Hardening privacy with a custom hosts file

I don’t care for companies casually collecting data on my web browsing habits, so one of the first things I set up on a new computer is a custom hosts file. The hosts file maps human-readable domain names (whatever.com) to IP addresses (192.168.0.1) and on most operating systems is consulted before checking an upstream DNS server, which means you can block domains you would prefer your computer not contact.

(Note that on some earlier versions of OS X, it is not true that hosts is consulted first. However, in 10.9 and 10.0, it appears to be.)

The reason I do this is not to block ads — it’s primarily to block tracking. Most ads bring tracking along for the ride, so it has the side effect of blocking a lot of ads. However, I’m happy to accept ads from web pages that are in HTML and do not include tracking.

A custom hosts file can also provide a baseline level of protection against known malware and phishing sites.

The easiest way to set this up is with a hosts file updater that will track trusted host blocking lists and reload them for you when they change. On OS X, I use Gas Mask. On Windows, I use HostsMan.

There are several blocking lists to choose from. I settled on the following three:

– http://someonewhocares.org/hosts/hosts
– http://winhelp2002.mvps.org/hosts.htm
– http://www.malwaredomainlist.com/hostslist/hosts.txt

On Gas Mask, simply add these three URLs as remote sources and activate them as a combined hosts file. The process is similar in HostsMan.

That’s pretty much all there is to it. To make sure it’s working, pop open a Terminal window and try to ping one of the blocked domains. It should be unsuccessful.

Allowing a remote entity to change your hosts file does introduce the possibility of a MITM attack (for example, if one of the above source URLs gets hijacked), so be mindful of that should you decide to go this route.
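One way to reduce that risk is to audit a downloaded list before it is merged, accepting only entries that point a name at a sinkhole address. The sketch below is an added example, not part of Gas Mask, HostsMan or any of the lists above; the function name `audit_hosts` and the sample input are constructed for illustration.

```python
import ipaddress
import re

# Only these "sinkhole" targets are acceptable in a pure blocking list.
SINKHOLES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::", "::1")}
HOSTNAME = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)*$")

def audit_hosts(text):
    """Return (safe, rejected) for hosts-format text fetched from a remote list.

    safe     -> list of (address, hostname) pairs that only sinkhole a name
    rejected -> list of (line_number, reason) for lines that must not be merged
    """
    safe, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.lower().split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            rejected.append((lineno, "not a hosts entry"))
            continue
        names = fields[1:]
        if not names or not all(HOSTNAME.match(n) for n in names):
            rejected.append((lineno, "missing or malformed hostname"))
        elif addr not in SINKHOLES:
            # A routable address here would redirect traffic, not block it.
            rejected.append((lineno, "redirects to non-sinkhole address"))
        else:
            safe.extend((str(addr), n) for n in names)
    return safe, rejected

# Constructed sample input (not taken from any of the lists named above).
SAMPLE = """\
# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 tracker.example
127.0.0.1 ads.example metrics.example  # two names on one line
203.0.113.7 bank.example
0.0.0.0
<html><body>captive portal</body></html>
"""

if __name__ == "__main__":
    safe, rejected = audit_hosts(SAMPLE)
    print(len(safe), "entries safe to merge")
    for lineno, reason in rejected:
        print(f"line {lineno}: {reason}")
```

Any rejected line is a reason to review the downloaded file by hand before activating it, since a blocking list has no need to map a name to a routable address.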

I find that on very rare occasions a website’s core functionality fails to work because it is unable to source JavaScript from a blocked domain. If this happens, simply restore the original (empty) hosts file temporarily. Don’t forget to put your shields back up when you’re done.

The second best way to protect your privacy is to uninstall (or never install) Flash or the Java runtime. Do this too, while you’re in there! At a minimum, install a browser extension that prevents Flash or Java content from running unless you explicitly allow it, such as ClickToPlugin or ClickToFlash.

No technique that I know of prevents all tracking, so this is certainly not foolproof, but I find it more comforting than having my presence effortlessly scooped up and data-mined by sites using conventional analytics tools.

Prying parents: Phone monitoring apps flourish in S. Korea

“Last month, South Korea’s Korea Communications Commission, which has sweeping powers covering the telecommunications industry, required telecoms companies and parents to ensure Smart Sheriff or one of the other monitoring apps is installed when anyone aged 18 years or under gets a new smartphone.”

PirateBox

“PirateBox is a DIY anonymous offline file-sharing and communications system built with free software and inexpensive off-the-shelf hardware.”

An Asshole Theory of Technology

“[The Apple Watch] is, in this view, a tool for correcting problems created by the device to which it must be paired to operate. The Apple Watch is supposed to be a filter between you and your gaping attention-suck hellworld smartphone; we will give it permission to intervene because it is slightly easier to look at while reducing our what’s-going-on-over-there-by-which-I-mean-in-my-pocket anxiety just enough to keep us sane. It provides a slight buzz, hopefully just enough, at a lower social cost. So it’s a little like… methadone?”

Hidden backdoor API to root privileges in Apple OS X

“The Admin framework in Apple OS X contains a hidden backdoor API to root privileges. It’s been there for several years (at least since 2011), I found it in October 2014 and it can be exploited to escalate privileges to root from any user account in the system.

[…]

Apple has now released OS X 10.10.3 where the issue is resolved.”