
CIA trying to inject into Little Snitch - subroutine
http://i.imgur.com/JR5Ehbc.png
======
josefdlange
Stranger is that they feel like they need to open a "hidden" browser instance
to connect to the internet. A browser isn't really a necessary part of
establishing a connection -- unless there's some missing context here. Is my
grandmother running the CIA data ops division?

Edit: it's been made clear to me that of course this is one of few viable
vectors when approaching outbound network with a really restrictive firewall
(like Little Snitch). If a browser is already approved on making a given
connection, then using a headless instance to do network talking is a smart
way to do it. If you roll your own net code, a tool like LS will notify the user
and/or block. Dumb me!

~~~
sly010
Exactly. Firewalls like Little Snitch primarily filter traffic based
on the binary initiating the connection, and only secondarily based on the
target port or address. When Little Snitch pops up the 10th time in 30
seconds, you will just approve all traffic from your browser, so using the
browser to send all traffic is a great way to avoid being caught.

As for what "injecting into Little Snitch" means, it could either mean
injecting code into Little Snitch, because Little Snitch probably doesn't
filter itself, OR injecting a rule into Little Snitch.

~~~
nathancahill
Little Snitch does filter itself, but the Allow rules are there by default. I
remember on a previous version, one of the steps to pirate LS was adding a
rule to block it from connecting to its servers.

~~~
15155
They've added internal protection against this in recent versions.

------
tptacek
This is clownish:

1. Only a tiny minority of macOS users use Little Snitch, and they're not
necessarily the most sensitive/interesting targets.

2. If you're competent and you have enough privileges to inject a DLL into
anything, the odds are overwhelming that you also own the kernel. Why would
you waste time with a goofy firewall add-on package?

I joked on Twitter but I'm "ha ha only serious" about this: if you had this
entire portfolio of tools and exploits 2 years ago, I'm not sure you could
have gotten a job at Immunity. The leak is fascinating. The technical details:
not so much.

I thought the Shadow Brokers/Equation Group dump demonstrated a not-
especially-skillful group of inexperienced-seeming pentesters who happened to
have acquired some interesting bugs on the black market. Today's dump shows a
team that's way less impressive even than that.

~~~
deft
The whole wiki that this leak released is full of the most basic configuration
options for vim/VS etc. They have version control tutorials. They can't be
hiring pros.

~~~
matthewbauer
You can't make a conclusion from that. Any large software org is going to have
similar types of things.

------
burntwater
I'm just a little weirded out how this list is, in style, identical to many of
the lists I've created and have open right now. I need this to be a bit more
"henchmanny" and a bit less "average Joe/Jane sitting at their desk under the
fluorescent lights drinking coffee and idly thinking about the workweek ahead."

~~~
urs2102
This actually made me burst out laughing and conveyed my thoughts exactly.
It's like when you become old enough to realize your parents are fallible and
have been winging it the whole time.

------
Kalium
It's possible I've misunderstood, but I don't think they're trying to inject
Little Snitch. I think they're trying to inject _into_ Little Snitch, in order
to evade its restrictions.

~~~
tptacek
You haven't misunderstood. That's what they're talking about. This is a bad
headline.

~~~
dang
Ok, we injected an 'into' into 'inject Little Snitch'.

------
aaron695
Little Snitch is a host-based application firewall for Mac OS X. It can be
used to monitor applications, preventing or permitting them to connect to
attached networks through advanced rules.

[https://en.wikipedia.org/wiki/Little_Snitch](https://en.wikipedia.org/wiki/Little_Snitch)

------
Darthy
If you only need to send data once per week, and that data is less than 2K,
simply encrypt it, make it part of a URL that you control, then tell the
default browser to open that URL. Nearly everybody has configured Little
Snitch so that the browser can connect to anything (because the popups quickly
annoy). Then do a redirect on your server to something innocuous, and the user
will quickly forget.

~~~
_nalply
Or even better, use window.close(); then the user will only see the browser
window open briefly. Of course, if the user has JavaScript disabled, use HTTP
302 Found or an HTML meta refresh to redirect, blah blah.

------
golergka
So, apart from not demonstrating very high skill level (already discussed in
other comments written by people that seem knowledgeable), how is this even
remotely morally shady? They clearly discuss penetrating particular target
systems — isn't that exactly what you would expect your intelligence/counter-
intelligence service to do?

------
shabble
visions of [https://www.youtube.com/watch?v=sRcHt-sxcPI](https://www.youtube.com/watch?v=sRcHt-sxcPI) (Defcon 24: various
bypasses of Little Snitch)

------
karmakaze
Why LS and not one of many other programs? Is it for the humour value of its
name to specifically alter it?

~~~
DaiPlusPlus
I'd wager LS users are more tech-savvy and less likely to be using more
mainstream tools like Norton or McAfee - they want one tool that gives them
control over what programs have network access, not a bloated adware platform.

------
neoncontrails
"Inject into" is their wording. The meaning is unclear. Is the goal to disable
a working installation of Little Snitch?

~~~
Kalium
Their goal is to suborn and evade it. In context, "inject into" should be
understood to mean "to inject code or configuration of choice into a software
package".

------
Exuma
Hmm... lame

