ebook ] [ No ebook for me. I prefer to kill kittens! ]

Overly persistent frequency rules where you show the popup every time someone arrives.

Multiple popups on the same page, at the same time.

To provide a method of evaluating popup experiences and to help combat bad behavior I created The Popup Delight Equation.

Essentially the equation reverse engineers an excellent popup experience and allows you to generate a percentage score by analyzing seven principles: clarity, control, creativity, relevance, charm, value, and respect.

I’d also recommend you read Stop Making These Common Mistakes with Your Website Popups (Includes Examples and Quick Fixes) which has some great ideas on the topic.

What is Unbounce Doing to Help Customers Avoid Ad Blocker Warnings?

Fabulous question! I asked Cole Derochie, one of Unbounce’s product owners, to elaborate on how we’re approaching the news and what it means for our customers.

“Unbounce respects this policy, and shares Google’s concern for ensuring users are able to easily access content — regardless of device.

Our goal with popups and sticky bars is to help our customers make offers that are relevant and valuable, and thereby increase their conversion rates, without harming the user experience.”

As I mentioned earlier, it does seem the news pertains to third-party ads, but having said that, we are determined to help marketers adhere to great internet standards. One way we’re doing that is by creating tips and warnings inside the Unbounce builder to help prevent some of the design methods that Google considers bothersome, in particular for the mobile experience.

For instance, in the screenshot below, a warning appears if you try to increase the height of the sticky bar beyond 100px:

Despite our belief that this announcement (and the general concerns of Google and the Coalition for Better Ads) isn’t specifically directed at regular popups and sticky bars, it does still represent an opportunity to take an honest look at the ways we’re all presenting our marketing, and step away from some of the more blatant behaviors mentioned in the research.

One of the best ways to ensure a quality experience is to use some of the more advanced targeting, trigger, and frequency settings that Unbounce provides to give your visitors a respectful interaction that’s as relevant as possible.

  Using Targeting, Triggers, and Frequency to Improve Popup and Sticky Bar Experiences

From a high-level philosophical perspective, we should be thinking beyond surface level conversion metrics to focus on quality rather than quantity. I’m referring to tactics like showing popups on every visit, which in my mind is just a little desperate, and destined to not be delightful.

Here are some ways you can deliver a better user experience and stay on Google’s good side:

Method #1 – Campaign Scheduling

If you’re running a time-sensitive campaign, it’s important to only show your offer when it’s actually valid. I’m sure you’ve seen those “live” chat windows that tell you nobody is home. If nobody is home, don’t show the live chat box dummies! Similarly, you don’t want to show a discount or special offer when it’s already expired.

In Unbounce you can set your campaign schedule down to the minute.

Method #2 – Cookie Targeting

Cookies are a great way to create more personalized experiences, basing the display of you offer on previous visitation or behavior tracking. But they are equally as powerful when you use them as an exclusion mechanism.

Let’s say you have an offer for a discount on your SaaS product to encourage people abandoning your website, but you don’t want existing customers to see it (it could make them jealous or upset that they didn’t get the discount).

If you are able to set a cookie within your app somewhere to label a customer as a customer, you can then use the “Don’t Show” cookie targeting to make sure they are not shown the offer.

Bazinga!

Method #3 – Referrer URL Targeting

Context is king when it comes to communicating your message quickly, and if you target your popups and sticky bars using the referrer URL option you can present content that’s highly relevant to where the visitor just came from. This is especially effective for co-marketing where your popup or sticky bar can showcase both brands by including the partner’s logo, creating a more powerful connection between the two experiences.

Here’s another really interesting use case that uses the “Don’t Show” setting.

I’m in the middle of a reboot of our landing page course, and I’m running some popups containing Typeform surveys for the purposes of research.

The problem though is that the homepage of the course is a landing page on a subdomain of the primary course domain – and I’m running the survey on both the homepage and the internal pages of the microsite.

Course homepage URL: do.thelandingpagecourse.com Internal course page URLs: thelandingpagecourse.com/*

There’s a lot of organic traffic coming to the homepage and also the internal pages. But I don’t want to show it to a visitor to the homepage, and then show it again when they click through to start part one of the course.

To solve this problem, I set a “Don’t Show” setting on the Referrer targeting like this:

Which means that none of the internal course pages will show the popup if the visitor got there via the course homepage. This is a brilliantly simple way of solving what would otherwise require a bit of complex coding to resolve.

Even better is the fact that you can add as many “Show” and “Don’t Show” targeting rules as you like.

Method #4 – Location Targeting

Unbounce location targeting allows you to drill all the way down to the city level, and all the way up the the continent level. Personally, I’d be stoked if someone from the Antarctic saw one of my popups, but there are times when you do need to hide your marketing from certain locations, or target it specifically to a location or locations.

Just like in #3, the great thing is that you can add as many rules in here as you like, so you could set it up like the image below to target every major city in Texas, avoiding rural areas if that so happens to not be your target audience. Or reverse it to target all rural areas and avoid the cities. YUSS!

Method #5 – Click Trigger

Undoubtedly the best trigger type is the click trigger. Why? Because it’s entirely user-driven. A great use case for this option is two-step opt-in forms where your popup with a form only shows up when requested. The conversion rates are typically very high because the initial click declares intent making the contents of the popup desirable.

With Unbounce you can set the click trigger to work on any page element by using the CSS id, or you can even apply it to a CSS class which could make multiple page elements interactive.

Method #6 – Mobile Scroll Up Trigger

Google has expressed discontent for certain types of popup that appear on entry, on mobile devices. For this reason we created the “Scroll Up” trigger. It works a little like an “Exit Trigger” on desktop as it may signal that someone is leaving the page. If you use this, and keep the size of your Sticky Bar to 100px in height or below, you can create a nice experience that’s not too interruptive, doesn’t prevent the visitor from leaving, and lets you notify them of something important.

Method #7 – Frequency Settings

What’s the frequency, Kenneth? If you don’t get that reference then either you’re really young or I’m really old. Either way, frequency matters. And when you get it wrong it hertz. Pro tip – once and done When in doubt, the first option (“Show once per visitor”) is the best. Show it once, and go cry in your soup if it didn’t convert. Do NOT pester people over and over again. If they want it they’ll say yes. If they don’t, well that’s a lesson (in the form of a poor conversion rate) you can use to better understand your audience.

For the other options, if you wanna be super respectful and let people check out your site without any distractions, think about using the “Show only on visit x” option. Typically the x would be the number 2. Show it the second time they are there. That way they’ve had the chance to get to know you and your offer will seem more relevant.

For example, there’s nothing more annoying on a blog than when you get an entrance popup saying “Love this content! Subscribe for more!!!!!”. No, I don’t love this content cos I just got here, dammit! Whereas if you show it on the second visit, you know they liked you enough to come back. Done.

Method #8 – Super Advanced Multi-Option Targeting

How about this idea for some extreme relevance! You can use all four advanced targeting rules at the same time to get hyper-personalized. In the example below I’m targeting people in Vancouver, Canada who’ve got a cookie called “ILikeTurtles” who are coming from my partner’s site during the dates of my campaign. SICK!

In Conclusion: What Should You Do Now?

Well for starters I recommend that you go make 50 popups with “Every visit” targeting and a frequency of 100 times per visit.

Wait. Don’t do that.

Do what a thoughtful marketer would do and spend some time thinking about your visitors, and about the really cool things you can do when you combine triggers, frequency, scheduling, and advanced targeting rules.

The combinations are literally limitless. I’m not sure on my math there, so there may be some finite limit to what you can do, but whatever it is, it’s huge!

This is a hot and contentious topic, with much to discuss, particularly because of how hard it is to interpret some of the communications surrounding it, so please add comments with any intel or different perspectives you have.

We’re committed to staying on top of the situation as it continues to unfold, and will bring you more details and ideas as soon as they become apparent.

Here’s to better marketing standards, and better marketing in general.

