Ubuntu As Advertiser Monster?

Or “Adventures In Paranoid Security Admin?”… A Brief run down Paranoia Lane & Security Street…

So I’m taking the RockPro64 for a spin as a MariaDB station (and finding it isn’t as stable as I’d like; nor are the big CPUs needed) when this morning, again, it boots up to a black screen. So now I’m not sure an “update upgrade” fixed it last time and maybe it’s just a semi-random “does not play well with HDMI”? But that’s for working the issue after this posting.

To find the IP number it DHCP’ed so I can login to reboot it gracefully, I launched the PiHole administrator. (The PiHole is doing a marvelous job of advertising killing and some tracker like things too, but it is also my DHCP server on that network). Well the admin panel tells you lots of nice things about what’s trying to shove ads at you and who’s your tattle-tale. Little did I expect a board that had just been brought up to rank in the top set.

Canonical (makers of Ubuntu) shoved their “Unity” desktop at folks and then were found to be collecting data with it. This naturally raises the suspicion level for them; but I’m running xfce not Unity, so that ought not be a problem. Still, a bit of “Dig Here!” seems warranted.

The top machine is the wife’s Macbook. She often is visiting sites that sell stuff and various “say news gather info shove ads” sites. Not surprising she would have the most blocked ads. Then there are 3 Roku devices on the list so you can see what TV is on the most ;-) I was very surprised when I first discovered the PiHole blocks a lot of Roku ads, but also very happy ;-) Down at the bottom of the list is the spousal I-Phone with a surprising number of ads / snoops blocked – IF I ever get an I-Phone, I’ll need “Pocket Pi-Hole” to take with me when I travel… The “Office Router” hides my internal R&D network with anything really private on it, and the 192.x.x.x systems are various random things I’ve not configured on the house network ( So pop up something like a misc laptop or burner phone on WiFi… or just the random WiFi chip on a Pi M3)

That leaves two systems in the middle. My “main daily driver” where I do a lot of this web posting / browsing / story search stuff on the “Pi M3 Workstation” and that RockPro64 that was just installed with Ubuntu and had MariaDB and some test script stuff done along with Python reports. I DID pop a browser (both Chromium & FireFox) on it to do the postings while I did the testing, but I didn’t do a whole lot of “random browsing” and didn’t have nearly as many “open tabs” as tend to hang around on the Pi M3 “Daily Driver”.

So why did the Ubuntu RockPro64 rank #3 on the Top Clients Last 24 Hours List?

Top Clients (total)
Client	Requests	Frequency
spousal-air.chiefio.home	2097	
livingrmroku.chiefio.home	1942	
rockpro64.chiefio.home	        1091	
pim3workstation	                 681	
bedroomroku.chiefio.home	 659	
officeroku.chiefio.home	         588	
spousaliphone.chiefio.home	 275	
officenetrouter	                 189	
192.168.6.74	                 148	
192.168.6.60	                  37	

But it gets worse. Here’s the list of “Blocked Only”. That is, those systems that asked for the most “crap” or spent the most time trying to send out information to blocked destinations. Now the Ubuntu box is #2. Beating out even the advertising driven Roku services that are on most of the day.

Now, in fairness, the Devuan Pi M3 did come in 3rd with almost as much. 154 vs 200. But I typically have a dozen plus tabs open in those browsers and use it from first coffee to after midnight. It isn’t just a “boot up and test some stuff” station.

Top Clients (blocked only)
Client	Requests	Frequency
spousal-air.chiefio.home	861	
rockpro64.chiefio.home	        200	
pim3workstation	                154	
livingrmroku.chiefio.home        48	
bedroomroku.chiefio.home         26	
officenetrouter	                 24	
officeroku.chiefio.home	         13	
192.168.6.74	                 13	
joansmihsiphone.chiefio.home	  3

Might there be a clue in the top blocked domains? Maybe, but this is over all devices so will be heavily biased by the spousal Mac and the Roku mob:

Top Blocked Domains
Domain	Hits	Frequency
ssl.google-analytics.com	102	
sb.scorecardresearch.com	 77	
pubads.g.doubleclick.net	 74	
pixel.wp.com	                 63	
www.google-analytics.com	 58	
www.googletagservices.com	 56	
googleads.g.doubleclick.net	 43	
www.googleadservices.com	 37	
stats.wp.com	                 34	
www.googletagmanager.com	 32	

Mostly it’s keeping Google’s Snout out of my kilt…

The “pixel.wp.com’ is something WordPress uses, I think as a tracker of who is viewing a page, maybe… similarly stats.wp.com. Which leaves that scorecard thing. A DuckDuckGo search (I’ve broken the embedded links):

scorecardresearch

All RegionsSafe Search: ModerateAny Time
Home Page – Scorecard Research
Search domain scorecardresearch DOT com htt scorecardresearch DOT com
ScorecardResearch, a service of Full Circle Studies, Inc., is part of the Comscore, Inc. market research community, a leading global market research effort that studies and reports on Internet trends and behavior.

