** DONE Blocking facebook on GNU/Linux via iptables :blog:surveillance:linux:privacy:
CLOSED: [2017-03-21 Tue 19:41]
:PROPERTIES:
:ID: 2017-03-21-blocking-facebook
:CREATED: [2017-03-21 Tue 19:16]
:END:
:LOGBOOK:
- State "DONE" from "NEXT" [2017-03-21 Tue 19:41]
:END:

I am not using facebook for [[id:2016-11-12-cloud][a broad variety of reasons]]. Unfortunately, this does not stop facebook from tracking your online behavior with their [[https://www.startpage.com/do/search?q=facebook+like+button+tracking][like-buttons]], [[https://www.startpage.com/do/search?q=facebook+permanent+cookie][permanent cookies]] and such. With this state-of-the-art surveillance technology, [[http://www.pnas.org/content/112/4/1036][facebook knows you better than most of your friends]].

When you have the fortune of not having to use facebook directly, you can start thinking of radical ways to block most parts of facebook from your life.

--------------------

For example, you can use your GNU/Linux =iptables= firewall to block the IP ranges of facebook. Don't execute this script I got [[http://unix.stackexchange.com/questions/166453/how-to-completely-block-a-website-like-facebook][from here]] unless you understand what it does:

#+BEGIN_SRC sh
# Query RADB for all routes originated by AS32934, keep the prefix of each
# "route:" line, turn it into an iptables command and run the result as root.
/usr/bin/whois -h "whois.radb.net" -- '-i origin AS32934' | \
  grep -E "^route:" | \
  awk '{print $NF}' | \
  sed -r 's/(.*)/iptables -I OUTPUT -d \1 -j REJECT/' | \
  sudo -s source /dev/stdin
#+END_SRC

The script retrieves information about facebook via [[http://bgp.he.net/AS32934][their]] [[https://en.wikipedia.org/wiki/Autonomous_system_%2528Internet%2529][AS number]], extracts the routed IP ranges, and sends them to the [[https://en.wikipedia.org/wiki/Iptables][iptables firewall]] to reject outgoing packets addressed to facebook once and for all.

I execute this via [[https://en.wikipedia.org/wiki/Cron][cron-job]] after each reboot in order to get the most current IPs.

This is not bullet-proof.
First of all, many sites cooperate with facebook, sharing their data with facebook. Several information retrieval scripts are not run by facebook directly and therefore use different IPs than those registered by facebook.

And then there is the side-channel attack you can't avoid: your friends and acquaintances who are happy to upload their contact database (smartphone) to facebook in order to «find their friends in the most convenient way». This data is therefore leaked to and stored by facebook to [[https://www.startpage.com/do/search?q=facebook+shadow+profile][maintain your profile even when you have not created one yourself]].

Minimizing the footprint is the way to go.
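
An added example (not from the original post or the Stack Exchange answer): the pipeline above sources text from a remote whois server in a root shell, so this variant accepts a =route:= value only if it is a well-formed IPv4 CIDR prefix and loads the result into a dedicated chain that can be rebuilt on every run. The chain name =FB_BLOCK=, the =IPTABLES= override and the sample whois data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the post's script. FB_BLOCK, IPTABLES and the sample data are assumptions.

# Constructed whois output: two valid prefixes, a duplicate, and three lines to reject.
sample_whois() {
  cat <<'EOF'
route:      192.0.2.0/24
descr:      constructed sample record
origin:     AS64500
route:      198.51.100.0/24
route:      192.0.2.0/24
route:      300.1.1.0/24
route:      203.0.113.0/24;echo-injected
route6:     2001:db8::/32
EOF
}

# Read whois output on stdin, print only syntactically valid IPv4 CIDR prefixes.
# route6: lines are skipped, as in the original pipeline (IPv6 would need ip6tables).
extract_routes() {
  awk '$1 == "route:" && $NF ~ "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+/[0-9]+$" {
         split($NF, p, "[./]")
         if (p[1]+0 <= 255 && p[2]+0 <= 255 && p[3]+0 <= 255 && p[4]+0 <= 255 && p[5]+0 <= 32)
           print $NF
       }' | sort -u
}

# Rebuild a dedicated chain from validated prefixes. Run as root with real whois output:
#   whois -h whois.radb.net -- '-i origin AS32934' | apply_rules
apply_rules() {
  ipt=${IPTABLES:-iptables} chain=FB_BLOCK
  routes=$(extract_routes)
  # An empty result usually means the lookup failed: keep the rules already loaded.
  [ -n "$routes" ] || { echo "no valid routes, firewall unchanged" >&2; return 1; }
  $ipt -N "$chain" 2>/dev/null || true      # create the chain on first run
  $ipt -F "$chain"                          # drop prefixes from the previous run
  $ipt -C OUTPUT -j "$chain" 2>/dev/null || $ipt -I OUTPUT -j "$chain"
  for cidr in $routes; do                   # safe to split: digits, dots, slash only
    $ipt -A "$chain" -d "$cidr" -j REJECT
  done
}

# Dry run: print the commands instead of touching the firewall.
dry_run() { printf 'iptables %s\n' "$*"; }
sample_whois | IPTABLES=dry_run apply_rules
```

Because every rule lives in its own chain, =iptables -F FB_BLOCK= removes the block again without touching other =OUTPUT= rules.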