Or “Adventures In Paranoid Security Admin?”… A Brief run down Paranoia Lane & Security Street…
So I’m taking the RockPro64 for a spin as a MariaDB station (and finding it isn’t as stable as I’d like; nor are the big CPUs needed) when this morning, again, it boots up to a black screen. So now I’m not sure an “update upgrade” fixed it last time and maybe it’s just a semi-random “does not play well with HDMI”? But that’s for working the issue after this posting.
To find the IP number it DHCP’ed so I can login to reboot it gracefully, I launched the PiHole administrator. (The PiHole is doing a marvelous job of advertising killing and some tracker like things too, but it is also my DHCP server on that network). Well the admin panel tells you lots of nice things about what’s trying to shove ads at you and who’s your tattle-tale. Little did I expect a board that had just been brought up to rank in the top set.
Canonical (makers of Ubuntu) shoved their “Unity” desktop at folks and then were found to be collecting data with it. This naturally raises the suspicion level for them; but I’m running xfce not Unity, so that ought not be a problem. Still, a bit of “Dig Here!” seems warranted.
The top machine is the wife’s Macbook. She often is visiting sites that sell stuff and various “say news gather info shove ads” sites. Not surprising she would have the most blocked ads. Then there are 3 Roku devices on the list so you can see what TV is on the most ;-) I was very surprised when I first discovered the PiHole blocks a lot of Roku ads, but also very happy ;-) Down at the bottom of the list is the spousal I-Phone with a surprising number of ads / snoops blocked – IF I ever get an I-Phone, I’ll need “Pocket Pi-Hole” to take with me when I travel… The “Office Router” hides my internal R&D network with anything really private on it, and the 192.x.x.x systems are various random things I’ve not configured on the house network ( So pop up something like a misc laptop or burner phone on WiFi… or just the random WiFi chip on a Pi M3)
That leaves two systems in the middle. My “main daily driver” where I do a lot of this web posting / browsing / story search stuff on the “Pi M3 Workstation” and that RockPro64 that was just installed with Ubuntu and had MariaDB and some test script stuff done along with Python reports. I DID pop a browser (both Chromium & FireFox) on it to do the postings while I did the testing, but I didn’t do a whole lot of “random browsing” and didn’t have nearly as many “open tabs” as tend to hang around on the Pi M3 “Daily Driver”.
So why did the Ubuntu RockPro64 rank #3 on the Top Clients Last 24 Hours List?
Top Clients (total) Client Requests Frequency spousal-air.chiefio.home 2097 livingrmroku.chiefio.home 1942 rockpro64.chiefio.home 1091 pim3workstation 681 bedroomroku.chiefio.home 659 officeroku.chiefio.home 588 spousaliphone.chiefio.home 275 officenetrouter 189 192.168.6.74 148 192.168.6.60 37
But it gets worse. Here’s the list of “Blocked Only”. That is, those systems that asked for the most “crap” or spent the most time trying to send out information to blocked destinations. Now the Ubuntu box is #2. Beating out even the advertising driven Roku services that are on most of the day.
Now, in fairness, the Devuan Pi M3 did come in 3rd with almost as much. 154 vs 200. But I typically have a dozen plus tabs open in those browsers and use it from first coffee to after midnight. It isn’t just a “boot up and test some stuff” station.
