Microsoft Takes a Refreshing Plunge in the Scroogle Pool

  • Minimise my touchpoints with companies like Microsoft and Google. Don’t use their products or services, as far as is practical. (As far as Microsoft goes, I think I may be at zero. I even “left” LinkedIn when they bought it.)
  • Use browser extensions and also DNS poisoning to attack tracking that is embedded in web sites.
  • I’ve set some of my web sites to attempt to disable crawling.
  • Mail client blocks external images by default (e.g. tracking pixels).
  • Run my own incoming and outgoing mail server.

I certainly haven’t reached full disengagement from Big Tech. For example, I still buy from Amazon when an item can’t be obtained from a local supplier.

So I am moving to a position where neither “trust” nor “verify” is relevant - since I have no way to verify and since it is either known that trust should not be given or it is doubtful that trust should be given.

2 Likes

Never heard of this technique. What is it exactly?

I know Proton does this for tracking pixels.
Which Mail client are you using (especially for identifying/blocking tracking pixels)? Can this be done on ThunderBird via config or else some extension?

1 Like

I just meant like e.g. Pi Hole. So domains that you never want to visit (such as most domains that contain “google”) resolve, via DNS, to something invalid. I think Pi Hole uses a publicly available block list with thousands of privacy-invasive domains.

The result is that things that are phoning home and using a domain name to do so will fail to phone home.

Thunderbird. I doubt that TB can identify tracking pixels. I just meant: disable all external images by default. That is standard TB functionality.

2 Likes

I simply do not participate in such platforms. The only exception would be ICANN and its root servers, so I challenge that by using Tor onion services and other alternative networks.

Ah, Ok. I know Pi Hole, but don’t have such a setup. I feel I can pretty much achieve the same result by using very fine-grained UBO and NoScript rules locally in TBB (modified for clearnet only, no Onions)
I find this easier, because blocking javascripts execution is my default behaviour and whitelisting occasionnally used if really needed - and also the fact that one can modify things sorta “on-the-fly” from within the browsing session - no need to go and change a rule in another device. Personal preference, I would say.

That was precisely my question, because I like TB, but would also be willing to switch to some other Mail client if that can resolve this damn tracking pixels issue that has spread like pest!
But on the other hand, I am not ready to disable images globally - pretty much everything is sent HTML now. I wonder how ProtonMail does its filtering with such 100% pest control…

1 Like

Related:

Thank you for your suggestion.
I had such a bad time with Tutanota! They never let me create an account without having to give my precious (still uncompromised) phone # away…
They won’t accept Proton accounts for email registration. They also refuse any remailer they can spot. They ask for captcha that never can be solved. Then when everything seems alright, like you finally are about to sucessfully create your account, the next page will tell you “Sorry, we were unable to process your request - please try again later
Finally, I entirely gave up on them. Not even sure I want to read their lengthy support - but thanks for the link anyway.

2 Likes

Tuta(nota) does not require a phone number or recovery email address to use their services.

Otherwise, see my post on the Tor Project Forum for more webmail providers sharing similar criteria.

Which TB supports just fine. It is only by default that all remote images (all remote content) can be disabled. You can then override (“Exceptions”) on a per-sender, and/or per-image-source, and/or per-email basis. (Emphasis in the sentence above is because HTML these days is perfectly capable of embedding images within the HTML source and that is therefore not subject to this privacy threat.)

So, for example, you might choose to allow, by exception, email from friends and colleagues to include remote images in their emails but everyone else is by default blocked e.g. most of the companies that you deal with, who are spamming you and tracking you.

It is fairly difficult to identify tracking pixels because if you fetch the image, in order to examine it, then you have already failed. So any decision about whether to fetch the image or not can only be made on the basis of the information in the HTML e.g. alt text or, if specified, width and depth, or URL. Hence if the attacker controls the HTML (assumed to be the case) then there is little or no information to go on. One can imagine a range of possible approaches to dealing with that but I am pretty sure that TB does not use any of them. So effectively it defers to your judgement alone.

One benefit of an approach like Pi Hole is that it covers your whole network. (But for a mobile device that is also a disadvantage since it then doesn’t cover the device when the device is away from home, unless you run Pi Hole locally on the device.)

3 Likes

Sorry, that was not my experience. But this was quite some years ago, so their policies may have changed.

maybe not. But they do ask for one at registration - or else a phone number. They want some way of identification. True enough though, at some point they were plagued with bots and spam. They had strengthened their registration policies - so that it was not possible to register without giving some information that could be in some way linked to you. Also the fact that they would not accept ProtonMail for registration confirmation, that was really … (won’t even say the word!)