Cheers Oli Gardner

$(function() { $('a[href*=#]:not([href=#])').click(function() { if (location.pathname.replace(/^\//,'') == this.pathname.replace(/^\//,'') || location.hostname == this.hostname) {var target = $(this.hash); target = target.length ? target : $('[name=' + this.hash.slice(1) +']'); if (target.length){$('html,body').animate({scrollTop: target.offset().top}, 1000);return false;}}});});

from Marketing http://unbounce.com/website-optimization/google-chrome-ad-blocker-website-popups/ via http://www.rssmix.com/

What the Google Chrome Ad Blocker Means for Your Website Popups (Plus 8 Really Smart Targeting Tips)

blockquote h2 {margin-left:0px !important;} blockquote p {font-size: 1rem !important;} blockquote p em {font-size: 1rem !important;} blockquote.long p {font-size: 0.9rem !important;} blockquote.long p a {font-size: 0.9rem !imporptant; text-decoration:underline !important;} hr {margin:70px auto 80px auto !important;border-top:1px solid #ddecf2 !important;} .exampleTitle {padding:20px 5% 20px 9% !important;margin-top:50px !important;} strong a {font-weight:bold !important;}

Last week you likely saw a ton of news about Google Chrome’s Ad Blocker going into effect Feb 15, 2018. And nobody could blame you if you took one look at some of the reports and thought, “Oh no! Popups are dead. Google just outlawed them, and I have to take down the 35 I’m using across my web properties that are generating 12,000 leads per month”.

Well, fortunately, after combing through the details, I’m happy to tell you that — from our early interpretation — this doesn’t seem to be true.

You can still confidently use popups and sticky bars on your website and landing pages, and today I’ll take you through the news with a bit more nuance to explain why (and how to do so without compromising your user experience).

As I wrote in Technology isn’t the Problem, We Are. An Essay on Popups there’s a reason why bad marketing practices exist (spoiler alert, it’s bad marketers), and we all need to play a part in reversing these bad practices because frankly, we all deserve a better internet.

Here at Unbounce, we welcome this defense of higher internet standards by Google. But we do need to unpack the announcement to see what the potential impact could be on your marketing activities.

What is the Google Chrome Ad Blocker and Why Are We Talking About It?

On February 15th 2018, Google officially introduced an ad blocker to the Google Chrome browser that will screen for (and eventually block) what they deem to be “intrusive” ad experiences. This is further to Google’s partnership with the Coalition for Better Ads they announced previously with the January 10th 2017 change re: Mobile ad experiences.

In short, while it seemed like news last week, it’s an initiative that’s been in the works for some time.

The Coalition for Better Ad Standards

The Coalition for Better Ad Standards (CBA) is a group made up of trade associations and companies involved in online media. Their mission is to improve consumers’ experiences with online advertising and includes a set of global standards that address consumer expectations with online advertising.

As part of this mission, they performed a research study of 25,000 consumers to identify the ad experiences most likely to make those consumers install ad blocking software.

The study presents a range of user experience factors to discover which ones ranked worst. But before we get into the ads raising concerns, we should first address what constitutes an ad.

What is an Ad (In the Eyes of The Better Ad Standards Coalition)?

This is where things start to get a little vague. As per the Better Ads Standards website:

An “ad” is promotional content displayed on the web as the result of a commercial transaction with a third party.

In our interpretation, the above refers to a paid ad (such as Google AdSense) that appears on your website, not a popup containing your own marketing materials such as an e-commerce discount, a newsletter subscription, or a time-sensitive offer. The third party being an ad network and the ad being what’s delivered to the website.

If this is the correct interpretation it makes sense, because ads such as this are not related to the marketing efforts of the host website. They’re the result of the host website trying to generate ad revenue and presenting incongruent and somewhat random display ads.

However, at this time, it’s admittedly difficult to determine exactly what the coalition is considering an ad. To ensure we get you the best answer possible, we contacted Better Ad Standards directly to clarify whether our early interpretation of their definition is correct.

My main question is concerned with how the two parties will be evaluating the ads. Is it the content or is it the delivery mechanism? In other words, are Chrome and the Better Ad Standards coalition concerned with the interaction method of the message delivery? Or the content of the message? Or a combination of both?

My gut says it’s a combination, where the content must be considered an “ad” and the delivery mechanism falls into a few specific categories of interaction that are deemed as bad experiences.

Update from the Coalition for Better Ads

We got a response back from the CBA pretty quickly which was awesome. Unfortunately, the response didn’t really add any extra clarity to the original definition.

Here’s a portion of my question:

Are you able to confirm whether an ad in this instance includes website popups (or sticky bars) for our own business, placed on our own website? For example a newsletter subscription popup on our blog, or a discount popup on our pricing page.

Or are you referring to paid ads from an ad service such as Google AdSense that appear on a website, but are not part of that website’s business? For example, an ad for hair products that shows up on the New York Times.

And a portion of their response:

You should direct any questions about the Chrome browser and its plans to Google.

The Coalition does not currently provide specific evaluative guidance on questions of interpretation relating to the current Better Ads Standards. However, in conjunction with the Better Ads Experience Program, this service may be offered to participating companies in the future.

The Coalition for Better Ads plans to release additional details about its Better Ads Experience Program in the coming months. The Program will certify web publishers that agree not to use the most disruptive ads identified in the Better Ads Standards and will accredit browsers and other advertising technology companies that will assess publishers’ compliance with the Standards and filter digital ads based on the Standards. If compliance issues arise, certified companies will be notified and have an opportunity to address violations or to pursue review by an independent dispute resolution mechanism available through the Program.

The opening of enrollment for publishers that wish to certify their compliance with the Better Ads Standards and participate in the Program’s register was recently announced. Interested publishers can follow this link to learn more about the Program and the registration process. The Program expects to introduce an independent dispute resolution mechanism in the second quarter of this year.

Further updates on the Better Ads Experience Program are forthcoming, so please continue to monitor the Coalition for Better Ads’ blog and press releases page for updates. All Coalition initiatives and authoritative guidance are first published on the CBA website.

Based on this, I’m still not entirely sure if our interpretation is right or wrong.

If we are wrong, then it’s more important than ever to be creating the best possible experiences, and the easiest way for you to do that is with advanced targeting and triggers. You will find 8 examples of proactive great experience creation at the end of the post.

Here are some smart ways to do the right thing if you want to skip ahead to some implementation ideas:

Campaign Scheduling

Cookie Targeting

Referrer URL Targeting

Location Targeting

Click Triggers

Mobile Scroll Up Trigger

Frequency

Super Advanced Multi-Option Targeting

Which types of ad experience are raising a concern?

On desktop they refer to the following four ad experiences:

And mobile has an even larger set:

Again, while the images above could be alarming to anyone running popups, based on our early interpretation of the definition above I don’t think these are popups or sticky bars that you place on your own website with your own marketing content in them. I think we’ll end up finding as time goes on that the standards are targeting at neutralizing bad behavior with respect to third-party ads.

Does this mean you should ignore these guidelines if you’re not using third-party ads?

Not entirely, no. Conscientious targeting and triggering still reign supreme. You can continue to present popups and sticky bars to visitors on your website, but you should use the guidelines to do everything you can to deliver great experiences.

To help avoid getting warnings now that the standards are in place, Google offers a tool which can help you to determine if they consider your website to be infringing on the guidelines or not.

How to Check Your Website For Adherence Using The Google Ad Experience Report

The Ad Experience Report is designed to identify ad experiences that violate the Better Ads Standards, and you can check it for both desktop and mobile inside Webmaster Tools (now simply called Web Tools).

You can find the Google Ad Experience Report here.

When you choose your web property from the drop-down on that page, you will see this:

The video explains how it all works, and if you click desktop or mobile in the left navigation, you’ll instantly get a report like this one for unbounce.com:

If you receive any warnings you can make changes and request a fresh site review.

From Google: Violations of the Standards are reported to sites via the Ad Experience Report, and site owners can submit their site for re-review once the violations have been fixed. Starting on February 15, in line with the Coalition’s guidelines, Chrome will remove all ads from sites that have a “failing” status in the Ad Experience Report for more than 30 days. All of this information can be found in the Ad Experience Report Help Center, and our product forums are available to help address any questions or feedback.

