[HN Gopher] Block Facebook Servers
___________________________________________________________________
Block Facebook Servers
Author : prakhargurunani
Score : 201 points
Date : 2021-02-10 18:21 UTC (4 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| wooptoo wrote:
| I just block Facebook.com in NextDns together with the
| graph.facebook.com and connect.facebook.net domains. Messenger
| and WhatsApp still work fine.
|
| The same can be done in a hosts file.
| November-Echo wrote:
| Noob here. Is there any way to create a subscription for this in
| Little Snitch?
| salzig wrote:
| yes, there is a feature like that in little snitch.
|
| Go to your rules window, in the bottom left there is plus and
| by clicking you reveal the option to add "rule group
| subscriptions"
| https://help.obdev.at/littlesnitch4/lsc-rule-group-subscript...
| salzig wrote:
| btw, if any little snitch dev is reading this, please improve
| on this feature. I'm pretty sure this can be a selling point
| Triv888 wrote:
| Find all of Facebook's IP addresses here:
| https://whois.arin.net/ui/advanced.jsp
|
| Search by organization for Facebook, then click each organization
| and then, Related Networks
| gorgoiler wrote:
| You could just ignore AS32934:
| https://www.radb.net/query/?keywords=AS32934 ..?
|
| ...which includes the downtown Palo Alto address, hah. It's
| linked from facebook.com/peering/
|
| Here's a list of the IP prefixes:
|
| https://bgp.he.net/AS32934#_prefixes
|
| https://bgp.he.net/AS32934#_prefixes6
| xurukefi wrote:
| Programmatically retrievable via whois -h
| whois.radb.net -- '-i origin AS32934' | grep ^route
|
| Source:
| https://developers.facebook.com/docs/sharing/webmasters/craw...
| dontchooseanick wrote:
| Done, and used daily:
|
| https://github.com/smigniot/smigniot.github.io/blob/master/i...
|
| For the google part I had to recurse through the AS list
| first, and perform cidr merging
| megous wrote:
| Wouldn't ipset be easier to use and potentially faster?
| dontchooseanick wrote:
| Probably yes. It seems easier to write. As it's a set of
| IPs instead of a set of rules it should be faster.
| Thanks.
|
| However I can't seem to find the --match-set option for
| my Android's iptables version. I will test.
| megous wrote:
| Dunno if it's enough, for example:
|
| https://whois.arin.net/rest/net/NET-63-150-141-224-1.html
|
| is Facebook's range not included above.
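An added example, not code from the thread or from the linked repository, showing what the whois pipeline above yields once parsed and what ipset-based blocking needs next. It reads constructed RADb route objects (the prefixes are RFC 5737 and RFC 3849 documentation ranges, not Facebook's real ones; the `fb4`/`fb6` set names are arbitrary), merges adjacent and nested prefixes with `ipaddress.collapse_addresses`, which is the CIDR merging mentioned for the Google part, and emits an `ipset restore` file. The test function `covers` answers whether a given address falls inside the merged list.

```python
import ipaddress
import re

# Constructed sample of what `whois -h whois.radb.net -- '-i origin AS32934'`
# prints: one object per line block, prefix on the "route:"/"route6:" line.
# The prefixes are documentation ranges (RFC 5737 / RFC 3849), NOT real
# Facebook space; one v4 pair is adjacent, one entry is a duplicate and one
# v6 entry is nested, so the merge step has something to do.
SAMPLE_RADB = """\
route:      192.0.2.0/25
descr:      example-net (constructed)
origin:     AS32934
mnt-by:     MAINT-AS32934
source:     RADB

route:      192.0.2.128/25
origin:     AS32934
mnt-by:     MAINT-AS32934
source:     RADB

route:      198.51.100.0/24
origin:     AS32934
mnt-by:     MAINT-AS32934
source:     RADB

route:      198.51.100.0/24
origin:     AS32934
mnt-by:     MAINT-AS32934
source:     RADB

route6:     2001:db8:1::/48
origin:     AS32934
mnt-by:     MAINT-AS32934
source:     RADB

route6:     2001:db8:1:8000::/49
origin:     AS32934
mnt-by:     MAINT-AS32934
source:     RADB
"""

# Same selection `grep ^route` makes: "route:" and "route6:" lines only.
ROUTE_RE = re.compile(r"^route6?:\s*(\S+)", re.MULTILINE)


def parse_routes(text):
    """Return the prefixes announced in a RADb query result as ip_network objects."""
    nets = []
    for match in ROUTE_RE.finditer(text):
        try:
            nets.append(ipaddress.ip_network(match.group(1), strict=True))
        except ValueError:
            continue  # malformed object: skip it rather than abort the whole run
    return nets


def aggregate(nets):
    """Collapse adjacent, duplicate and nested prefixes, per address family."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (sorted(ipaddress.collapse_addresses(v4)),
            sorted(ipaddress.collapse_addresses(v6)))


def ipset_restore(v4, v6, name="fb"):
    """Render an `ipset restore` file; hash:net sets accept whole CIDR blocks."""
    lines = [f"create {name}4 hash:net family inet",
             f"create {name}6 hash:net family inet6"]
    lines += [f"add {name}4 {n}" for n in v4]
    lines += [f"add {name}6 {n}" for n in v6]
    return "\n".join(lines) + "\n"


def covers(nets, address):
    """True if `address` lies inside any prefix of the merged list."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    v4, v6 = aggregate(parse_routes(SAMPLE_RADB))
    print(ipset_restore(v4, v6), end="")
```

Load the output with `ipset -exist restore < fb.ipset`, then match the sets from the firewall, e.g. `iptables -I OUTPUT -m set --match-set fb4 dst -j REJECT` (and the `ip6tables` equivalent for `fb6`); because the sets hold 2 merged v4 and 1 v6 prefix instead of the 6 raw objects, the rule count stays constant no matter how many route objects the ASN publishes.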
| specialist wrote:
| Sorry, am noob, ELI5 please.
|
| Those RADb responses include this line: mnt-by:
| MAINT-AS32934
|
| AS32934 is the account maintaining Facebook's public
| presence(s)? How'd you figure that out?
|
| Using routing table maintainers to DNS entries seems like a
| terrific way to create those ad-blocking lists. Is this how
| it's done? I always assumed those lists are manually collated
| and curated.
| gorgoiler wrote:
| Version 4 of The Internet (the popular one that blew up in
| the 1990s) is made up of 32 bit numeric addresses attached to
| physical things to which data has to be routed.
|
| In the 80s these would be bunched up by org in nice ways just
| like how phone numbers that were all in the same place would
| share an area code. MIT would be 1.1.x.y and you'd route
| their data to Cambridge MA. IBM would be 2.x.y.z and you'd
| route to them and let them deal with it internally. Some
| small outfit in France might've gotten 173.4.5.q: you'd send
| their data into the Atlantic fibre because "173.something"
| meant "Europe" and let the other end figure it out.
|
| In the 90s it all got messy because 32bits wasn't enough to
| keep things in a clean hierarchy that reflected how data was
| routed around the net. Orgs ended up accumulating fragments
| of IP address space from all over the place for the hosts at
| their physical site. The hierarchy of the address couldn't
| tell you how to route traffic and the rules for routing
| became highly extensive and dynamic.
|
| Enter _Autonomous Systems Numbers_ and BGP. It's a layer on
| top of IP addressing that only matters to internet core
| routers with many choices as to how to your traffic ("multi
| homed" sites). It helps map IP addresses to actual places --
| internet peers, aka fellow ISPs -- so they can agree with
| each other how traffic should be routed. BGP lets peers keep
| these routes updated and lets you know who owns what.
|
| None of this matters if you have a single internet
| connection. Routing is easy: it's either "local" or you send
| it to your ISP. But if you're an ISP in the centre how do you
| know who gets what? You use _The [Internet] Routing Table_ as
| maintained by the BGP system.
|
| Some companies have so much traffic they have their own ASN.
| Because the internet is open, you get to see all the IP
| addresses which are bundled up inside that ASN, which is what
| I was linking to. It only works because FB is its own self-
| serving ISP with its own ASN.
|
| (With IPv6 this should all have gone away not because of the
| number of addresses, but because the address space was
| 128-bits wide. You could hierarchically route 256 towns in
| 256 counties in 256 states in 256 countries and still only
| have used half the hierarchy. ISPs usually get a /32 of this
| but Facebook announce a bunch of /48s which I don't
| understand.)
| rakoo wrote:
| Wouldn't it be more practical as a ublock list? It has auto-
| updating and is easier to set up than editing an /etc/hosts file
| milkey_mouse wrote:
| It is a ublock list, or at least ublock compatible. You can
| import e.g.
| https://raw.githubusercontent.com/jmdugan/blocklists/master/...
| as a custom ublock list and it will work fine. I've had these
| lists enabled in uBlock for years.
| nix0n wrote:
| These are provided in easylist format (among other formats)
| which is compatible with uBlock.
| kgog wrote:
| I have not used this list but I do block fb and ig servers in pi-
| hole. Though I will now move to using this list:
| https://github.com/jmdugan/blocklists/blob/master/corporatio...
| BlueTemplar wrote:
| I wanted to use Pi-Hole to block Microsoft servers too... but
| their updates and blocklists are on github !
| judge2020 wrote:
| GitHub has their own ASN though (all DNS records I tried
| resolving pointed to this AS), and you could just not block
| api.github.com or raw.githubusercontent.com.
|
| https://bgp.he.net/AS54113
| shadykiller wrote:
| Can pi hole do device specific blocking?
| kgog wrote:
| Yes. I do very aggressive blocking on my Android TV and less
| so on my work laptop.
| ig0r0 wrote:
| You can enable or disable specific blocklists per device
| group
| leesalminen wrote:
| Yes, this was a new feature released fairly recently.
| blackbear_ wrote:
| I have (also) been blocking their IP ranges [1] with ufw, just in
| case they try to bypass DNS.
|
| [1] https://gist.github.com/Whitexp/9591384
| marketingtech wrote:
| Unfortunately this won't do much anymore, as Facebook and others
| are transitioning to server-side data transmission. Businesses
| now log data onto their own servers, then transmit it directly to
| adtech companies so that your device never directly touches the
| adtech server.
| grishka wrote:
| How do they track people across sites then?
| marketingtech wrote:
| There are a lot of tactics in use today.
|
| For logged in users, it's trivial to match users across sites
| with an email address or a phone number.
|
| If you're clicking between sites, there may be a unique ID
| appended to the outbound URL (on Google there's a gclid URL
| parameter). This ID will be logged on the destination site
| and can be continuously passed around to identify the same
| user on multiple sites.
|
| If they don't need perfect matching, they'll use IP
| addresses, user agents, and other fingerprinting techniques
| for fuzzy matches.
| 1vuio0pswjnm7 wrote:
| Users should not stay "logged in". Always log out when
| done. Keeping tabs open, not logging out, is allowing much
| more tracking to be done than would be possible otherwise.
|
| Disabling Javascript and using a forward proxy, it is easy
| to not send User Agents and other points needed for
| fingerprinting.
|
| Tracking IP address is expected and will always be
| acceptable. All the rest is stuff users are voluntarily
| transmitting even when it is not necessary, making tracking
| much easier and more productive for the marketers.
|
| There are many tactics to make tracking much more difficult
| and more expensive. However, few are using them.
| judge2020 wrote:
| Source? The first rule of adtech is to not trust your
| publishers to not defraud you.
| marketingtech wrote:
| FB: https://developers.facebook.com/docs/marketing-api/conversio...
| Google: https://developers.google.com/adwords/api/docs/guides/conver...
|
| This is also why companies like Tealium and Segment are now
| worth billions of dollars. They provide a single integration
| point that funnels events to dozens of marketing companies'
| server-side APIs.
| KirillPanov wrote:
| Why doesn't that qualify these Tealiums and Segments as
| "adtech servers" worthy of blocklisting?
|
| Sounds like they make the blocklist-curators' job easier.
| isbvhodnvemrwvn wrote:
| Your browser doesn't talk to them. The sites you visit
| do.
| jtsiskin wrote:
| This isn't publishers displaying ads and reporting how many
| views they get, this is to associate visitors with ads seen
| on other surfaces (Facebook, Google) for retargeting (show
| future ads to people who visited your landing page) or
| measurement purposes (for people who saw ad A, how many
| people eventually made a purchase?)
| sithadmin wrote:
| The first rule of running a megacorp is to tell your
| customers to take a hike if they don't like your terms.
| mr-wendel wrote:
| No, that's the second rule.
|
| The first rule of running a megacorp is... oh, wait.
| croes wrote:
| Doesn't this bear the risk for the businesses to violate the
| GDPR because they actively transmit data to a third party?
| marketingtech wrote:
| There are different responsibilities for the "controller" and
| the "processor" under GDPR.
|
| Facebook and Google are recognized as processors in this
| situation. The websites that send them the data are the
| controllers and are subject to the vast majority of the
| regulation, while the processors can assume that the
| controller has obtained user consent until informed
| otherwise.
|
| It's legally important to recognize that Facebook and Google
| are not blindly sucking up data from around the internet.
| Websites/apps are actively transmitting this data to them and
| other adtech platforms for their own benefits.
| CA0DA wrote:
| I use this list - one thing to remember is that in the long term
| you need to update it periodically. I set a yearly reminder to do
| so.
| moneywoes wrote:
| Is there an effective way to remove Facebook and Instagram ads on
| an iPhone? I have tried DNS solutions like blockada however they
| don't work
| [deleted]
| grishka wrote:
| Instagram serves ads as part of the feed API response. If you
| use the app, there's no way to remove them without patching the
| app. I did do that for Android, but on iOS it's impossible
| without jailbreak.
| mdasen wrote:
| AdGuard can run a local VPN that intercepts HTTPS traffic and
| blocks ads even within HTTPS traffic. It's a little sketchy
| since they man-in-the-middle your encrypted traffic in order to
| do this, but they exclude extended validation certs (the ones
| where the name shows up next to the lock) and over 1,300 other
| exceptions (https://kb.adguard.com/en/general/https-filtering).
| That should be able to block a lot more, including ads via
| apps.
|
| This can do a lot more than a normal VPN or DNS blocker because
| it's actually intercepting and decrypting HTTPS traffic (rather
| than just passing it through).
|
| However, Facebook has been very good at making ads that are
| hard to block, even if you have access to everything. They've
| been pretty aggressive about getting around things like uBlock
| Origin even on desktop browsers.
|
| DNS-based blocking also likely wouldn't have much impact on a
| company that could serve ad content and regular content off the
| same domain names - or that could just rotate domain names too
| much.
|
| Also, AdGuard's local-VPN/HTTPS-intercepting feature is a pay-
| for feature (I believe $5/year or a $10 one-time charge).
| rubatuga wrote:
| What about HPKP? This would prevent such a MITM attack.
| dredmorbius wrote:
| IP-based firewalling, if available, perhaps.
| beervirus wrote:
| Delete the apps and use Safari with an ad blocker.
| auraham wrote:
| I use Firefox Focus on iOS 11 for Facebook. It worked OK
| until a few days ago. Now, I cannot see my messages unless I
| request the desktop version of the website. Even when that
| option is turned on, I noticed that the site kicks me out
| after a couple of minutes, 10 min or so.
| bserge wrote:
| I block with dnsmasq on the main router, depending on your needs
| just using the domain name can be enough.
|
| E.g.
|
| address=/facebook.com/0.0.0.0
| address=/fbcdn.net/0.0.0.0
|
| Also block DoT ports, all known DoH resolvers (real pain in the
| ass), VPN services and proxy sites for the best results.
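An added example, not code from the thread or from the jmdugan repository, that turns an /etc/hosts-style list (one of the formats such lists are shipped in) into the dnsmasq `address=` lines shown above. The host entries are constructed example.* placeholders, and `0.0.0.0` as the sink address is an assumption matching the snippet. Because `address=/example.net/0.0.0.0` already answers for every subdomain of example.net, the converter drops entries whose parent domain is also listed, so the generated config stays small.

```python
import re

# Constructed sample in /etc/hosts blocklist format. All names are
# example.* placeholders, not entries from any published list.
SAMPLE_HOSTS = """\
# Sample blocklist (constructed)
0.0.0.0 tracker.example.com
0.0.0.0 www.tracker.example.com   # inline comment after the name
127.0.0.1 cdn.example.net
0.0.0.0 example.net
0.0.0.0 Static.Example.org
0.0.0.0 localhost
::1 localhost
"""

# A blocklist line: a sink address (0.0.0.0, 127.0.0.1, :: or ::1) followed
# by the hostname; anything after whitespace or '#' is ignored.
HOSTS_RE = re.compile(r"^\s*(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+([^\s#]+)")

# Names that belong in a real hosts file but never in a blocklist.
SKIP = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def parse_hosts(text):
    """Extract the set of hostnames a hosts-format blocklist sinks."""
    names = set()
    for line in text.splitlines():
        match = HOSTS_RE.match(line)
        if not match:
            continue  # comment, blank line or a non-sink entry
        name = match.group(1).lower().rstrip(".")
        if name in SKIP:
            continue
        names.add(name)
    return names


def collapse_domains(names):
    """Drop every name that has an ancestor domain in the set.

    dnsmasq's address=/DOMAIN/ matches DOMAIN and all its subdomains, so
    listing example.net makes cdn.example.net redundant. Processing names
    with fewer labels first guarantees a parent is seen before its children.
    """
    kept = set()
    for name in sorted(names, key=lambda n: n.count(".")):
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        if any(parent in kept for parent in parents):
            continue
        kept.add(name)
    return sorted(kept)


def to_dnsmasq(names, sink="0.0.0.0"):
    """Render dnsmasq address= lines for the collapsed domain set."""
    return "\n".join(f"address=/{n}/{sink}" for n in collapse_domains(names))


if __name__ == "__main__":
    print(to_dnsmasq(parse_hosts(SAMPLE_HOSTS)))
```

Drop the output into a file under /etc/dnsmasq.d/ and reload dnsmasq; the same `parse_hosts` output can feed other targets too, since it is just a set of names.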
| thih9 wrote:
| The project's readme [1] also mentions dnsmasq.
|
| [1]: https://github.com/jmdugan/blocklists#faq
| cromka wrote:
| https://github.com/evilneuro/FreeContributor gives 404
| iso1210 wrote:
| > all known DoH resolvers (real pain in the ass)
|
| Yes, the whole point of DoH is to make it harder for us to keep
| control over our equipment
| fnord77 wrote:
| bruh merge or decline your PRs
| 2112 wrote:
| Related (user-side):
|
| Facebook Container
|
| https://addons.mozilla.org/en-US/firefox/addon/facebook-cont...
| davemtl wrote:
| This container is a piece of art. Ever since using this,
| Facebook no longer has any "Off-Facebook Activity" about me.
| cnorthwood wrote:
| Facebook managed to get some off-Facebook activity from me
| even using this. The site in question was also loaded in a
| Private Browsing window and Facebook claimed it was from
| pixel tracking. I'm guessing they've inferred it based on IP,
| especially as I live by myself.
|
| How this is legal under GDPR, given I'm a UK citizen, I'm
| really not sure.
| josephg wrote:
| Is the GDPR still in effect in the UK, now you've left the
| EU?
| kachnuv_ocasek wrote:
| Yes. It's not like all the EU laws the UK had adopted
| before Brexit suddenly went out the window overnight.
| datenhorst wrote:
| Not necessarily true, since regulations are EU law that
| is immediately enforceable in member states, and are not
| generally transposed into state law.
| mamon wrote:
| I guess it depends on the country. In Poland my
| experience is that every time EU passes some regulation
| Polish parliament passes the corresponding bill
| implementing it. So even if we left EU tomorrow those
| bills will still be in effect.
|
| Also, I'm not sure about this "immediately enforceable"
| part - I recall some cases where member states delayed
| implementing EU laws for years, sometimes ending up being
| sued at the European Court of Justice.
| codethief wrote:
| > I guess it depends on the country.
|
| AFAIK it works pretty much the same in all countries and
| only depends on whether it's an EU regulation[0] or an EU
| directive[1].
|
| [0]:
| https://en.wikipedia.org/wiki/Regulation_(European_Union)
|
| [1]:
| https://en.wikipedia.org/wiki/Directive_(European_Union)
| diroussel wrote:
| EU Regulations and Decisions directly affect member
| states. Whereas EU Directives require member states to
| enact new laws.
|
| As the GDPR is a regulation, it directly applied to
| member states.
|
| When the UK left the EU they made a parallel law
|
| > The GDPR has been incorporated into UK data protection
| law as the UK GDPR see:
| https://ico.org.uk/for-organisations/dp-at-the-end-of-the-tr...
| datenhorst wrote:
| GDPR directly doesn't apply to the UK anymore (except for
| organisations that handle data of EU citizens, of course)
| but the UK chose to enact the GDPR into UK law via the
| Data Protection Law of 2018, which is aptly dubbed "UK
| GDPR".
| 2112 wrote:
| Have you managed to verify this or you're just assuming it?
| I'm just assuming it, that's why I'm asking. Like have you
| made a request for your data from Facebook / data brokers and
| it looks straight ? I trust Mozilla to the fullest and have
| made no effort to investigate.
| davemtl wrote:
| You can verify it for yourself. Facebook lets you view this
| information. https://www.facebook.com/off_facebook_activity
| megous wrote:
| "If you want to continue, you have to log in"
|
| lol
|
| I guess I thought it would be something like
| https://www.facebook.com/shadow_profile_activity
| Nextgrid wrote:
| Facebook collected this data for years but only recently
| started disclosing it. There's no reason to trust that
| they're disclosing _all_ the data they're collecting.
| TedDoesntTalk wrote:
| Thank you very much for that link. I didn't know about
| it.
| ramraj07 wrote:
| I don't trust that this is all they have about me. Weren't
| there reports that they were generating dark profiles
| about people not even on Facebook (by mining contact
| information from others)?
| ketzo wrote:
| That skepticism is definitely healthy, but by the GDPR,
| this is _required_ to be every single thing they have on
| you, under penalty of significant fines.
|
| That doesn't mean it _is_ everything... but it at least
| makes that a little more likely? Some light optimism for
| you, I guess.
|
| Edit: seems even this isn't necessarily true.. damn.
| throwaway744678 wrote:
| Only for EU citizens.
| hadrien01 wrote:
| They have to tell you everything they know about you, by
| law... but that doesn't mean this webpage contains all the
| information they collected. And getting everything is
| rather complicated: https://ruben.verborgh.org/facebook/
| _joel wrote:
| You can check this in the settings. They really obfuscate
| and have dark patterns here but last time I checked it was
| there.
| npteljes wrote:
| I do this, but to every webpage - so there should be much less
| cross-site talk. Not that the advertising machine doesn't have
| a million other ways of getting through.
|
| https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
| thih9 wrote:
| Previous discussions:
|
| - https://news.ycombinator.com/item?id=11791052 (2016)
|
| - https://news.ycombinator.com/item?id=16632677 (2018)
___________________________________________________________________
(page generated 2021-02-10 23:02 UTC)