Top Clients (blocked only) Client Requests Frequency spousal-air.chiefio.home 861 rockpro64.chiefio.home 200 pim3workstation 154 livingrmroku.chiefio.home 48 bedroomroku.chiefio.home 26 officenetrouter 24 officeroku.chiefio.home 13 192.168.6.74 13 joansmihsiphone.chiefio.home 3
Might there be a clue in the top blocked domains? Maybe, but this is over all devices so will be heavily biased by the spousal Mac and the Roku mob:
Top Blocked Domains Domain Hits Frequency ssl.google-analytics.com 102 sb.scorecardresearch.com 77 pubads.g.doubleclick.net 74 pixel.wp.com 63 www.google-analytics.com 58 www.googletagservices.com 56 googleads.g.doubleclick.net 43 www.googleadservices.com 37 stats.wp.com 34 www.googletagmanager.com 32
Mostly it’s keeping Google’s Snout out of my kilt…
The “pixel.wp.com’ is something WordPress uses, I think as a tracker of who is viewing a page, maybe… similarly stats.wp.com. Which leaves that scorecard thing. A DuckDuckGo search (I’ve broken the embedded links):
scorecardresearch
All RegionsSafe Search: ModerateAny Time
Home Page – Scorecard Research
Search domain scorecardresearch DOT com htt scorecardresearch DOT com
ScorecardResearch, a service of Full Circle Studies, Inc., is part of the Comscore, Inc. market research community, a leading global market research effort that studies and reports on Internet trends and behavior.ScorecardResearch: What is it and what does it do …
Search domain www DOT theguardian DOT com/technology/2012/apr/23/scorecardresearch-tracking-trackers-cookies-web-monitoring htt www DOT theguardian DOT com/technology/2012/apr/23/scorecardresearch-tracking-trackers-cookies-web-monitoring
Apr 23, 2012 · ScorecardResearch is part of a company called Full Circle Studies, which is owned by comScore. To put the size of comScore into some context, its factsheet claims it tracks more than three million …Preference Page – Scorecard Research
Search domain www DOT scorecardresearch DOT com/preferences-aspx?newlanguage=1 htt www DOT scorecardresearch DOT com/preferences-aspx?newlanguage=1
This opt-out will also prevent you from receiving invitations to participate in market research surveys from ScorecardResearch or VoiceFive, Inc. (an affiliate of Full Circle Studies, Inc., that offers surveys across the Internet).
While I’m glad that is being blocked, it doesn’t look like anything unique to the Ubuntu RockPro64. So I click on that systems name / entry in the list above to drill down into what it’s talking too:
Time Type Domain Client Status Reply Action Time Type Domain Client Status Reply Action 2019-03-27 16:26:25 A ntp.ubuntu.com rockpro64.chiefio.home OK (forwarded) IP (24.3ms) Blacklist 2019-03-27 16:26:25 AAAA ntp.ubuntu.com rockpro64.chiefio.home OK (forwarded) IP (23.6ms) Blacklist 2019-03-27 16:26:02 SOA local rockpro64.chiefio.home OK (forwarded) N/A Blacklist 2019-03-27 16:26:01 SOA local rockpro64.chiefio.home OK (forwarded) N/A Blacklist 2019-03-27 07:19:05 A public-api.wordpress.com rockpro64.chiefio.home OK (forwarded) IP (24.3ms) Blacklist 2019-03-27 07:19:01 A graph.facebook.com rockpro64.chiefio.home OK (forwarded) CNAME (0.9ms) Blacklist 2019-03-27 07:19:00 A s0.wp.com rockpro64.chiefio.home OK (cached) IP (1.0ms) Blacklist 2019-03-27 07:19:00 A s2.wp.com rockpro64.chiefio.home OK (cached) IP (0.9ms) Blacklist 2019-03-27 07:19:00 A s1.wp.com rockpro64.chiefio.home OK (cached) IP (0.7ms) Blacklist 2019-03-27 07:18:22 A public-api.wordpress.com rockpro64.chiefio.home OK (cached) IP (0.8ms) Blacklist
Now realize, at the moment I have a black screen and can’t even log into the board. System time ATM is March 27 17:17 UTC (yes I run on UTC…) so those entries from 07:19 are from last night.