What Else Can You Do to Create Better Popup Experiences?

I fully embrace this news and the mission of the Coalition for Better Ads because it gives me the opportunity to broach the topic of popup misuse. As a platform offering popups, sticky bars (and landing pages of course) it’s incumbent upon Unbounce to take a stance and work hard to help marketers deliver especially respectful and responsible web experiences.

Popup misuse typically falls into the following categories:

Interaction modes that prevent control of the experience by the visitor (such as easy and obvious close and bypass mechanisms).

Manipulative copywriting that uses psychological means to coerce visitors into taking an action, such as the manipulative confirm shaming styles like this: [ Get Your Ebook ] [ No ebook for me. I prefer to kill kittens! ]

Overly persistent frequency rules where you show the popup every time someone arrives.

Multiple popups on the same page, at the same time.

To provide a method of evaluating popup experiences and to help combat bad behavior I created The Popup Delight Equation.

Essentially the equation reverse engineers an excellent popup experience and allows you to generate a percentage score by analyzing seven principles: clarity, control, creativity, relevance, charm, value, and respect.

I’d also recommend you read Stop Making These Common Mistakes with Your Website Popups (Includes Examples and Quick Fixes) which has some great ideas on the topic.

What is Unbounce Doing to Help Customers Avoid Ad Blocker Warnings?

Fabulous question! I asked Cole Derochie, one of Unbounce’s product owners, to elaborate on how we’re approaching the news and what it means for our customers.

“Unbounce respects this policy, and shares Google’s concern for ensuring users are able to easily access content — regardless of device.

Our goal with popups and sticky bars is to help our customers make offers that are relevant and valuable, and thereby increase their conversion rates, without harming the user experience.”

As I mentioned earlier, it does seem the news pertains to third-party ads, but having said that, we are determined to help marketers adhere to great internet standards. One way we’re doing that is by creating tips and warnings inside the Unbounce builder to help prevent some of the design methods that Google considers bothersome, in particular for the mobile experience.

For instance, in the screenshot below, a warning appears if you try to increase the height of the sticky bar beyond 100px:

Despite our belief that this announcement (and the general concerns of Google and the Coalition for Better Ads) isn’t specifically directed at regular popups and sticky bars, it does still represent an opportunity to take an honest look at the ways we’re all presenting our marketing, and step away from some of the more blatant behaviors mentioned in the research.

One of the best ways to ensure a quality experience is to use some of the more advanced targeting, trigger, and frequency settings that Unbounce provides to give your visitors a respectful interaction that’s as relevant as possible.

  Using Targeting, Triggers, and Frequency to Improve Popup and Sticky Bar Experiences

From a high-level philosophical perspective, we should be thinking beyond surface level conversion metrics to focus on quality rather than quantity. I’m referring to tactics like showing popups on every visit, which in my mind is just a little desperate, and destined to not be delightful.

Here are some ways you can deliver a better user experience and stay on Google’s good side:

Method #1 – Campaign Scheduling

If you’re running a time-sensitive campaign, it’s important to only show your offer when it’s actually valid. I’m sure you’ve seen those “live” chat windows that tell you nobody is home. If nobody is home, don’t show the live chat box dummies! Similarly, you don’t want to show a discount or special offer when it’s already expired.

In Unbounce you can set your campaign schedule down to the minute.

Method #2 – Cookie Targeting

Cookies are a great way to create more personalized experiences, basing the display of you offer on previous visitation or behavior tracking. But they are equally as powerful when you use them as an exclusion mechanism.

Let’s say you have an offer for a discount on your SaaS product to encourage people abandoning your website, but you don’t want existing customers to see it (it could make them jealous or upset that they didn’t get the discount).

If you are able to set a cookie within your app somewhere to label a customer as a customer, you can then use the “Don’t Show” cookie targeting to make sure they are not shown the offer.

Bazinga!

Method #3 – Referrer URL Targeting

Context is king when it comes to communicating your message quickly, and if you target your popups and sticky bars using the referrer URL option you can present content that���s highly relevant to where the visitor just came from. This is especially effective for co-marketing where your popup or sticky bar can showcase both brands by including the partner’s logo, creating a more powerful connection between the two experiences.

Here’s another really interesting use case that uses the “Don’t Show” setting.

I’m in the middle of a reboot of our landing page course, and I’m running some popups containing Typeform surveys for the purposes of research.

The problem though is that the homepage of the course is a landing page on a subdomain of the primary course domain – and I’m running the survey on both the homepage and the internal pages of the microsite.

Course homepage URL: do.thelandingpagecourse.com Internal course page URLs: thelandingpagecourse.com/*

There’s a lot of organic traffic coming to the homepage and also the internal pages. But I don’t want to show it to a visitor to the homepage, and then show it again when they click through to start part one of the course.

To solve this problem, I set a “Don’t Show” setting on the Referrer targeting like this:

Which means that none of the internal course pages will show the popup if the visitor got there via the course homepage. This is a brilliantly simple way of solving what would otherwise require a bit of complex coding to resolve.

Even better is the fact that you can add as many “Show” and “Don’t Show” targeting rules as you like.

Method #4 – Location Targeting

Unbounce location targeting allows you to drill all the way down to the city level, and all the way up the the continent level. Personally, I’d be stoked if someone from the Antarctic saw one of my popups, but there are times when you do need to hide your marketing from certain locations, or target it specifically to a location or locations.

Just like in #3, the great thing is that you can add as many rules in here as you like, so you could set it up like the image below to target every major city in Texas, avoiding rural areas if that so happens to not be your target audience. Or reverse it to target all rural areas and avoid the cities. YUSS!

Method #5 – Click Trigger

Undoubtedly the best trigger type is the click trigger. Why? Because it’s entirely user-driven. A great use case for this option is two-step opt-in forms where your popup with a form only shows up when requested. The conversion rates are typically very high because the initial click declares intent making the contents of the popup desirable.

With Unbounce you can set the click trigger to work on any page element by using the CSS id, or you can even apply it to a CSS class which could make multiple page elements interactive.

Method #6 – Mobile Scroll Up Trigger

Google has expressed discontent for certain types of popup that appear on entry, on mobile devices. For this reason we created the “Scroll Up” trigger. It works a little like an “Exit Trigger” on desktop as it may signal that someone is leaving the page. If you use this, and keep the size of your Sticky Bar to 100px in height or below, you can create a nice experience that’s not too interruptive, doesn’t prevent the visitor from leaving, and lets you notify them of something important.

Method #7 – Frequency Settings

What’s the frequency, Kenneth? If you don’t get that reference then either you’re really young or I’m really old. Either way, frequency matters. And when you get it wrong it hertz. Pro tip – once and done When in doubt, the first option (“Show once per visitor”) is the best. Show it once, and go cry in your soup if it didn’t convert. Do NOT pester people over and over again. If they want it they’ll say yes. If they don’t, well that’s a lesson (in the form of a poor conversion rate) you can use to better understand your audience.

For the other options, if you wanna be super respectful and let people check out your site without any distractions, think about using the “Show only on visit x” option. Typically the x would be the number 2. Show it the second time they are there. That way they’ve had the chance to get to know you and your offer will seem more relevant.

For example, there’s nothing more annoying on a blog than when you get an entrance popup saying “Love this content! Subscribe for more!!!!!”. No, I don’t love this content cos I just got here, dammit! Whereas if you show it on the second visit, you know they liked you enough to come back. Done.

Method #8 – Super Advanced Multi-Option Targeting

How about this idea for some extreme relevance! You can use all four advanced targeting rules at the same time to get hyper-personalized. In the example below I’m targeting people in Vancouver, Canada who’ve got a cookie called “ILikeTurtles” who are coming from my partner’s site during the dates of my campaign. SICK!

In Conclusion: What Should You Do Now?