ScorecardResearch: What is it and what does it do …
Search domain www DOT theguardian DOT com/technology/2012/apr/23/scorecardresearch-tracking-trackers-cookies-web-monitoring htt www DOT theguardian DOT com/technology/2012/apr/23/scorecardresearch-tracking-trackers-cookies-web-monitoring
Apr 23, 2012 · ScorecardResearch is part of a company called Full Circle Studies, which is owned by comScore. To put the size of comScore into some context, its factsheet claims it tracks more than three million …

Preference Page – Scorecard Research
Search domain www DOT scorecardresearch DOT com/preferences-aspx?newlanguage=1 htt www DOT scorecardresearch DOT com/preferences-aspx?newlanguage=1
This opt-out will also prevent you from receiving invitations to participate in market research surveys from ScorecardResearch or VoiceFive, Inc. (an affiliate of Full Circle Studies, Inc., that offers surveys across the Internet).

While I’m glad that is being blocked, it doesn’t look like anything unique to the Ubuntu RockPro64. So I click on that systems name / entry in the list above to drill down into what it’s talking too:

Time	Type	Domain	Client	Status	Reply	Action
Time	Type	Domain	Client	Status	Reply	Action
2019-03-27 16:26:25	A	ntp.ubuntu.com	rockpro64.chiefio.home	OK (forwarded)	IP (24.3ms)	 Blacklist
2019-03-27 16:26:25	AAAA	ntp.ubuntu.com	rockpro64.chiefio.home	OK (forwarded)	IP (23.6ms)	 Blacklist
2019-03-27 16:26:02	SOA	local	rockpro64.chiefio.home	OK (forwarded)	N/A	 Blacklist
2019-03-27 16:26:01	SOA	local	rockpro64.chiefio.home	OK (forwarded)	N/A	 Blacklist
2019-03-27 07:19:05	A	public-api.wordpress.com	rockpro64.chiefio.home	OK (forwarded)	IP (24.3ms)	 Blacklist
2019-03-27 07:19:01	A	graph.facebook.com	rockpro64.chiefio.home	OK (forwarded)	CNAME (0.9ms)	 Blacklist
2019-03-27 07:19:00	A	s0.wp.com	rockpro64.chiefio.home	OK (cached)	IP (1.0ms)	 Blacklist
2019-03-27 07:19:00	A	s2.wp.com	rockpro64.chiefio.home	OK (cached)	IP (0.9ms)	 Blacklist
2019-03-27 07:19:00	A	s1.wp.com	rockpro64.chiefio.home	OK (cached)	IP (0.7ms)	 Blacklist
2019-03-27 07:18:22	A	public-api.wordpress.com	rockpro64.chiefio.home	OK (cached)	IP (0.8ms)	 Blacklist

Now realize, at the moment I have a black screen and can’t even log into the board. System time ATM is March 27 17:17 UTC (yes I run on UTC…) so those entries from 07:19 are from last night.

First thing I notice it that it is getting “Time” service from Ubuntu. OK, I forgot / didn’t bother to point it to my local time server. That’s one of those minor privacy things that’s just “nice to do”. It DOES finger when a given system is “up”, so when pointed to a given site, you must trust the privacy behaviours of your upstream time server. Debian (and Devuan) by default use a large pool of contributors, so at any given time you get a different mix of folks sharing times. Privacy by random mutation. I put that in front of all my other systems with an internal time server on the Pi servers doing Squid Proxy and DNS service / blocking. So not a big thing, but a minor sanitation measure. IF using an Ubuntu box, change your time server configuration.

Then it has some local activity and some wordpress stuff. I note that somewhere along the line a posting / comment I had in a page chatted with Facebook (so they got a track / notice and I got a graph). While I generally prefer to NEVER do ANYTHING with Facebook, I’m required to to keep the blog tidy, so OK, moving on.

