Big Hoodie
is watching you.
Facebook's apology-and-explanation machine grinds on, with The Social Network™ posting detail on one of its most controversial activities – how it tracks people who don't use Facebook. The company explained that the post is a partial response to questions CEO Mark Zuckerberg was unable to answer during his senate and …
Now all you have to do is make sure that any of your friends who do use facebook don't have your phone number or email address, and that they never share a photo of you. Oh, and that you don't use any other service that integrates with facebook, and just hope that you blacklisted all their domains and didn't miss any like tfbnw.net or m.me.
Yup. Blocking all of their domains at the network level is really the best way to make sure your computer isn't infected by the Facebook cancer. As long as you don't share a network with f*c*book users, it's best to block them at the router if you can.
Another alternative is to install a f*c*book blocking extension in your browser.
Re: Big Hoodie
That's why all Facebook domains are 0.0.0.0 in my hosts file...
You might want to add this to your hostfile, FarceBook is all over IPv6.............
::1 localhost #[IPv6]
::1 facebook.com
::1 www.facebook.com
::1 login.facebook.com
::1 www.login.facebook.com
::1 fbcdn.net
::1 www.fbcdn.net
::1 fbcdn.com
::1 www.fbcdn.com
::1 static.ak.fbcdn.net
::1 static.ak.connect.facebook.com
::1 connect.facebook.net
::1 www.connect.facebook.net
::1 apps.facebook.com
::1 edge-star6-shv-02-ams2.facebook.com
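The two posts above use different sinkhole styles (0.0.0.0 for IPv4, ::1 for IPv6). The following is an added example, not part of either post: it audits a hosts file and reports which names still lack an entry for one address family. The sample hosts text and the `audit` / `parse_sinkholes` helper names are constructed for illustration; the hostnames are ones mentioned in this thread.

```python
import ipaddress

# Constructed sample combining the two posts' styles: one name has both
# sinkholes, one only IPv4, one only IPv6, one is commented out.
SAMPLE_HOSTS = """\
0.0.0.0 facebook.com www.facebook.com
::1 localhost #[IPv6]
::1 facebook.com
::1 connect.facebook.net
# 0.0.0.0 fbcdn.net   (commented out, so not active)
"""

def parse_sinkholes(hosts_text):
    """Map each hostname to the set of IP versions ({4, 6}) it is sinkholed for."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field: ignore the line
        # Only loopback (127.0.0.1, ::1) or unspecified (0.0.0.0, ::) count.
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), set()).add(addr.version)
    return table

def audit(hosts_text, names):
    """Return {name: sorted IP versions that have no sinkhole entry}."""
    table = parse_sinkholes(hosts_text)
    gaps = {}
    for name in names:
        missing = {4, 6} - table.get(name.lower().rstrip("."), set())
        if missing:
            gaps[name] = sorted(missing)
    return gaps

# Hosts entries match exact names only (no wildcards), so apps.facebook.com
# is not covered by the facebook.com lines and must be listed on its own.
WANTED = ["facebook.com", "www.facebook.com", "connect.facebook.net",
          "fbcdn.net", "apps.facebook.com", "tfbnw.net", "m.me"]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HOSTS, WANTED).items():
        print(name, "missing IPv" + ", IPv".join(map(str, missing)))
```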
Interestingly, my wife came to me this evening and asked how she could remove "Google" from her smartphone...
She now uses DuckDuckGo and Firefox with tracking protection turned on. Unfortunately, you can only do so much to shun Google and Facebook from your life.
With NoScript, for example, most Google subdomains, like analytics, are blocked.
They're not actually. They get loaded, they're just not allowed to run. So the fact that they get loaded allows tracking to happen. If you want to prevent them from getting loaded, you need uMatrix - which blocks them at the domain.
You also want to use something like uBlock Origin for ads or (my personal choice) AdNauseam.
Add in Decentraleyes to deal with resources and CanvasBlocker to limit fingerprinting. LocationGuard can muddy the waters on occasion (just don't expect all sites to refrain from querying your IP).
Thanks for the pointer to Decentraleyes and CanvasBlocker.
And yes, I realise that NoScript doesn't completely block analytics, but for me at least, it had more to do with not allowing scripts from third parties at the beginning. But as time goes by, I'm starting to rethink everything else.
> Thanks for the pointer to Decentraleyes and CanvasBlocker.
If they ever make a return to FF Quantum, I'd also recommend Random Agent Spoofer, Google Disconnect/Twitter Disconnect and Calomel SSL Validation (possibly WorldIP as well).
> And yes, I realise that NoScript doesn't completely block analytics, but for me at least, it had more to do with not allowing scripts from third parties at the beginning. But as time goes by, I'm starting to rethink everything else.
I only recently discovered the difference between the two thanks to NoScript not being available on FFQ and my having used uMatrix in Comodo's 'Dragon' browser for years in lieu of NoScript. So, I added uMatrix to FFQ rather than go without a blocker. Then I was reading something recently that explained how the two work and thought "Really? That's interesting."
I've re-added NoScript in the interim and use both now. Which is really annoying and often makes me want to hurl the computer out of the window if not hunt down the website designer(s) and do some very painful things to them for a very long time, get plastic surgery, a new identity, move to Peru, become a cocoa bean farmer and never use the Web again.
It has been very informative, however.
With just uMatrix enabled, if I go to Youtube and want to watch something, I need to authorise the *-aigd.googlevid XHR objects and nothing else.
For one video, for instance, that was 23 objects out of a total of 146, including one cookie from www.youtube.com specifically (another ten from <somewhere>.youtube.com.), two stylesheets from www.youtube.com … (another two from fonts.gstatic.com.), thirteen objects from unspecified external sources that redirector.google.com will load, twenty unspecified ‘other’ things from www.google.com and all the other things I’m not going to bore us with by listing them here but 58 of which are cross-hosted.
Meaning a minimum of 84% of the items coming with it serve you no purpose whatsoever if all you want to do is watch the video. 84% (123 objects) are there for someone else’s benefit, not yours. I wonder what benefit they get from them … because they don’t display the video or let me control it in any way - that’s what at least some of the other 23 do. Those 23 also appear to enable the autoplay feature … because it still works if you don’t load anything else. At most twenty-three of them are necessary to watch the video, so what are the other thirty-five doing exactly - and why?
So then, when it became available again, I added NoScript, because 23 unidentified XHR objects that seemingly do an awful lot more than I anticipated is a bit concerning - NoScript might identify them for me once they make it to the browser and I can be even choosier about what I authorise.
And what I discovered was that there's an awful lot of youtube.com functionality hidden behind those 23 objects. If I go to youtube.com with just uMatrix, I see an awful lot of stuff load into my browser to give me a basic outline of the site. With NoScript running as well, I see virtually nothing at all and until I authorise the youtube.com and ytimg.com scripts in NoScript and scripts from s.ytimg.com in uMatrix that's how it will remain.
So those 23 XHR objects seem to include scripts as well as video and other (control) elements - which, of course, isn't declared explicitly in uMatrix because it just lists them as XHR objects.
It's interesting to see how many sites make use of google analytics too. I saw a recommendation for three new privacy orientated social networking solutions that referred to google analytics objects - I'm sure you can imagine how I laughed!
Even more fun is seeing how waiting for any of those extraneous objects to download delays the entire page (slow connection, or simply lack of server response) - then multiply it by however many of them there are that delay the page in turn (if not in parallel)!
To prevent tracking by FaceBUTT, Gurgle, etc., I use Remove This Permanently add-on to remove their "bugs" (the little f, p or g). If one of these appears on a site you visit, word will be sent to one of those companies saying that you landed on that page. This applies to you even if you never agree to anything. They are so sweet. They even know if you looked at a toilet, without clicking on anything. BTW, my browser is Pale Moon.
Depending on the site's ToS, the fact that FB is monitoring and tracking non FB subscribers may be a violation of the ToS and agreement w Facebook.
Again this shouldn't be a surprise and why many w NoScript block FB scripts.
Of course not all browsers work w script blockers and addons.
This could be a major Class Action lawsuit against FB since none of those who were tracked gave permission for FB to track them.
Again, let's ask El Reg why they run Google's Analytics given that in today's world, it's very easy for a competent admin to write their own tracking javascript. Note: While not FB, it's an example of a major corporation spying on you without your knowledge or approval. It is also one way that FB, Google and others can spy on you and track you without the use of cookies.
For that matter why does this article (and probably all other El Reg articles) have a FB icon at the bottom (aside from the actual www.facebook.com link at the farthest bottom) with this property?
https://www.theregister.co.uk/design_picker/c00f80f04b0eaf0123d821f6c9488fc1cb55fd0a/graphics/icon/facebook.svg
Kinda looks like it tracks something of interest to FB...
When non-Facebook sites add a “Like” button (a social plugin, in Baser's terminology), visitors to those sites are tracked: Facebook gets their IP address, browser and OS fingerprint, and visited site.
Not if Facebook is in the noscript kill list and that is one damn good reason for it to be.
It's a great solution, provided you don't mind the rigmarole of whitelisting a bunch of sites every time you visit somewhere new...
Non-Facebook users shouldn't have to do anything at all to avoid being tracked.
Who's going to cause a fuss about this if the people who understand the issues just use a plug in and leave everyone else to be spied on?
I don't need to, because the sites that have not been whitelisted by now are not going to be if I go to a new page and they are required.
My NoScript is set exactly how I like it, with the sites I know and trust whitelisted, and everything else consigned to oblivion.
That is how I surf in peace. If a website cannot work with my settings, it is not a website I wish to linger on.
That said, I agree with you that I shouldn't have to do anything to not be tracked, but hey, this is the Internet. Anyone can do what they want, and most do exactly that.
> Who's going to cause a fuss about this if the people who understand the issues just use a plug in and leave everyone else to be spied on?
The people who understand the issues generally don't particularly want the hassle and timedrain of creating a political movement to protest against a company doing something that can be blocked by configuring your own software.
They can do that whatever you do: remember how much the EU legislation made? That's right, there's now just an annoying popup telling you that they've set cookies whether you like it or not and, no, you don't get to opt out, you just get to click the 'x' to make the popup go away.
The best one I used to use was Cookie Monster but that's gone the way of the dodo. Now the best solution I've found is uMatrix - although I couldn't say it were as effective as CM was.
I could do with a copy of your hosts file!
For maximum effect, block everything by default because there's so much crap out there, and not just Facebook. I also block 1st-party JS & cookies because it's gotten even more annoying than it was in 1999.
Instructions for (paranoid) umatrix noobs: Click umatrix icon, click blue box at top left, select "*". On the "all" line, css & images are green; click them off (should be pink). On "1st-party" line, click bottom half of cookies & scripts (should be red). Click lock icon to save settings.
Caveat: every time you visit a crap website, you have to open umatrix and figure out what to allow to make the site work. If that's too time consuming, ask yourself: why am I wasting my time surfing this Web of Shit?
"ask yourself: why am I wasting my time surfing this Web of Shit?"
This. I use NoScript rather than uMatrix, but the same principle applies. If I visit a site that doesn't work with my settings, and there isn't an extreme need to access that particular site, I just move on.
It's the safest and easiest way of handling it, and really, I lose nothing in doing so.
>For my purposes, uBlock does nothing that I need that NoScript doesn't do, so there's no point in running both.
uMatrix stops them loading from the domain, NoScript simply prevents them from running.
This means that the server can note which scripts are loaded into your browser using an "if this browser and version and this and that or the other" and then record that "I know this about you".
So, if you're hoping that NoScript will prevent more than the excesses attendant upon running the script(s) think again. It won't, it'll only prevent the final 'payload'. In the background, however, the fact that those scripts were ever even requested is giving away an awful lot about you that you can't prevent with NoScript, only with uMatrix.
Conversely, when you load the 23 objects hiding behind an 'XHR' or 'other' label, you have no idea what they are and are giving them carte blanche to do stuff without even knowing what class of object they are - NoScript will, however, prevent any loaded scripts from running.
If your use case only requires that loaded scripts be prevented from running and any extra script-like functionality resulting from clever CSS manipulation is of no concern, then fine, NoScript is all you need.
If, however, you wish not to be tracked or compromised in any other way, you need to be making use of a lot more than simply both but, at the very least you need to be using uMatrix to block stuff at source, including cookies, CSS, images, media, scripts, XHR and 'other' objects before they even reach your browser - otherwise, you might as well not even bother with NoScript either.
"uMatrix stops them loading from the domain"
I actually use firewalls to stop that -- all traffic, incoming and outgoing, is blocked by default. I have to whitelist sites I want to communicate with. I rely on NoScript to manage scripts (as well as prevent other common nastiness) coming from sites that I've whitelisted.
NoScript (and firewalls, for that matter) is just one part of a much more comprehensive defense plan. I rely as little as possible on browser-based defenses because they only help when dealing with the web, but my use of the internet is more expansive than just browsing the web. Also, keeping most of your defenses in one place, such as your browser, is a security weakness itself. It's a single point of failure -- should the browser be subverted, all of those defenses are gone at once.
Good points but they rely upon:
1. your being the only one who makes use of your system(s) and being able to rule out Failbook activity.
2. your never needing to access the 'net from anywhere else - which is when a liveDVD (at a pinch USBkey) with a linux install come in handy (along with a second one running portable Windows apps, for when rebooting the system isn't an option).
I take the point about single point of failure but that's why I don't use the 'net for anything but browser based activity (okay, OS updates too, but what you gonna do?) - the less I do and the more I limit access to a single vector, the smaller the attack surface and the more secure the system is.
I too have a firewall and (on Windows at least) it's not only Transport Layer but also Application Layer enabled; on top of which (it being Windows and all) HIPS, sandboxing, etc. - there's no point blocking everything outside the perimeter only to get stabbed in the back by one of my own apps.
But for your specific use case, yes, NoScript would seem sufficient; just bear the others in mind in case your circumstances should change (especially should it not be a matter of choice) - I recommend the belt and braces approach (it can't hurt).
"your being the only one who makes use of your system(s) and being able to rule out Failbook activity."
My firewall blocks all access to FB servers, so there's no risk there. I provide "red zone" internet access that is separated from my network for visitors who don't like my restrictions.
"your never needing to access the 'net from anywhere else"
When I access the net from somewhere else, I use a VPN that connects to my LAN, so all of my protections stay in place. I haven't needed to use someone else's machine for internet access (my smartphone does just fine, particularly when I connect a keyboard and mouse to it), but I also carry a bootable USB stick as backup should I ever need to.
"that's why I don't use the 'net for anything but browser based activity"
Fair enough, but for me, that would eliminate about 75% of the usefulness of the internet. If I had to be browser-only, I may as well just stop using the internet.
"I recommend the belt and braces approach (it can't hurt)."
I agree. I don't consider security a "once and done" sort of thing. Threats change over time, and so security postures must as well.
Shut your *beep*ing face, Uncle *beep*a
You're a *beep* sucking, *beep* licking Uncle *beep*a
You're an Uncle *beep*a, yes, it's true
Nobody *beep*s uncles quite like you
no script all the way, it really _is_ worth the inconvenience.
Blame Zuckerberg!
He's not even a proper person anyway...
I think he's the reincarnation of the Emperor Caligula....
well, the commonly used side portrait shot reminds me of John Hurt from I Claudius.
Not the recent ones of him looking both uncomfortable in a suit and in the company of old people.
To see Zuck as a reincarnation of Caligula is an insult to the Emperor. Maybe he is rather a reincarnation of Cesare Borgia.
A new Caligula will have his slaves dig at sites clearly marked as Nuclear waste burial site. Do not dig here!