Well for starters I recommend that you go make 50 popups with “Every visit” targeting and a frequency of 100 times per visit.

Wait. Don’t do that.

Do what a thoughtful marketer would do and spend some time thinking about your visitors, and about the really cool things you can do when you combine triggers, frequency, scheduling, and advanced targeting rules.

The combinations are literally limitless. I’m not sure on my math there, so there may be some finite limit to what you can do, but whatever it is, it’s huge!

This is a hot and contentious topic, with much to discuss, particularly because of how hard it is to interpret some of the communications surrounding it, so please add comments with any intel or different perspectives you have.

We’re committed to staying on top of the situation as it continues to unfold, and will bring you more details and ideas as soon as they become apparent.

Here’s to better marketing standards, and better marketing in general.

Cheers Oli Gardner

$(function() { $('a[href*=#]:not([href=#])').click(function() { if (location.pathname.replace(/^\//,'') == this.pathname.replace(/^\//,'') || location.hostname == this.hostname) {var target = $(this.hash); target = target.length ? target : $('[name=' + this.hash.slice(1) +']'); if (target.length){$('html,body').animate({scrollTop: target.offset().top}, 1000);return false;}}});});

What the Google Chrome Ad Blocker Means for Your Website Popups (Plus 8 Really Smart Targeting Tips) published first on http://nickpontemktg.blogspot.com/

What the Google Chrome Ad Blocker Means for Your Website Popups (Plus 8 Really Smart Targeting Tips)

blockquote h2 {margin-left:0px !important;} blockquote p {font-size: 1rem !important;} blockquote p em {font-size: 1rem !important;} blockquote.long p {font-size: 0.9rem !important;} blockquote.long p a {font-size: 0.9rem !imporptant; text-decoration:underline !important;} hr {margin:70px auto 80px auto !important;border-top:1px solid #ddecf2 !important;} .exampleTitle {padding:20px 5% 20px 9% !important;margin-top:50px !important;} strong a {font-weight:bold !important;}

Last week you likely saw a ton of news about Google Chrome’s Ad Blocker going into effect Feb 15, 2018. And nobody could blame you if you took one look at some of the reports and thought, “Oh no! Popups are dead. Google just outlawed them, and I have to take down the 35 I’m using across my web properties that are generating 12,000 leads per month”.

Well, fortunately, after combing through the details, I’m happy to tell you that — from our early interpretation — this doesn’t seem to be true.

You can still confidently use popups and sticky bars on your website and landing pages, and today I’ll take you through the news with a bit more nuance to explain why (and how to do so without compromising your user experience).

As I wrote in Technology isn’t the Problem, We Are. An Essay on Popups there’s a reason why bad marketing practices exist (spoiler alert, it’s bad marketers), and we all need to play a part in reversing these bad practices because frankly, we all deserve a better internet.

Here at Unbounce, we welcome this defense of higher internet standards by Google. But we do need to unpack the announcement to see what the potential impact could be on your marketing activities.

What is the Google Chrome Ad Blocker and Why Are We Talking About It?

On February 15th 2018, Google officially introduced an ad blocker to the Google Chrome browser that will screen for (and eventually block) what they deem to be “intrusive” ad experiences. This is further to Google’s partnership with the Coalition for Better Ads they announced previously with the January 10th 2017 change re: Mobile ad experiences.

In short, while it seemed like news last week, it’s an initiative that’s been in the works for some time.

The Coalition for Better Ad Standards

The Coalition for Better Ad Standards (CBA) is a group made up of trade associations and companies involved in online media. Their mission is to improve consumers’ experiences with online advertising and includes a set of global standards that address consumer expectations with online advertising.

As part of this mission, they performed a research study of 25,000 consumers to identify the ad experiences most likely to make those consumers install ad blocking software.

The study presents a range of user experience factors to discover which ones ranked worst. But before we get into the ads raising concerns, we should first address what constitutes an ad.

What is an Ad (In the Eyes of The Better Ad Standards Coalition)?

This is where things start to get a little vague. As per the Better Ads Standards website:

An “ad” is promotional content displayed on the web as the result of a commercial transaction with a third party.

In our interpretation, the above refers to a paid ad (such as Google AdSense) that appears on your website, not a popup containing your own marketing materials such as an e-commerce discount, a newsletter subscription, or a time-sensitive offer. The third party being an ad network and the ad being what’s delivered to the website.

If this is the correct interpretation it makes sense, because ads such as this are not related to the marketing efforts of the host website. They’re the result of the host website trying to generate ad revenue and presenting incongruent and somewhat random display ads.

However, at this time, it’s admittedly difficult to determine exactly what the coalition is considering an ad. To ensure we get you the best answer possible, we contacted Better Ad Standards directly to clarify whether our early interpretation of their definition is correct.

My main question is concerned with how the two parties will be evaluating the ads. Is it the content or is it the delivery mechanism? In other words, are Chrome and the Better Ad Standards coalition concerned with the interaction method of the message delivery? Or the content of the message? Or a combination of both?

My gut says it’s a combination, where the content must be considered an “ad” and the delivery mechanism falls into a few specific categories of interaction that are deemed as bad experiences.

Update from the Coalition for Better Ads

We got a response back from the CBA pretty quickly which was awesome. Unfortunately, the response didn’t really add any extra clarity to the original definition.

Here’s a portion of my question:

Are you able to confirm whether an ad in this instance includes website popups (or sticky bars) for our own business, placed on our own website? For example a newsletter subscription popup on our blog, or a discount popup on our pricing page.

Or are you referring to paid ads from an ad service such as Google AdSense that appear on a website, but are not part of that website’s business? For example, an ad for hair products that shows up on the New York Times.

And a portion of their response:

You should direct any questions about the Chrome browser and its plans to Google.

The Coalition does not currently provide specific evaluative guidance on questions of interpretation relating to the current Better Ads Standards. However, in conjunction with the Better Ads Experience Program, this service may be offered to participating companies in the future.

The Coalition for Better Ads plans to release additional details about its Better Ads Experience Program in the coming months. The Program will certify web publishers that agree not to use the most disruptive ads identified in the Better Ads Standards and will accredit browsers and other advertising technology companies that will assess publishers’ compliance with the Standards and filter digital ads based on the Standards. If compliance issues arise, certified companies will be notified and have an opportunity to address violations or to pursue review by an independent dispute resolution mechanism available through the Program.

The opening of enrollment for publishers that wish to certify their compliance with the Better Ads Standards and participate in the Program’s register was recently announced. Interested publishers can follow this link to learn more about the Program and the registration process. The Program expects to introduce an independent dispute resolution mechanism in the second quarter of this year.

Further updates on the Better Ads Experience Program are forthcoming, so please continue to monitor the Coalition for Better Ads’ blog and press releases page for updates. All Coalition initiatives and authoritative guidance are first published on the CBA website.

Based on this, I’m still not entirely sure if our interpretation is right or wrong.

If we are wrong, then it’s more important than ever to be creating the best possible experiences, and the easiest way for you to do that is with advanced targeting and triggers. You will find 8 examples of proactive great experience creation at the end of the post.

Here are some smart ways to do the right thing if you want to skip ahead to some implementation ideas:

Campaign Scheduling

Cookie Targeting

Referrer URL Targeting

Location Targeting

Click Triggers

Mobile Scroll Up Trigger

Frequency

Super Advanced Multi-Option Targeting

Which types of ad experience are raising a concern?

On desktop they refer to the following four ad experiences:

And mobile has an even larger set:

Again, while the images above could be alarming to anyone running popups, based on our early interpretation of the definition above I don’t think these are popups or sticky bars that you place on your own website with your own marketing content in them. I think we’ll end up finding as time goes on that the standards are targeting at neutralizing bad behavior with respect to third-party ads.

Does this mean you should ignore these guidelines if you’re not using third-party ads?

Not entirely, no. Conscientious targeting and triggering still reign supreme. You can continue to present popups and sticky bars to visitors on your website, but you should use the guidelines to do everything you can to deliver great experiences.

