Ubuntu As Advertiser Monster?

Or “Adventures In Paranoid Security Admin?”… A Brief run down Paranoia Lane & Security Street…

So I’m taking the RockPro64 for a spin as a MariaDB station (and finding it isn’t as stable as I’d like; nor are the big CPUs needed) when this morning, again, it boots up to a black screen. So now I’m not sure an “update upgrade” fixed it last time and maybe it’s just a semi-random “does not play well with HDMI”? But that’s for working the issue after this posting.

To find the IP number it DHCP’ed so I can login to reboot it gracefully, I launched the PiHole administrator. (The PiHole is doing a marvelous job of advertising killing and some tracker like things too, but it is also my DHCP server on that network). Well the admin panel tells you lots of nice things about what’s trying to shove ads at you and who’s your tattle-tale. Little did I expect a board that had just been brought up to rank in the top set.

Canonical (makers of Ubuntu) shoved their “Unity” desktop at folks and then were found to be collecting data with it. This naturally raises the suspicion level for them; but I’m running xfce not Unity, so that ought not be a problem. Still, a bit of “Dig Here!” seems warranted.

The top machine is the wife’s Macbook. She often is visiting sites that sell stuff and various “say news gather info shove ads” sites. Not surprising she would have the most blocked ads. Then there are 3 Roku devices on the list so you can see what TV is on the most ;-) I was very surprised when I first discovered the PiHole blocks a lot of Roku ads, but also very happy ;-) Down at the bottom of the list is the spousal I-Phone with a surprising number of ads / snoops blocked – IF I ever get an I-Phone, I’ll need “Pocket Pi-Hole” to take with me when I travel… The “Office Router” hides my internal R&D network with anything really private on it, and the 192.x.x.x systems are various random things I’ve not configured on the house network (so pop up something like a misc laptop or burner phone on WiFi… or just the random WiFi chip on a Pi M3).

That leaves two systems in the middle. My “main daily driver” where I do a lot of this web posting / browsing / story search stuff on the “Pi M3 Workstation” and that RockPro64 that was just installed with Ubuntu and had MariaDB and some test script stuff done along with Python reports. I DID pop a browser (both Chromium & FireFox) on it to do the postings while I did the testing, but I didn’t do a whole lot of “random browsing” and didn’t have nearly as many “open tabs” as tend to hang around on the Pi M3 “Daily Driver”.

So why did the Ubuntu RockPro64 rank #3 on the Top Clients Last 24 Hours List?

Top Clients (total)
Client	Requests	Frequency
spousal-air.chiefio.home	2097
livingrmroku.chiefio.home	1942
rockpro64.chiefio.home	1091
pim3workstation	681
bedroomroku.chiefio.home	659
officeroku.chiefio.home	588
spousaliphone.chiefio.home	275
officenetrouter	189	148	37

But it gets worse. Here’s the list of “Blocked Only”. That is, those systems that asked for the most “crap” or spent the most time trying to send out information to blocked destinations. Now the Ubuntu box is #2. Beating out even the advertising driven Roku services that are on most of the day.

Now, in fairness, the Devuan Pi M3 did come in 3rd with almost as much. 154 vs 200. But I typically have a dozen plus tabs open in those browsers and use it from first coffee to after midnight. It isn’t just a “boot up and test some stuff” station.

Top Clients (blocked only)
Client	Requests	Frequency
spousal-air.chiefio.home	861
rockpro64.chiefio.home	200
pim3workstation	154
livingrmroku.chiefio.home	48
bedroomroku.chiefio.home	26
officenetrouter	24
officeroku.chiefio.home	13	13
joansmihsiphone.chiefio.home	3

Might there be a clue in the top blocked domains? Maybe, but this is over all devices so will be heavily biased by the spousal Mac and the Roku mob:

Top Blocked Domains
Domain	Hits	Frequency
ssl.google-analytics.com	102
sb.scorecardresearch.com	77
pubads.g.doubleclick.net	74
pixel.wp.com	63
www.google-analytics.com	58
www.googletagservices.com	56
googleads.g.doubleclick.net	43
www.googleadservices.com	37
stats.wp.com	34
www.googletagmanager.com	32

Mostly it’s keeping Google’s Snout out of my kilt…

The “pixel.wp.com” is something WordPress uses, I think as a tracker of who is viewing a page, maybe… similarly stats.wp.com. Which leaves that scorecard thing. A DuckDuckGo search (I’ve broken the embedded links):


Home Page – Scorecard Research
Search domain scorecardresearch DOT com htt scorecardresearch DOT com
ScorecardResearch, a service of Full Circle Studies, Inc., is part of the Comscore, Inc. market research community, a leading global market research effort that studies and reports on Internet trends and behavior.

ScorecardResearch: What is it and what does it do …
Search domain www DOT theguardian DOT com/technology/2012/apr/23/scorecardresearch-tracking-trackers-cookies-web-monitoring htt www DOT theguardian DOT com/technology/2012/apr/23/scorecardresearch-tracking-trackers-cookies-web-monitoring
Apr 23, 2012 · ScorecardResearch is part of a company called Full Circle Studies, which is owned by comScore. To put the size of comScore into some context, its factsheet claims it tracks more than three million …

Preference Page – Scorecard Research
Search domain www DOT scorecardresearch DOT com/preferences-aspx?newlanguage=1 htt www DOT scorecardresearch DOT com/preferences-aspx?newlanguage=1
This opt-out will also prevent you from receiving invitations to participate in market research surveys from ScorecardResearch or VoiceFive, Inc. (an affiliate of Full Circle Studies, Inc., that offers surveys across the Internet).

While I’m glad that is being blocked, it doesn’t look like anything unique to the Ubuntu RockPro64. So I click on that system’s name / entry in the list above to drill down into what it’s talking to:

Time	Type	Domain	Client	Status	Reply	Action
2019-03-27 16:26:25	A	ntp.ubuntu.com	rockpro64.chiefio.home	OK (forwarded)	IP (24.3ms)	 Blacklist
2019-03-27 16:26:25	AAAA	ntp.ubuntu.com	rockpro64.chiefio.home	OK (forwarded)	IP (23.6ms)	 Blacklist
2019-03-27 16:26:02	SOA	local	rockpro64.chiefio.home	OK (forwarded)	N/A	 Blacklist
2019-03-27 16:26:01	SOA	local	rockpro64.chiefio.home	OK (forwarded)	N/A	 Blacklist
2019-03-27 07:19:05	A	public-api.wordpress.com	rockpro64.chiefio.home	OK (forwarded)	IP (24.3ms)	 Blacklist
2019-03-27 07:19:01	A	graph.facebook.com	rockpro64.chiefio.home	OK (forwarded)	CNAME (0.9ms)	 Blacklist
2019-03-27 07:19:00	A	s0.wp.com	rockpro64.chiefio.home	OK (cached)	IP (1.0ms)	 Blacklist
2019-03-27 07:19:00	A	s2.wp.com	rockpro64.chiefio.home	OK (cached)	IP (0.9ms)	 Blacklist
2019-03-27 07:19:00	A	s1.wp.com	rockpro64.chiefio.home	OK (cached)	IP (0.7ms)	 Blacklist
2019-03-27 07:18:22	A	public-api.wordpress.com	rockpro64.chiefio.home	OK (cached)	IP (0.8ms)	 Blacklist

Now realize, at the moment I have a black screen and can’t even log into the board. System time ATM is March 27 17:17 UTC (yes I run on UTC…) so those entries from 07:19 are from last night.

First thing I notice is that it is getting “Time” service from Ubuntu. OK, I forgot / didn’t bother to point it to my local time server. That’s one of those minor privacy things that’s just “nice to do”. It DOES finger when a given system is “up”, so when pointed to a given site, you must trust the privacy behaviours of your upstream time server. Debian (and Devuan) by default use a large pool of contributors, so at any given time you get a different mix of folks sharing times. Privacy by random mutation. I put that in front of all my other systems with an internal time server on the Pi servers doing Squid Proxy and DNS service / blocking. So not a big thing, but a minor sanitation measure. IF using an Ubuntu box, change your time server configuration.

Then it has some local activity and some wordpress stuff. I note that somewhere along the line a posting / comment I had in a page chatted with Facebook (so they got a track / notice and I got a graph). While I generally prefer to NEVER do ANYTHING with Facebook, I’m required to, to keep the blog tidy, so OK, moving on.

I can click back through several panels of this. In fact, the PiHole tells me it has 772 entries. I don’t think I’ll look at all of them…

Clicking on the “status” heading lets me filter to just “blocked” type. Here’s a chunk from page 13 of just them:

Time	Type	Domain	Client	Status	Reply	Action
2019-03-26 18:44:30	A	googleads.g.doubleclick.net	rockpro64.chiefio.home	Blocked (gravity)	- (0.7ms)	 Whitelist
2019-03-26 18:44:30	A	pixel.wp.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.7ms)	 Whitelist
2019-03-26 18:44:30	A	static.doubleclick.net	rockpro64.chiefio.home	Blocked (gravity)	- (0.9ms)	 Whitelist
2019-03-26 18:44:28	A	stats.wp.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.9ms)	 Whitelist
2019-03-26 18:02:44	A	stats.wp.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.8ms)	 Whitelist
2019-03-26 18:02:41	A	pixel.wp.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.8ms)	 Whitelist
2019-03-26 17:58:53	A	pixel.wp.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.8ms)	 Whitelist
2019-03-26 17:58:49	A	static.doubleclick.net	rockpro64.chiefio.home	Blocked (gravity)	- (0.7ms)	 Whitelist
2019-03-26 17:58:48	A	stats.wp.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.7ms)	 Whitelist
2019-03-26 17:58:48	A	ssl.google-analytics.com	rockpro64.chiefio.home	Blocked (gravity)	- (0.6ms)	 Whitelist

That’s pretty much what the first 13 pages looked like. A mix of WordPress and Google. So most likely it was just my using the RockPro64 more on WordPress and with some Google stuff from pages in the blog and other stuff that was incidental to managing the blog. Essentially, for that one day, I was doing more page clicks on that box than on the Pi M3 (probably due to the way faster browsers; and that I was posting about results from that box so cut / paste / post on it).
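
As an added example (not part of the original post, and not Pi-hole’s own code): the per-client drill-down above and the earlier ntp.ubuntu.com observation, done as a tally instead of paging through the query log by hand. It assumes the rows are available tab-separated in the column order shown; the VENDOR_ZONES list and the last-two-labels grouping are assumptions of this example.

```python
import csv
import io
from collections import Counter

CLIENT = "rockpro64.chiefio.home"
# Constructed sample in the query log's column order; most rows are taken from
# the excerpts in this post, the Roku row is made up to show client filtering.
ROWS = [
    ("Time", "Type", "Domain", "Client", "Status"),
    ("2019-03-27 16:26:25", "A", "ntp.ubuntu.com", CLIENT, "OK (forwarded)"),
    ("2019-03-27 16:26:25", "AAAA", "ntp.ubuntu.com", CLIENT, "OK (forwarded)"),
    ("2019-03-27 07:19:01", "A", "graph.facebook.com", CLIENT, "OK (forwarded)"),
    ("2019-03-26 18:44:30", "A", "googleads.g.doubleclick.net", CLIENT, "Blocked (gravity)"),
    ("2019-03-26 18:44:30", "A", "pixel.wp.com", CLIENT, "Blocked (gravity)"),
    ("2019-03-26 18:44:30", "A", "static.doubleclick.net", CLIENT, "Blocked (gravity)"),
    ("2019-03-26 18:44:28", "A", "stats.wp.com", CLIENT, "Blocked (gravity)"),
    ("2019-03-26 17:58:48", "A", "ssl.google-analytics.com", CLIENT, "Blocked (gravity)"),
    ("2019-03-26 17:58:40", "A", "sb.scorecardresearch.com", "livingrmroku.chiefio.home", "Blocked (gravity)"),
]
SAMPLE = "\n".join("\t".join(r) for r in ROWS)

# Assumption: zones counted as "the OS vendor phoning home" for an Ubuntu box.
VENDOR_ZONES = ("ubuntu.com", "canonical.com")

def in_zone(domain, zone):
    """True if domain is the zone itself or a subdomain (matched on label boundaries)."""
    domain = domain.lower().rstrip(".")
    return domain == zone or domain.endswith("." + zone)

def owner(domain):
    """Last two labels of the name: a rough grouping heuristic, not a public-suffix lookup."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def summarize(text, client):
    """Return (blocked lookups per owner zone, vendor lookups per name) for one client."""
    blocked, vendor = Counter(), Counter()
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < 5 or row[3] != client:
            continue  # header rows, short lines and other clients
        domain, status = row[2], row[4]
        if status.startswith("Blocked"):
            blocked[owner(domain)] += 1
        if any(in_zone(domain, z) for z in VENDOR_ZONES):
            vendor[domain] += 1
    return blocked, vendor

if __name__ == "__main__":
    blocked, vendor = summarize(SAMPLE, CLIENT)
    for name, hits in blocked.most_common():
        print(f"blocked  {hits:3d}  {name}")
    for name, hits in vendor.items():
        print(f"vendor   {hits:3d}  {name}  (allowed or blocked)")
```

On the sample rows the blocked lookups all group under doubleclick.net, wp.com and google-analytics.com, and the only vendor-zone name is ntp.ubuntu.com, which is the same split between browser-driven trackers and the OS time sync that the manual scan found.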

So in the end I’m forced to realize it wasn’t Ubuntu. Canonical had used their desktop (at one time) to gather data about folks, and got roundly flamed for it. I’m not running “unity” so don’t know if they still have that issue. For xfce it doesn’t have an issue.

What did happen was that I used that system more for that day with WordPress and some random page reads, and that triggered “the usual suspects” of Google and WordPress. In the rest of the list (yes, I scanned all the blocked site list) there was a bit of Amazon (how Amazon got triggered on that system I can only surmise was an ad in some random article) and a few others. But the bulk is the “big two” for me of WordPress (since I run it constantly) and Google (since it is an intrusive octopus).

But I did learn that I need to change the time server settings ;-)

AFTER I get it to boot to a screen again…

Postscript On Secrecy

IF for some reason you want your browsing history to be secret and your site list hidden, the PiHole ought to be configured to not keep as much history. It also has a nice “flush” button if you are in a hurry to dump the history… Here’s the config settings under “security”:

Privacy settings

DNS resolver privacy level

Specify if DNS queries should be anonymized, available options are:

Show everything and record everything
Gives maximum amount of statistics

Hide domains: Display and store all domains as “hidden”
This disables the Top Domains and Top Ads tables on the dashboard

Hide domains and clients: Display and store all domains as “hidden” and all clients as “”
This disables all tables on the dashboard

Anonymous mode: This disables basically everything except the live anonymous statistics
No history is saved at all to the database, and nothing is shown in the query log. Also, there are no top item lists.

No Statistics mode: This disables all statistics processing. Even the query counters will not be available.
Note that regex blocking is not available when query analyzing is disabled.

Additionally, you can disable logging to the file /var/log/pihole.log using sudo pihole logging off.

The privacy level may be increased at any time without having to restart the DNS resolver. However, note that the DNS resolver needs to be restarted when lowering the privacy level. This restarting is automatically done when saving.

I’m presently set to the first one “Show everything and record everything”. If you want real privacy, use one of the more strict settings like the bold ones.

There’s also a nice fat button on the settings page with the title “Flush Logs” should you be in a hurry ;-) There are similar buttons to just stop logging for a while, or to both disable logging and flush logs. So if desired, you can just stop logging for a little while, get your stuff done, and then restart logging…

I do really like the PiHole design and how aware they are of the needs of adjustable security and privacy.



About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

3 Responses to Ubuntu As Advertiser Monster?

  1. E.M.Smith says:

    I put this in a comment here:

    But it really belongs in this posting / comments.

    The answer to why Ubuntu, despite my efforts with ntp configuration, was still polling ubuntu.com:

    This is a somewhat edited version of that earlier comment:

    I discovered that in /etc/systemd there’s a file named timesyncd.conf that forces time to sync, only once, with a specified server. Why? Especially when there’s been this wonderful command already debugged and working: ntpdate foo.time.org
    or whatever server you like…

    says the facility is now built in to ntpd so at some point the discrete command will end. Basically, this is a problem that has been solved, twice, and for a very long time. Long enough for one of the solutions to be on the path to deprecation in favor of the other.

    So that’s why Ubuntu kept polling ntp.ubuntu.com despite my best efforts “in the usual way” to control my time servers and services… Because systemD was doing its own thing…

    I’ve now pointed that, too, at my own time server. Attempts to get ntpd to behave as expected on Ubuntu are still marginal, though, so I think I’m not at the bottom of this particular well.

    It uses my server at start up, and syslog says ntpd is started; but ntpq -c peers or ntpq -p both claim “no association ID’s returned” even though I’m using a config that’s debugged on other systems. My “guess” is SystemD(estroyer) has buried another “Easter Egg” Uber_Master_Controller_der_Furor!!! somewhere or other that’s breaking it, too.

    It’s like someone who wasn’t very good at Systems Admin set about rewriting everything they didn’t know how to do in a not very nice way. “One Ring To Rule Them ALL!!!” and badly too.

    If ever I was feeling like maybe it would be OK to use a SystemD system this is once again reminding me why I don’t want to use SystemD Systems. SystemDaft is just too obnoxious.

  2. gallopingcamel says:

    I was a happy Ubuntu user until they came out with the Unity interface.
    Now I use Mint that is like Ubuntu used to be.

  3. E.M.Smith says:

    Mint does seem to have fixed most of the issues in Unity and other than SystemD “junk” the Ubuntu XFCE I’m running seems reasonably clean.

    I’d still rather be using a Devuan / LXDE combo, but on this board that is a DIY creation and I’m too booked on other stuff ATM to do that… Besides, were I doing a “Roll My Own” on that board I’d likely just do the FreeBSD port and be done. Given how Red Hat, Micro$oft, and others are slowly corrupting Linux (along with the PC Army assaulting Linus) I’m seriously eying BSD again. No need to rip out all the “new crap” as it never got shoved in in the first place. It stayed pure Unix.
