facebook spying on us?

Hi,

I see that I have multiple TCP sessions established with facebook. They come up even after I reboot my laptop and don't login to facebook!

D:\Documents and Settings\gkent>netstat -a | more

Active Connections

  Proto  Local Address          Foreign Address                                      State
  TCP    gkent:3974             www-10-02-snc5.facebook.com:http                     ESTABLISHED
  TCP    gkent:3977             www-11-05-prn1.facebook.com:http                     ESTABLISHED
  TCP    gkent:3665             a184-84-111-139.deploy.akamaitechnologies.com:http   ESTABLISHED

[clipped]

Any idea why these connections are established (with facebook and akamaitechnologies) and how I can kill them? Since my laptop has several connections open with facebook, what kind of information is flowing there?

I also wonder about the kind of servers facebook must be having to be able to manage millions of TCP connections that must be terminating there.

Glen

Did you start your browser before looking at your connection list? However, you're on a Windows box, so it wouldn't surprise me if they helpfully started IE for you.... If you didn't start the browser you use to go to facebook (and it's not IE), it's fairly interesting.

(Being this is a Windows box) Want to scare yourself silly?

 . Power off the PC;
 . Plug it into a switch;
 . Mirror the PC port into a Unix box running Wireshark;
 . Boot the PC.

Enjoy all the info leakages from all the apps you installed over the years.

-----
Alain Hebert  ahebert@pubnix.net
PubNIX Inc.  50 boul. St-Charles, P.O. Box 26770, Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On Sep 29, 2011, at 9:13 AM, Glen Kent wrote:
Use a sniffer like Wireshark, and see what the traffic is? Are you using a chat program that supports facebook chat? Or perhaps a game or an application that uses facebook for something? Really it could be anything as there are lots of applications that have grown up around the Facebook ecosystem. Also, are you browsing the web? There are facebook like buttons and the such all over the web. So you don't even need to be logged in or have visited yet after the reboot.
Lots of them. There is video of their new DC floating around that shows them.. http://www.datacenterknowledge.com/archives/2011/04/18/video-inside-facebook...

-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon) Key ID: 0x370D752C

Base 8 is just like base 10, if you are missing two fingers. - Tom Lehrer

At least on a Win 7 box, netstat -b gives the process that initiated the connection. Likely opened due to a link or something from some other web page.

-----Original Message-----
From: Patrick Muldoon [mailto:doon.bulk@inoc.net]
Sent: Thursday, September 29, 2011 9:25 AM
To: Glen Kent
Cc: nanog@nanog.org
Subject: Re: facebook spying on us?

On Thu, 29 Sep 2011 18:43:49 +0530, Glen Kent said:
Probably you visited other pages that have links to Facebook on them. Try installing NoScript or similar in your browser and don't allow Facebook javascript, and see if these connections evaporate. Akamai is a content-caching service, just means somebody paid to have their content be (hopefully) nearer to you network-wise.
Two words: Big Honkin' Load Balancers. OK, maybe more than two words. ;)

On Thu, Sep 29, 2011 at 06:43:49PM +0530, Glen Kent wrote:

For the more paranoid open source users, I have found using the xxxterm web browser to help quite a bit. You can read about it at http://www.xxxterm.org

Well what's making the connection? It looks like unencrypted http, if your social security number and last known addresses are streaming by you should be able to see them. It's a bit of a jump to say that FB (not that I'm particularly fond of them) is spying on you from a single netstat command. You probably clicked login with facebook for some site and it's just autologging you in or overzealous prefetching. Either way, I think we can all stop making tinfoil hats now...

Hey all. A little off topic, but wanted to share...

I purchased a home storage Synology DS1511+. After configuring it on the home net, I did some captures to look at the protocols, and noticed that the DS1511+ is making outgoing connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a regular basis. These addresses are owned by Synology and Chungwa Telecom in Taiwan. So far, I've not been able to find much information on their support sites, or Synology's wiki, but I wanted to put it out there.

GET / HTTP/1.1
Host: 59.124.41.245:81
Accept: */*

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 00:11:00 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0c PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 103
Content-Type: text/html

----------------------------------------
Barry Jones - CISSP GSNA
Project Manager
Sempra Energy Utilities
www.sempra.com
(760) 271-6822
----------------------------------------

In a message written on Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
Perhaps a little further digging was in order? For instance, putting the IP and port in a web browser (http://59.124.41.245:81) which returns:

<html><head><title>Current IP Check</title></head><body>Current IP Address: REDACTED</body></html>

Looking at Synology's web page we find: http://www.synology.com/dsm/internet_connection.php?lang=us

If they are going to do things like UPnP to open a port, and then DDNS to let you get there from the outside world then the box needs to know your outside NAT address, and simple relays like this are the best bet. It's another ugly hack to get around the problems of a NAT in the middle. I bet the box also checks for a new version of software from time to time.

While I would like vendors to better disclose the "phone home" behavior of their devices, virtually every computing device does this in some way or another if only to check for new software. Windows and Macs check a web server to know if you are "connected to the internet" or not. NAT traversal often uses a relay. DDNS registrations need the real IP, and so on. Not much to see here, really, other than how ugly some of our protocols are in the real world.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

----- Original Message -----
From: "Nathan Eisenberg" <nathan@atlasnetworks.us>
Why not? You can poke holes in it specific to *workstations*; anything that isn't a workstation doesn't generally need to be phoning home without you knowing about it...

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

No, the prudent and knowledgeable home admin does not have a default deny rule just for outgoing HTTP to port 80. He has a default deny rule for _everything_. Every internal source address, and every destination port. Then he pokes holes in that 'deny everything' for specific machines to make the kinds of external connections that _they_ need to make.

Blocking outgoing port 80, _except_ from an internal proxy server, is not necessarily a bad idea. If the legitimate web clients are all configured to use the proxy server, then _direct_ external connection attempts are an indication that something "not so legitimate" may be running.
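An added example, not code from anyone in this thread: a small Python script that puts the two suggestions above together, the netstat -b tip (run as netstat -bno so the PID and owning image are printed alongside each socket) and the default-deny egress policy with a proxy exception. It parses a saved netstat capture, attaches each bracketed image name to the socket line it follows, and flags every established TCP connection that no allow-list entry covers, so a direct connection to port 80 from a machine that is supposed to use the proxy shows up with the process that opened it. The netstat capture is constructed for the example: the 203.0.113.x addresses are TEST-NET placeholders standing in for the facebook.com hosts in the original post, 184.84.111.139 is read off the Akamai reverse name a184-84-111-139.deploy.akamaitechnologies.com, and the proxy at 192.168.1.2:3128 and the image names are assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample modelled on `netstat -bno` output from a Windows workstation
# (`-b` needs an elevated prompt on Vista and later). The 203.0.113.x addresses are
# TEST-NET placeholders for the facebook.com hosts in the post; 184.84.111.139 is read
# off the Akamai reverse name a184-84-111-139.deploy.akamaitechnologies.com.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:3974      203.0.113.10:80        ESTABLISHED     2104
 [firefox.exe]
  TCP    192.168.1.10:3977      203.0.113.11:80        ESTABLISHED     2104
 [firefox.exe]
  TCP    192.168.1.10:3665      184.84.111.139:80      ESTABLISHED     3320
 [SynologyAssistant.exe]
  TCP    192.168.1.10:3702      192.168.1.2:3128       ESTABLISHED     2104
 [firefox.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 [System]
  UDP    0.0.0.0:500            *:*                                    1040
 [lsass.exe]
"""

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid process")

# Socket line: proto, local addr:port, foreign addr:port, optional state (UDP has none), PID.
SOCKET_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:(\S+)\s+)?(\d+)\s*$"
)
# `-b` prints the owning image name in brackets on a line after the socket line
# (preceded, for some services, by the DLLs that own the socket).
IMAGE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat(text):
    """Return a list of Conn records from saved `netstat -bno` output."""
    conns = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state, pid = m.groups()
            conns.append(Conn(proto, laddr, lport, raddr, rport, state or "", int(pid), None))
            continue
        m = IMAGE_RE.match(line)
        if m and conns:
            # The bracketed image belongs to the most recent socket line seen.
            conns[-1] = conns[-1]._replace(process=m.group(1))
    return conns


# Default-deny egress policy for one workstation, in the spirit of the thread: nothing
# leaves unless an entry here allows it. Entries are (image name or "*", destination
# network, destination port). The proxy at 192.168.1.2:3128 is an assumed LAN host.
ALLOW = [
    ("firefox.exe", "192.168.1.2/32", 3128),  # browsers talk to the proxy, never direct
    ("chrome.exe", "192.168.1.2/32", 3128),
    ("*", "192.168.1.0/24", 445),  # LAN file sharing from any image
]


def rule_matches(conn, rule):
    image, net, port = rule
    if image != "*" and (conn.process or "").lower() != image.lower():
        return False
    if conn.rport == "*":
        return False
    try:
        dst = ipaddress.ip_address(conn.raddr.strip("[]"))
    except ValueError:
        return False  # a resolved name (netstat run without -n) never matches a CIDR rule
    return dst in ipaddress.ip_network(net) and int(conn.rport) == port


def violations(conns, allow=ALLOW):
    """Established or connecting TCP sockets that no allow rule covers.

    netstat does not record direction, so an accepted inbound connection also shows
    as ESTABLISHED; check the local port before concluding a flagged entry is outbound.
    """
    return [
        c
        for c in conns
        if c.proto == "TCP"
        and c.state in ("SYN_SENT", "ESTABLISHED")
        and not any(rule_matches(c, r) for r in allow)
    ]


def report(text, allow=ALLOW):
    """One line per policy violation: owning image, PID and where it is talking to."""
    return [
        f"{c.process or '?':<24} pid {c.pid:<6} -> {c.raddr}:{c.rport}"
        for c in violations(parse_netstat(text), allow)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print(line)
```

Run against a real capture with `netstat -bno > conns.txt` from an elevated prompt and feed the file to `report()`; the allow-list is the part to adapt, one entry per hole you have deliberately poked in the default deny. The LISTENING and UDP entries are skipped on purpose, since they are not outbound connections, and the proxy connection passes while the three direct port-80 connections are reported with their owning process.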

----- Original Message -----
From: bmanning@vacation.karoshi.com
I'm pretty sure that was a "wife approval factor"/"not everyone's a geek" observation, Bill.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

On 09/30/2011 06:13, Jay Ashworth wrote:
"not everyone's a geek"
Right! Doug (wait, what?!?) -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/

On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
Perfectly fine. My users know not to go plugging random devices in, and I properly configure the firewall to account for all legitimate traffic before the device is commissioned. - Matt

The easy way around the unhappy significant other/minion shaped offspring solution is to put all of the "end user" devices on a separate VLAN, and then treat that as an open DMZ. Then everything operational (ironic in a home) on your secured production network (restrict all outbound/inbound except what is needed). If you really want to complicate it you should even put your wireless into a separate VLAN as well, and secure it as appropriate. Gives you the ability to firewall between networks, thus making sure that when your minions eventually get something nasty going on the PC they use, it doesn't spread through the rest of the network. Also means you can deploy some form of content filtering policies through various solutions to prevent your minions from discovering the sites running on the most recent TLD addition.

This assumes that most people reading this email have the ability to run multiple routed subnets behind their home firewall. Be it a layer 3 switch with ACLs or multiple physical interfaces and the ability to have them act independently.

Personally I run 8 separate networks (some with multiple routed subnets). Wireless data, management network, voice networks, game consoles, storage, internal servers, DMZ servers and Project network. Only reason why there is no "end user" network is that there are no wired drops anywhere in the house, so that falls under the wireless data. That network gets internet access and connectivity to file sharing off the internal servers and all internet traffic runs through Anti-Virus/Anti-Spyware before going outbound and inbound.

Blake

In a message written on Fri, Sep 30, 2011 at 01:56:42PM +0000, Blake T. Pfankuch wrote:
> Personally I run 8 separate networks (some with multiple routed subnets). Wireless data, management network, voice networks, game consoles, storage, internal servers, DMZ servers and Project network. Only reason why there is no "end user" network is that there are no wired drops anywhere in the house, so that falls under the wireless data. That network gets internet access and connectivity to file sharing off the internal servers and all internet traffic runs through Anti-Virus/Anti-Spyware before going outbound and inbound.

You've inspired me to go invest in Alcoa stock. NYSE AA for anyone else interested. The tin-foil demand in this thread alone must have them running an extra shift. :)

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

On 09/30/2011 08:56 AM, Blake T. Pfankuch wrote:
> The easy way around the unhappy significant other/minion shaped offspring solution is to put all of the "end user" devices on a separate VLAN, and then treat that as an open DMZ. Then everything operational (ironic in a home) on your secured production network (restrict all outbound/inbound except what is needed). If you really want to complicate it you should even put your wireless into a separate VLAN as well, and secure it as appropriate. Gives you the ability to firewall between networks, thus making sure that when your minions eventually get something nasty going on the PC they use, it doesn't spread through the rest of the network. Also means you can deploy some form of content filtering policies through various solutions to prevent your minions from discovering the sites running on the most recent TLD addition.

Packet fence. Per user vlans. RADIUS back end auth with one time passwords. I'm trying to package all this into a turnkey distro for my own deployment across hundreds of sites. As such I need it anyway and don't mind open sourcing it. It's been an on again/off again project but it's really close to release.

> This assumes that most people reading this email have the ability to run multiple routed subnets behind their home firewall. Be it a layer 3 switch with ACLs or multiple physical interfaces and the ability to have them act independently.

Routing on a stick to pfSense for me. Though I could use my l3 switch I guess. *shrugs*

> Personally I run 8 separate networks (some with multiple routed subnets). Wireless data, management network, voice networks, game consoles, storage, internal servers, DMZ servers and Project network. Only reason why there is no "end user" network is that there are no wired drops anywhere in the house, so that falls under the wireless data. That network gets internet access and connectivity to file sharing off the internal servers and all internet traffic runs through Anti-Virus/Anti-Spyware before going outbound and inbound.

No. You aren't paranoid enough. See above. If it was turnkey, more people would use it.

--
Charles N Wyble
charles@knownelement.com
@charlesnw on twitter
http://blog.knownelement.com
Building alternative, global scale, secure, cost effective bit moving platform for tomorrow's alternate default free zone.

Yep!

-----Original Message-----
From: Matthew Palmer [mailto:mpalmer@hezmatt.org]
Sent: Thursday, September 29, 2011 2:31 PM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
And this is why the prudent home admin runs a firewall device he or she can trust, and has a "default deny" rule in place even for outgoing connections. - Matt

Or, open those specific ports as needed, then close. PITA though (pain in the @ss).

I can't tell you the kind of servers, but I can say that I was recently in Prineville, OR, where FB is building a data center (and a second data center). I was used to the ol' data centers - you know, where there's raised floors, cabinets, cool air, a guard and a few guys around with some screens? But this was massive. I was amazed at the size - a few city blocks long and a city block wide, with a transformer and power line the size of a small city. I wonder if the Feds were involved.

http://www.oregonlive.com/business/index.ssf/2010/01/facebook_picks_prinevil...

> "I also wonder about the kind of servers facebook must be having to be
> able to manage millions of TCP connections that must be terminating there."

hey joelja this August 2011 article in the Economist outlines some relevant info about the prineville, oregon FB datacenter. http://www.economist.com/node/21525237 steve

Steven G. Huter wrote:
Informative article..."It's the climate, stupid". Got a laugh out of: "The server racks are nearly silent, and their internal fans whirr almost imperceptibly. The only exceptions are network switches which, Facebook staff notes, are perversely designed by even the biggest firms to vent air out of their sides. As a result, they run loud and hot-and are openly sworn at."

On 9/30/11 15:19 , Steven G. Huter wrote:
Ambient cooling is important just like power is important, but sonic.net gets ~240 days of ambient in Santa Rosa so it's feasible.

Wholesale market prices are driven by availability from the largest producer, so you'll pay market price as benchmarked at the Bonneville transmission yard just as in much of California and AZ the reference price is at Palo Verde, AZ. There's only one coal plant in Oregon and it's 600MW of generating capacity in Boardman; that's Portland General Electric.

We've got a 20MW interruptible contract with Silicon Valley Power precisely because it's vanishingly close to the wholesale rate compared to PGE's pricing structure, so if you ever wonder why the DCs are in Sunnyvale and Santa Clara but not Mountain View, there's a good reason.
steve

That comment about wholesale prices is not actually quite true here in the northwest where avoiding BPA actually sometimes results in cheaper power (ie Grant, Douglas and Chelan counties whose PUDs own their own dams and are obligated to service their customers and as non-profits actually sell to retail users at near the wholesale grid rates since they have nearly zero cost). Because PacifiCorp is a private utility they are actually only able to get the leftovers of the hydro from the northwest, BPA must sell to public utilities first (even if it is LA) so there are effectively two prices here in the northwest for wholesale and that is why PacifiCorp, Portland General and Puget Sound Energy all have far far higher rates than the public utilities, even the public utilities with no generation of their own.

I was pretty surprised about facebook's choice as well, almost an identical climate can be found along the Columbia river in the same places that the very cheapest power is located. They must have some other factors than just weather significantly contributing to the costs to justify not going for the cheapest power.

John

----- Original Message -----
From: "Barry Jones" <BEJones@semprautilities.com>
Data Center Knowledge posted about 20 minutes of very poorly shot video of Prineville. They're Open Compute servers in 'triplet' racks.
Their power supply (also open) runs across 2 legs of a 277/480 3-phase feed, which is usually what the substation supplies to your PDUs, which step it down further to 120/208. It also takes -48, and each pair of triplets has a 48V float string that will run the 180 servers for about 45 seconds.

It's a nice setup. I plan to steal it. :-)

(The substation input voltage is very often 13k2 to 13k8, though it can be even higher.)

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

It's a nice setup. I plan to steal it. :-)
That's what they want you to do - check out the specs on http://opencompute.org/ -- Simon.

On Thu, Sep 29, 2011 at 8:13 AM, Glen Kent <glen.kent@gmail.com> wrote:
For what it's worth, with some kernel tuning you can maintain 500k - 1MM persistent connections on a mid-range Linux box. Providers of mobile push-notification services seem to be the ones most actively pushing these limits publicly. Urban Airship has posted some information on how they maintain 500k connections on EC2 m1.large instances: http://urbanairship.com/blog/2010/08/24/c500k-in-action-at-urban-airship/ http://urbanairship.com/blog/2010/09/29/linux-kernel-tuning-for-c500k/ WhatsApp claim to be able to maintain 1MM connections on single machine, although details are thin: http://blog.whatsapp.com/index.php/2011/09/one-million/ http://news.ycombinator.com/item?id=3028547 (discussion) -n
Participants (30): Alain Hebert; Blake T. Pfankuch; bmanning@vacation.karoshi.com; Callahan Warlick; Charles Mills; Charles N Wyble; David Hill; Doug Barton; Eric Clark; Erik Soosalu; Glen Kent; Greg Ihnen; Jason Duerstock; Jay Ashworth; Joel jaeggli; John van Oppen; Jones, Barry; Keegan Holley; Leo Bicknell; Matthew Palmer; Michael Painter; Nathan Eisenberg; nick hatch; Patrick Muldoon; Pierre-Yves Maunier; Robert Bonomi; Seth Mattinen; Simon Leinen; Steven G. Huter; Valdis.Kletnieks@vt.edu