To help avoid getting warnings now that the standards are in place, Google offers a tool which can help you to determine if they consider your website to be infringing on the guidelines or not.

How to Check Your Website For Adherence Using The Google Ad Experience Report

The Ad Experience Report is designed to identify ad experiences that violate the Better Ads Standards, and you can check it for both desktop and mobile inside Webmaster Tools (now simply called Web Tools).

You can find the Google Ad Experience Report here.

When you choose your web property from the drop-down on that page, you will see this:

The video explains how it all works, and if you click desktop or mobile in the left navigation, you’ll instantly get a report like this one for unbounce.com:

If you receive any warnings you can make changes and request a fresh site review.

From Google: Violations of the Standards are reported to sites via the Ad Experience Report, and site owners can submit their site for re-review once the violations have been fixed. Starting on February 15, in line with the Coalition’s guidelines, Chrome will remove all ads from sites that have a “failing” status in the Ad Experience Report for more than 30 days. All of this information can be found in the Ad Experience Report Help Center, and our product forums are available to help address any questions or feedback.

What Else Can You Do to Create Better Popup Experiences?

I fully embrace this news and the mission of the Coalition for Better Ads because it gives me the opportunity to broach the topic of popup misuse. As a platform offering popups, sticky bars (and landing pages of course) it’s incumbent upon Unbounce to take a stance and work hard to help marketers deliver especially respectful and responsible web experiences.

Popup misuse typically falls into the following categories:

Interaction modes that prevent control of the experience by the visitor (such as easy and obvious close and bypass mechanisms).

Manipulative copywriting that uses psychological means to coerce visitors into taking an action, such as the manipulative confirm shaming styles like this: [ Get Your Ebook ] [ No ebook for me. I prefer to kill kittens! ]

Overly persistent frequency rules where you show the popup every time someone arrives.

Multiple popups on the same page, at the same time.

To provide a method of evaluating popup experiences and to help combat bad behavior I created The Popup Delight Equation.

Essentially the equation reverse engineers an excellent popup experience and allows you to generate a percentage score by analyzing seven principles: clarity, control, creativity, relevance, charm, value, and respect.

I’d also recommend you read Stop Making These Common Mistakes with Your Website Popups (Includes Examples and Quick Fixes) which has some great ideas on the topic.

What is Unbounce Doing to Help Customers Avoid Ad Blocker Warnings?

Fabulous question! I asked Cole Derochie, one of Unbounce’s product owners, to elaborate on how we’re approaching the news and what it means for our customers.

“Unbounce respects this policy, and shares Google’s concern for ensuring users are able to easily access content — regardless of device.

Our goal with popups and sticky bars is to help our customers make offers that are relevant and valuable, and thereby increase their conversion rates, without harming the user experience.”

As I mentioned earlier, it does seem the news pertains to third-party ads, but having said that, we are determined to help marketers adhere to great internet standards. One way we’re doing that is by creating tips and warnings inside the Unbounce builder to help prevent some of the design methods that Google considers bothersome, in particular for the mobile experience.

For instance, in the screenshot below, a warning appears if you try to increase the height of the sticky bar beyond 100px:

Despite our belief that this announcement (and the general concerns of Google and the Coalition for Better Ads) isn’t specifically directed at regular popups and sticky bars, it does still represent an opportunity to take an honest look at the ways we’re all presenting our marketing, and step away from some of the more blatant behaviors mentioned in the research.

One of the best ways to ensure a quality experience is to use some of the more advanced targeting, trigger, and frequency settings that Unbounce provides to give your visitors a respectful interaction that’s as relevant as possible.

  Using Targeting, Triggers, and Frequency to Improve Popup and Sticky Bar Experiences

From a high-level philosophical perspective, we should be thinking beyond surface level conversion metrics to focus on quality rather than quantity. I’m referring to tactics like showing popups on every visit, which in my mind is just a little desperate, and destined to not be delightful.

Here are some ways you can deliver a better user experience and stay on Google’s good side:

Method #1 – Campaign Scheduling

If you’re running a time-sensitive campaign, it’s important to only show your offer when it’s actually valid. I’m sure you’ve seen those “live” chat windows that tell you nobody is home. If nobody is home, don’t show the live chat box dummies! Similarly, you don’t want to show a discount or special offer when it’s already expired.

In Unbounce you can set your campaign schedule down to the minute.

Method #2 – Cookie Targeting

Cookies are a great way to create more personalized experiences, basing the display of you offer on previous visitation or behavior tracking. But they are equally as powerful when you use them as an exclusion mechanism.

Let’s say you have an offer for a discount on your SaaS product to encourage people abandoning your website, but you don’t want existing customers to see it (it could make them jealous or upset that they didn’t get the discount).

If you are able to set a cookie within your app somewhere to label a customer as a customer, you can then use the “Don’t Show” cookie targeting to make sure they are not shown the offer.

Bazinga!

Method #3 – Referrer URL Targeting

Context is king when it comes to communicating your message quickly, and if you target your popups and sticky bars using the referrer URL option you can present content that’s highly relevant to where the visitor just came from. This is especially effective for co-marketing where your popup or sticky bar can showcase both brands by including the partner’s logo, creating a more powerful connection between the two experiences.

Here’s another really interesting use case that uses the “Don’t Show” setting.

I’m in the middle of a reboot of our landing page course, and I’m running some popups containing Typeform surveys for the purposes of research.

The problem though is that the homepage of the course is a landing page on a subdomain of the primary course domain – and I’m running the survey on both the homepage and the internal pages of the microsite.

Course homepage URL: do.thelandingpagecourse.com Internal course page URLs: thelandingpagecourse.com/*

There’s a lot of organic traffic coming to the homepage and also the internal pages. But I don’t want to show it to a visitor to the homepage, and then show it again when they click through to start part one of the course.

To solve this problem, I set a “Don’t Show” setting on the Referrer targeting like this:

Which means that none of the internal course pages will show the popup if the visitor got there via the course homepage. This is a brilliantly simple way of solving what would otherwise require a bit of complex coding to resolve.

Even better is the fact that you can add as many “Show” and “Don’t Show” targeting rules as you like.

Method #4 – Location Targeting

Unbounce location targeting allows you to drill all the way down to the city level, and all the way up the the continent level. Personally, I’d be stoked if someone from the Antarctic saw one of my popups, but there are times when you do need to hide your marketing from certain locations, or target it specifically to a location or locations.

Just like in #3, the great thing is that you can add as many rules in here as you like, so you could set it up like the image below to target every major city in Texas, avoiding rural areas if that so happens to not be your target audience. Or reverse it to target all rural areas and avoid the cities. YUSS!

Method #5 – Click Trigger

Undoubtedly the best trigger type is the click trigger. Why? Because it’s entirely user-driven. A great use case for this option is two-step opt-in forms where your popup with a form only shows up when requested. The conversion rates are typically very high because the initial click declares intent making the contents of the popup desirable.

With Unbounce you can set the click trigger to work on any page element by using the CSS id, or you can even apply it to a CSS class which could make multiple page elements interactive.

Method #6 – Mobile Scroll Up Trigger

Google has expressed discontent for certain types of popup that appear on entry, on mobile devices. For this reason we created the “Scroll Up” trigger. It works a little like an “Exit Trigger” on desktop as it may signal that someone is leaving the page. If you use this, and keep the size of your Sticky Bar to 100px in height or below, you can create a nice experience that’s not too interruptive, doesn’t prevent the visitor from leaving, and lets you notify them of something important.

Method #7 – Frequency Settings

What’s the frequency, Kenneth? If you don’t get that reference then either you’re really young or I’m really old. Either way, frequency matters. And when you get it wrong it hertz. Pro tip – once and done When in doubt, the first option (“Show once per visitor”) is the best. Show it once, and go cry in your soup if it didn’t convert. Do NOT pester people over and over again. If they want it they’ll say yes. If they don’t, well that’s a lesson (in the form of a poor conversion rate) you can use to better understand your audience.