First thing I notice it that it is getting “Time” service from Ubuntu. OK, I forgot / didn’t bother to point it to my local time server. That’s one of those minor privacy things that’s just “nice to do”. It DOES finger when a given system is “up”, so when pointed to a given site, you must trust the privacy behaviours of your upstream time server. Debian (and Devuan) by default use a large pool of contributors, so at any given time you get a different mix of folks sharing times. Privacy by random mutation. I put that in front of all my other systems with an internal time server on the Pi servers doing Squid Proxy and DNS service / blocking. So not a big thing, but a minor sanitation measure. IF using an Ubuntu box, change your time server configuration.
Then it has some local activity and some wordpress stuff. I note that somewhere along the line a posting / comment I had in a page chatted with Facebook (so they got a track / notice and I got a graph). While I generally prefer to NEVER do ANYTHING with Facebook, I’m required to to keep the blog tidy, so OK, moving on.
I can click back through several panels of this. In fact, the PiHole tells me it has 772 entries. I don’t think I’ll look at all of them…
Clicking on the “status” heading lets me filter to just “blocked” type. Here’s a chunk from page 13 of just them:
Previous1…121314…78Next Time Type Domain Client Status Reply Action Time Type Domain Client Status Reply Action 2019-03-26 18:44:30 A googleads.g.doubleclick.net rockpro64.chiefio.home Blocked (gravity) - (0.7ms) Whitelist 2019-03-26 18:44:30 A pixel.wp.com rockpro64.chiefio.home Blocked (gravity) - (0.7ms) Whitelist 2019-03-26 18:44:30 A static.doubleclick.net rockpro64.chiefio.home Blocked (gravity) - (0.9ms) Whitelist 2019-03-26 18:44:28 A stats.wp.com rockpro64.chiefio.home Blocked (gravity) - (0.9ms) Whitelist 2019-03-26 18:02:44 A stats.wp.com rockpro64.chiefio.home Blocked (gravity) - (0.8ms) Whitelist 2019-03-26 18:02:41 A pixel.wp.com rockpro64.chiefio.home Blocked (gravity) - (0.8ms) Whitelist 2019-03-26 17:58:53 A pixel.wp.com rockpro64.chiefio.home Blocked (gravity) - (0.8ms) Whitelist 2019-03-26 17:58:49 A static.doubleclick.net rockpro64.chiefio.home Blocked (gravity) - (0.7ms) Whitelist 2019-03-26 17:58:48 A stats.wp.com rockpro64.chiefio.home Blocked (gravity) - (0.7ms) Whitelist 2019-03-26 17:58:48 A ssl.google-analytics.com rockpro64.chiefio.home Blocked (gravity) - (0.6ms) Whitelist
That’s pretty much what the first 13 pages looked like. A mix of WordPress and Google. So most likely I was just my using the RockPro64 more on WordPress and with some Google stuff from pages in the blog and other stuff that was incidental to managing the blog. Essentially, for that one day, I was doing more page clicks on that box than on the Pi M3 (probably due to the way faster browsers; and that I was posting about results from that box so cut / paste / post on it.
So in the end I’m forced to realize it wasn’t Ubuntu. Canonical had used their desktop (at one time) to gather data about folks, and got roundly flamed for it. I’m not running “unity” so don’t know if they still have that issue. For xfce it doesn’t have an issue.
What did happen was that I used that system more for that day with WordPress and some random page reads, and that triggered “the usual suspects” of Google and WordPress. In the rest of the list (yes, I scanned all the blocked site list) there was a bit of Amazon (how Amazon got triggered on that system I can only surmise was an ad in some random article) and a few others But the bulk is the “big two” for me of WordPress (since I run it constantly) and Google (since it is an intrusive octopus).
