GitHub has their own ASN though (all DNS records I tried resolving pointed to this AS), and you could just not block api.github.com or raw.githubusercontent.com.
Have you managed to verify this or you're just assuming it ? I'm just assuming it, that's why I'm asking. Like have you made a request for your data from Facebook / data brokers and it looks straight ? I trust Mozilla to the fullest and have made no effort to investigate.
Facebook collected this data for years but only recently started disclosing it. There's no reason to trust that they're disclosing all the data they're collecting.
I don't trust that this is all they have about me. Wasn't there reports that they were generating dark profiles about people not even on Facebook (by mining contact information from others)?
That skepticism is definitely healthy, but by the GDPR, this is required to be every single thing they have on you, under penalty of significant fines.
That doesn't mean it is everything... but it at least makes that a little more likely? Some light optimism for you, I guess.
Edit: seems even this isn't necessarily true.. damn.
They have to tell you everything they know about you, by law... but that doesn’t mean this webpage contains every information they collected. And getting everything is rather complicated: https://ruben.verborgh.org/facebook/
Interesting...I've been using the Facebook container for well over a year and have been very careful to only access facebook from it....but they still list very recent (like yesterday) data in my off_facebook_activity. This is very frustrating.
Facebook managed to get some off-Facebook activity from me even using this. The site in question was also loaded in a Private Browsing window and Facebook claimed it was from pixel tracking. I'm guessing they've inferred it based on IP, especially as I live by myself.
How this is legal under GDPR, given I'm a UK citizen, I'm really not sure.
I guess it depends on the country. In Poland my experience is that every time EU passes some regulation Polish parliament passes the corresponding bill implementing it. So even if we left EU tomorrow those bills will still be in effect.
Also, I'm not sure about this "immediately enforceable" part - I recall some cases where member states delayed implementing EU laws for years, sometimes ending up being sued to European Court of Justice.
GDPR directly doesn't apply to the UK anymore (except for organisations that handle data of EU citizen, of course) but the UK chose to enact the GDPR into UK law via the Data Protection Law of 2018, which is aptly dubbed "UK GDPR".
Yes, the UK has the DPA-2018 legislation which basically implements GDPR in the UK. [1] Its application is supervised by the ICO. Subject Access Request can be issued to pretty much any public institution / company [2]
"You have the right to find out if an organisation is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a 'subject access request"
I do this, but to every webpage - so there should be much less cross-site talk. Not that the advertising machine doesn't have a million other ways of getting though.
AS32934 is the account maintaining Facebook's public presence(s)? How'd you figure that out?
Using routing table mainteners to DNS entries seems like a terrific why to create those ad-blocking lists. Is this how it's done? I always assumed those lists are manually collated and curated.
Version 4 of The Internet (the popular one that blew up in the 1990s) is made up of 32 bit numeric addresses attached to physical things to which data has to be routed.
In the 80s these would be bunched up by org in nice ways just like how phone numbers that were all in the same place would share an area code. MIT would be 1.1.x.y and you’d route their data to Cambridge MA. IBM would be 2.x.y.z and you’d route to them and let them deal with it internally. Some
small outfit in France might’ve gotten 173.4.5.q: you’d send their data into the Atlantic fibre because “173.something” meant “Europe” and let the other end figure it out.
In the 90s it all got messy because 32bits wasn’t enough to keep things in a clean hierarchy that reflected how data was routed around the net. Orgs ended up accumulating fragments of IP address space from all over the place for the hosts at their physical site. The hierarchy of the address couldn’t tell you how to route traffic and the rules for routing became highly extensive and dynamic.
Enter Autonomous Systems Numbers and BGP. It’s a layer on top of IP addressing that only matters to internet core routers with many choices as to how to your traffic (“multi homed” sites). It helps map IP addresses to actual places — internet peers, aka fellow ISPs — so they can agree with each other how traffic should be routed. BGP lets peers keep these routes updated and let’s you know who owns what.