For the other options, if you wanna be super respectful and let people check out your site without any distractions, think about using the “Show only on visit x” option. Typically the x would be the number 2. Show it the second time they are there. That way they’ve had the chance to get to know you and your offer will seem more relevant.

For example, there’s nothing more annoying on a blog than when you get an entrance popup saying “Love this content! Subscribe for more!!!!!”. No, I don’t love this content cos I just got here, dammit! Whereas if you show it on the second visit, you know they liked you enough to come back. Done.

Method #8 – Super Advanced Multi-Option Targeting

How about this idea for some extreme relevance! You can use all four advanced targeting rules at the same time to get hyper-personalized. In the example below I’m targeting people in Vancouver, Canada who’ve got a cookie called “ILikeTurtles” who are coming from my partner’s site during the dates of my campaign. SICK!

In Conclusion: What Should You Do Now?

Well for starters I recommend that you go make 50 popups with “Every visit” targeting and a frequency of 100 times per visit.

Wait. Don’t do that.

Do what a thoughtful marketer would do and spend some time thinking about your visitors, and about the really cool things you can do when you combine triggers, frequency, scheduling, and advanced targeting rules.

The combinations are literally limitless. I’m not sure on my math there, so there may be some finite limit to what you can do, but whatever it is, it’s huge!

This is a hot and contentious topic, with much to discuss, particularly because of how hard it is to interpret some of the communications surrounding it, so please add comments with any intel or different perspectives you have.

We’re committed to staying on top of the situation as it continues to unfold, and will bring you more details and ideas as soon as they become apparent.

Here’s to better marketing standards, and better marketing in general.

Cheers Oli Gardner

$(function() { $('a[href*=#]:not([href=#])').click(function() { if (location.pathname.replace(/^\//,'') == this.pathname.replace(/^\//,'') || location.hostname == this.hostname) {var target = $(this.hash); target = target.length ? target : $('[name=' + this.hash.slice(1) +']'); if (target.length){$('html,body').animate({scrollTop: target.offset().top}, 1000);return false;}}});});

from RSSMix.com Mix ID 8217493 http://unbounce.com/website-optimization/google-chrome-ad-blocker-website-popups/

When IoT puts the user last

This is especially true today when consumer tech and business computing are often one and the same. It seems quaint, in this world of smartphones, that BYOD was once a topic of hot debate.

I’m not sure that type of convergence is happening with IoT, though. At least not yet.

Solutions in search of problems

Taylor Lorenz wrote about how “CES was full of useless robots and machines that don’t work.” Her observations pretty much line up with my overall take on smart home devices — so many are solutions in search of problems.

I have a few connected monitoring devices of various sorts in my house. They let me virtually drop in when I’m traveling, which provides some level of comfort.

For the most part, though, smart home gadgetry is aimed at solving problems most of us don’t actually have. Flicking a light switch or going to the door if someone knocks rank very far down the list of things I need to automate and complicate. (Of course, if someone is mobility-impaired I can fully understand why devices to help with these things could be useful, but that’s a corner case.)

Clean the house, wash and put away the dishes, do laundry? In other words, truly interact with the physical world. Now we’d be talking. But most smart home devices can’t actually do any of these things or, if they do, they do so in such a limited way that they’re effectively useless. There are partial exceptions, like the Roomba and its knockoffs, but even those require the right layout of house to be genuinely useful.

Furthermore, a lot of this stuff not only solves problems we don’t have, but does it badly. I’m pretty experienced with electronics and networking and I still fully expect that unboxing one of these creations will be the prelude to an hour or two of cursing, upgrading firmware, rebooting and other aggravations.

User experience rules

By contrast, smartphones and consumer-oriented web apps won because they were better. Consumers liked iPhones and Android phones better than they liked BlackBerry phones. They liked modern, responsive web interfaces better than they liked their enterprise apps.

That’s not hard. Admittedly, a user experience that leads to sending a ballistic missile warning by mistake is a particularly extreme case in point. But, let’s face it, a lot of traditional enterprise apps are pretty user hostile. But consumer IoT hasn’t put user experience in the forefront as successful consumer products do.

It doesn’t have to be this way.

Read More Here

Article Credit: TechTarget

Go to Source

The post When IoT puts the user last appeared first on Statii News.

from Statii News http://news.statii.co.uk/when-iot-puts-the-user-last/ from Statii News https://statiicouk.tumblr.com/post/170222058147

WikiLeaks Dumps Docs on CIA’s Hacking Tools

WikiLeaks on Tuesday dropped one of its most explosive word bombs ever: A secret trove of documents apparently stolen from the U.S. Central Intelligence Agency (CIA) detailing methods of hacking everything from smart phones and TVs to compromising Internet routers and computers. KrebsOnSecurity is still digesting much of this fascinating data cache, but here are some first impressions based on what I’ve seen so far.

First, to quickly recap what happened: In a post on its site, WikiLeaks said the release — dubbed “Vault 7” — was the largest-ever publication of confidential documents on the agency. WikiLeaks is promising a series of these document caches; this first one includes more than 8,700 files allegedly taken from a high-security network inside CIA’s Center for Cyber Intelligence in Langley, Va.

The home page for the CIA’s “Weeping Angel” project, which sought to exploit flaws that could turn certain 2013-model Samsung “smart” TVs into remote listening posts.

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

Wikileaks said it was calling attention to the CIA’s global covert hacking program, its malware arsenal and dozens of weaponized exploits against “a wide range of U.S. and European company products, include Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”

The documents for the most part don’t appear to include the computer code needed to exploit previously unknown flaws in these products, although WikiLeaks says that stuff may show up in a future dump. This collection is probably best thought of as an internal corporate wiki used by multiple CIA researchers who methodically found and documented weaknesses in a variety of popular commercial and consumer electronics.

For example, the data dump lists a number of exploit “modules” available to compromise various models of consumer routers made by companies like Linksys, Microtik and Zyxel, to name a few. CIA researchers also collated several pages worth of probing and testing weaknesses in business-class devices from Cisco, whose powerful routers carry a decent portion of the Internet’s traffic on any given day. Craig Dods, a researcher with Cisco’s rival Juniper, delves into greater detail on the Cisco bugs for anyone interested (Dods says he found no exploits for Juniper products in the cache, yet).

WHILE MY SMART TV GENTLY WEEPS

Some of the exploits discussed in these leaked CIA documents appear to reference full-on, remote access vulnerabilities. However, a great many of the documents I’ve looked at seem to refer to attack concepts or half-finished exploits that demand more work and that may be limited by very specific requirements — such as physical access to the targeted device.

The “Weeping Angel” project’s page from 2014 is a prime example: It discusses ways to turn certain 2013-model Samsung “smart TVs” into remote listening devices; methods for disabling the LED lights that indicate the TV is on; and suggestions for fixing a problem with the exploit in which the WiFi interface on the TV is disabled when the exploit is run.

ToDo / Future Work: Build a console cable

Turn on or leave WiFi turned on in Fake-Off mode

Parse unencrypted audio collection Clean-up the file format of saved audio. Add encryption??

According to the documentation, Weeping Angel worked as long as the target hadn’t upgraded the firmware on the Samsung TVs, and that the firmware upgrade eliminated the “current installation method,” which apparently required the insertion of a booby-trapped USB device into the TV.

Don’t get me wrong: This is a serious leak of fairly sensitive information. And I sincerely hope Wikileaks decides to work with researchers and vendors to coordinate the patching of flaws leveraged by the as-yet unreleased exploit code archive that apparently accompanies this documentation from the CIA.

But in reading the media coverage of this leak, one might be led to believe that even if you are among the small minority of Americans who have chosen to migrate more of their communications to privacy-enhancing technologies like Signal or WhatsApp, it’s all futility because the CIA can break it anyway.

Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.

As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”

By way of example, Bershidsky points to a tweet yesterday from Open Whisper Systems (the makers of the Signal private messaging app) which observes that, “The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.”

