> Have you ever wondered why a process you’ve never heard of before suddenly wants to connect to some server on the Internet? The Research Assistant helps you to find the answer. It only takes one click on the research button to anonymously request additional information for the current connection from the Research Assistant Database.
I'm so glad they built this feature.
The hardest part about using Little Snitch is trying to figure out whether processes that look like system or daemons are making legitimate connections.
Perfect example: Spotify is impossible to manually whitelist without spending well over an hour accepting or denying each of the exhaustingly large number of domains it touches. I bet that nearly every user simply gives up and whitelists the entire application, which defeats the purpose of paying for and installing an app like Little Snitch in the first place.
Little Snitch should be doing that work up front for its users. One person on their end spends a day or two figuring it out for an app, and saves tens of thousands of user hours having to individually perform that task. No anti-virus out there alerts a user to every filesystem read and write - they maintain databases of known threats. The same should be true for this kind of software.
Yes, it would require constant maintenance on their part. If they needed to up the price to make such a strategy viable, so be it. As it stands, I uninstalled out of frustration after using the demo for 6 hours. The alerts and interruptions never stop.
> one person [does the work] and saves [us] tens of thousands of user hours having to individually perform that task
If Little Snitch is listening, please do this. I would be willing to pay more.
I would totally accept some presets for Apple services.
>> your decisions about what to block and when, are different from my decisions about what to block and when
It really would not be hard to offer sensible default presets per application. "Spotify is attempting to make its first connection. Would you like to a) block all connections, b) allow all connections, c) allow all connections required for standard operation only, or d) ask me for each connection (manual management)". Nobody is going to fine-tune every phone-home or analytics call; people who want them blocked will block them all, and people who don't mind won't block any of them.
The only reason it's a tough job is that applications can change frequently. Every time any app (ex: Spotify) releases a new version, it needs to be reviewed again to see if the "firewall database" needs updating. It would be useless to have a database of known connections if updates aren't disseminated to users within 1-2 days of a new release.
Does anyone know a similar utility for Ubuntu/Linux systems? Paid or free, doesn't matter.
Although I'll admit it doesn't mention what OS or what version except a small line on the downloads page:
Runs on OS X Yosemite (10.10) and later, including macOS Sierra (10.12).
You see screenshots of Windows programs all the time with just a side note somewhere that is like "oh yeah, and for Linux and Mac too".
Perhaps others don't share this view but I don't care so much how it looks if it gets the job done, especially if there is no other alternative.
skype.com probably fits the bill of looking shit, but it shows Android and Windows 10 screenshots only.
obsproject.com shows a lot of screenshots that look pretty Windows 10-ish... but it also announces "Latest Releases <platform logos>" right at the top of the page.
sublimetext.com shows Windows-only screenshots, and then mentions platforms at the bottom of the page.
https://slack.com/is shows only Mac screenshots. I imagine this reflects more on the developers than the actual product. I'm pretty sure it's available on other platforms.
And my point was less about quality of programs than availability: showing the window frame of a single OS does not mean that only that OS is available; sometimes that's just the only OS the marketing team uses.
It also doesn't require the kernel-level integration of Little Snitch.
Firewalls are way more about the backend than the frontend. They are not very portable at all.
Which direction? Does it have [plans for] learning mode or even process-based rules?
It's nowhere near as nice as Little Snitch, plus it doesn't block the socket call and then allow it after you acknowledge it. The call will fail and the app has to retry the connection.
Are there any better Windows solutions?
It tells you when an app is updated, and when an app is making an Internet connection, and you can shut them off from the Internet if you wished.
https://obsproject.com/ clearly shows it is cross platform.
https://adium.im/about/ clearly shows that it is not.
Either way it didn't cost the website owner much to lead on some people not in their target audience.
This is like the B2B SaaS marketspace - it's almost taken for granted that your app integrates with Salesforce. People are surprised if it isn't.
However, anyone who runs Microsoft CRM, SugarCRM, NetSuite, etc. is used to hearing "Sorry, we don't integrate with X". I'd say Ubuntu falls into a similar category.
> Runs on OS X Yosemite (10.10) and later, including macOS Sierra (10.12).
And yeah. Annoys the heck out of me too, in both situations.
I'd much rather see a screenshot of some app trying to connect to a sketchy or surprising domain. I think that would really drive home the app's purpose and make it look less like a nuisance that's going to bug me every time I launch Apple Maps.
Does anyone use this for reasons other than blocking license validation checks on pirated software? Because that's the only reason I can think of for getting this.
But then I found others, like monitoring my banking websites reaching out to odd domains and ports. Or virus detection (some viruses uninstall if they detect Little Snitch). The more I used it, the more I liked it. So I unblocked the Little Snitch license checks and bought a legit copy.
My workflow for the first system on a network is to install the OS offline, then install Little Snitch from a thumb drive from a trusted system.
I set it to Silent, Deny All mode and turn off all rules except for the rules that allow software to make (not receive) connections to the local network. Then, and only then, I connect the network cable and try to pull an IP address. If you're using DHCP then this will fail. To deal with that, I create a profile that applies only when connected to my home network and then add an allow rule to let dhcpd/discoveryd (IIRC) pull IP addresses.
I then try to open up Safari and browse to, say, Google. This will typically fail for two reasons: outgoing DNS queries are not allowed outside of the network and Safari doesn't have rights to connect outside the local network. If my DNS servers are outside of my local network I add a rule to allow the DNS lookup process to connect to only the DNS servers I have defined. I then give Safari allow rules for ports 80 and 443. Both of these rules are added to the home network only profile.
From there, I'll try to access the App Store and sort out what rules are needed for that, adding them and then adding them to my home network only profile. At this point, I'll take a firewall rules backup. Now, if I need to reinstall, I can load this rules backup and be able to browse the Internet, pull system updates, and then evaluate other software that needs network requests.
Software that tries to connect is logged, and each connection is logged. For software that is too "chatty", trying to talk to the network when it shouldn't, I'll add deny rules so they don't spam the failed connections log. Other software will have case-by-case exceptions made for it as necessary.
Generally, all of my allow rules will stay in my home network only profile, but there are a few that I'll always allow out. These are often SSH connections as they should be secure no matter where I'm at.
I still get the occasional popup, but now they're limited almost exclusively to newly installed apps that I'm running for the first time. That's still an eye-opener: no, I don't see a need for a calculator to connect to Google Analytics. Deny!
Except for gamed, of course. There's no rhyme or reason to which hosts and ports it wants to talk to. If you ever want to hack a Mac running Little Snitch, call your process "gamed" and the owner will allow it through (if they haven't already set "allow connections to any host and port because alert fatigue lol").
One possible way to do this well would be displaying information about how many people blocked/allowed. Then maybe following the crowd if it is converged enough, e.g. ≥1k votes with ≥95% same decision. But, this might be technically and socially challenging (people who care about this level of privacy may not want to share their rules; you need to make sure that no malware developer can game the system; people need to trust in that).
It's very similar to the venerable "Spybot S&D" on Windows (the "TeaTimer" functionality, now apparently called "Live Protection": https://www.safer-networking.org).
I have heard, "I never know what to do when I see these popups." Unfortunately, I don't think the research assistant will help them either.
Wow, that's amazing. Apple should buy them and make this feature default :-)
Data Loss Protection (DLP) for retail consumers.
DLP (see http://whatis.techtarget.com/definition/data-loss-prevention... for a definition) goes beyond what Little Snitch does and does packet inspection to ensure that credit card numbers (for example) are never sent out from your network / box. Ideally, you can add regular expressions to define other PII that shouldn't be allowed to be sent out (your name, address, etc.).
DLP products exist for corporate use, but I don't know of any lightweight + inexpensive one for personal use.
Wireshark, Fiddler or Charles can incorporate this functionality, if I am not wrong. Not sure how one would MITM SSL with Wireshark, though.
A prescriptive signature-based black list, as you point out, is easily fooled with simple obscurity.
An additional twist that seems daunting (but interesting) is to mark sensitive data at EVERY step in its processing, with support from the OS and hardware, and never let tainted data out without explicit permission. See Perl's tainted variables for the gist of the inspiration.
So if a = "User's name", which is protected data, and you do b = a, then b is tainted, too, and write(socket_fd, *b) would pop up an alert.
All old hat, I bet, to security researchers. I'm just thinking out loud.
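An added sketch of the tainted-variables idea from the comment above, written for this thread rather than taken from it or from Perl: a `Tainted` str type (a hypothetical name) that carries the mark through assignment, concatenation and slicing, a `guarded_send` sink that raises instead of writing, and the gap the comment hints at, where the taint is lost as soon as the data passes through a library call that knows nothing about it. The protected value and the loopback socket pair are constructed for the demo.

```python
import base64
import socket

class TaintError(PermissionError):
    """The 'alert' from the comment above: protected data reached a network sink."""

class TaintedBytes(bytes): pass  # bytes derived from protected data

class Tainted(str):
    """str derived from protected data. Only the operations overridden here carry the
    taint; anything passing through a taint-unaware function loses it (see demo())."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):             # plain_str + tainted -> tainted
        return Tainted(str.__add__(other, self))

    def __getitem__(self, key):            # slices stay tainted, even "Hello"
        return Tainted(str.__getitem__(self, key))

    def encode(self, encoding="utf-8", errors="strict"):
        return TaintedBytes(str.encode(self, encoding, errors))

def is_tainted(value) -> bool:
    return isinstance(value, (Tainted, TaintedBytes))

def guarded_send(sock: socket.socket, data: bytes, allow_protected: bool = False) -> int:
    """Network sink: refuse tainted data unless the caller explicitly permits it."""
    if is_tainted(data) and not allow_protected:
        raise TaintError("protected data would leave the host")
    return sock.send(data)

def demo() -> dict:
    """a = protected, b = a, write(socket, b), with constructed data and a loopback pair."""
    a = Tainted("User's name")             # protected data
    b = a                                   # b = a: same tainted object
    greeting = "Hello, " + b                # derived value is tainted too
    left, right = socket.socketpair()       # nothing leaves the host
    try:
        try:
            guarded_send(left, greeting.encode())
            blocked = False
        except TaintError:
            blocked = True
        # base64 is not taint-aware: the result is plain bytes and the sink lets it pass.
        encoded = base64.b64encode(greeting.encode())
        sent = guarded_send(left, encoded)
    finally:
        left.close()
        right.close()
    return {"b_tainted": is_tainted(b), "derived_tainted": is_tainted(greeting),
            "slice_tainted": is_tainted(greeting[:5]), "blocked": blocked,
            "encoded_tainted": is_tainted(encoded), "sent": sent}
```

The slice result shows the other side of the trade-off: "Hello" carries no protected information yet is still flagged, which is where the false positives mentioned elsewhere in the thread come from.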
It sounds good, and because compliance is about making good-sounding things mandatory (weekly password rotation, yay! /s) it got mandated in a lot of places.
And it did catch mistakes, like accountants sending the wrong files or to external addresses. Which I guess is justification for it right there.
But it's billed as a stronger (i.e. hacker) protection, for which it's useless, so I never liked it.
I think the world would be safer with an email plugin that helped you by suggesting that you should not send a document to a given address, based on rules and observations. It'd only be a suggestion so nobody would expect miracles, but it'd stop all the unintentional mistakes our system stopped, for a fraction of the price.
>> Furthermore, it’s easy to control file downloads and you can even block the transfer of private data – such as phone and credit card numbers.
In my experience it either blocks false positives, or lets sensitive information out with the slightest obfuscation.
Edit based on gumby's response below: can it stop finder from littering in every directory it sees?
Spotlight maintains its own database in /
# remove any .DS_Store files
# (run in a subshell to suppress the background job number being printed;
# NUL-separated filenames so paths with spaces are handled)
( ag --hidden -u -l -g '\.DS_Store$' -0 | xargs -0 rm -f & ) > /dev/null 2>&1
> There are times where you don’t want to get interrupted by any network related notifications. With Silent Mode you can quickly choose to silence all connection warnings for a while. You can then later review the Silent Mode Log to define permanent rules for connection attempts that occurred during that time.
A firewall? No kidding, a firewall is not supposed to only block incoming traffic...
On a side note: the developers also have Micro Snitch, an app that warns when the camera or the microphone on your Mac is in use.
I did not know that, that's awesome. I'm going to check that out.
link for anyone that's interested: https://www.obdev.at/products/microsnitch/index.html
But how do you know what to trust?
They're nice-looking, but don't have anything that even remotely resembles rules. All it can do is deny or allow all traffic, on a per-application basis. If you want your email client to talk to only your email server but not anywhere else (as a security precaution) you'll have to use built-in Windows firewall facilities to set up such a rule.
Rule management is coming in v2.0 - or so they say - but it's not yet here.
Outpost Firewall used to be a powerful interactive firewall for Windows, but it's dead these days.
In Windows I use the built-in Windows firewall with WFC to configure it. As much as it gives you a notification when an app tries to connect to somewhere, due to how it works it unfortunately blocks the request first and gives you the notification later, so you always have to retry/restart the offending app, unlike Little Snitch, where the app remains waiting while you decide whether to let it connect or not.
That said, I would not use Windows without it; these days most applications seem to want to phone home all the time for some reason.
Since a lot of Windows apps are a conglomeration of EXEs just whitelisting the main app is often not enough.
Comodo is WAY more bloated than Tinywall but I use it because I can set it to alert me to everything that tries to access the internet, and choose to block it or not.
Which might be true, but two wrongs do not make one right. I.e., leaking data on mobile devices does not make leaking data on a laptop OK.
Another benefit is that once I get over the initial rule configuration hump (and it is a real PITA for the first week or two) what I end up seeing are the anomalies and so I can pay closer attention to what has changed or where something is trying to connect that I might want to think about.
Little Snitch provides that: https://www.obdev.at/Images//littlesnitch/index/more_feature...
> limiting a lot of apps to loopback connections rather than full outgoing connectivity
At every launch, it connects to login.live.com and live.com.akadns.net.
Not sure what data it uploads but there is no info surrounding this.
It is a bit of a pain the first couple times you run a new app, but settles down fairly quickly. OS X upgrades are far worse - Apple seems to build a dozen new weird little things that want to connect to god knows what every release, and the right answer there is, for instance, `sudo defaults write /System/Library/LaunchAgents/com.apple.gamed Disabled -bool true`
Your Mac will be very unhappy when on the first profile though - seemingly everything will constantly attempt to call out because it can see an active connection.
I ended up removing Little Snitch because I felt that it was causing instability. I could never pinpoint the issue, but things seemed much more flaky when it was running. YMMV, and I was using it a major release ago so things might be better now.
And the ability to do per-application captures and open them in wireshark is excellent for debugging.
It'd be great if it was for non-root too, but I'm not sure if it's possible.
I assume it works as a proxy?
Most people using it have no clue what they are doing, block random things, and prevent software from working as expected. Not only can this make things less secure by breaking features such as automatic updates, it also makes developers' lives miserable by having to provide support to people running their software in a half-broken environment.
I absolutely use Little Snitch to block automatic updates of some apps that try to download updates over port 80. I don't trust them to have gotten the authentication right. I'd rather manage those through Homebrew & Caskroom.
I have and use Little Snitch. It is an important part of my professional toolkit.
But I have run into quite a number of non-programmer, non-sysadmin users who have tried to protect themselves with Little Snitch only to break their computers.
Which is literally describing a firewall/iptables once you drop the "established" incoming rule and block outgoing.
Basically, "I want a router iptables configurator with notifications"
Installing Little Snitch, I got overwhelmed by how much stuff was trying to make calls in and out. It really does serve its purpose, but you also have to have an idea of what you should be letting out; you can easily break things, and if you just "allow all" it somewhat ruins the point of having it.
It works with the windows firewall. Only the registered version allows notifications for blocked outbound connections ($10 "Donation" required)
Anyway, I will probably buy this app, even if I share some concern others have about its own network calls.
It blocks connections to domains/IPs you want it to, and allows others.
You can easily verify that it behaves correctly with common network tools.
This is not some deep cryptography shit...
Track its behavior from an exit node of your network and see whether it matches your rules.
Not really much different from manually checking some tens of thousands of lines of an open source application, or trusting that the binary you got from the repo corresponds to the source (and of course even hashes can be tampered with).
Plus, even if it chose "to not show a specific application making requests" you'd still be blocking all other apps, and thus be way better off than not having it installed.
I'm much less trusting of free software like most ad-blockers where I have to wonder how they're really making their money.
And prior to that, they were a well known developer for NeXT. Their LaunchBar app originated on NeXTSTEP.
Better don't start thinking about the other end...
I guess it can protect your privacy, but it also makes your system less secure against advanced attacks. The same thing can be said of AV scanners.
By distributing Little Snitch as closed source you now need to place your trust in Little Snitch itself.