None of this matters if you have a single internet connection. Routing is easy: it’s either “local” or you send it to your ISP. But if you’re an ISP in the centre how do you know who gets what? You use The [Internet] Routing Table as maintained by the BGP system.
Some companies have so much traffic they have their own ASN. Because the internet is open, you get to see all the IP addresses which are bundled up inside that ASN, which is what I was linking to. It only works because FB is its own self-serving ISP with its own ASN.
(With IPv6 this should all have gone away not because of the number of addresses, but because the address space was 128-bits wide. You could hierarchically route 256 towns in 256 counties in 256 states in 256 countries and still only have used half the hierarchy. ISPs usually get a /32 of this but Facebook announce a bunch of /48s which I don’t understand.)
Use both methods instead of just one. They differ in nature, and can be implemented at different perimeters of your network. Maybe there exists certain chokeholds in the network where multiple devices can be protected in one go?
Personally, I would have pure IP blackhole routing performed in the router providing WAN access to internal networks. A blanket protection for all desktops and 802.11 devices inside.
Many devices today are locked-down and editing hosts records can be untrivial. Instead of relying on 0.0.0.0 routing through hosts, the same effect can be obtained by setting up a personal DNS server e.g. bind9 with RPZ's listing the targeted domains[1].
Why all that hassle? Because an unrooted smartphone with a Wireguard link to the DNS server (or full-on VPN using that DNS server), can have lookups made through the server you control. And that DNS service is available to use on any local network/Wi-Fi one has to use. IIRC 3G/4G/5G WAN routes were harder to get right, but I think it was possible. One could always route all traffic through a purposeful VPN.
Defense in depth.
---
[1]: fb.rpz.zone:
;RPZ
$TTL 10
@ IN SOA rpz.zone. rpz.zone. (
37;
3600;
300;
86400;
60 )
IN NS localhost.
.facebook.com IN A 0.0.0.0
.facebook.net IN A 0.0.0.0
.fbcdn.com IN A 0.0.0.0
.fbsbx.com IN A 0.0.0.0
.fbcdn.net IN A 0.0.0.0
.edgesuite.net IN A 0.0.0.0
Unfortunately this won't do much anymore, as Facebook and others are transitioning to server-side data transmission. Businesses now log data onto their own servers, then transmit it directly to adtech companies so that your device never directly touches the adtech server.
This is also why companies like Tealium and Segment are now worth billions of dollars. They provide a single integration point that funnels events to dozens of marketing companies' server-side APIs.
If "the sites you visit" are the ones talking to Tealiums and Segments, it is trivial for "the sites you visit" to lie about the browser IP address and make it look like requests are coming from all over the world instead of just one box sitting under $FRAUDSTER's desk running a script.
This isn’t publishers displaying ads and reporting how many views they get, this is to associate visitors with ads seen on other surfaces (Facebook, Google) for retargeting (show future ads to people who visited your landing page) or measurement purposes (for people who saw ad A, how many people eventually made a purchase?)
For logged in users, it's trivial to match users across sites with an email address or a phone number.
If you're clicking between sites, there may be a unique ID appended to the outbound URL (on Google there's a gclid URL parameter). This ID will be logged on the destination site and can be continuously passed around to identify the same user on multiple sites.
If they don't need perfect matching, they'll use IP addresses, user agents, and other fingerprinting techniques for fuzzy matches.
Users should not stay "logged in". Always log out when done. Keeping tabs open, not logging out, is allowing much more tracking to be done than would be possible otherwise.
Disabling Javascript and using a forward proxy, it is easy to not send User Agents and other points needed for fingerprinting.
Tracking IP address is expected and will always be acceptable. All the rest is stuff users are voluntarily transmitting even when it is not necessary, making tracking much easier and more productive for the marketers.
There are many tactics to make tracking much more difficult and more expensive. However, few are using them.
Is this the reason why so many websites log you out on their own? Like, you go to do something on a website that requires an account but you see a login form instead. No one wants that. Everyone hates that. IMO if you're using the concept of time in your session management code, you're doing it wrong.
