I'd also like separate lists for
* "this wifi is public, be extra cautious"
* "this wifi is public, be nice and don't torrent, do backups, etc"
* "I'm on a metered connection (e.g. LTE), don't run torrents, backups, etc"
edit: for anyone looking for a monetizable idea: this post has 41, no 42, no 43 points in about an hour. Probably a good idea...
Personally, I don't find these to be breaking issues for my use. My only issue is that the PiHole interface's administrative features are authenticated via the PiHole's service user account password. This is the Ubuntu user password for the user the service runs under when installed on Raspbian or whatever. There's no secondary credential store. There isn't even a list of users. To log in, you enter the user's password. If there was a way to assign credentials to network users and allow them to whitelist/blacklist entries and audit that, it could easily be much more friendly to non-technical users.
One final half complaint. If a link is direct to a blocked site that is served over ssl, you won't get the nice "This site has been blocked" page. It will just show the standard Chrome/Safari/Firefox "could not connect" error. As a technical user, this is normal and makes sense. For others, it makes "the internet" appear "broken". Obviously this isn't something a PiHole can fix on its own, and I don't expect it to. It's a slippery slope to add a trusted root or intermediary cert to each of my network devices and allow a random box on my network to dynamically "poison" my DNS and serve fraudulent dynamically generated site certificates just to show me an informational page, or to allow a random box on my network to proxy and DPI my SSL traffic. It's not something I'm comfortable with maintaining.
Also to people redirecting ad servers to 0.0.0.0, that can cause page damage particularly with things like iframes. Pi-hole instead redirects them to its own webserver and serves up 1x1 pixel transparent images to avoid this.
Plus, you get free ad blocking for most of the native apps on your mobile devices when using wifi at home or outdoors with VPN (haven't tested the latter yet).
It's true it's security through obscurity and won't slow down a spear fisher, but I always change the SSH port to something like 22022 when I have to expose it to the internet and find this eliminates almost all of the portscanning/doorknob rattling. Same thing with wordpress, changing the /wp-admin directory is immensely helpful.
i.e., turn Apple Telemetry on or off.
I’m sure if Google made such a list there would be another HN article about how Google is evil and trying to cut out competition.
It's not perfect, and frequently it isn't even helpful.
So would you want just the curated list, or an application that uses said list and provides feedback to the user? Either? Both?
Because I've _sort_ of done this on my personal Mac, though for reasons more pertaining to an infrastructure I maintain for a client, scaling this to a type of service wouldn't be TOO difficult.
The links listed below allow you to select filter lists for use in your browser provided that you are using a compatible ad blocker (tested with Adblock Plus, AdBlock and uBlock Origin). Furthermore, EasyPrivacy Tracking Protection List is available for Internet Explorer 9 and higher.
I would rather commit to running a certain number of compute jobs a month to trade cpu or storage or whatever. And do that forever.
I barter my unused cpu for your whitelist service that aggregates community activity.
I guess it depends on the monthly fee? $10/month, nope. $12/year-$1/monthly or $10/year-1payment to get monthly updates, quite possibly. I do understand updating/maintaining a fresh list will cost someone somewhere money.
Personally I avoid using third party DNS, but if there is demand for this...
As an added bonus, as a service you could point the dns entries to your own web server and serve up cat pictures or motivational pictures in place of ads.
I think it's great that more users, through DNS-based ad blocking projects, may see how controlling their own DNS is useful, perhaps in ways they might not have imagined.
However the last time I looked at it, I recall this project was defaulting to using open resolvers run by third parties, e.g. Google. Maybe I am remembering incorrectly since so many projects like to use these third party resolvers.
In any event, that is not how my solutions work. A third party with such delegated (ultimate) authority from the user is not part of the solutions I designed for myself.
Also, I never used dnsmasq as part of any solution. I have a strong bias against it for a number of reasons. If I recall correctly, pi-hole relies on dnsmasq.
(I used to do this for myself. Then I stopped using caches altogether. Now I do everything with tinydns, cdb and a customized stub resolver.)
Or what if I resolve all the ad server domains in the EasyList each day from various checkpoints around the world and publish an IP blocklist? Then users can import it into their application level firewalls.
Even without using authoritative DNS, if we only have a blocklist of IP addresses and some application-level firewall solution, we can examine outgoing HTTP headers in a client-side proxy and filter accordingly.
Connecting a powerful interpreter with potentially full control over the users computer to the open internet. Then believing this can be safe.
The user is granting use of this interpreter to third parties. In this thread we can see how users struggle to know which third parties can be trusted. All for the sake of keeping that interpreter open to "good" third parties to access at will over the internet. (Why is a good question.)
Early web browsers called on other, separate programs to do specific jobs outside of rendering HTML. Taking a cue from that history, I use simpler, limited programs with no built-in interpreter to do two specific jobs: sending and retrieving.
Third parties can return code in response to requests for content, but I am under no obligation to run the code, let alone run it from a popular browser with a powerful interpreter that is connected to the internet.
Cannot speak for others, but this approach has worked well for me as the www worsens.
But yeah, current situation is getting ridiculous. One could always expect malicious actors, but I didn't guess people will be routinely putting in the cloud things that have no business being Internet-dependent. Then again, I remember first reading pg's essays, in which he praised the benefits of running things on your server and delivering them as a webpage, instead of standalone software. I nodded along, and it only occurred to me many years later how incredibly user-hostile that is, too.
> If someone can devise a way for me to share my information while controlling how that information can be used later, it would go a long way to striking the right balance. I guess that's more or less "personal DRM" for our information.
It would not be easy to do this in a technical manner, as it could be defeated (as with most DRM). It sounds like a legislative solution would be best.
-> Homomorphic encryption is an active field of research. Legal is most likely the better solution. Probably.
Good. I sure hope only a small fraction of the population will be able to manually drive their car in the future. It would save lives, time, and money for everyone if the bulk of the idiots were unable to manually drive their car.
I'll give you "lives" and "money," but not necessarily time.
I live in a place where self-driving vehicles can be spotted fairly regularly. Once a week or so. You can tell by the special license plates. They are always very ponderous, careful drivers. It's fascinating to see them gently slow to a stop for a red light, then take off like a jackrabbit when it turns green.
Perhaps as the technology matures, they'll start to keep pace with traffic better.
I'm actually looking forward to self-driving cars. It's all the personal time benefits of mass transit (book reading, meditating, general mental health), without worrying about accidentally sitting in someone else's pee.
It would have to be a child being killed.
Later I switched to McAfee Corporate Firewall (in which I could even allow/block IPs/ports).
Now I am proudly using WFC that someone mentioned in another post earlier.
Our product can run completely locally and do a good job. Allow connectivity to other devices in the building and performance improves. Extend connectivity to our cloud servers and it gets a little better still. You can always revert to lower levels (and an Internet outage would simulate that, for example).
We regard your data as yours unless you want to share it for a specific reason.
Maybe that's why this problem exists now, because no one had thought of it?
Put in routes for your local networks and applications, set up a proxy server for any legitimate traffic that needs to "exit" the network (i.e., go to the Internet), and simply drop anything else.
I only wish it were cleaner and simpler. I don't think the Windows Firewall API is too bad, I should add this to my bucket list of open source software to write that I'll maybe get around to in the next 20 years....
> Simple tool to configure Windows Filtering Platform (WFP)
So much better than anything else I tested. Easy to import/export rules (XML) and there's also portable mode and advanced options (that goes beyond the simple UI you can see in the image).
This might be outdated but it's in the Control Panel or Action Center somewhere (Security and Maintenance area?). https://blogs.technet.microsoft.com/networking/2010/12/16/di...
I'm also using this simplewall option:
> Enable boot-time filters – Prevent data leak during system startup, even before "Base Filtering Engine" (BFE) service starts.
For example, while the Little Snitch popup dialog is waiting for user input the affected application just sees an unusual latency spike and it will not complain immediately that internet access is not available. Afaik, this is not the case with the Windows Firewall: The connection will fail for the application while the frontend-app is still waiting for the user's decision.
I'm not sure how this app gets around it (if it does at all).
My wife has an old Fitbit-like app that tries to connect to China every 2 seconds. Papertrail is really useful to see patterns. I blocked outbound to every single country except for the country I live in (the embattled country of Binomo). Once I allowed the US and EU, it has been interesting to learn if a site is not US or EU.
These are the domains this week that were blocked leading me to allow a few more countries.
fromdual.com - Switzerland
mysqltuner.pl/scaleway.com - France
canary.tools - Ireland
rsyslog.com - Germany
It does have a crude ugly UI, so just don't expect it to look like Little Snitch (which I also endorse on MacOS) or Glasswire.
However, if you're willing to spend money, Sphinx's product seems to offer quite a bit more features, but then you might as well consider other products out there.
Also, Binsoft's WFC UI, especially that of the rules editor, slowed down for me pretty heavily with just a hundred rules.
I'm not sure how Sphinx W10FC handles it, but the Binsoft WFC doesn't accept file types that aren't pre-defined. So if you have a binary with a random suffix, like anti-cheating rootkits often do, you can only add a generic allow or deny rule. You can't configure the rule.
Unfortunately, version 2.0 is no longer free. Windows 10 Firewall Control looks pretty good functionality wise, but it would be better if it had Glasswire's interface or one that's even better.
Little Snitch was effective, but overly complex for the average user. I'm sure it's great for someone who configures networks on a regular basis, but as a Mac user, I just want to use my Mac. If I wanted to twiddle with security settings all day long, I'd still be on Windows.
This looks like it might be a good, simple, replacement. Hopefully as it evolves it doesn't get swamped by feature bloat.
I happily paid for Little Snitch and was comforted by the fact that I was the customer.
It does happen but users are waking up to the problem and companies are learning.
We do not share nor sell your data.
However you may be referring to the same notion that nothing stops someone from murdering someone else.
Following recent changes to law here in Australia, for example, metadata is essentially the property of the state.
I paid for it, too. But then the upgrades went from complimentary to paid, and I bailed.
If the new version has a lot of new features I would be OK paying for that.
Hmm, wait a minute...
I have to roll my eyes at someone who scoffs at a $25 upgrade every few years.
If they're not cool with funding any future development on the product, then they must be cool with not upgrading. But of course they instead entitle themselves to all of your future labor because they once threw some shekels your way.
I think they only charge for the new microphone / camera portions of the new version.
brew cask install lulu
"Currently, LuLu only supports rules at the 'process level', meaning a process (or application) is either allowed to connect to the network or not. As is the case with other firewalls, this also means that if a legitimate (allowed) process is abused by malicious code to perform network actions, this will be allowed."
It does say "currently", but I'm not sure how you would get around this flaw; at any rate, nobody has yet figured out how.
"Solve" not solve because, for me, setting up baseline rule sets was too intrusive to my workflow.
Ok, and what happens when I want to browse to a different site?
>for me, setting up baseline rule sets was too intrusive to my workflow
It seems like that would be true for anyone that wants to use their browser to go to more than a small number of websites.
This might be possible, if you start off with deny-all as the default and then start manually adding exceptions as you browse.
That would be nice, but it wouldn't fix the problem I've been talking about, because you would have to give your browser the internet access permission, and the OS has no way of knowing which of the connections your browser is making are legitimate and which are not. Only you know that, which means you would have to continually be interrupting your browsing to approve or disapprove connections.
There was a company called Packeteer that did traffic shaping/inspection....could any concepts be applied to firewalling as they were to traffic prioritization?
Which is unworkable if you visit more than a small number of websites, as I said in another subthread.
The answer to that, of course, is that if you are really serious about firewalling, said firewall must be a separate device.
Yes, of course. That's one of the reasons I run Linux.
> if you are really serious about firewalling, said firewall must be a separate device.
Yes. That's a key reason I run OpenWRT on a router I own instead of taking whatever my ISP wants to give me.
edit: there is an open issue about it: https://github.com/objective-see/LuLu/issues/4
2. The developer put a lot of effort into this and was generous enough to make this available for free with the source code open. Please be gracious, because belligerent feedback like this is what causes people to sometimes reconsider making software free or open source.
3. You also falsely claim Patrick Wardle is aware of the issue and refuses to change it, even though he hasn’t commented on the issue you cited, at least as I write this.
cf. every discussion board or mailing list where issues like this have come up.
2. I'm very aware of the efforts of free or open source software authors and I'm grateful for them. In fact, I occasionally take time to thank them and make donations to them (although I should do it more). This doesn't mean that inaccurate statements should not be corrected and I don't see anything `belligerent` about reporting them, as would be the case for reporting a bug.
3. You're right on this, I wrongfully assumed one of the people answering in the issue was the author. I changed my comment.
Then someone comes along wagging his finger online saying no, no, no, that’s not what that word means. Just like with “could care less”. You know what? I think the battle is lost. Language doesn’t work that way, and I’m going to call it: Open Source means open source, i.e. source is open. And we would do ourselves a great favour switching to a different term, because we’re swimming upstream in this one.
While we’re on the subject of poor names: the worst mistake Stallman made was calling his movement Free Software. He would have turned a strong undercurrent of PR in his favour [e: by calling it Freedom Software] instead of having to constantly battle the semantics of “Free as in Freedom of Speech, not Free as in Free Beer.”
When people say naming things is one of the two hardest things in programming, I’m wondering if it’s just because programmers are really bad at it.
open-source == source code is open
Open Source == licensed compliant with the OSI's OSD
(Yes, I believe I understand your position, but I think you're going to have to rephrase your objection.)
Not right. The problem with this definition is that it doesn't confer any extra rights. It doesn't mean very much if you can read the source code if you're not allowed to use it, study it, modify it or release modified copies. Microsoft does this, actually. They release the source code of the C runtime library, but it's All Rights Reserved, so you can't really do anything with it except use it for debugging. You have no extra rights to it than if they didn't release it and you reverse-engineered it from the CRT binaries instead. Even your right to study it is in question. You can't contribute to the Wine CRT if you've seen the official CRT source.
So, for a program to be "open source," under the commonly understood definition, it must confer some rights. Most organizations that deal in free and open source software, like the OSI, FSF, and Debian, have agreed that this includes the right to use the program for any purpose, including commercial purposes.
Non-commercial use clauses for software are really troublesome, too. For example, if a small family-owned business uses the same computer for personal and business work, are they allowed to use LuLu at all? If another Objective C developer is reading LuLu's source code and they come across a utility or widget or something that they want to use in their own software, can they use it without the troublesome non-commercial use restriction coming with it? (Probably not.)
Does anybody have any recommendations for good ways to get fine-tuned control of Windows' default firewall?
Gosh, I really wish that people would follow a convention for named options on the command line. I don't even really care which one, as long as they were all consistent in picking one.
I wonder if there's a complete list somewhere.
> python -v
> python --version
> ls -alR
> ls -a -l -R
There are also a number of looser conventions about the meaning of certain short-form options.
That's verbose mode, not Version. You want a capitalized V.
1) To be able to choose the exact host/subnet/domain that an application can access with a good UX
2) Have someone else curate a list that I subscribe to that handles most cases
3) Work on desktop and mobile
For choosing the exact host/subnet/domain on a per-application basis, the best UX I've seen on any platform is FirewallIP, the unmaintained software on a jailbroken iPhone. So many desktop solutions only let you choose Allow everything or Deny everything, Little Snitch and Windows 10 Firewall Control are exceptions, but even they are limited.
The curated list option should be easy enough to support on most platforms. Easylist has shown how well it can work on the browser when combined with uBlock Origin. Install it for someone who is technically naive and they'll just see no ads with no negative experience.
The mobile platform is harder to support as under Android you need to root the phone to get access to the underlying iptables firewall with something like Afwall+, or you run a fake VPN back to the device and filter there, which is prone to failure (is it working? has it stopped itself for some reason?) and has less flexibility. Under unjailbroken iOS, products like Surge, Potatso2 and Shadowrocket run a local proxy that is similar to the fake VPN under Android, but require manually editing a text file for configuration and seem to be designed to get around the Chinese internet restrictions rather than for privacy.
Glasswire on Windows, Douane and OpenSnitch on Linux, AFwall+ on Android
After uninstalling it the kernel crashes.
- stability - often their tools have memory leaks;
- consistent UX - each tool looks and behaves differently;
- stacking of dialogs - often by the time I click, a new popup replaces the old one, and I approve something I don't even get a chance to see!
Weird choice of license.
> We recommend against using Creative Commons licenses for software. Instead, we strongly encourage you to use one of the very good software licenses which are already available. We recommend considering licenses made available by the Free Software Foundation or listed as “open source” by the Open Source Initiative.
As in this case, (reading the above threads) there's confusion as to whether the no commercial use clause extends to the content or the outcome of its processes. That is to say, NoCommercialUse for a book clearly means for derivative works. Nobody would ever suggest you can't read a book while in a commercial establishment. But in software we routinely place use restrictions on the end-user. Kind of bizarre, when you think about it.
Software is different because copying software is a necessary part of using it. So CC-BY-NC for software could quite reasonably be read to restrict its use in a commercial environment because you (notionally) need a license to make that copy from the internet to your hard drive, and from your hard drive to system RAM so that you can use it.
To the extent using software inherently means creating copies - so does reading. The image of the page is transferred to my retinas and encoded in the volatile storage of an organic neural network.
As to your second point... Ha! Fair enough. But IIRC case law has actually recognized that the copies created on a computer as you install and execute a program count as "copies" for the purpose of needing a license for an activity that would otherwise violate copyright. That is why EULAs are, to some extent, considered valid and enforceable. No such case has been made for your retinas encoding the light bouncing off a page and transferring that pattern to your neurons.
It's probably due to the absurd amounts of logging it does (every single connection tracked on a world map), which I didn't find a way to disable... I probably have an abnormal number of connections too due to torrenting (only Linux distros obviously). The Macbook CPU isn't high performance either.
But at least macOS has Little Snitch; the closest for Linux was OpenSnitch, which was announced on HN a few months back: https://github.com/evilsocket/opensnitch/ but I'm not sure whether it's actively being developed though.
Second, is the business model of Objective-See to offer open source alternatives for Objective Development's products (LuLu instead of Little Snitch; OverSight instead of Micro Snitch)?
How do I know if I want to sign up for your newsletter if I haven't been able to look at your site yet?
* Reporting domain names rather than just reporting destination IPs.
* Inbound monitoring & rules
* Temporary rules that auto-expire (e.g. Once, next 15 mins, etc.)
* Fine-grained control over protocol/domain/subdomain in blocking rules (at least when prompted)
* Graphical monitor of recent blocked/allowed traffic
* Profiles to easily change rule sets based on network, etc.
* Unclear whether LuLu provides special handling of connection attempts during startup, software updates, etc.
* Graphical installer, polish, support, etc.
...OTOH, LuLu does provide features I don’t recall seeing in LS:
* Icon indicating whether originating binary has been signed by system/third party/unsigned
* Button to optionally check binary hash against VirusTotal
git clone https://some.url/repo
So, it doesn't seem very functional, but it is an alpha, so that is likely expected.
If you plan on doing the same thing in Windows, be aware you need to disable the Dnscache service. It's impossible in Windows to screen the loopback network interface, which means you can't filter which programs get DNS access while "DNS Client" is running; it's all or nothing. DNS is a very popular covert exfiltration channel.
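The covert-channel point above is something a defender can look for on the resolver side even when per-process DNS filtering is not available. As an added example (not code from the thread or from any firewall project it mentions), the following Python scores queried names for tunnelling traits and alerts when one client repeatedly sends such names under one domain; the three-column log format and the sample lines are constructed for this example.

```python
"""Heuristic DNS-exfiltration detector run over resolver query logs.
Added example, not code from the thread or from any firewall project it
discusses. The three-column log format (timestamp, client IP, queried name)
is constructed for this example; real resolver logs need their own parser."""
import math
import re
from collections import defaultdict

# Constructed sample: benign lookups from 10.0.0.5, and a burst from 10.0.0.7
# that carries hex-encoded chunks in subdomain labels (the tunnelling pattern).
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 www.example.com
2024-01-01T10:00:01 10.0.0.5 cdn.example.com
2024-01-01T10:00:02 10.0.0.7 4a6f686e20446f65.1e5f.tunnel.example.net
2024-01-01T10:00:02 10.0.0.7 5365637265742064.2f8a.tunnel.example.net
2024-01-01T10:00:03 10.0.0.7 6174612068657265.3c1b.tunnel.example.net
2024-01-01T10:00:03 10.0.0.7 5a5a5a5a5a5a5a5a.4d2e.tunnel.example.net
2024-01-01T10:00:04 10.0.0.5 mail.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
HEX_LABEL_RE = re.compile(r"[0-9a-f]{12,}")

def shannon_entropy(s):
    """Bits per character: ~4 for random hex, 2 or less for ordinary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registrable_domain(qname):
    """Last two labels; crude, production code should use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text):
    """Yield (timestamp, client, qname) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()

def score_query(qname):
    """Return (score, reasons) for one queried name; 2 or more is suspicious."""
    labels = qname.rstrip(".").split(".")
    checks = [
        ("long name", len(qname) > 50),
        ("long label", max(len(l) for l in labels) >= 16),
        ("hex-like label", any(HEX_LABEL_RE.fullmatch(l) for l in labels)),
        # entropy of everything below the registrable domain, dots removed
        ("high-entropy subdomain", shannon_entropy("".join(labels[:-2])) > 3.0),
    ]
    reasons = [name for name, hit in checks if hit]
    return len(reasons), reasons

def analyse(text, min_suspicious=3):
    """Alert when one client repeatedly sends suspicious names under one domain.
    Thresholds need tuning against legitimate long-label traffic (CDNs, AV)."""
    stats = defaultdict(lambda: {"unique": set(), "suspicious": 0})
    for _ts, client, qname in parse_log(text):
        st = stats[(client, registrable_domain(qname))]
        st["unique"].add(qname)
        if score_query(qname)[0] >= 2:
            st["suspicious"] += 1
    return [{"client": c, "domain": d, "suspicious": st["suspicious"],
             "unique_names": len(st["unique"])}
            for (c, d), st in stats.items() if st["suspicious"] >= min_suspicious]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Run against real resolver logs, expect false positives from services that legitimately encode data in labels, and allowlist those domains before alerting.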
Always love new projects like this, just curious though.
> Do I need LuLu if I've turned on the built-in macOS firewall?
> Yes! Apple's built-in firewall only blocks incoming connections. LuLu is designed to detect and block outgoing connections, such as those generated by malware when the malware attempts to connect to its command & control server for tasking, or exfiltrates data.
Also: Radio Silence?
One problem to maybe take care of next iteration:
$ top -o cpu
Second, like others are saying, there is no conflict here because they are in completely different sectors.
Think about how many cities have "Great Wall" Chinese restaurants.
Most people only know trademarks at a national level. In the United States, at least, each state can grant its own trademarks. I've done it in Illinois ($50/10 years), and Texas ($10/10 years).