
Little Snitch 3 – Protect your privacy - ergot
https://www.obdev.at/products/littlesnitch/index.html
======
tedmiston
> Research Assistant

> Have you ever wondered why a process you’ve never heard of before suddenly
> wants to connect to some server on the Internet? The Research Assistant
> helps you to find the answer. It only takes one click on the research button
> to anonymously request additional information for the current connection
> from the Research Assistant Database.

I'm so glad they built this feature.

The hardest part about using Little Snitch is trying to figure out whether
processes that _look like_ system or daemons are making legitimate
connections.

~~~
developer2
Frankly, I don't think Little Snitch is usable because of this. And no, a
lookup tool is not good enough. For a paid program, I would expect them to
maintain a list of the "required/acceptable" connections and "unnecessary"
connections for popular programs, and automate the process of approval for
each app.

Perfect example: Spotify is impossible to manually whitelist without spending
well over an hour accepting or denying each of the exhaustingly large number
of domains it touches. I bet that nearly every user simply gives up and
whitelists the entire application, which defeats the purpose of paying for and
installing an app like Little Snitch in the first place.

Little Snitch should be doing that work up front for its users. One person on
their end spends a day or two figuring it out for an app, and saves tens of
thousands of user hours having to individually perform that task. No antivirus
out there alerts a user to every filesystem read and write - they
maintain databases of known threats. The same should be true for this kind of
software.

Yes, it would require constant maintenance on their part. If they needed to up
the price to make such a strategy viable, so be it. As it stands, I
uninstalled out of frustration after using the demo for 6 hours. The alerts
and interruptions never stop.

~~~
reconbot
They do stop, and while I do agree it's annoying at first, your decisions
about what to block and when are different from my decisions about what to
block and when. It's not about "threats" per se but about privacy,
operational security and choice.

I would totally accept some presets for Apple services.

~~~
computator
One preset that I would love is "maximum privacy while user initiated outbound
still works". So my browser would work because I initiated it, but everything
OSX or apps do in the background is blocked. Automatic updates are blocked?
Good! Network time sync is blocked? Fine by me. Only what I initiate gets
through. Can you do that as a preset please?

~~~
peteretep
That's my default until VPN is up; Firefox only + a few network services that
seem to be required

------
diggan
Why are OSX applications in general so bad at telling website users which
platforms they support? Like always, I have to keep digging around in the
website, just to find out that it only runs on OSX...

Does anyone know a similar utility for Ubuntu/Linux systems? Paid or free,
doesn't matter.

~~~
xd1936
Crossing my fingers that someone knows of an alternative for Linux, but my
hunch is, it'll be some crazy iptables scripts or something :/

~~~
blub
I was looking for such an app out of curiosity a while ago and found Douane.
Never used it myself, but it was open source and had similar features.

~~~
LordKano
This looks promising.

------
zitterbewegung
This is a prime example on how to make a landing page for a product. I
understand what you are selling and why I would want it. The product looks
great and I think I'll try it out after work.

~~~
skyo
It's pretty good, but I feel like the screenshots don't really convey the
app's value very well. Maps wants to connect to maps.apple.com? Of course it
should. iTunes wants to connect to itunes.apple.com? Well, yeah.

I'd much rather see a screenshot of some app trying to connect to a sketchy or
surprising domain. I think that would really drive home the app's purpose and
make it look less like a nuisance that's going to bug me every time I launch
Apple Maps.

~~~
josho
And that's why I fail to see the value for this.

Does anyone use this for reasons other than blocking license validation checks
on pirated software? Because that's the only reason I can think of for getting
this.

~~~
stmfreak
That was my first use case.

But then I found others, like monitoring my banking websites reaching out to
odd domains and ports. Or virus detection (some virii uninstall if they detect
Little Snitch). The more I used it, the more I liked it. So I unblocked the
Little Snitch license checks and bought a legit copy.

------
noja
Excellent product, but needs some kind of rule sharing feature. There are _so
many_ network requests from different components that it can be overwhelming
knowing what to allow.

~~~
mattkevan
Definitely agree. I like the idea of it, but when I installed it for the first
time and rebooted, it fired off _so many_ confirmation requests for various
cryptic services I had no idea what they were, I removed it just as soon as
I'd managed to click through them all.

~~~
kstrauser
Little Snitch is noisy AF for the first day or so, but that's also kind of the
point, right? You're running it because you want to know which apps are doing
what. Those first sessions are enlightening. Wow, my laptop talks to all the
things! That drops very quickly, though, as you tell it "yes, allow Slack to
connect to" and "no, don't let Safari talk to sketchy.ru:8765".

I still get the occasional popup, but now they're limited almost exclusively
to newly installed apps that I'm running for the first time. That's still an
eye-opener: no, I don't see a need for a calculator to connect to Google
Analytics. Deny!

Except for gamed, of course. There's no rhyme nor reason to which hosts and
ports it wants to talk to. If you ever want to hack a Mac running Little
Snitch, call your process "gamed" and the owner will allow it through (if they
haven't already set "allow connections to any host and port because alert
fatigue lol").

------
lazyjones
I tried an earlier version of this and was a bit disappointed by the
(apparent?) lack of information regarding these connections from applications,
since there's so much going on on OS X and it's hard to tell what's legitimate
and what isn't. It would be great if we could record traffic on a
per-application/process basis and display it comfortably, or even have some
built-in heuristics to identify common tasks like "Firefox update check" or
"iCloud authentication".

It's very similar to the venerable "Spybot S&D" on Windows (the "TeaTimer"
functionality, now apparently called "Live Protection":
[https://www.safer-networking.org](https://www.safer-networking.org)).

~~~
steinex
Besides the other replies that suggested Research Assistant: Little Snitch is
actually able to write pcaps per application, so you can then analyze them
with Wireshark. Killer feature, imo.

------
Hernanpm
I noticed no one mentioned
[https://www.tripmode.ch/](https://www.tripmode.ch/). I used to use Little
Snitch before, but it was too complex for what I wanted to do (allow/disallow
internet access to certain apps); TripMode does the trick in the simplest way
I've ever seen.

~~~
salzig
»TripMode activates itself on networks where you used it before.«

Wow, that's amazing. Apple should buy them and make this feature default :-)

~~~
DavideNL
Little Snitch can do this also, called "Automatic Profile Switching".

------
vijucat
Please steal this idea and make a product; I'll be your first paying customer:

Data Loss Protection (DLP) for retail consumers.

DLP (see
[http://whatis.techtarget.com/definition/data-loss-prevention...](http://whatis.techtarget.com/definition/data-loss-prevention-DLP)
for a definition) goes beyond what Little Snitch does and does packet
inspection to ensure that credit card numbers (for example) are never sent out
from your network / box. Ideally, you can add regular expressions to define
other PII that shouldn't be allowed to be sent out (your name, address, etc.).

DLP products exist for corporate use, but I don't know of any lightweight +
inexpensive one for personal use.

Wireshark, Fiddler or Charles can incorporate this functionality, if I am not
wrong. Not sure how one would MITM SSL with Wireshark, though.

~~~
therealmarv
That is an interesting approach. But the simplest encryption (e.g. a simple
XOR) will go around this problem very easily.

~~~
snowwrestler
The only way to make this sort of idea work reliably is a managed learning
approach that creates a whitelist of known-good network traffic patterns, and
then only permits those.

A prescriptive signature-based black list, as you point out, is easily fooled
with simple obscurity.

~~~
vijucat
Rather, controlling what information software can get its hands on (focusing
on the input rather than the output) seems to be the only way out? This is
what app permissions on phones and applet sandboxing, chroot jails &
containers, etc. try to do.

An additional twist that seems daunting (but interesting) is to mark sensitive
data at EVERY step in its processing, with support from the OS and hardware,
and never let tainted data out without explicit permission. See Perl's
tainted variables for the gist of the inspiration.

So if a = "User's name", which is protected data, and you do b = a, then b is
tainted, too, and write(socket_fd, *b) would pop up an alert.

All old hat, I bet, to security researchers. I'm just thinking out loud.
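The taint-propagation idea sketched in the post above, worked through as an added example that is not part of the thread or of Little Snitch. It assumes (my assumptions, not the page's) that taint is tracked at the language level with a `str` subclass called `Tainted`, that `declassify()` is the "explicit permission" step, and that `guarded_send()` is the only outbound sink; a `FakeSocket` stands in for a real socket so nothing touches the network.

```python
"""Added example, not from the thread: a toy taint-tracking sketch of the idea
in the comment above.  Assumptions (mine, not the page's): taint is tracked at
the language level with a str subclass, and the only outbound sink is a
guarded send() wrapper.  No real network traffic is generated."""
from typing import Any, List

AUDIT: List[str] = []  # records every explicit release of tainted data


class TaintError(PermissionError):
    """Raised when tainted data reaches an outbound sink without release."""


class Tainted(str):
    """A str subclass whose results stay tainted through common operations.

    Only a conservative subset of str methods is covered; demo() shows one
    operation (str.join) that silently drops the taint, which is exactly why
    the comment above asks for OS and hardware support.
    """

    def __add__(self, other: Any) -> "Tainted":
        return Tainted(str.__add__(self, str(other)))

    def __radd__(self, other: Any) -> "Tainted":
        # Python tries this first when a plain str is on the left, because
        # Tainted is a str subclass that overrides the reflected method.
        return Tainted(str(other) + str.__str__(self))

    def __getitem__(self, key: Any) -> "Tainted":
        return Tainted(str.__getitem__(self, key))

    def upper(self) -> "Tainted":
        return Tainted(str.upper(self))

    def lower(self) -> "Tainted":
        return Tainted(str.lower(self))

    def strip(self, chars: Any = None) -> "Tainted":
        return Tainted(str.strip(self, chars))


def is_tainted(value: Any) -> bool:
    return isinstance(value, Tainted)


def declassify(value: Tainted, reason: str) -> str:
    """The explicit-permission step: strip the taint and record why."""
    AUDIT.append(reason)
    return str.__str__(value)  # returns a plain, exact str


class FakeSocket:
    """Stand-in for a socket so the example runs offline."""

    def __init__(self) -> None:
        self.sent: List[bytes] = []

    def send(self, data: bytes) -> int:
        self.sent.append(data)
        return len(data)


def guarded_send(sock: FakeSocket, data: Any) -> int:
    """The write(socket_fd, ...) sink from the comment: refuse tainted data."""
    if is_tainted(data):
        raise TaintError("tainted data reached the network sink; call declassify() first")
    payload = data.encode() if isinstance(data, str) else bytes(data)
    return sock.send(payload)


def demo() -> dict:
    """Walk through a = user's name, b = a, write(socket, b) from the comment."""
    a = Tainted("Ada Lovelace")            # constructed sample of protected data
    b = a                                  # assignment keeps the taint
    greeting = "Hello, " + b               # taint propagates via __radd__
    sock = FakeSocket()
    results = {"b_tainted": is_tainted(b), "greeting_tainted": is_tainted(greeting)}
    try:
        guarded_send(sock, greeting)
        results["blocked"] = False
    except TaintError:
        results["blocked"] = True
    released = declassify(greeting, "user approved sending the greeting")
    results["sent_bytes"] = guarded_send(sock, released)
    # Known gap of a library-level approach: str.join returns a plain str.
    results["join_drops_taint"] = not is_tainted(", ".join([a, "Lovelace"]))
    return results


if __name__ == "__main__":
    print(demo())
```

The `join_drops_taint` result is the point of the "support from the OS and hardware" remark: a wrapper type only covers the operations it wraps, and any path it misses (here `str.join`, and likewise f-strings or C extensions) launders the data.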

------
rbritton
Not related in any way, Little Flocker[0] is a similar program but for file
access. It's a little rough around the edges but has been improving steadily.

[0]: [https://www.littleflocker.com](https://www.littleflocker.com)

~~~
beagle3
Can it be used to stop OS X Spotlight from putting DS_store in every directory
it sees?

Edit based on gumby's response below: can it stop finder from littering in
every directory it sees?

~~~
gumby
Spotlight isn't putting that file there; that's where the Finder stores the
directory-specific preferences (window size/position, list vs icon display
etc). If you don't use the Finder (which I mostly don't) then you'll never see
these files.

Spotlight maintains its own database in /

------
bsmartt
why was this posted today? I bought Little Snitch 3 in January 2013. I was
thinking maybe this was a new major version but it's not.

~~~
whorleater
Someone probably stumbled upon it and found it useful? Little Snitch has been
an OS X staple for a while now, especially for those who were involved in the
pirated apps scene.

------
djsumdog
There's a great Defcon talk about someone breaking Little Snitch:

[https://www.youtube.com/watch?v=sRcHt-sxcPI](https://www.youtube.com/watch?v=sRcHt-sxcPI)

~~~
jedisct1
There's an easy way to break it. Connect to random ports/IPs, so that the
machine becomes unusable due to the amount of Little Snitch popups showing up.
Until the user gives up and disables it.

~~~
DavideNL
"Silent Mode – Decide Later

There are times where you don’t want to get interrupted by any network related
notifications. With Silent Mode you can quickly choose to silence all
connection warnings for a while. You can then later review the Silent Mode Log
to define permanent rules for connection attempts that occurred during that
time."

------
jstoja
> A firewall protects your computer against unwanted guests from the Internet.
> But who protects your private data from being sent out?

A firewall? No kidding, a firewall is not supposed to only block incoming
traffic...

~~~
tedmiston
The built-in OS X firewall blocks incoming connections only.

[https://support.apple.com/en-us/HT201642](https://support.apple.com/en-us/HT201642)

------
mostafah
I’ve been using this happily for a long time. For those taken aback by the
endless prompts on the first run: that’s only for the start. Select “forever”
for connections you trust and you’ll soon have far fewer prompts.

On a side note: the developers also have Micro Snitch, an app that warns when
the camera or the microphone on your Mac is in use.

~~~
flanbiscuit
> On a side note: the developers also have Micro Snitch, an app that warns
> when the camera or the microphone on your Mac is in use.

I did not know that, that's awesome. I'm going to check that out.

link for anyone that's interested:
[https://www.obdev.at/products/microsnitch/index.html](https://www.obdev.at/products/microsnitch/index.html)

------
mellamoyo
Any similar software recommendations for Windows?

~~~
Solsticea
Glasswire - [https://www.glasswire.com/](https://www.glasswire.com/)

~~~
drdaeman
Nope, it's quite different from Little Snitch.

They're nice-looking, but don't have anything that even remotely resembles
rules. All it can do is deny or allow all traffic, on per-application basis.
If you want your email client to talk to only your email server but not
anywhere else (as a security precaution) you'll have to use built-in Windows
firewall facilities to set up such a rule.

Rule management is coming in v2.0 - or so they say - but it's not yet here.

---

Outpost Firewall used to be a powerful interactive firewall for Windows, but
it's dead these days.

------
koolba
How does this work? Does it override the networking DLLs to proxy the socket
creation calls?

~~~
coldtea
Like any other firewall... It's a kext (OS X kernel plugin)

------
iends
Those of you who own Little Snitch...do you regularly block outgoing
connections from applications you regularly use?

~~~
pidg
Yes - anything that doesn't need to be accessing the internet. Plus Google
things that phone home. It's fun to watch them get frustrated and light up red
in the activity monitor as they desperately try to send back metrics.

~~~
nosuchthing
If you use Google as your DNS server, sometimes various Google services will
just send the same requests over port 53 to 8.8.8.8 or 8.8.4.4 instead of the
normal IP.

------
alphonsegaston
Little Snitch is at once both great and horrifying. If you watch the day to
day stuff that happens on MacOS, you'll see that Apple's reputation for
security and user privacy is a pretty low bar. Aside from the constantly
pinging Apple defaults, so many third party apps are just all the time phoning
home to corporate servers when they're not even in use. Chrome can really just
look for updates when I open it, not check in with Google about god knows what
every thirty minutes.

------
therealmarv
Serious question: Can I use only profiles (e.g. no connection until VPN is
connected) and the rest of the time Little Snitch should behave like it's not
installed? I'm not a big fan of watching every connection... have done this in
the distant past with Zone Alarm and Windows and it was more bothering than
anything else. I also doubt it increases my personal security a lot....
especially when I think about my normal Android phone which is sitting beside
my PC.

~~~
herghost
Yes, I used to use it and had it set up like this. You create one profile
which basically allows only the VPN negotiation daemon to access the network,
and then another profile where there is no alerting or blocking.

Your Mac will be very unhappy when on the first profile though - seemingly
everything will constantly attempt to call out because it can see an active
connection.

I ended up removing Little Snitch because I felt that it was causing
instability. I could never pinpoint the issue, but things seemed much more
flaky when it was running. YMMV, and I was using it a major release ago so
things might be better now.

~~~
therealmarv
Thanks for your detailed answer! Makes me think I should probably not invest
in Little Snitch.

------
rwinn
First thing I install on any new system, couldn't recommend it more!

And the ability to do per-application captures and open them in Wireshark is
excellent for debugging.

------
libeclipse
Something like this would be brilliant on Android. Anyone know anything
related?

It'd be great if it was for non-root too, but I'm not sure if it's possible.

~~~
ChrisGranger
I've been using NoRoot Firewall [1] for blocking access to the internet on a
per-app basis and haven't had any issues with it.

[1]
[https://play.google.com/store/apps/details?id=app.greyshirts...](https://play.google.com/store/apps/details?id=app.greyshirts.firewall)

~~~
bostand
That looks really good, thanks!

I assume it works as a proxy?

------
jedisct1
Little Snitch is a fantastic way for people to shoot themselves in the foot.

Most people using it have no clue what they are doing, block random things,
and prevent software from working as expected. Not only can this make things
less secure by breaking features such as automatic updates, it also makes
developers' lives miserable by having to provide support to people running
their software in a half-broken environment.

~~~
Sykox
Oh really! What about those malicious developers who want to snoop in and
steal our data, or bloatware or ad-serving companies who just want to intrude
in our system? Or what about Adobe, who runs a fucking system-level service to
update a simple reader which I want to control when and how to update? One
should be in absolute control of how the network and data are consumed, and
that clearly and transparently.

~~~
khana
Yes!

------
andrenotgiant
I wish something like this could run at the router level. I am certain my
low-end IoT devices are sending out data I don't know about.

~~~
ComodoHacker
You want to see a warning every time a host in your home network tries to
connect to the Internet?

~~~
bisby
A proper config could easily fix that. Either whitelist certain devices for
unrestricted access. Or blacklist devices to have to obey the config
parameters. And then parameters for which ports and destinations things should
be allowed access to on a per device level...

Which is literally describing a firewall/iptables once you drop the
"established" incoming rule and block outgoing.

Basically, "I want a router iptables configurator with notifications"

------
problems
Does Little Snitch catch process injections (ie: I am currently running in
EvilMalware, I open up Chrome, create a new page, write my code into it and
create a new thread in it), or is it vulnerable to the same problems of
Windows firewall applications before LeakTest and the like. The good Windows
firewalls now are able to catch this kind of thing.

~~~
post_break
I think I understand what you're saying (not very technical) but I have used
LS for years. I know that I have blocked microsoft word from specific network
abilities and tried to open word files that phone home and LS catches those.

------
mkj
Objective Development (the developers) are a nice company, also providing
V-USB - a bitbanging USB implementation for AVR microcontrollers without USB
support.
[https://www.obdev.at/products/vusb/index.html](https://www.obdev.at/products/vusb/index.html)

------
bisby
4-5 years ago when I last used a mac for work, there was a program that had an
unlimited evaluation period and was just setup to nag on launch (like winzip).
using little snitch just blocked the nag (literally the license did was remove
the nag, so it didnt affect functionality). In the end, I wound up not using
the program anyway - I really was just trying to evaluate it without the nag.
For some reason sublime text comes to mind? I think I wound up just going back
to vim

Installing little snitch, I got overwhelmed by how much stuff was trying to
make calls in and out. It really does serve its purpose, but you also have to
have an idea of what you should be letting out, you can easily break things
and if you just "allow all" it somewhat ruins the point of having it.

------
Sykox
Is there one absolutely similar to windows? Closest i found was GlassWire

~~~
j45
I used to use something called Tiny Firewall, was quite capable and similar.
Not sure what happened to it.

[http://www.oldversion.com/windows/tiny-personal-
firewall/](http://www.oldversion.com/windows/tiny-personal-firewall/)

------
twsted
I think these features should be included in every OS nowadays, like we have
firewalls.

Anyway, I will probably buy this app, even if I share some concern others have
about its own network calls.

------
markneub
Has anyone figured out how to stop Google's autoupdate process (ksfetch) from
tripping LS nonstop? It spawns multiple new temporary processes when checking
for updates, and LS requires a path to a specific process file to block it.
This has made LS unusable for me since uninstalling all Google products isn't
an option for me.

------
Khaine
Little Snitch is great. You need to have a strong understanding of networking
and the apps that you use, to use it successfully. It is great at opening your
eyes to what apps are trying to connect where, and by catching a cap you can
investigate what they are sending.

------
icanhackit
Long time LS user and love it - yes the constant notifications will tax your
Qi but once you've set up the bulk of your rules it'll give you a lot of peace
of mind. Also grab Lingon X if you're serious about control.

------
mattcoles
Is it open source? Couldn't find anything on their site which is
disappointing.

~~~
middleclick
I realize that not everything can be made open source, but I personally don't
trust closed source security applications.

~~~
coldtea
What's to trust exactly?

It blocks connections to domains/IPs you want it to, and allows others.

You can easily verify that it behaves correctly with common network tools.

This is not some deep cryptography shit...

~~~
mattcoles
I don't trust that it's not doing data collection of it's own.

~~~
jslabovitz
The app costs $35. I presume this is a workable business for the developer,
and therefore little economic incentive for data collection or other
backdoor/nefarious tactics.

I'm much less trusting of free software like most ad-blockers where I have to
wonder how they're really making their money.

~~~
tedmiston
They've also been on the Mac for 10+ years.

~~~
leejoramo
Objective Development were there from the very beginning of Mac OS X.

And prior to that, they were a well known developer for NeXT. Their LaunchBar
app originated on NeXTSTEP.

------
lwfitzgerald
I'm currently using LS, but one of the problems I have is that it doesn't
support wildcard domain rules. This means ephemeral hosts quickly build up a
large number of rules which soon become redundant.

~~~
noja
Yes it does. You click the domain in the popup an change it to the part of the
domain you need. Then you view your invalid rules and it will show you which
rules are no longer needed.

------
benologist
One day consumer rights protection agencies are going to scrutinize what we
are doing in the background just like they're starting to do to ads.

------
FullMtlAlcoholc
If anyone is looking for a summer application that won't inundate you with so
much information, try radio silence

------
watersb
FWIW, I love Little Snitch and have used it for at least ten years.

------
admax88q
Protect your privacy by running this proprietary application!

~~~
lrem
On a proprietary hardware, with a proprietary firmware and communicating over
a network you don't control end-to-end!

Better don't start thinking about the other end...

;)

~~~
admax88q
You're right! The situation isn't perfect so we should just give up!

------
thehashrocket
Little Snitch reminds me of Zone Alarm from back in the day.

------
teaearlgraycold
This seems like a joke given that it's not open source.

~~~
eps
Care to elborate on such bold statement?

~~~
teaearlgraycold
This software seems to exist for people who (correctly) don't trust their own
computer's software, and want to keep tabs on it.

By distributing Little Snitch as closed source you now need to place your
trust in Little Snitch itself.