I should be more clear. First the comment is directed at users, not developers. I am referring to sites that can keep you "logged in" by sending a cookie that is then saved across sessions. By "sessions", I mean, for example, you can "disconnect" from the network and as long as you still have the cookie when you re-connect, days, weeks , months, even years later, you are still "logged in". You do not need to send a password again. The cookie has replaced the password. This may be convenient but it opens possibilities for tracking (not to mention security issues) that you would not have, for example, if you were just sending a password each time you log in.
Do bank websites let you "stay logged in" for hours, days, weeks, or longer because you have some cookie you received when you logged in some time in the past. Are they "doing it wrong".
There are different responsibilities for the "controller" and the "processor" under GDPR.
Facebook and Google are recognized as processors in this situation. The websites that send them the data are the controllers and are subject to the vast majority of the regulation, while the processors can assume that the controller has obtained user consent until informed otherwise.
It's legally important to recognize that Facebook and Google are not blindly sucking up data from around the internet. Websites/apps are actively transmitting this data to them and other adtech platforms for their own benefits.
That's what I meant. Before the companies that used Facebook und Googles tracking have denied any responsibility because they just embeded the tracking scripts.
So in their view any violation was Facebook's or Google's fault.
But now they are the active part collecting the data and transmitting it intentionally to a third party.
I use Firefox Focus on iOS 11 for Facebook. It worked OK until a few days ago. Now, I cannot see my messages unless I request for a desktop version of the website. Even when that option is turned on, I noticed that the site kicks me out after a couple of minutes, 10 min or so.
Instagram serves ads as part of the feed API response. If you use the app, there's no way to remove them without patching the app. I did do that for Android, but on iOS it's impossible without jailbreak.
AdGuard can run a local VPN that intercepts HTTPS traffic and blocks ads even within HTTPS traffic. It's a little sketchy since they man-in-the-middle your encrypted traffic in order to do this, but they exclude extended validation certs (the ones where the name shows up next to the lock) and over 1,300 other exceptions (https://kb.adguard.com/en/general/https-filtering). That should be able to block a lot more, including ads via apps.
This can do a lot more than a normal VPN or DNS blocker because it's actually intercepting and decrypting HTTPS traffic (rather than just passing it through).
However, Facebook has been very good at making ads that are hard to block, even if you have access to everything. They've been pretty aggressive about getting around things like uBlock Origin even on desktop browsers.
DNS-based blocking also likely wouldn't have much impact on a company that could serve ad content and regular content off the same domain names - or that could just rotate domain names too much.
Also, AdGuard's local-VPN/HTTPS-intercepting feature is a pay-for feature (I believe $5/year or a $10 one-time charge).
Within Safari there are Content Blockers. This is a cool iOS concept because unlike a traditional browser extension, all it can do is tell Safari what to block, it doesn't get to see your activity itself.
91 comments
[ 3.0 ms ] story [ 179 ms ] threadhttps://bgp.he.net/AS54113
Facebook Container
https://addons.mozilla.org/en-US/firefox/addon/facebook-cont...
That doesn't mean it is everything... but it at least makes that a little more likely? Some light optimism for you, I guess.
Edit: seems even this isn't necessarily true.. damn.
lol
I guess I though it would be something like https://www.facebook.com/shadow_profile_activity
How this is legal under GDPR, given I'm a UK citizen, I'm really not sure.
Also, I'm not sure about this "immediately enforceable" part - I recall some cases where member states delayed implementing EU laws for years, sometimes ending up being sued to European Court of Justice.
AFAIK it works pretty much the same in all countries and only depends on whether it's an EU regulation[0] or an EU directive[1].
[0]: https://en.wikipedia.org/wiki/Regulation_(European_Union)
[1]: https://en.wikipedia.org/wiki/Directive_(European_Union)
As the GDPR is a regulation, it directly applied to member states.
When the UK left the EU they made a paralled law
> The GDPR has been incorporated into UK data protection law as the UK GDPR see: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-tr...