The company went to say that because more online services are now using end-to-end encryption to prevent prying eyes from reading communications that are intercepted in-transit, intelligence agencies are being pushed “from undetectable mass surveillance to expensive, high-risk, targeted attacks.”

A tweet from Open Whisper Systems, the makers of the popular mobile privacy app Signal.

As limited as some of these exploits appear to be, the methodical approach of the countless CIA researchers who apparently collaborated to unearth these flaws is impressive and speaks to a key problem with most commercial hardware and software today: The vast majority of vendors would rather spend the time and money marketing their products than embark on the costly, frustrating, time-consuming and continuous process of stress-testing their own products and working with a range of researchers to find these types of vulnerabilities before the CIA or other nation-state-level hackers can.

Of course, not every company has a budget of hundreds of millions of dollars just to do basic security research. According to this NBC News report from October 2016, the CIA’s Center for Cyber Intelligence (the alleged source of the documents discussed in this story) has a staff of hundreds and a budget in the hundreds of millions: Documents leaked by NSA whistleblower Edward Snowden indicate the CIA requested $685.4 million for computer network operations in 2013, compared to $1 billion by the U.S. National Security Agency (NSA).

TURNABOUT IS FAIR PLAY?

NBC also reported that the CIA’s Center for Cyber Intelligence was tasked by the Obama administration last year to devise cyber attack strategies in response to Russia’s alleged involvement in the siphoning of emails from Democratic National Committee servers as well as from Hillary Clinton‘s campaign chief John Podesta. Those emails were ultimately published online by Wikileaks last summer.

NBC reported that the “wide-ranging ‘clandestine’ cyber operation designed to harass and ’embarrass’ the Kremlin leadership was being lead by the CIA’s Center for Cyber Intelligence.” Could this attack have been the Kremlin’s response to an action or actions by the CIA’s cyber center? Perhaps time (or future leaks) will tell.

Speaking of the NSA, the Wikileaks dump comes hot on the heels of a similar disclosure by The Shadow Brokers, a hacking group that said it stole malicious software from the Equation Group, a highly-skilled and advanced threat actor that has been closely tied to the NSA.

What’s interesting is this Wikileaks cache includes a longish discussion thread among CIA employees who openly discuss where the NSA erred in allowing experts to tie the NSA’s coders to malware produced by the Equation Group. As someone who spends a great deal of time unmasking cybercriminals who invariably leak their identity and/or location through poor operational security, I was utterly fascinated to read this exchange.

BUG BOUNTIES VS BUG STOCKPILES

Many are using this latest deluge from WikiLeaks to reopen the debate over whether there is enough oversight of the CIA’s hacking activities. The New York Times called yesterday’s WikiLeaks disclosure “the latest coup for the antisecrecy organization and a serious blow to the CIA, which uses its hacking abilities to carry out espionage against foreign targets.”

The WikiLeaks scandal also revisits the question of whether the U.S. government should instead of hoarding and stockpiling vulnerabilities be more open and transparent about its findings — or at least work privately with software vendors to get the bugs fixed for the greater good. After all, these advocates argue, the United States is perhaps the most technologically-dependent country on Earth: Surely we have the most to lose when (not if) these exploits get leaked? Wouldn’t it be better and cheaper if everyone who produced software sought to crowdsource the hardening of their products?

On that front, my email inbox was positively peppered Tuesday with emails from organizations that run “bug bounty” programs on behalf of corporations. These programs seek to discourage “full disclosure” approach — e.g., a researcher releasing exploit code for a previously unknown bug and giving the affected vendor exactly zero days to fix the problem before the public finds out how to exploit it (hence the term “zero-day” exploit). Rather, the bug bounties encourage security researchers to work closely and discreetly with software vendors to fix security vulnerabilities — sometimes in exchange for monetary reward and sometimes just for public recognition.

Casey Ellis, chief executive officer and founder of bug bounty program Bugcrowd, suggested the CIA WikiLeaks disclosure will help criminal groups and other adversaries, while leaving security teams scrambling.

“In this mix there are the targeted vendors who, before today, were likely unaware of the specific vulnerabilities these exploits were targeting,” Ellis said. “Right now, the security teams are pulling apart the Wikileaks dump, performing technical analysis, assessing and prioritizing the risk to their products and the people who use them, and instructing the engineering teams towards creating patches. The net outcome over the long-term is actually a good thing for Internet security — the vulnerabilities that were exploited by these tools will be patched, and the risk to consumers reduced as a result — but for now we are entering yet another Shadow Brokers, Stuxnet, Flame, Duqu, etc., a period of actively exploitable 0-day bouncing around in the wild.”

Ellis said that — in an ironic way, one could say that Wikileaks, the CIA, and the original exploit authors “have combined to provide the same knowledge as the ‘good old days’ of full disclosure — but with far less control and a great many more side-effects than if the vendors were to take the initiative themselves.”

“This, in part, is why the full disclosure approach evolved into the coordinated disclosure and bug bounty models becoming commonplace today,” Ellis said in a written statement. “Stories like that of Wikileaks today are less and less surprising and to some extent are starting to be normalized. It’s only when the pain of doing nothing exceeds the pain of change that the majority of organizations will shift to an proactive vulnerability discovery strategy and the vulnerabilities exploited by these toolkits — and the risk those vulnerabilities create for the Internet — will become less and less common.”

Many observers — including a number of cybersecurity professional friends of mine — have become somewhat inured to these disclosures, and argue that this is exactly the sort of thing you might expect an agency like the CIA to be doing day in and day out. Omer Schneider, CEO at a startup called CyberX, seems to fall into this camp.

“The main issue here is not that the CIA has its own hacking tools or has a cache of zero-day exploits,” Schneider said. “Most nation-states have similar hacking tools, and they’re being used all the time. What’s surprising is that the general public is still shocked by stories like these. Regardless of the motives for publishing this, our concern is that Vault7 makes it even easier for a crop of new cyber-actors get in the game.”

This almost certainly won’t be the last time KrebsOnSecurity cites this week’s big CIA WikiLeaks trove. But for now I’m interested to hear what you, Dear Readers, found most intriguing about it? Sound off in the comments below.

from https://krebsonsecurity.com/2017/03/wikileaks-dumps-docs-on-cias-hacking-tools/

WikiLeaks Dumps Docs on CIA’s Hacking Tools

WikiLeaks on Tuesday dropped one of its most explosive word bombs ever: A secret trove of documents apparently stolen from the U.S. Central Intelligence Agency (CIA) detailing methods of hacking everything from smart phones and TVs to compromising Internet routers and computers. KrebsOnSecurity is still digesting much of this fascinating data cache, but here are some first impressions based on what I’ve seen so far.

First, to quickly recap what happened: In a post on its site, WikiLeaks said the release — dubbed “Vault 7” — was the largest-ever publication of confidential documents on the agency. WikiLeaks is promising a series of these document caches; this first one includes more than 8,700 files allegedly taken from a high-security network inside CIA’s Center for Cyber Intelligence in Langley, Va.

The home page for the CIA’s “Weeping Angel” project, which sought to exploit flaws that could turn certain 2013-model Samsung “smart” TVs into remote listening posts.

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

Wikileaks said it was calling attention to the CIA’s global covert hacking program, its malware arsenal and dozens of weaponized exploits against “a wide range of U.S. and European company products, include Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”

The documents for the most part don’t appear to include the computer code needed to exploit previously unknown flaws in these products, although WikiLeaks says that stuff may show up in a future dump. This collection is probably best thought of as an internal corporate wiki used by multiple CIA researchers who methodically found and documented weaknesses in a variety of popular commercial and consumer electronics.

For example, the data dump lists a number of exploit “modules” available to compromise various models of consumer routers made by companies like Linksys, Microtik and Zyxel, to name a few. CIA researchers also collated several pages worth of probing and testing weaknesses in business-class devices from Cisco, whose powerful routers carry a decent portion of the Internet’s traffic on any given day. Craig Dods, a researcher with Cisco’s rival Juniper, delves into greater detail on the Cisco bugs for anyone interested (Dods says he found no exploits for Juniper products in the cache, yet).