But I did learn that I need to change the time server settings ;-)
AFTER I get it to boot to a screen again…
Postscript On Secrecy
IF for some reason you want your browsing history to be secret and your site list hidden, the PiHole ought to be configured to not keep as much history. It also has a nice “flush” button if you are in a hurry to dump the history… Here’s the config settings under “security”:
Privacy settings
DNS resolver privacy level
Specify if DNS queries should be anonymized, available options are:
Show everything and record everything
Gives maximum amount of statisticsHide domains: Display and store all domains as “hidden”
This disables the Top Domains and Top Ads tables on the dashboardHide domains and clients: Display and store all domains as “hidden” and all clients as “0.0.0.0”
This disables all tables on the dashboard
Anonymous mode: This disables basically everything except the live anonymous statistics
No history is saved at all to the database, and nothing is shown in the query log. Also, there are no top item lists.No Statistics mode: This disables all statistics processing. Even the query counters will not be available.
Note that regex blocking is not available when query analyzing is disabled.
Additionally, you can disable logging to the file /var/log/pihole.log using sudo pihole logging off.The privacy level may be increased at any time without having to restart the DNS resolver. However, note that the DNS resolver needs to be restarted when lowering the privacy level. This restarting is automatically done when saving.
I’m presently set to the first one “Show everything and record everything”. If you want real privacy, use one of the more strict settings like the bold ones.
There’s also a nice fat button on the settings page with the title “Flush Logs” should you be in a hurry ;-) There are similar buttons to just stop logging for a while, or to both disable logging and flush logs. So if desired, you can just stop logging for a little while, get your stuff done, and then restart logging…
I do really like the PiHole design and how aware they are of the needs of adjustable security and privacy.
I put this in a comment here:
https://chiefio.wordpress.com/2019/03/22/w-o-o-d-22-march-2019/#comment-110314
But it really belongs in this posting / comments.
The answer to why Ubuntu, despite my efforts with ntp configuration, was still polling ubuntu.com:
This is a somewhat edited version of that earlier comment:
I discovered that in /etc/systemd there’s a file named timesyncd.conf that forces time to sync, only once, with a specified server. Why? Especially when there’s been this wonder full command already debugged and working: ntpdate foo.time.org
or whatever server you like…
Though:
http://doc.ntp.org/4.1.1/ntpdate.htm
says the facility is now built in to ntpd so at some point the discrete command will end. Basically, this is a problem that has been solved, twice, and for a very long time. Long enough for one of the solutions to be on the path to deprecation in favor of the other.
So that’s why Ubuntu kept polling ntp.ubuntu.com despite my best efforts “in the usual way” to control my time servers and services… Because systemD was doing it’s own thing…
I’ve now pointed that, too, at my own time server. Attempts to get ntpd to behave as expected on Ubuntu are still marginal, though, so I think I’m not at the bottom of this particular well.
It uses my server at start up, and syslog says ntpd is started; but ntpq -c peers or ntpq -p both claim “no association ID’s returned” even though I’m using a config that’s debugged on other systems. My “guess” is SystemD(estroyer) has buried another “Easter Egg” Uber_Master_Controller_der_Furor!!! somewhere or other that’s breaking it, too.
It’s like someone who wasn’t very good at Systems Admin set about rewriting everything they didn’t know how to do in a not very nice way. “One Ring To Rule Them ALL!!!” and badly too.
If ever I was feeling like maybe it would be OK to use a SystemD system this is once again reminding me why I don’t want to use SystemD Systems. SystemDaft is just too obnoxious.
I was a happy Ubuntu user until they came out with the Unity interface.
Now I use Mint that is like Ubuntu used to be.
Mint does seem to have fixed most of the issues in Unity and other than SystemD “junk” the Ubuntu XFCE I’m running seems reasonably clean.
I’d still rather be using a Devuan / LXDE combo, but on this board that is a DIY creation and I’m too booked on other stuff ATM to do that… Besides, were I doing a “Roll My Own” on that board I’d likely just do the FreeBSD port and be done. Given how Red Hat, Micro$oft, and others are slowly corrupting Linux (along with the PC Army assaulting Linus) I’m seriously eying BSD again. No need to rip out all the “new crap” as it never got shoved in in the first place. It stayed pure Unix.