"You have the right to find out if an organisation is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a 'subject access request"
[1] https://en.wikipedia.org/wiki/Data_Protection_Act_2018
[2] https://ico.org.uk/your-data-matters/your-right-to-get-copie...
https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
...which includes the downtown Palo Alto address, hah. It’s linked from facebook.com/peering/
Here’s a list of the IP prefixes:
https://bgp.he.net/AS32934#_prefixes
https://bgp.he.net/AS32934#_prefixes6
https://github.com/smigniot/smigniot.github.io/blob/master/i...
For the google part I had to recurse through the AS list first, and perform cidr merging
However I can't seem to find the --match-set option for my Android's iptables version. I Will test.
https://whois.arin.net/rest/net/NET-63-150-141-224-1.html
is Facebook's range not included above.
The links contain the IP ranges (4 and 6). Testing all those should be sufficient.
There are some small ranges in RIPE too: https://apps.db.ripe.net/db-web-ui/query?searchtext=facebook
Those RADb responses include this line:
AS32934 is the account maintaining Facebook's public presence(s)? How'd you figure that out?Using routing table mainteners to DNS entries seems like a terrific why to create those ad-blocking lists. Is this how it's done? I always assumed those lists are manually collated and curated.
In the 80s these would be bunched up by org in nice ways just like how phone numbers that were all in the same place would share an area code. MIT would be 1.1.x.y and you’d route their data to Cambridge MA. IBM would be 2.x.y.z and you’d route to them and let them deal with it internally. Some small outfit in France might’ve gotten 173.4.5.q: you’d send their data into the Atlantic fibre because “173.something” meant “Europe” and let the other end figure it out.
In the 90s it all got messy because 32bits wasn’t enough to keep things in a clean hierarchy that reflected how data was routed around the net. Orgs ended up accumulating fragments of IP address space from all over the place for the hosts at their physical site. The hierarchy of the address couldn’t tell you how to route traffic and the rules for routing became highly extensive and dynamic.
Enter Autonomous Systems Numbers and BGP. It’s a layer on top of IP addressing that only matters to internet core routers with many choices as to how to your traffic (“multi homed” sites). It helps map IP addresses to actual places — internet peers, aka fellow ISPs — so they can agree with each other how traffic should be routed. BGP lets peers keep these routes updated and let’s you know who owns what.
None of this matters if you have a single internet connection. Routing is easy: it’s either “local” or you send it to your ISP. But if you’re an ISP in the centre how do you know who gets what? You use The [Internet] Routing Table as maintained by the BGP system.
Some companies have so much traffic they have their own ASN. Because the internet is open, you get to see all the IP addresses which are bundled up inside that ASN, which is what I was linking to. It only works because FB is its own self-serving ISP with its own ASN.
(With IPv6 this should all have gone away not because of the number of addresses, but because the address space was 128-bits wide. You could hierarchically route 256 towns in 256 counties in 256 states in 256 countries and still only have used half the hierarchy. ISPs usually get a /32 of this but Facebook announce a bunch of /48s which I don’t understand.)
Use both methods instead of just one. They differ in nature, and can be implemented at different perimeters of your network. Maybe there exists certain chokeholds in the network where multiple devices can be protected in one go?
Personally, I would have pure IP blackhole routing performed in the router providing WAN access to internal networks. A blanket protection for all desktops and 802.11 devices inside.
Many devices today are locked-down and editing hosts records can be untrivial. Instead of relying on 0.0.0.0 routing through hosts, the same effect can be obtained by setting up a personal DNS server e.g. bind9 with RPZ's listing the targeted domains[1].
Why all that hassle? Because an unrooted smartphone with a Wireguard link to the DNS server (or full-on VPN using that DNS server), can have lookups made through the server you control. And that DNS service is available to use on any local network/Wi-Fi one has to use. IIRC 3G/4G/5G WAN routes were harder to get right, but I think it was possible. One could always route all traffic through a purposeful VPN.
Defense in depth.
