I Pushed Out Ublock Origin Across The Org & Stopped (some) Phishing
Posted by Krelik@reddit | sysadmin | 148 comments
As the title states, I pushed out UBO via GPO and it stopped some phishing attempts.
I did this some time ago but I wanted to write about it now.
About two years ago when I joined my company, I was tasked with enforcing Edge as our standard browser as well as a lot of other GPO nonsense. I saw that I could add extensions in the GPO so I added UBO and then sent out an org-wide email about it and how to turn it off if pages don't render properly. My boss wasn't thrilled that I'd added it without clearing it with him first but I told him that even CISA has recommended that people use ad blocking.
He ultimately agreed but said we're going to "Try it out for a month or so"
Skip ahead two weeks: someone from AP did all of the things our phishing training said not to do, but as soon as she clicked the link and was brought to the web page, UBO had flagged the site as malicious. She freaked out and submitted a ticket. After that my boss said "Okay, Adblock stays."
Fallingdamage@reddit
I've been pushing out AdBlock Plus for years. I trialed uBlock on a handful of users and, as amazing as it is, I found it was too aggressive for use in the workplace, as users didn't understand how to manage it when it blocked parts of sites we need.
Adblock is good and has a lighter touch while still being very powerful.
hutacars@reddit
I gave up on ABP after it popped up a page one too many times asking me to buy it or donate to it or whatever. Buddy, I use you to block ads, not to be ads! So reluctantly, I replaced it with uBO.
Fallingdamage@reddit
Yeah. I stopped reading Wikipedia for the same reason. I hate being asked to donate money to a good cause.
hutacars@reddit
If I visit Wikipedia and get an ad, that’s one thing (and also bad). ABP pops up on me in the middle of a browsing session unrelated to it, which is not cool at all.
blueblocker2000@reddit
I'd like to do this but I'm worried the extension will change hands down the road and go rogue. Don't want to filter ads at the firewall for the reasons OP gave.
Kinamya@reddit
What about every other piece of software?
blueblocker2000@reddit
It can happen with any software of course, but I'm not worried about MS, Google, or Adobe being bought out by cyber criminals and starting to push malware.
Reelix@reddit
*Gestures to the recent Bitwarden compromise*
blueblocker2000@reddit
Not the same. BW was compromised by an attacker. They didn't willingly allow them in.
Reelix@reddit
And how did the attacker gain access?
Phished credentials? Compromised a developers account? Stole their API key?
You'll notice that the details are suspiciously missing :)
Kinamya@reddit
Sure, they just push other shit that can brick your computer.... Same thing.
macinmypocket@reddit
At least in those cases it's typically an accident or oversight, not malicious.
Malicious software is much more dangerous.
TexasDex@reddit
Like Microsoft Recall?
Kinamya@reddit
Damage done is damage done, but I can appreciate your sentiment. Best to not be on the bleeding edge of LARGE TECH COMPANY updates, they break tons of things these days ....
Ziegelphilie@reddit
I'd be worried about Adobe themselves pushing malware lmao
hutacars@reddit
They have in the past. That’s how Chrome spread itself in the early days. You downloaded Reader or Flash, you got an unwanted install of this Chrome browser thingy you never asked for as well. Yet somehow that piece of malware stuck around and now we all pay the price.
altodor@reddit
Again. They had a bug some years back that did an unbounded rm -rf / on macOS.
blueblocker2000@reddit
I'll concede there 😂
Justsomedudeonthenet@reddit
They don't need to get bought out though. Plenty of legitimate software has had problems with its infrastructure being hacked and used to push malware, or supply chain hacks from third-party libraries it uses.
altodor@reddit
Bitwarden had a supply chain attack last week. Axios not long before that. The Linux kernel in the last few days had a priv escalation one that impacts almost a decade of releases. So yeah, agreed. Problems can happen anywhere in your or your vendor's stack.
whythehellnote@reddit
Because it's already happened?
cdoublejj@reddit
That's sort of what happened to Ad Block Plus; I think they caved in to the money. Then uBlock was born.
foom_3@reddit
And then uBlock was acquired by AdBlock, and uBlock Origin was born.
slickrickjr@reddit
TIL
twilighttwister@reddit
And uBO likely isn't going anywhere. Even if it did, a huge part of the functionality is actually the lists it uses - so long as the lists get updated and no one breaks it like google did in Chrome, the current version of uBO should keep working indefinitely.
Thoughtulism@reddit
Fisheatingotherfishes.jpg
Ron-Swanson-Mustache@reddit
Yeah, now they are the pop up
Entegy@reddit
The creator of uBlock doesn't even accept donations. I don't think it's in danger of sale.
Reelix@reddit
Not many people say no to $10,000,000
blueblocker2000@reddit
Everybody has a price, as they say. He might need hemorrhoid surgery one day and be unable to pay. That's when the slimy people come knockin'. This scenario assumes he's subject to the US healthcare system. If you don't have hemorrhoids before going to the Doc, you'll have them after 🤣
CharcoalGreyWolf@reddit
Single-person developed, and he has staunchly resisted this. It's not like one can't remove what they add via Intune or GPO.
If you don’t like uBlock Origin, look at EFF Privacy Badger. Not like the EFF is going to stiff you for bucks.
blueblocker2000@reddit
I know it can be removed as easily as it was installed, but how many hours or days go by till we all become aware of its malicious behavior? What if I get up one morning and coworkers are emailing me about their cat pictures being passed around online?
CharcoalGreyWolf@reddit
How many hours and days go by with your people not being protected?
Literally millions of people use this. If it became malicious, Google would yank it from their marketplace in a heartbeat.
blueblocker2000@reddit
We're not flying naked on the net. We have content filtering enabled at the firewall for many categories, just not ads, and ofc security software installed on endpoints. Also have some things locked down on Edge and Chrome via GPO.
CharcoalGreyWolf@reddit
Never said you did. More saying that this developer has more than a decade of credibility and reputation among millions. To think he’d ruin that seems pretty far fetched. https://en.wikipedia.org/wiki/UBlock_Origin
blueblocker2000@reddit
I would hope he wouldn't but are you gonna sit here and tell me you wouldn't give it a thought if someone offered you a couple million bux for some extension you work on in your spare time?
03263@reddit
At this point your argument is applicable against using literally any software.
Let's just not use anything because it could get bought and turned into crap.
blueblocker2000@reddit
I think putting an extension dev in the same category as a large business entity selling licenses and support is a bit of a stretch.
seanl1991@reddit
There's literally a lawsuit in court right now because OpenAI wanted to start making money. You can't get much bigger in the AI software industry, and even they are doing it.
blueblocker2000@reddit
They're wanting to make money through legal channels, not as a rogue Chrome extension dev that is silently stealing your passwords/PII and using it to conduct identity theft, blackmail, blah blah blah.
berryer@reddit
I honestly trust an individual dev way more than a corporation to not e.g. sell to Broadcom and change the deal quickly enough that users can't flee in time
03263@reddit
Businesses get bought and sold all the time, or "change direction" and decide to screw over their users.
Rentun@reddit
uBlock Origin is open source. You can download the code, audit it, and build it from source right now, and the hash will match the binary distribution.
Do you know how many tens of thousands of open source projects, some of them critical dependencies for extremely widely used software and websites are maintained by a single dev?
You can't use modern computers or smartphones without using code maintained by people that do it for free in their spare time. Drawing the line at ublock origin is completely arbitrary.
CharcoalGreyWolf@reddit
Let’s assume I did.
I’d certainly negotiate a period of transition in which it was publicly announced, so that anyone using it would have 90-180 days to make choices about continuing use.
If he put it under license (Apache Open, GNU, or whatever), it also would likely tie him to certain obligations as well.
He couldn't just overnight hand the reins to Ask.com.
blueblocker2000@reddit
What are the consequences of violating the license? Will someone come after him? Asking 'cause I don't know.
Back to your scenario...
Suppose you're struggling, about to lose your house, and you've got people depending on you? I'm not going to sit here and say I'm above it if things got bad enough.
CharcoalGreyWolf@reddit
Your analogies are either wildly different or so overly broad that I could ask the same question of any software available. With that in mind, I wish you a good day.
Geminii27@reddit
Google yanks a lot of things.
drummerboy-98012@reddit
Well, the guy who created VLC has turned down millions of dollars to keep it ad-free, so let’s hope guys like these have billion dollars price tags if they do have a price. 🤓
Entegy@reddit
No idea where he's from.
sarosan@reddit
Québec, Canada.
Entegy@reddit
lolwut? The developer of uBlock Origin is a fellow Québécois? This is the first I’ve ever heard of this and I can’t find anything about that.
sarosan@reddit
Yep, it was mentioned on his GitHub profile.
Catsrules@reddit
Hate to burst your bubble, but we are all probably running a number of random pieces of software in our environments that are maintained by some random person in their spare time.
https://xkcd.com/2347/
Yes, it can get very, very scary if that person gets compromised or replaced. For example, see XZ Utils.
Bit long, but there is an amazing documentary about it. https://youtu.be/aoag03mSuXQ
Short-Legs-Long-Neck@reddit
This is classic IT logic; we all do this sometimes. But you miss out on all the benefit in the meantime, and with something as widely used as uBlock, it gets detected quicker than something with a small user base. The risk is actually kind of tiny, and much, much less than not using it at all.
pdp10@reddit
There's always a risk, but uBO is used so widely that you'd hear about it quickly if something happened.
SharpDressedBeard@reddit
This subreddit is so bush league sometimes it makes me shocked any of you get paid to do this.
mn-wolfpack@reddit
Not sure what to make of this comment. Bush league that they didn't roll it out sooner, or that they rolled it out at all?
SharpDressedBeard@reddit
The fact that you have to ask proves my point.
mn-wolfpack@reddit
Not sure why you're being such an obtuse prick, what's with the hostility? You can't make a simple clarification?
ABarkingCow@reddit
You're a douche.
bfodder@reddit
If you can't tell then be concerned.
bfodder@reddit
Seriously I would be rightfully fired for doing this.
SharpDressedBeard@reddit
Yeah if someone on my team did this they wouldn't see the end of the day and I would also be in hot water.
gurilagarden@reddit
I'm very close to unsubbing after more than a decade. This place is just, ugh.
assissippi@reddit
Just looks like an ad for ublock
fosf0r@reddit
me as hell right now
SirLoremIpsum@reddit
Just to address this point ... Everything you do should have a change ticket and be approved or discussed at some form of management/Change Board meeting.
You're gonna ruffle a lot of feathers and make a mistake at some point if you don't socialise what you're planning on doing and get a second set of eyes on it.
Like, it's good it stopped this one thing. But work with your team to push out company-wide changes; don't just do it and tell them afterwards.
honnymmijammy-@reddit
You poor brainwashed admin, asking for forgiveness is the start of good change.
Anything that isn't forbidden or already decided is for you to change, and for the rest of the org to judge.
Our server names were a mess of random names and version numbers that got changed every other day. Did I ask for permission to change it and wait 2 fiscal years to get an answer? No, I made up some rule about what they could be named for their use, with proper capitalised letters, and did it. By the time the boss noticed, I had already renamed 800 of them and other people had renamed another 200. 4 months later, we got official instructions to use my naming rule.
The rules of your org are clear; the rest is up to you. And if you know what you're doing, you can't be stopped, because other people are gonna complain about that new helpful thing that got removed and they want it back.
SirLoremIpsum@reddit
Jesus christ...
Just write "I am a hero. I don't need to answer to anyone." It's a lot quicker.
If it takes you 2 fiscal years to do something, then you're doing it wrong. Get help.
honnymmijammy-@reddit
Decades ago, someone created a number of alerts in case anything broke, anything from memory issues to vandalism, all very useful, going to IT.
2 buildings later, those alerts are in the exact same configuration, but IT moved, so we stopped getting them in real time; someone has to phone to inform us.
It took 1 and a half years and 12 people's approval for us to get approval to change that.
screampuff@reddit
In my org, IT can self approve those kinds of changes, acknowledging and taking ownership of the risks.
Why are you pretending the only 2 options are the wild-west and 1.5 years with dozens of approval steps?
assissippi@reddit
This has to be bait with how poorly it is written
man__i__love__frogs@reddit
Thanks cowboy, can you tell us more about your mom and pop shop experiences?
Krelik@reddit (OP)
Thanks for your post. My boss and I have a really good relationship.
This was pre change management. Our org had some considerable tech and process debt when I was onboarded, and I'd be lying if I said I didn't take advantage of it.
A few months after this we established a CAB and all changes are now tracked.
Some of the other tech/process debt was
The list goes on. But DNS was eventually put to use, NAC policies, etc etc etc.
It's been a real busy 2 years.
SirLoremIpsum@reddit
It's good that there is proper change management. That should be the goal of every org.
So many people here hate it for some reason...
Michelanvalo@reddit
OP making a mass change like that probably woke his boss up to needing a CM process. Sometimes people need to be driven by example.
mrchillbro@reddit
lmao this whole post is insane.
Xidium426@reddit
Why do you think they even have a board to report to? Not everything is a Fortune 500 company, in most SMBs this change wouldn't make it past middle management.
SirLoremIpsum@reddit
I mean if you want to take it literally like that, that's up to you.
But every company from a 2 man shop to a Fortune 500 needs to have some form of change process.
I wrote "some form of management" as well if you missed that part...?
Just because they're not a Fortune 500 doesn't mean you can't log a ticket, get your 1/2/3/5/10 colleagues in once a week: "I am planning on doing these changes, what do you think? Do you approve? Any problems with my approach?"
That is literally why I wrote
Even if it's ONE manager you chat to. Get it approved. Discuss your plans.
Why do you think just cause it's a 2 person shop you can just fire at the hip? Why do you think there's no space for best practices even at small companies?
This attitude of "processes are for big boys. i am small and agile I can just do what I like" will get you making a mistake at some point.
Testing, approving changes and discussing with your team - the horror man... the horror
blarknob@reddit
Done this for years, cuts off a large vector of attacks. Was bummed I had to move my users to UBO lite for chrome.
Don't let your users bareback the internet.
overflow_@reddit
Why use ublock origin instead of a DNS filtering service, though?
osxdude@reddit
uBlock Origin can be turned off by the user if something from the page doesn't work. Granted, DNS filtering would be better for larger orgs so the blocking can be centralized...but in a small company it'll work "fine."
dnsfilter@reddit
Fair point on uBlock for smaller shops. I'm biased (obviously), but one thing to consider is that DNS-level filtering handles ad/tracker blocking at the network layer without touching page rendering, so you don't get the "this site is broken, let me just disable it" problem. Users can't toggle it off because there's nothing on their machine to toggle.
You also get visibility into what's actually being blocked across the org, which matters when someone from AP clicks something they shouldn't and you need to figure out what happened.
Not saying UBO doesn't have a place -- it clearly worked here and that's a great outcome. But the centralized management piece scales differently.
Michelanvalo@reddit
One of the issues I found with this is that our marketing team had trouble viewing the marketing metrics because the DNS filter was filtering them out as ads. With uBO I could give them a list of exclusions so they could view their metrics on the sites they needed to.
courageous_liquid@reddit
lots of pages get butthurt when you don't render ads though and won't load properly
03263@reddit
Hmm, DNS can too if you are using DoH configured within a browser.
Probably the best setup would be use DNS filtering at the network level but only blocking using phishing and malware lists, nothing more aggressive, then push the more aggressive blocking to the browser where it can be easily toggled.
Quite the opposite of my home network where I focus only on blocking ads and junk I just don't want to see, both at DNS level (OpenWRT adblock) and via browser level ad blockers.
JwCS8pjrh3QBWfL@reddit
They're complimentary
Zlayr@reddit
Complementary
Nether_Nemesis@reddit
Elementary
bjc1960@reddit
fundamentally
qervem@reddit
enthusiastically
CharcoalGreyWolf@reddit
Exactly. Using Quad9 can do both at no charge.
centizen24@reddit
Why not use both?
Mrpuddikin@reddit
There are things DNS can't block though, right, that uBO can? I use AdGuard on my smartphone, and IMDb has Amazon banner ads that don't get filtered, for example. With uBO that's blocked.
03263@reddit
Yes it only blocks hostname resolution, not any content from servers you can resolve.
Krelik@reddit (OP)
Honest answer was this was just faster.
Tangential_Diversion@reddit
There are definitely use cases for users on corporate devices who might not be on the corporate network while working, e.g., client-facing people and remote workers.
cdoublejj@reddit
FYI some shit renders borked as hell with purely DNS filtering
bjc1960@reddit
Are you using Lite, or is there a full one for Chrome manifest 3?
FendaIton@reddit
No one is using chrome anymore in my experience. We also pushed edge for this reason.
JwCS8pjrh3QBWfL@reddit
Man I would have to pry Chrome out of my users' cold, dead fingers. The devs at my old job completely refused to even QA their app against Edge.
knd775@reddit
They don't need to, it's the same thing.
JwCS8pjrh3QBWfL@reddit
I'm aware, but the business also refused to allow us to centralize on Edge because of Dev's nonsense.
bjc1960@reddit
An end user convinced against his will is of the same opinion still.
They don't want to hear they are both Chromium
hutacars@reddit
I wish I lived in your reality.
pm_me_domme_pics@reddit
I'm pushing Edge for this purpose, but I would guess most users are on Chrome in the vast majority of businesses.
PTCruiserGT@reddit
We are seeing most users on Edge ever since the manifest v3 crap that Chrome pulled.
statikuz@reddit
lmao wut
illicITparameters@reddit
That's false.
D4M3@reddit
Edge still supports the V2 extension, Chrome does not.
tejanaqkilica@reddit
This. That's why Edge is king.
mitharas@reddit
And I still wonder how long this will hold. Microsoft certainly likes their ads.
tejanaqkilica@reddit
Hardly. Bing Ads, or whatever they're called, bring a fraction of the revenue compared to enterprise users. This is staying for a while.
FlibblesHexEyes@reddit
I am concerned that eventually Edge will have to remove v2 support if it’s also removed from the common upstream project Chromium.
Krelik@reddit (OP)
Regular UBO
ext id: odfafepnkmbhccpbejgmiehpchacaeak
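As an added example (not the OP's script, and not the form the Group Policy editor shows it in): a PowerShell snippet that writes the Edge ExtensionInstallForcelist entry for the extension ID above on one machine, so the force-install can be checked on a test workstation before the same value goes into a GPO. It assumes the ID above is the correct Edge ID and that the Edge Add-ons store is the update source.

```powershell
# Added example, not the OP's script. Force-installs uBlock Origin in Edge by
# writing the registry values behind the Edge policy "ExtensionInstallForcelist"
# (Computer Configuration > Administrative Templates > Microsoft Edge >
# Extensions > Control which extensions are installed silently).
# Run elevated on a test box; for the fleet, put the same value in a GPO and
# use security filtering to exclude groups that genuinely need to see ads.
# Assumption: the ID below is the Edge uBlock Origin ID posted in the thread.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
$ExtensionId = 'odfafepnkmbhccpbejgmiehpchacaeak'  # uBlock Origin for Edge (from thread)

# Returns the extension IDs currently force-listed. Value names are 1, 2, 3...
# and each value is "<id>" or "<id>;<update-url>".
function Get-ForcelistIds {
    if (-not (Test-Path -Path $PolicyKey)) { return @() }
    $key = Get-Item -Path $PolicyKey
    foreach ($name in $key.GetValueNames()) {
        if ($name -match '^\d+$') { ($key.GetValue($name) -split ';')[0] }
    }
}

# Adds an extension to the force list without duplicating it; the next free
# numeric value name is used so entries already deployed by other policy stay.
function Add-ForcelistEntry {
    param([Parameter(Mandatory)][string]$Id)
    if (Get-ForcelistIds | Where-Object { $_ -eq $Id }) {
        Write-Host "$Id is already force-installed"
        return
    }
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $used = (Get-Item -Path $PolicyKey).GetValueNames() |
            Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ }
    $next = 1
    if ($used) { $next = ($used | Measure-Object -Maximum).Maximum + 1 }
    # ID with no update URL: Edge fetches the extension from the Edge Add-ons store.
    New-ItemProperty -Path $PolicyKey -Name $next -Value $Id -PropertyType String | Out-Null
    Write-Host "Added $Id as value $next"
}

# Check after a policy refresh (gpupdate /force): the ID should be returned here
# and listed on edge://policy. A force-installed extension cannot be removed or
# disabled by the user; what they can still do is pause uBO for a single site
# from its toolbar button, which is the per-site escape hatch for pages that
# break under filtering.
function Test-ForcelistEntry {
    param([Parameter(Mandatory)][string]$Id)
    [bool](Get-ForcelistIds | Where-Object { $_ -eq $Id })
}

Add-ForcelistEntry -Id $ExtensionId
Test-ForcelistEntry -Id $ExtensionId
```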
Icedman81@reddit
The only problem I see coming down like a freight train, heading to take your head off...
Manifest V3 and Google's shitty policies. Eventually the proper version of uBlock Origin will be nerfed. So, good luck with Chromium crap.
whythehellnote@reddit
Classic example of "better to ask for forgiveness than seek permission"
Kurgan_IT@reddit
I personally use it and cannot even think about not having it. Still it's a big, enormous risk if it gets compromised. So better NOT auto update it, and manually update every now and then, better if you manually install the update 15 days after it has been published. At that time I'd expect a compromised update to have been exposed as malicious.
Civil_Inspection579@reddit
That's a great example of a small change making a real impact. Even with training, people still click things, so having a layer like that helps a lot. Love that it proved itself so quickly in a real scenario.
Cybertools4u@reddit
Honestly, this is a perfect example of security that actually helps users instead of just adding another training slide. People will always click things, so blocking the bad page at the browser level is a real control. The best part is that it proved itself in two weeks without a huge project or budget. Sometimes the boring GPO fix is more useful than another expensive phishing platform.
dav3n@reddit
Meanwhile we're not allowed to do it because the 4 people in our Media team need to be able to see the ads they pay for, and all the simple workarounds are entirely unreasonable to use.
mn-wolfpack@reddit
If it's rolled out with GPO then just security filter those users out with a security group.
dav3n@reddit
Definitely, but I don't think it ticks the box in Essential 8 as successfully implementing ad blocking..... also it wasn't my project and I have enough to do as it is
JohnnyMojo@reddit
Google Chrome only allows the 'lite' version which is a no-go. Edge still has a fork of it but Firefox is the only browser that has the original extension as it's meant to be. Use it with NextDNS and it's a powerful combo.
dKatsuro@reddit
There's nothing wrong with the lite version.
TU4AR@reddit
There is nothing wrong with lite versions of anything if you are ok with missing features.
xCharg@reddit
Main point is - there's a clear difference between "no go" and "not as powerful". It is indeed not as powerful but it absolutely is a go.
SquareWheel@reddit
Gorhill just decided not to add that to Lite, for whatever reason. It's not a limitation of MV3. AdGuard does cosmetic filtering no problem.
Really, Lite is 98% as good as Origin ever was. Most people never touched the advanced filtering features, and rule filter updates are expedited so there's no review process.
JohnnyMojo@reddit
Good to know. I hadn't used it for a long time and I remember it not working as well initially. I also remember that it couldn't effectively block YouTube ads either.
timbotheny26@reddit
uBO Lite has had an element picker since some time last year iirc, and you can create an exception list. At least out-of-the-box and with filtering set to "Complete", I notice effectively zero difference between it and OG uBO.
dom6770@reddit
Why is the lite a no-go?
JohnnyMojo@reddit
Lite is ok and better than nothing. See my edited response.
bjc1960@reddit
that is my understanding.
JustOneMoreMile@reddit
Been using that for years, on my personal and work systems. Love it.
atw527@reddit
Agree on this and I did the same as well org-wide.
As OP mentioned, CISA recommends it. But also:
I do DNS ad blocking on my network (Pi-hole) and for family/friends that ask me to help (NextDNS).
There is the moral question of whether it's right, is it piracy, etc. My response is that Google literally can't prevent malvertising links for "putty download" or "facebook login", so they're gone. Maybe when network-wide ad blocking starts affecting their bottom line, they will vet their advertisers better.
PTCruiserGT@reddit
Was the CISA recommendation specifically for uBlock Origin or just ad-blockers in general?
cardinal1977@reddit
I'm baffled more places don't do this, ad networks are a huge attack vector. I do ad and tracker blocking at the DNS level. I dropped the amount of risky connections that were flagged by 90%.
The other bonus is an almost 50% drop in traffic overall. Not that we had a small pipe or noticed an increase in speed, but if you do have a smaller pipe and are pegging the needle, this will free up some bandwidth.
switched55@reddit
You can use the SmartScreen filter, which is native to Edge and can be set via GPO. Combined with managed endpoint protection that filters webpages, it would be a better solution, centralised reporting being one of the benefits.
disclosure5@reddit
Edge's filter isn't remotely comparable.
Source: I dealt with an MS fanboy who resisted uBlock for a long time.
Krelik@reddit (OP)
That's ultimately the route we're going to go. When I joined, the tech debt was massive. I *just* finished our Intune rollout that also includes MAM and all that goodness. Next is rolling out Defender things.
As I stated in another post, this was quick and easy.
D1TAC@reddit
Dang, no way I'd do that, especially since the extension is potentially selling info. Just get a firewall that does extensive filtering; Fortinet is one of them.
letsgoiowa@reddit
Ads DEFINITELY sell info. There is maybe a 0.5% chance UBO sells info (it would've been caught easily ages ago).
Which is a bigger risk? Definitely or almost certainly not?
knd775@reddit
What?
The_Wkwied@reddit
Good read. I thought this was going go in the other direction for a minute there.
QuietThunder2014@reddit
My only worry is the sites it breaks functionality on; it will end up causing a lot of frustration. I know to just disable it for that site, but they'll never figure that out.
ShoeBillStorkeAZ@reddit
uBlock gonna hit you with that non-commercial use like Oracle started doing lol. Jk, I hope that doesn't happen.
cdoublejj@reddit
OP, is it done domain-wide or by department?
Krelik@reddit (OP)
Domain-wide, targeting only end user workstations and Citrix boxes.