91 comments

[ 3.0 ms ] story [ 179 ms ] thread
I have not used this list but I do block fb and ig servers in pi-hole. Though I will now move to using this list: https://github.com/jmdugan/blocklists/blob/master/corporatio...
Can pi hole do device specific blocking ?
You can enable or disable specific blocklists per device group
Yes, this was a new feature released fairly recently.
Yes. I do very aggressive blocking on my Android TV and less so on my work laptop.
I wanted to use Pi-Hole to block Microsoft servers too... but their updates and blocklists are on github !
GitHub has their own ASN though (all DNS records I tried resolving pointed to this AS), and you could just not block api.github.com or raw.githubusercontent.com.

https://bgp.he.net/AS54113

I use this list - one thing to remember is that in the long term you need to update it periodically. I set a yearly reminder to do so.
This container is a piece of art. Ever since using this, Facebook no longer has any "Off-Facebook Activity" about me.
Have you managed to verify this or you're just assuming it ? I'm just assuming it, that's why I'm asking. Like have you made a request for your data from Facebook / data brokers and it looks straight ? I trust Mozilla to the fullest and have made no effort to investigate.
You can verify it for yourself. Facebook lets you view this information. https://www.facebook.com/off_facebook_activity
Facebook collected this data for years but only recently started disclosing it. There's no reason to trust that they're disclosing all the data they're collecting.
I don't trust that this is all they have about me. Wasn't there reports that they were generating dark profiles about people not even on Facebook (by mining contact information from others)?
That skepticism is definitely healthy, but by the GDPR, this is required to be every single thing they have on you, under penalty of significant fines.

That doesn't mean it is everything... but it at least makes that a little more likely? Some light optimism for you, I guess.

Edit: seems even this isn't necessarily true.. damn.

They have to tell you everything they know about you, by law... but that doesn’t mean this webpage contains every information they collected. And getting everything is rather complicated: https://ruben.verborgh.org/facebook/
Thank you very much for that link. I didn’t know about it.
Interesting...I've been using the Facebook container for well over a year and have been very careful to only access facebook from it....but they still list very recent (like yesterday) data in my off_facebook_activity. This is very frustrating.
Use umatrix to block all trackers. You are probably getting caught by third party trackers
You can check this in the settings. They really obfuscate and have dark patterns here but last time I checked it was there.
Facebook managed to get some off-Facebook activity from me even using this. The site in question was also loaded in a Private Browsing window and Facebook claimed it was from pixel tracking. I'm guessing they've inferred it based on IP, especially as I live by myself.

How this is legal under GDPR, given I'm a UK citizen, I'm really not sure.

Is the GDPR still in effect in the UK, now you've left the EU?
Yes. It’s not like all the EU laws the UK had adopted before Brexit suddenly went out the window overnight.
Not necessarily true, since regulations are EU law that is immediately enforceable in member states, and are not generally transposed into state law.
I guess it depends on the country. In Poland my experience is that every time EU passes some regulation Polish parliament passes the corresponding bill implementing it. So even if we left EU tomorrow those bills will still be in effect.

Also, I'm not sure about this "immediately enforceable" part - I recall some cases where member states delayed implementing EU laws for years, sometimes ending up being sued to European Court of Justice.

EU Regulations and Decisions directly affect member states. Whereas EU Directives require member states to enact new laws.

As the GDPR is a regulation, it directly applied to member states.

When the UK left the EU they made a paralled law

> The GDPR has been incorporated into UK data protection law as the UK GDPR see: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-tr...

GDPR directly doesn't apply to the UK anymore (except for organisations that handle data of EU citizen, of course) but the UK chose to enact the GDPR into UK law via the Data Protection Law of 2018, which is aptly dubbed "UK GDPR".
Yes, the UK has the DPA-2018 legislation which basically implements GDPR in the UK. [1] Its application is supervised by the ICO. Subject Access Request can be issued to pretty much any public institution / company [2]

"You have the right to find out if an organisation is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a 'subject access request"

[1] https://en.wikipedia.org/wiki/Data_Protection_Act_2018

[2] https://ico.org.uk/your-data-matters/your-right-to-get-copie...

You could just ignore AS32934: https://www.radb.net/query/?keywords=AS32934 ..?

