facebook spying on us?

Hi,

I see that I have multiple TCP sessions established with Facebook.
They come up even after I reboot my laptop and don't log in to Facebook!

D:\Documents and Settings\gkent>netstat -a | more

Active Connections

  Proto Local Address Foreign Address State
  TCP gkent:3974 www-10-02-snc5.facebook.com:http ESTABLISHED
  TCP gkent:3977 www-11-05-prn1.facebook.com:http ESTABLISHED
  TCP gkent:3665 a184-84-111-139.deploy.akamaitechnologies.com:http ESTABLISHED

[clipped]

Any idea why these connections are established (with facebook and
akamaitechnologies) and how I can kill them? Since my laptop has
several connections open with facebook, what kind of information is
flowing there?

I also wonder about the kind of servers Facebook must have to be
able to manage the millions of TCP connections that must be terminating
there.

Glen

Could be something related to the earlier cookie controversy that was
discussed.

I didn't dig too deeply into exactly what they were doing, however.

Chuck

Did you start your browser before looking at your connection list?

However, you're on a Windows box, so it wouldn't surprise me if they helpfully started IE for you....

If you didn't start the browser you use to go to Facebook (and it's not IE), it's fairly interesting.

Use 'netstat -ao' to see which process(es) they are associated with.
Then use a sniffer to see what actual traffic they carry.

Jason
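One way to follow the `netstat -ao` advice above without eyeballing the listing, as an added example that is not from the thread: parse the output, group the established connections by owning PID, and ask which PIDs talk to a given domain. The sample listing is constructed from the lines Glen posted plus an invented PID column and a UDP row.

```python
from collections import defaultdict

# Constructed sample, modelled on the listing in the thread, with the PID
# column that `netstat -ao` adds on Windows (PIDs and the UDP row are invented).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address   Foreign Address                                     State        PID
  TCP    gkent:3974      www-10-02-snc5.facebook.com:http                    ESTABLISHED  2244
  TCP    gkent:3977      www-11-05-prn1.facebook.com:http                    ESTABLISHED  2244
  TCP    gkent:3665      a184-84-111-139.deploy.akamaitechnologies.com:http  ESTABLISHED  2244
  TCP    gkent:1025      gkent:0                                             LISTENING    4
  UDP    gkent:137       *:*                                                              4
"""

def parse_netstat(text):
    """Return one dict per TCP/UDP row; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # banner, header and blank lines
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        host, _, port = foreign.rpartition(":")
        rows.append({"proto": proto, "local": local, "host": host,
                     "port": port, "state": state, "pid": int(pid)})
    return rows

def by_pid(rows, state="ESTABLISHED"):
    """Group the remote endpoints of connections in `state` by owning PID."""
    groups = defaultdict(list)
    for r in rows:
        if r["state"] == state:
            groups[r["pid"]].append(f'{r["host"]}:{r["port"]}')
    return dict(groups)

def pids_talking_to(rows, domain):
    """PIDs with an ESTABLISHED connection to `domain` or any host under it."""
    suffix = "." + domain.lstrip(".")
    return sorted({r["pid"] for r in rows if r["state"] == "ESTABLISHED"
                   and (r["host"] == domain or r["host"].endswith(suffix))})

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, peers in by_pid(rows).items():
        print(pid, peers)   # name it with: tasklist /FI "PID eq <pid>"
```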

( Being this is a Windows box)

     Want to scare yourself silly?

     . Power off the PC;
     . Plug it into a switch;
     . Mirror the PC port into a Unix box running Wireshark;
     . Boot the PC

     Enjoy all the info leakages from all the apps you installed over the years.

Hi,

I see that I have multiple TCP sessions established with Facebook.
They come up even after I reboot my laptop and don't log in to Facebook!

D:\Documents and Settings\gkent>netstat -a | more

Active Connections

Proto Local Address Foreign Address State
TCP gkent:3974 www-10-02-snc5.facebook.com:http ESTABLISHED
TCP gkent:3977 www-11-05-prn1.facebook.com:http ESTABLISHED
TCP gkent:3665 a184-84-111-139.deploy.akamaitechnologies.com:http ESTABLISHED

[clipped]

Any idea why these connections are established (with facebook and
akamaitechnologies) and how I can kill them? Since my laptop has
several connections open with facebook, what kind of information is
flowing there?

Use a sniffer like wireshark, and see what the traffic is?

Are you using a chat program that supports facebook chat? Or perhaps a game or an application that uses facebook for something?

Really it could be anything, as there are lots of applications that have grown up around the Facebook ecosystem.

Also are you browsing the web? There are facebook like buttons and the such all over the web. So you don't even need to be logged in or have visited yet after the reboot.

I also wonder about the kind of servers Facebook must have to be
able to manage the millions of TCP connections that must be terminating
there.

Lots of them. There is video of their new DC floating around that shows them..

http://www.datacenterknowledge.com/archives/2011/04/18/video-inside-facebooks-server-room/

-Patrick

Any idea why these connections are established (with facebook and
akamaitechnologies) and how I can kill them? Since my laptop has
several connections open with facebook, what kind of information is
flowing there?

Probably you visited other pages that have links to Facebook on them. Try
installing NoScript or similar in your browser and don't allow Facebook javascript,
and see if these connections evaporate.

Akamai is a content-caching service, just means somebody paid to have their
content be (hopefully) nearer to you network-wise.

I also wonder about the kind of servers Facebook must have to be
able to manage the millions of TCP connections that must be terminating
there.

Two words: Big Honkin' Load Balancers. OK, maybe more than two words. :wink:

At least on a win 7 box, netstat -b gives the process that initiated the
connection.

Likely opened due to a link or something from some other web page.

Install Ghostery on your browsers and you'll see even more connections pages want to make behind the scenes to tracking sites etc. It's not just javascript.

Greg

For the more paranoid open source users, I have found using the xxxterm
web browser to help quite a bit. You can read about it at
http://www.xxxterm.org

Well what's making the connection? It looks like unencrypted http, if your
social security number and last known addresses are streaming by you should
be able to see them. It's a bit of a jump to say that FB (not that I'm
particularly fond of them) is spying on you from a single netstat command.
You probably clicked login with facebook for some site and it's just
autologging you in or overzealous prefetching. Either way, I think we can
all stop making tinfoil hats now...

Hey all.
A little off topic, but wanted to share... I purchased a home storage Synology DS1511+. After configuring it on the home net, I did some captures to look at the protocols, and noticed that the DS1511+ is making outgoing connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a regular basis. These addresses are owned by Synology and Chunghwa Telecom in Taiwan.

So far, I've not been able to find much information on their support sites, or Synology's wiki, but I wanted to put it out there.

GET / HTTP/1.1
Host: 59.124.41.245:81
Accept: */*

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0c PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 103
Content-Type: text/html

In a message written on Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:

A little off topic, but wanted to share... I purchased a home storage Synology DS1511+. After configuring it on the home net, I did some captures to look at the protocols, and noticed that the DS1511+ is making outgoing connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a regular basis. These addresses are owned by Synology and Chunghwa Telecom in Taiwan.

So far, I've not been able to find much information on their support sites, or Synology's wiki, but I wanted to put it out there.

GET / HTTP/1.1
Host: 59.124.41.245:81
Accept: */*

Perhaps a little further digging was in order? For instance, putting
the IP and port in a web browser (http://59.124.41.245:81) which
returns:

<html><head><title>Current IP Check</title></head><body>Current IP Address: REDACTED</body></html>

Looking at Synology's web page we find:
http://www.synology.com/dsm/internet_connection.php?lang=us

If they are going to do things like UPnP to open a port, and then DDNS
to let you get there from the outside world, then the box needs to know
your outside NAT address, and simple relays like this are the best bet.
It's another ugly hack to get around the problems of a NAT in the
middle. I bet the box also checks for a new version of software from
time to time.

While I would like vendors to better disclose the "phone home" behavior
of their devices, virtually every computing device does this in some way
or another, if only to check for new software. Windows and Macs check a
web server to know if you are "connected to the internet" or not. NAT
traversal often uses a relay. DDNS registrations need the real IP, and
so on.

Not much to see here, really, other than how ugly some of our protocols
are in the real world.

And this is why the prudent home admin runs a firewall device he or she can
trust, and has a "default deny" rule in place even for outgoing connections.

- Matt

The prudent home admin has a default deny rule for outgoing HTTP to port 80? I doubt it.

Why not? You can poke holes in it specific to *workstations*; anything that
isn't a workstation doesn't generally need to be phoning home without you
knowing about it...

Cheers,
-- jra

Yep!

Or, open those specific ports as needed, then close. PITA though (pain in the @ss)

From: Nathan Eisenberg <nathan@atlasnetworks.us>
Subject: RE: Synology Disk DS211J
Date: Thu, 29 Sep 2011 21:58:23 +0000

> And this is why the prudent home admin runs a firewall device he or she
> can trust, and has a "default deny" rule in place even for outgoing
> connections.
>
> - Matt
>
>

The prudent home admin has a default deny rule for outgoing HTTP to port
80? I doubt it.

No, the prudent and knowledgeable home admin does not have a default deny
rule just for outgoing HTTP to port 80.

He has a default deny rule for _everything_. Every internal source address,
and every destination port. Then he pokes holes in that 'deny everything'
for specific machines to make the kinds of external connections that _they_
need to make.

Blocking outgoing port 80, _except_ from an internal proxy server, is not
necessarily a bad idea. If the legitimate web clients are all configured
to use the proxy server, then _direct_ external connection attempts are
an indication that something "not so legitimate" may be running.
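The "deny everything, then poke holes" policy above, as an added model (example code, not from the thread and not a real firewall configuration): hosts and addresses are invented apart from the Synology destination quoted earlier, and `iptables_rules` assumes a Linux gateway is the firewall device.

```python
from ipaddress import ip_address, ip_network

# Constructed home LAN for the model; addresses are invented except the
# Synology "phone home" destination quoted earlier in the thread.
LAN = ip_network("192.168.1.0/24")
PROXY = ip_address("192.168.1.2")
WORKSTATIONS = (ip_address("192.168.1.10"), ip_address("192.168.1.11"))
NAS = "192.168.1.20"                  # gets no hole at all

# Holes punched in the default deny: (source host, destination TCP port).
# Only the proxy goes out on 80/443; workstations browse through it.
HOLES = {(PROXY, 80), (PROXY, 443), *((w, 22) for w in WORKSTATIONS)}
WEB_PORTS = (80, 443)

def egress_verdict(src, dst, dport):
    """Judge one outbound TCP flow; returns (verdict, reason)."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in LAN:
        return "DROP", "source not on LAN"
    if dst in LAN:
        return "ACCEPT", "internal traffic"
    if (src, dport) in HOLES:
        return "ACCEPT", "explicit hole"
    if dport in WEB_PORTS and src in WORKSTATIONS:
        # A properly configured client would use the proxy; a direct attempt is a signal.
        return "DROP", "direct web egress bypassing the proxy: investigate"
    return "DROP", "default deny"

def audit(flows):
    """Return the dropped flows from a batch of (src, dst, dport), with reasons."""
    dropped = []
    for flow in flows:
        verdict, reason = egress_verdict(*flow)
        if verdict == "DROP":
            dropped.append((flow, reason))
    return dropped

def iptables_rules():
    """Render the same policy as FORWARD-chain rules for a Linux gateway."""
    rules = ["iptables -P FORWARD DROP",
             f"iptables -A FORWARD -s {LAN} -d {LAN} -j ACCEPT",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src, port in sorted(HOLES, key=lambda h: (int(h[0]), h[1])):
        rules.append(f"iptables -A FORWARD -s {src} -p tcp --dport {port} -j ACCEPT")
    rules.append("iptables -A FORWARD -j LOG --log-prefix 'egress-deny: '")
    return rules

if __name__ == "__main__":
    print(audit([(NAS, "59.124.41.245", 81), ("192.168.1.10", "203.0.113.10", 80)]))
```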

Tell me how that flies with the customers in your household...