WHILE MY SMART TV GENTLY WEEPS

Some of the exploits discussed in these leaked CIA documents appear to reference full-on, remote access vulnerabilities. However, a great many of the documents I’ve looked at seem to refer to attack concepts or half-finished exploits that demand more work and that may be limited by very specific requirements — such as physical access to the targeted device.

The “Weeping Angel” project’s page from 2014 is a prime example: It discusses ways to turn certain 2013-model Samsung “smart TVs” into remote listening devices; methods for disabling the LED lights that indicate the TV is on; and suggestions for fixing a problem with the exploit in which the WiFi interface on the TV is disabled when the exploit is run.

ToDo / Future Work: Build a console cable

Turn on or leave WiFi turned on in Fake-Off mode

Parse unencrypted audio collection Clean-up the file format of saved audio. Add encryption??

According to the documentation, Weeping Angel worked as long as the target hadn’t upgraded the firmware on the Samsung TVs, and that the firmware upgrade eliminated the “current installation method,” which apparently required the insertion of a booby-trapped USB device into the TV.

Don’t get me wrong: This is a serious leak of fairly sensitive information. And I sincerely hope Wikileaks decides to work with researchers and vendors to coordinate the patching of flaws leveraged by the as-yet unreleased exploit code archive that apparently accompanies this documentation from the CIA.

But in reading the media coverage of this leak, one might be led to believe that even if you are among the small minority of Americans who have chosen to migrate more of their communications to privacy-enhancing technologies like Signal or WhatsApp, it’s all futility because the CIA can break it anyway.

Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.

As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”

By way of example, Bershidsky points to a tweet yesterday from Open Whisper Systems (the makers of the Signal private messaging app) which observes that, “The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.”

The company went to say that because more online services are now using end-to-end encryption to prevent prying eyes from reading communications that are intercepted in-transit, intelligence agencies are being pushed “from undetectable mass surveillance to expensive, high-risk, targeted attacks.”

A tweet from Open Whisper Systems, the makers of the popular mobile privacy app Signal.

As limited as some of these exploits appear to be, the methodical approach of the countless CIA researchers who apparently collaborated to unearth these flaws is impressive and speaks to a key problem with most commercial hardware and software today: The vast majority of vendors would rather spend the time and money marketing their products than embark on the costly, frustrating, time-consuming and continuous process of stress-testing their own products and working with a range of researchers to find these types of vulnerabilities before the CIA or other nation-state-level hackers can.

Of course, not every company has a budget of hundreds of millions of dollars just to do basic security research. According to this NBC News report from October 2016, the CIA’s Center for Cyber Intelligence (the alleged source of the documents discussed in this story) has a staff of hundreds and a budget in the hundreds of millions: Documents leaked by NSA whistleblower Edward Snowden indicate the CIA requested $685.4 million for computer network operations in 2013, compared to $1 billion by the U.S. National Security Agency (NSA).

TURNABOUT IS FAIR PLAY?

NBC also reported that the CIA’s Center for Cyber Intelligence was tasked by the Obama administration last year to devise cyber attack strategies in response to Russia’s alleged involvement in the siphoning of emails from Democratic National Committee servers as well as from Hillary Clinton‘s campaign chief John Podesta. Those emails were ultimately published online by Wikileaks last summer.

NBC reported that the “wide-ranging ‘clandestine’ cyber operation designed to harass and ’embarrass’ the Kremlin leadership was being lead by the CIA’s Center for Cyber Intelligence.” Could this attack have been the Kremlin’s response to an action or actions by the CIA’s cyber center? Perhaps time (or future leaks) will tell.

Speaking of the NSA, the Wikileaks dump comes hot on the heels of a similar disclosure by The Shadow Brokers, a hacking group that said it stole malicious software from the Equation Group, a highly-skilled and advanced threat actor that has been closely tied to the NSA.

What’s interesting is this Wikileaks cache includes a longish discussion thread among CIA employees who openly discuss where the NSA erred in allowing experts to tie the NSA’s coders to malware produced by the Equation Group. As someone who spends a great deal of time unmasking cybercriminals who invariably leak their identity and/or location through poor operational security, I was utterly fascinated to read this exchange.

BUG BOUNTIES VS BUG STOCKPILES

Many are using this latest deluge from WikiLeaks to reopen the debate over whether there is enough oversight of the CIA’s hacking activities. The New York Times called yesterday’s WikiLeaks disclosure “the latest coup for the antisecrecy organization and a serious blow to the CIA, which uses its hacking abilities to carry out espionage against foreign targets.”

The WikiLeaks scandal also revisits the question of whether the U.S. government should instead of hoarding and stockpiling vulnerabilities be more open and transparent about its findings — or at least work privately with software vendors to get the bugs fixed for the greater good. After all, these advocates argue, the United States is perhaps the most technologically-dependent country on Earth: Surely we have the most to lose when (not if) these exploits get leaked? Wouldn’t it be better and cheaper if everyone who produced software sought to crowdsource the hardening of their products?

On that front, my email inbox was positively peppered Tuesday with emails from organizations that run “bug bounty” programs on behalf of corporations. These programs seek to discourage “full disclosure” approach — e.g., a researcher releasing exploit code for a previously unknown bug and giving the affected vendor exactly zero days to fix the problem before the public finds out how to exploit it (hence the term “zero-day” exploit). Rather, the bug bounties encourage security researchers to work closely and discreetly with software vendors to fix security vulnerabilities — sometimes in exchange for monetary reward and sometimes just for public recognition.

Casey Ellis, chief executive officer and founder of bug bounty program Bugcrowd, suggested the CIA WikiLeaks disclosure will help criminal groups and other adversaries, while leaving security teams scrambling.

“In this mix there are the targeted vendors who, before today, were likely unaware of the specific vulnerabilities these exploits were targeting,” Ellis said. “Right now, the security teams are pulling apart the Wikileaks dump, performing technical analysis, assessing and prioritizing the risk to their products and the people who use them, and instructing the engineering teams towards creating patches. The net outcome over the long-term is actually a good thing for Internet security — the vulnerabilities that were exploited by these tools will be patched, and the risk to consumers reduced as a result — but for now we are entering yet another Shadow Brokers, Stuxnet, Flame, Duqu, etc., a period of actively exploitable 0-day bouncing around in the wild.”

Ellis said that — in an ironic way, one could say that Wikileaks, the CIA, and the original exploit authors “have combined to provide the same knowledge as the ‘good old days’ of full disclosure — but with far less control and a great many more side-effects than if the vendors were to take the initiative themselves.”

“This, in part, is why the full disclosure approach evolved into the coordinated disclosure and bug bounty models becoming commonplace today,” Ellis said in a written statement. “Stories like that of Wikileaks today are less and less surprising and to some extent are starting to be normalized. It’s only when the pain of doing nothing exceeds the pain of change that the majority of organizations will shift to an proactive vulnerability discovery strategy and the vulnerabilities exploited by these toolkits — and the risk those vulnerabilities create for the Internet — will become less and less common.”

Many observers — including a number of cybersecurity professional friends of mine — have become somewhat inured to these disclosures, and argue that this is exactly the sort of thing you might expect an agency like the CIA to be doing day in and day out. Omer Schneider, CEO at a startup called CyberX, seems to fall into this camp.

“The main issue here is not that the CIA has its own hacking tools or has a cache of zero-day exploits,” Schneider said. “Most nation-states have similar hacking tools, and they’re being used all the time. What’s surprising is that the general public is still shocked by stories like these. Regardless of the motives for publishing this, our concern is that Vault7 makes it even easier for a crop of new cyber-actors get in the game.”

This almost certainly won’t be the last time KrebsOnSecurity cites this week’s big CIA WikiLeaks trove. But for now I’m interested to hear what you, Dear Readers, found most intriguing about it? Sound off in the comments below.

from Amber Scott Technology News https://krebsonsecurity.com/2017/03/wikileaks-dumps-docs-on-cias-hacking-tools/