...which includes the downtown Palo Alto address, hah. It’s linked from facebook.com/peering/

Here’s a list of the IP prefixes:

https://bgp.he.net/AS32934#_prefixes

https://bgp.he.net/AS32934#_prefixes6

Programmatically retrievable via

  whois -h whois.radb.net -- '-i origin AS32934' | grep ^route
Source: https://developers.facebook.com/docs/sharing/webmasters/craw...
Done, and used daily :

https://github.com/smigniot/smigniot.github.io/blob/master/i...

For the google part I had to recurse through the AS list first, and perform cidr merging

Wouldn't ipset be easier to use and potentially faster?
Probably yes. It seems easier to write. As it's a set of IPs instead of a set of rules it should be faster. Thanks.

However I can't seem to find the --match-set option for my Android's iptables version. I Will test.

Dunno if it's enough, for example:

https://whois.arin.net/rest/net/NET-63-150-141-224-1.html

is Facebook's range not included above.

    $ sudo nmap -sn 63.150.141.224-231
    [sudo] password for alice:

    Starting Nmap 7.40 ( https://nmap.org ) at 2021-02-11 06:41 CET
    Nmap done: 8 IP addresses (0 hosts up) scanned in 9.15 seconds
Well, good, though that doesn't mean other 50 similar FB IP ranges in other collocation facilities are also not responding to ping.
Sorry, am noob, ELI5 please.

Those RADb responses include this line:

  mnt-by:     MAINT-AS32934

AS32934 is the account maintaining Facebook's public presence(s)? How'd you figure that out?

Using routing table mainteners to DNS entries seems like a terrific why to create those ad-blocking lists. Is this how it's done? I always assumed those lists are manually collated and curated.

Version 4 of The Internet (the popular one that blew up in the 1990s) is made up of 32 bit numeric addresses attached to physical things to which data has to be routed.

In the 80s these would be bunched up by org in nice ways just like how phone numbers that were all in the same place would share an area code. MIT would be 1.1.x.y and you’d route their data to Cambridge MA. IBM would be 2.x.y.z and you’d route to them and let them deal with it internally. Some small outfit in France might’ve gotten 173.4.5.q: you’d send their data into the Atlantic fibre because “173.something” meant “Europe” and let the other end figure it out.

In the 90s it all got messy because 32bits wasn’t enough to keep things in a clean hierarchy that reflected how data was routed around the net. Orgs ended up accumulating fragments of IP address space from all over the place for the hosts at their physical site. The hierarchy of the address couldn’t tell you how to route traffic and the rules for routing became highly extensive and dynamic.

Enter Autonomous Systems Numbers and BGP. It’s a layer on top of IP addressing that only matters to internet core routers with many choices as to how to your traffic (“multi homed” sites). It helps map IP addresses to actual places — internet peers, aka fellow ISPs — so they can agree with each other how traffic should be routed. BGP lets peers keep these routes updated and let’s you know who owns what.

None of this matters if you have a single internet connection. Routing is easy: it’s either “local” or you send it to your ISP. But if you’re an ISP in the centre how do you know who gets what? You use The [Internet] Routing Table as maintained by the BGP system.

Some companies have so much traffic they have their own ASN. Because the internet is open, you get to see all the IP addresses which are bundled up inside that ASN, which is what I was linking to. It only works because FB is its own self-serving ISP with its own ASN.

(With IPv6 this should all have gone away not because of the number of addresses, but because the address space was 128-bits wide. You could hierarchically route 256 towns in 256 counties in 256 states in 256 countries and still only have used half the hierarchy. ISPs usually get a /32 of this but Facebook announce a bunch of /48s which I don’t understand.)

Edit: A warm mention of Steven Black's hosts, https://github.com/StevenBlack/hosts for those interested in more of OP's subject.

Use both methods instead of just one. They differ in nature, and can be implemented at different perimeters of your network. Maybe there exists certain chokeholds in the network where multiple devices can be protected in one go?

Personally, I would have pure IP blackhole routing performed in the router providing WAN access to internal networks. A blanket protection for all desktops and 802.11 devices inside.