I can click back through several panels of this. In fact, the PiHole tells me it has 772 entries. I don’t think I’ll look at all of them…

Clicking on the “status” heading lets me filter to just “blocked” type. Here’s a chunk from page 13 of just them:

Previous1…121314…78Next
Time	Type	Domain	Client	Status	Reply	Action
Time	Type	Domain	Client	Status	Reply	Action
2019-03-26 18:44:30	A	googleads.g.doubleclick.net	rockpro64.chiefio.home	Blocked (gravity)	- (0.7ms)	 Whitelist
2019-03-26 18:44:30	A	pixel.wp.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.7ms)	 Whitelist
2019-03-26 18:44:30	A	static.doubleclick.net	rockpro64.chiefio.home	Blocked (gravity)	- (0.9ms)	 Whitelist
2019-03-26 18:44:28	A	stats.wp.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.9ms)	 Whitelist
2019-03-26 18:02:44	A	stats.wp.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.8ms)	 Whitelist
2019-03-26 18:02:41	A	pixel.wp.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.8ms)	 Whitelist
2019-03-26 17:58:53	A	pixel.wp.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.8ms)	 Whitelist
2019-03-26 17:58:49	A	static.doubleclick.net	rockpro64.chiefio.home	Blocked (gravity)	- (0.7ms)	 Whitelist
2019-03-26 17:58:48	A	stats.wp.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.7ms)	 Whitelist
2019-03-26 17:58:48	A	ssl.google-analytics.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.6ms)	 Whitelist

That’s pretty much what the first 13 pages looked like. A mix of WordPress and Google. So most likely I was just my using the RockPro64 more on WordPress and with some Google stuff from pages in the blog and other stuff that was incidental to managing the blog. Essentially, for that one day, I was doing more page clicks on that box than on the Pi M3 (probably due to the way faster browsers; and that I was posting about results from that box so cut / paste / post on it.

So in the end I’m forced to realize it wasn’t Ubuntu. Canonical had used their desktop (at one time) to gather data about folks, and got roundly flamed for it. I’m not running “unity” so don’t know if they still have that issue. For xfce it doesn’t have an issue.

What did happen was that I used that system more for that day with WordPress and some random page reads, and that triggered “the usual suspects” of Google and WordPress. In the rest of the list (yes, I scanned all the blocked site list) there was a bit of Amazon (how Amazon got triggered on that system I can only surmise was an ad in some random article) and a few others But the bulk is the “big two” for me of WordPress (since I run it constantly) and Google (since it is an intrusive octopus).

But I did learn that I need to change the time server settings ;-)

AFTER I get it to boot to a screen again…

Postscript On Secrecy

IF for some reason you want your browsing history to be secret and your site list hidden, the PiHole ought to be configured to not keep as much history. It also has a nice “flush” button if you are in a hurry to dump the history… Here’s the config settings under “security”:

Privacy settings

DNS resolver privacy level

Specify if DNS queries should be anonymized, available options are:

Show everything and record everything
Gives maximum amount of statistics

Hide domains: Display and store all domains as “hidden”
This disables the Top Domains and Top Ads tables on the dashboard

Hide domains and clients: Display and store all domains as “hidden” and all clients as “0.0.0.0”
This disables all tables on the dashboard

Anonymous mode: This disables basically everything except the live anonymous statistics
No history is saved at all to the database, and nothing is shown in the query log. Also, there are no top item lists.

No Statistics mode: This disables all statistics processing. Even the query counters will not be available.
Note that regex blocking is not available when query analyzing is disabled.
Additionally, you can disable logging to the file /var/log/pihole.log using sudo pihole logging off.

The privacy level may be increased at any time without having to restart the DNS resolver. However, note that the DNS resolver needs to be restarted when lowering the privacy level. This restarting is automatically done when saving.

I’m presently set to the first one “Show everything and record everything”. If you want real privacy, use one of the more strict settings like the bold ones.

There’s also a nice fat button on the settings page with the title “Flush Logs” should you be in a hurry ;-) There are similar buttons to just stop logging for a while, or to both disable logging and flush logs. So if desired, you can just stop logging for a little while, get your stuff done, and then restart logging…

I do really like the PiHole design and how aware they are of the needs of adjustable security and privacy.

Subscribe to feed