1 Like

Tuta(nota) does not ask for either during signup anymore.

The next page is the recovery code.

1 Like

Well, this is new information to me. As I said, I gave up on trying to register few years ago. So their privacy for the registration process has much improved. I will try again then.

1 Like

Note that the screenshot is from my Librem 5 USA using Firefox ESR, so if you are using Tor Browser, your experience may be different from mine.

You just gave me a good idea how to improve things slightly:

  • since I already compartmentalize all my email activity in many different Qubes AppVM instances for different groups, nature or purpose for communications, I can then locally adjust rules (e.g. only text for friends or family, images allowed for online ordering, etc) in each VM separately.
2 Likes

Or multiple lists, all at once. :slight_smile:
Examples: GitHub - StevenBlack/hosts: 🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.

Fortunately, Pi-hole, given the right hosts file(s), should block these on your home network, even if you enable remote content.

This. Not just computing devices, but also IoT: “Smart” TV, streaming boxes, gaming devices, doorbell-cum-camera, fridge, robot vacuum, etc…

For the Librem 5 (or other computing devices, really), you could potentially copy one of the tracker-blocking lists to hosts… not sure if there’s a size limit there.
Or use OpenSnitch (See New Post: Snitching on Phones That Snitch on You). For Android - preferably degoogled - use a FOSS app like Blokada 5 or TrackerControl, which can make use of the established public blocklists. (Maybe similar for iPhones/iPads…?)

Also, many VPN providers offer DNS filtering, using some of the same blocklists.

I believe it’s also possible to connect to your network Pi-hole installation remotely, although that’s probably not a good idea.

1 Like

Where it can be difficult is e.g. your ISP sends you an email, the sender is something@yourisp.com, the email is HTML but does not contain embedded images, the HTML references images on yourisp.com

Clearly you aren’t going to Pi Hole yourisp.com (because e.g. you need that domain to manage your account).

So if you enable remote content, your ISP will know when you read their email, what your IP address was at the time you read their email, and potentially other information.

Where Pi Hole works best is for global snoops like doubleclick.net, googleanalytics.com, … who will show up all over the place.

So I use both: disable remote content by default and DNS poisoning.

2 Likes

But if yourisp.com’s emails (or website) do embed tracking pixels, and if the blocking file(s) you’ve loaded in Pi-hole block those specific tracking pixels, then even if you enable remote content in the email, the Pi-hole block list (or uBlockOrigin in the browser) will prevent the pixel from connecting. Even with remote content disabled, though, I imagine that if you click on a link in the email from yourisp.com and it takes you to their website, they will know you clicked from their email, despite the Pi-hole blocking.

If you view Stephen Black’s Unified hosts file targeting adware and malware, and search on the word “pixel,” it finds 241 instances (as of today) of such links, including e.g. pixel.facebook.com.

Again, though, if you’re connected to a VPN service, then Pi-hole is bypassed in favor of the VPN’s DNS servers, unless you can opt to use your own DNS server. Fortunately, my VPN service includes DNS filtering with similar hosts lists, and wildcard domain blocking, so I’m also covered when away from my home network.

2 Likes

That is usually called “DNS sinkhole” or “DNS blackhole”. DNS poisoning (aka DNS spoofing) generally means something different. DNS poisoning is usually part of an attack where something malicious attacks your DNS and/or DNS cache to redirect your requests to a malicious site. DNS spoofing - Wikipedia . By the way, these sorts of attacks are exactly why one doesn’t want to use systemd’s resolver since it is still not robust to such attacks.

1 Like

My assumption is that your ISP is wise to that. The tracking pixel is hosted on yourisp.com itself and so it is doubtful that you can use Pi Hole to block that domain.

Yes, VPN makes it more complicated still. (That is an argument for a local DNS server, which can filter out snooper domains, and then resolve the rest over the VPN. You would then disable filtering by the VPN provider - so that the experience is identical regardless of the network situation.)

Yep. There is an attack (class) that goes by that name. I am using the name to refer more generally to any kind of distortion away from true DNS results, regardless of who is doing it (a hacker, your government, yourself).

2 Likes

I don’t think my ISP is particularly wise to anything. :rofl: Their site is infested with the standard, ubiquitous Google prefab spyware.

I see what you mean, though.

2 Likes