Many devices today are locked-down and editing hosts records can be untrivial. Instead of relying on 0.0.0.0 routing through hosts, the same effect can be obtained by setting up a personal DNS server e.g. bind9 with RPZ's listing the targeted domains[1].

Why all that hassle? Because an unrooted smartphone with a Wireguard link to the DNS server (or full-on VPN using that DNS server), can have lookups made through the server you control. And that DNS service is available to use on any local network/Wi-Fi one has to use. IIRC 3G/4G/5G WAN routes were harder to get right, but I think it was possible. One could always route all traffic through a purposeful VPN.

Defense in depth.

---

[1]: fb.rpz.zone:

;RPZ $TTL 10 @ IN SOA rpz.zone. rpz.zone. ( 37; 3600; 300; 86400; 60 ) IN NS localhost.

.facebook.com IN A 0.0.0.0 .facebook.net IN A 0.0.0.0 .fbcdn.com IN A 0.0.0.0 .fbsbx.com IN A 0.0.0.0 .fbcdn.net IN A 0.0.0.0 .edgesuite.net IN A 0.0.0.0

Wouldn't it be more practical as a ublock list ? It has auto-updating and is easier to set than editing /etc/hosts file
These are provided in easylist format (among other formats) which is compatible with uBlock.
I block with dnsmasq on the main router, depending on your needs just using the domain name can be enough.

E.g.

address=/facebook.com/0.0.0.0 address=/fbcdn.net/0.0.0.0

Also block DoT ports, all known DoH resolvers (real pain in the ass), VPN services and proxy sites for the best results.

> all known DoH resolvers (real pain in the ass)

Yes, the whole point of DoH is to make it harder for us to keep control over our equipment

Noob here. Is there any way to create a subscription for this in Little Snitch?
yes, there is a feature like that in little snitch.

Go to your rules window, in the bottom left there is plus and by clicking you reveal the option to add "rule group subscriptions" https://help.obdev.at/littlesnitch4/lsc-rule-group-subscript...

btw, if any little snitch dev is reading this, please improve on this feature. I'm pretty sure this can be a selling point
Yeah but this format is different than the one OP provided, would need to be reformatted into .lsrules format, no?
Unfortunately this won't do much anymore, as Facebook and others are transitioning to server-side data transmission. Businesses now log data onto their own servers, then transmit it directly to adtech companies so that your device never directly touches the adtech server.
Source? The first rule of adtech is to not trust your publishers to not defraud you.
The first rule of running a megacorp is to tell your customers to take a hike if they don't like your terms.
No, that's the second rule.

The first rule of running a megacorp is... oh, wait.

FB: https://developers.facebook.com/docs/marketing-api/conversio... Google: https://developers.google.com/adwords/api/docs/guides/conver...

This is also why companies like Tealium and Segment are now worth billions of dollars. They provide a single integration point that funnels events to dozens of marketing companies' server-side APIs.

Why doesn't that qualify these Tealiums and Segments as "adtech servers" worthy of blocklisting?

Sounds like they make the blocklist-curators' job easier.

Your browser doesn't talk to them. The sites you visit do.
Then we're back to the First Rule of Adtech.

If "the sites you visit" are the ones talking to Tealiums and Segments, it is trivial for "the sites you visit" to lie about the browser IP address and make it look like requests are coming from all over the world instead of just one box sitting under $FRAUDSTER's desk running a script.

I think there's confusion here about personal data collection vs ad serving/metrics. Publishers have no reason to be fraudulent about the first one.
This isn’t publishers displaying ads and reporting how many views they get, this is to associate visitors with ads seen on other surfaces (Facebook, Google) for retargeting (show future ads to people who visited your landing page) or measurement purposes (for people who saw ad A, how many people eventually made a purchase?)
How do they track people across sites then?
There are a lot of tactics in use today.

For logged in users, it's trivial to match users across sites with an email address or a phone number.

If you're clicking between sites, there may be a unique ID appended to the outbound URL (on Google there's a gclid URL parameter). This ID will be logged on the destination site and can be continuously passed around to identify the same user on multiple sites.

If they don't need perfect matching, they'll use IP addresses, user agents, and other fingerprinting techniques for fuzzy matches.

Users should not stay "logged in". Always log out when done. Keeping tabs open, not logging out, is allowing much more tracking to be done than would be possible otherwise.