---
[1]: fb.rpz.zone:
;RPZ $TTL 10 @ IN SOA rpz.zone. rpz.zone. ( 37; 3600; 300; 86400; 60 ) IN NS localhost.
.facebook.com IN A 0.0.0.0 .facebook.net IN A 0.0.0.0 .fbcdn.com IN A 0.0.0.0 .fbsbx.com IN A 0.0.0.0 .fbcdn.net IN A 0.0.0.0 .edgesuite.net IN A 0.0.0.0
[1] https://gist.github.com/Whitexp/9591384
E.g.
address=/facebook.com/0.0.0.0 address=/fbcdn.net/0.0.0.0
Also block DoT ports, all known DoH resolvers (real pain in the ass), VPN services and proxy sites for the best results.
[1]: https://github.com/jmdugan/blocklists#faq
Yes, the whole point of DoH is to make it harder for us to keep control over our equipment
- https://news.ycombinator.com/item?id=11791052 (2016)
- https://news.ycombinator.com/item?id=16632677 (2018)
Go to your rules window, in the bottom left there is plus and by clicking you reveal the option to add "rule group subscriptions" https://help.obdev.at/littlesnitch4/lsc-rule-group-subscript...
The first rule of running a megacorp is... oh, wait.
This is also why companies like Tealium and Segment are now worth billions of dollars. They provide a single integration point that funnels events to dozens of marketing companies' server-side APIs.
Sounds like they make the blocklist-curators' job easier.
If "the sites you visit" are the ones talking to Tealiums and Segments, it is trivial for "the sites you visit" to lie about the browser IP address and make it look like requests are coming from all over the world instead of just one box sitting under $FRAUDSTER's desk running a script.
For logged in users, it's trivial to match users across sites with an email address or a phone number.
If you're clicking between sites, there may be a unique ID appended to the outbound URL (on Google there's a gclid URL parameter). This ID will be logged on the destination site and can be continuously passed around to identify the same user on multiple sites.
If they don't need perfect matching, they'll use IP addresses, user agents, and other fingerprinting techniques for fuzzy matches.
Disabling Javascript and using a forward proxy, it is easy to not send User Agents and other points needed for fingerprinting.
Tracking IP address is expected and will always be acceptable. All the rest is stuff users are voluntarily transmitting even when it is not necessary, making tracking much easier and more productive for the marketers.
There are many tactics to make tracking much more difficult and more expensive. However, few are using them.
Is this the reason why so many websites log you out on their own? Like, you go to do something on a website that requires an account but you see a login form instead. No one wants that. Everyone hates that. IMO if you're using the concept of time in your session management code, you're doing it wrong.
Do bank websites let you "stay logged in" for hours, days, weeks, or longer because you have some cookie you received when you logged in some time in the past. Are they "doing it wrong".
Facebook and Google are recognized as processors in this situation. The websites that send them the data are the controllers and are subject to the vast majority of the regulation, while the processors can assume that the controller has obtained user consent until informed otherwise.
It's legally important to recognize that Facebook and Google are not blindly sucking up data from around the internet. Websites/apps are actively transmitting this data to them and other adtech platforms for their own benefits.
This can do a lot more than a normal VPN or DNS blocker because it's actually intercepting and decrypting HTTPS traffic (rather than just passing it through).
However, Facebook has been very good at making ads that are hard to block, even if you have access to everything. They've been pretty aggressive about getting around things like uBlock Origin even on desktop browsers.
DNS-based blocking also likely wouldn't have much impact on a company that could serve ad content and regular content off the same domain names - or that could just rotate domain names too much.
Also, AdGuard's local-VPN/HTTPS-intercepting feature is a pay-for feature (I believe $5/year or a $10 one-time charge).
I use this app which, among other things, lets you hook up remote sources as block lists: https://apps.apple.com/us/app/adblock/id691121579
This means you can for example hook it up directly to this repository (which I've done) and automatically get updated lists
Search by organization for Facebook, then click each organization and then, Related Networks
The same can be done in a hosts file.