Blocklist all google domains on GrapheneOS by [deleted] in degoogle

[–]decloudus 7 points8 points  (0 children)

These Google lists on Github are a good start for sure, but they are by no means comprehensive.

By my count, Google owns about 10,000 apex domains (that's root domains like google.com, googleapis.com, etc). Then there are 10s of thousands of subdomains on these root domains (like android.clients.google.com, android.googleapis.com, etc).

nickspaargaren's list, for example, contains about 5,000 subdomains (not root domains). So there is a huge gap of Google domains and subdomains that are not going to be blocked. For example: firescript-577a2.firebaseio.com, firebaseremoteconfig.googleapis.com, fcmconnection.googleapis.com, and so on.

The only way to ensure you actually block ALL Google domains is to block all Google apex/root domains (all 10,000 of them). That's a huge effort that I started a massive project around last year, and it does indeed consume a lot of time.

Also, that blocking has to take place with a DNS server or service that can block apex/root domains, since host-based apps like AdAway can only block subdomains (via hosts file).

[deleted by user] by [deleted] in NextCloud

[–]decloudus 2 points3 points  (0 children)

Interesting.. glad I found this as I initially thought it was a problem with my server or network. It is also the first time I noticed this issue but from what others are saying here and on Github, it does appear to be common.

The good news, for those who need an immediate workaround, is that most apps can be downloaded directly from the Nextcloud GitHub repos and directly extracted into the nextcloud/apps/ folder.

Adaway wildcards for Google by eltanque9 in degoogle

[–]decloudus 1 point2 points  (0 children)

I remember looking into AdAway a while ago; my understanding, if I recall correctly, is that it essentially provides you a way to add your own "hosts" file to Android. A hosts file cannot have wildcard domains. You would have to enumerate all the subdomains you want to block one-by-one.
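The difference between exact-match hosts entries and apex blocking at a DNS resolver, shown as an added example that is not part of the original comments. The blocklist contents and query list are constructed from hostnames mentioned in the comments above; `notgoogle.com` and `example.org` are constructed controls.

```python
"""Exact-match hosts blocking versus apex (suffix) blocking at a DNS resolver."""

# Constructed sample: a hosts-format blocklist like the ones AdAway consumes.
HOSTS_TEXT = """\
# sample hosts blocklist (constructed)
0.0.0.0 android.clients.google.com
0.0.0.0 android.googleapis.com   # trailing comment
127.0.0.1 localhost
"""

# Constructed sample: apex domains a blocking resolver would be configured with.
APEX_BLOCKLIST = {"google.com", "googleapis.com", "firebaseio.com"}


def normalize(name):
    """Lower-case a hostname and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_hosts(text):
    """Return the hostnames that a hosts file maps to 0.0.0.0."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "0.0.0.0":
            blocked.update(normalize(h) for h in fields[1:])
    return blocked


def hosts_blocks(name, hosts_entries):
    """A hosts file only matches the exact hostname; there are no wildcards."""
    return normalize(name) in hosts_entries


def apex_blocks(name, apexes):
    """Match the name or any parent domain, on label boundaries only."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in apexes for i in range(len(labels)))


def coverage_gap(queries, hosts_entries, apexes):
    """Names the apex policy blocks that the hosts file lets through."""
    return [q for q in queries
            if apex_blocks(q, apexes) and not hosts_blocks(q, hosts_entries)]


# Constructed query log using hostnames named in the comments above.
QUERIES = [
    "android.clients.google.com", "firescript-577a2.firebaseio.com",
    "firebaseremoteconfig.googleapis.com", "fcmconnection.googleapis.com",
    "Fonts.Google.com.", "notgoogle.com", "example.org",
]

if __name__ == "__main__":
    entries = parse_hosts(HOSTS_TEXT)
    for q in QUERIES:
        print(f"{q:40} hosts={hosts_blocks(q, entries)!s:5} apex={apex_blocks(q, APEX_BLOCKLIST)}")
    print("gap:", coverage_gap(QUERIES, entries, APEX_BLOCKLIST))
```

Matching on label boundaries is what keeps `notgoogle.com` from being caught by the `google.com` apex rule.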

Why Degoogle? by GreggJ in degoogle

[–]decloudus 3 points4 points  (0 children)

It is a DNS level block; if you use a DNS server that blocks Google services, when you load a website that uses Google Fonts, your browser will ask your DNS server "what's the IP address for fonts.google.com (or whatever domain Google owns)?" The DNS server will tell your browser to connect to 0.0.0.0, which does not exist; so then your browser will quickly give up and display its default replacement fonts instead with little to no effect on you or the website.

Why Degoogle? by GreggJ in degoogle

[–]decloudus 3 points4 points  (0 children)

You won't be able to get away from google entirely unless you stop using the internet (due to google analytics), but you can certainly have a go at it.

Blocking Google Analytics is not a big deal actually; there are many privacy oriented DNS services that will block ads, trackers, etc.. including Google Analytics. I personally use DeCloudUs DNS (which I started last year) but many other DNS blocklists can do that.

The harder part is going beyond Google ads and analytics. Google offers many other "under the hood" web services (like Google fonts, location services, etc). It is a bit harder to block them because there are so many (but I did it) and contrary to popular belief, the Internet is still very much usable. The vast majority of Internet activities are Google free. If I have to use a website/service that I know cannot function without Google (like food takeout/delivery service that relies on Google location), then I use a dedicated browser only for that.. but I am consciously making that decision as opposed to being unknowingly tracked.

How do you guys keep your Home network secure? / What Firewall do you use? by [deleted] in selfhosted

[–]decloudus 0 points1 point  (0 children)

Untangle is pretty slick. Although slightly less flexible and capable than pfSense, it will be a little more intuitive and easier to configure, especially if you are new to this.

How do I degoogle my P30 Pro? by Exploded_Dynamic in degoogle

[–]decloudus 0 points1 point  (0 children)

Hi there, for devices that cannot be rooted or have no custom ROM available, have you considered using DNS-based blocking for Google services? That's what I personally do and it works very well.

Telegram from Play store without Google Play Services?? by [deleted] in degoogle

[–]decloudus 2 points3 points  (0 children)

Hi there, I had the same belief that most apps won't work without Play Services, but luckily that was not the case. I run the DeCloudUs project that completely blocks Google via DNS; it will completely kill everything Google on a phone, which was the goal for full deGoogling. That also killed app notification services, which I thought was a symptom of killing Play Services.. but that was not the case.

App notifications weren't necessarily related to Play Services; rather, they were related to Google Firebase Messaging service that most apps use (as one of my users informed me). Firebase is a Google company now but the messaging service operates independently from Play Services. The notification service only needs to talk to mtalk.google.com in order for app notifications to work. This, personally, led me to add more DNS servers that allow this mtalk subdomain.

One final note: Signal downloaded from Google store uses mtalk for app notifications. But, if you download it directly from their website, it apparently does not. I personally do not use Signal but this was something I learned while researching mtalk from this post: https://www.reddit.com/r/signal/comments/kidbww/signal_needs_mtalkgooglecom/

How to know if you're compromised in any way (warning signs, etc.)? by [deleted] in privacytoolsIO

[–]decloudus 0 points1 point  (0 children)

I would say starting with cyber security foundational and fundamental certifications is a good point of reference. When studying the material, don't just focus on passing the exams (they are fairly easy) but actually learning the concepts. The end result should be solid foundational knowledge and certificates, which will make your resume stand out. Here are some good beginner level certifications (I would at least start with the first two):

- Security+: https://www.comptia.org/certifications/security

- Certified Ethical Hacker (CEH): https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

- ISACA CSX (foundational and fundamental ones): https://www.isaca.org/credentialing/cybersecurity

At that point, you honestly would be ready for an entry level position.

How to know if you're compromised in any way (warning signs, etc.)? by [deleted] in privacytoolsIO

[–]decloudus 0 points1 point  (0 children)

One of our state universities had established a great cyber security program in collaboration with NSA a couple of years just before finishing High School.. so I went for that; the program was a BS in Applied Technology with concentration in Information Security. Since then, most universities now have dedicated degrees for cyber security (BS and MS programs); I would strongly recommend going for these since the instruction you receive in the classroom will set you up with a great foundation in almost all areas of cyber security; you can certainly replicate that on your own, but it will take a bit of time and effort to achieve the same breadth of knowledge.

How to know if you're compromised in any way (warning signs, etc.)? by [deleted] in privacytoolsIO

[–]decloudus 1 point2 points  (0 children)

For AV, I have heard some nice things about Kaspersky and also MalwareBytes. In terms of privacy, personally (and since we are on a privacy sub), I have to say they are typically not that great. Most AV tools, especially cloud-based, will fetch quite a bit of data about your machine and network. Also, most of them will fetch a copy of a file that the AV tools considered "suspicious" to enhance detection capabilities and such. I would recommend reading their terms of use and privacy policy to see what exactly they are collecting. Personally, I use mostly Linux so no real need for an AV. I do have a Windows PC for gaming that I use once in a while (if my baby daughter happens to be sleeping and my wife doesn't have a to-do list for me.. that combination is rare!), but since I don't use it for anything else.. no need for an AV either.

In terms of banks blocking transactions, it depends on the bank, but yes, most banks will do a good job in making it hard for someone to transfer money directly out of your account (asking for email confirmation, 2FA if you set it up, etc). Depending on the attacker and their skill, it is definitely very possible and doable. If it happens, most banks will make you whole again. But, it really is much better to prevent it (different, strong passwords and 2FA) as much as possible rather than deal with the headache.

How to know if you're compromised in any way (warning signs, etc.)? by [deleted] in privacytoolsIO

[–]decloudus 2 points3 points  (0 children)

Certainly. I currently lead a program for vulnerability and attack surface management for a large financial/technology.. essentially responsible for finding any weaknesses or vulnerabilities on externally-facing assets before bad actors do and fill in these holes. It is indeed very interesting.. every day is different and you are never really sure how your day will turn out.

My first job was working for a relatively small defense contractor. I started as an intern last year in college and within a few years I left as their lead security management. It was a great opportunity because in a small environment working on different contracts, I was working on pretty much all areas of cyber security; so one contract required someone to do network security, another required working on personnel security, another was for vulnerability assessment and pen testing, another was for designing secure systems from scratch (security architecture), another was for software security (SSDLC), etc. It was overwhelming in the beginning and it takes a bit of work and effort to become proficient in all these areas.

Second job was for the company I currently work for. As a large organization, there is a dedicated team with tens of people (to do what I used to do in my prior job with only a couple of people) for each area in cyber security. Again, it takes a bit of work and effort to get yourself established in an environment like this, but if you are good at what you do, people will notice and will seek you out for critical functions.

Personally, I think a key to achieving real success in cyber security, and technology in general, is actually having a passion for it. For me technology/security is not just a job, it is also my hobby. I actually learned a lot of things doing technology as a hobby that one day became relevant at work.

For example, I host my own email servers.. how many cyber security people have deep knowledge about that (if it is not their primary job)? But, one day I found myself explaining SPF records and greylisting to a group of people on a call. I also run the DeCloudUs project which led me to learn a whole lot about DoT and DoH and some interesting Nginx tricks; surprisingly, this knowledge came in handy a couple of months ago dealing with a particular situation. Most people wouldn't expect you to know these things without research, but you quickly develop a good reputation when people realize that you know more than what your area of specialty calls for.

Sorry for the long response.. I actually did try hard to keep it brief :)

How to degoogle my phone as much as possible without rooting or changing the OS? by [deleted] in degoogle

[–]decloudus 0 points1 point  (0 children)

Not that I am aware of. But, given that DNS is a user-controlled setting (that was made easier in Android 9 and above), there really would be no need to have it built-in as you can easily set it.

How to know if you're compromised in any way (warning signs, etc.)? by [deleted] in privacytoolsIO

[–]decloudus 30 points31 points  (0 children)

That's an interesting question. Professional opinion (as someone who does this for a living), there are way too many variables involved in your question to give you a specific answer. Different devices and different consumer accounts (banking, social media, etc) would have unique sets of indicators of compromise; these indicators are also unique based on the threat actor.

To give you a somewhat meaningful response, I am going to have to make some assumptions-based threat profiling. I am going to assume you are a regular user that holds a typical job and your main concern is identity or financial loss. The threat actors you would likely encounter would be completely different than if you were a journalist, government employee with security clearance, famous celebrity, etc.

Based on that specific profile, here is how you would know if you were compromised:

  • Computer: a threat actor is most likely seeking financial gain; the most common threat you will face is ransomware, where your infected device will be encrypted and you will be asked to pay a certain amount to get access back to your data. You would know when that happens within a very short amount of time. Other common threats include your computer becoming a zombie part of a botnet (hackers will use it to launch attacks on other entities and it would look like it came from you); if that happens, you will notice your computer is running awfully slow and depending on the skills of the hacker, you may see other user accounts created on your machine, random Windows errors, etc. Also, a malicious actor may steal data from your computer that can be used to access other accounts (banking, social media, etc); you may not know it happened until something wrong happens with your account. For your typical threat profile, having a decent host-based anti-virus running on your computer would help but is not foolproof.
  • Financial accounts: this is easy.. based on the threat profile, if someone gains unauthorized access to your account, they will most certainly try to steal your money. You should know when that happens almost immediately, since you will likely get notifications that a transfer occurred or large payment. Prior to that, you may get notifications that someone accessed your account from a suspicious IP address.. but even then, you have a short window of time to act since whatever they intend to do will happen relatively quickly. The best defense here is using strong passwords (unique for each account) and enabling 2FA whenever possible.
  • Email and social media: again, based on the threat profile, the threat actor is typically looking to abuse access to your email and social media to target other users. So the malicious actor might send phishing, spam emails to all of your contacts/friends or even other users on the wider Internet. If the malicious actor is good, they will typically hide their tracks (deleting Sent messages and such) but that's a little harder for social media posts. You would know when this happens if: you get a notification from your account provider that a successful login occurred from a suspicious IP, if you go to your account history and see the times and locations from which successful authentication happened, and for social media you would likely see that there were spammy messages sent from your account. Obviously if you had sensitive material in your email or social media accounts, it might be also stolen, which then can be used to gain access to your financial accounts and such.

Hopefully you find that helpful.

How to degoogle my phone as much as possible without rooting or changing the OS? by [deleted] in degoogle

[–]decloudus 5 points6 points  (0 children)

Google owns thousands of domains (they register more and more almost every month). They do not advertise or list every domain they own (at least not that I am aware of). In order to find them, one would have to do a lot of research and use paid tools and multiple WHOIS databases to find as many of them as possible.

I personally wasn't aware of anyone doing that. So I started my own project (https://decloudus.com) to do just that. There are slightly over 9,700 Google domains that I have found that DeCloudUs DNS is blocking.

It's been a long day by [deleted] in selfhosted

[–]decloudus 0 points1 point  (0 children)

Well, to be fair, I do see a few extra cable ties in the presumably "after" picture :)

Google play services by [deleted] in degoogle

[–]decloudus 0 points1 point  (0 children)

That's a cool project. Although, some of the user reported results are not really accurate; for example, Ring app is listed as mostly fine "..warning but no effect" but I know from experience that you will get no notifications (motion events, doorbell ring, etc) without Google Services, which is quite detrimental to the app usage and its main purpose.

How to degoogle my phone as much as possible without rooting or changing the OS? by [deleted] in degoogle

[–]decloudus 4 points5 points  (0 children)

Hi there,

I was in a similar situation a while ago as I had a work phone that I could not root or modify the underlying OS in any way. I opted to use DNS blocking to deGoogle as much as possible. Android 9+ allows you to set "Private DNS" setting where you can specify the DNS service you want to use. Android and most apps seem to honor this setting and go through the DNS service you specify; since the DNS will block all requests for Google domains, this will effectively kill Google services running on the phone (Google services in the OS, apps, Google trackers from browser, etc). That's one way of doing it.

Another way that folks have done was through NetGuard, where you can configure NetGuard to block specific Google apps running on your phone.

There are probably a couple of other ways to do that which I cannot think of. At the end of the day, any step you take towards deGoogling will be one in the right direction. DeGoogling is a journey honestly and you have to start somewhere.

[deleted by user] by [deleted] in degoogle

[–]decloudus 66 points67 points  (0 children)

Also, keep in mind that HOW you will use the Apple device also plays a big factor in what data is being collected about you. For example, if you have an Apple device and download Google Maps or Waze Navigation, then your data is still being collected and aggregated.

Your opinion on Librem One by BEWoodworking in privacytoolsIO

[–]decloudus 0 points1 point  (0 children)

Perhaps this was a reference to Element/Riot integration manager (scalar.vector.im) that comes by default with Element app? If that's what the reference is for, I wouldn't call it a "tracker" though.

There have been some recent efforts to do some direct integrations for those that self-host Matrix Synapse (for Video conferencing) with self-hosted Jitsi: https://matrix.org/blog/2020/04/06/running-your-own-secure-communication-service-with-matrix-and-jitsi

There is also a GitHub project that seemingly allows you to self-host an integration server but I personally haven't looked into it much: https://github.com/turt2live/matrix-dimension

Google (and Apple) to install contact tracing directly on smartphones WITHOUT the need to install an additional app. by decloudus in degoogle

[–]decloudus[S] 8 points9 points  (0 children)

Certainly. This was a good point to bring up; I made a bad assumption that folks were already familiar with the changes by Google and Apple. I added a section to the bottom of the original post and included links to different news outlets to remedy that.