Disabling Javascript and using a forward proxy, it is easy to not send User Agents and other points needed for fingerprinting.

Tracking IP address is expected and will always be acceptable. All the rest is stuff users are voluntarily transmitting even when it is not necessary, making tracking much easier and more productive for the marketers.

There are many tactics to make tracking much more difficult and more expensive. However, few are using them.

> Users should not stay "logged in".

Is this the reason why so many websites log you out on their own? Like, you go to do something on a website that requires an account but you see a login form instead. No one wants that. Everyone hates that. IMO if you're using the concept of time in your session management code, you're doing it wrong.

I should be more clear. First the comment is directed at users, not developers. I am referring to sites that can keep you "logged in" by sending a cookie that is then saved across sessions. By "sessions", I mean, for example, you can "disconnect" from the network and as long as you still have the cookie when you re-connect, days, weeks , months, even years later, you are still "logged in". You do not need to send a password again. The cookie has replaced the password. This may be convenient but it opens possibilities for tracking (not to mention security issues) that you would not have, for example, if you were just sending a password each time you log in.

Do bank websites let you "stay logged in" for hours, days, weeks, or longer because you have some cookie you received when you logged in some time in the past. Are they "doing it wrong".

Doesn't this bear the risk for the businesses to violate the GDPR because they actively transmit data to a third party?
There are different responsibilities for the "controller" and the "processor" under GDPR.

Facebook and Google are recognized as processors in this situation. The websites that send them the data are the controllers and are subject to the vast majority of the regulation, while the processors can assume that the controller has obtained user consent until informed otherwise.

It's legally important to recognize that Facebook and Google are not blindly sucking up data from around the internet. Websites/apps are actively transmitting this data to them and other adtech platforms for their own benefits.

That's what I meant. Before the companies that used Facebook und Googles tracking have denied any responsibility because they just embeded the tracking scripts. So in their view any violation was Facebook's or Google's fault. But now they are the active part collecting the data and transmitting it intentionally to a third party.
Is there an effective way to remove Facebook and Instagram ads on a iPhone? I have tried DNS solutions like blockada however they don’t work
Delete the apps and use Safari with an ad blocker.
I use Firefox Focus on iOS 11 for Facebook. It worked OK until a few days ago. Now, I cannot see my messages unless I request for a desktop version of the website. Even when that option is turned on, I noticed that the site kicks me out after a couple of minutes, 10 min or so.
Instagram serves ads as part of the feed API response. If you use the app, there's no way to remove them without patching the app. I did do that for Android, but on iOS it's impossible without jailbreak.
AdGuard can run a local VPN that intercepts HTTPS traffic and blocks ads even within HTTPS traffic. It's a little sketchy since they man-in-the-middle your encrypted traffic in order to do this, but they exclude extended validation certs (the ones where the name shows up next to the lock) and over 1,300 other exceptions (https://kb.adguard.com/en/general/https-filtering). That should be able to block a lot more, including ads via apps.

This can do a lot more than a normal VPN or DNS blocker because it's actually intercepting and decrypting HTTPS traffic (rather than just passing it through).

However, Facebook has been very good at making ads that are hard to block, even if you have access to everything. They've been pretty aggressive about getting around things like uBlock Origin even on desktop browsers.

DNS-based blocking also likely wouldn't have much impact on a company that could serve ad content and regular content off the same domain names - or that could just rotate domain names too much.

Also, AdGuard's local-VPN/HTTPS-intercepting feature is a pay-for feature (I believe $5/year or a $10 one-time charge).

What about HPKP? This would prevent such a MITM attack.
IP-based firewalling, if available, perhaps.
(comment deleted)
Within Safari there are Content Blockers. This is a cool iOS concept because unlike a traditional browser extension, all it can do is tell Safari what to block, it doesn't get to see your activity itself.

I use this app which, among other things, lets you hook up remote sources as block lists: https://apps.apple.com/us/app/adblock/id691121579

This means you can for example hook it up directly to this repository (which I've done) and automatically get updated lists

bruh merge or decline your PRs
I just block Facebook.com in NextDns together with the graph.facebook.com and connect.facebook.net domains. Messenger and WhatsApp still work fine.

The same can be done in a hosts file.