Why?
What would be the right tool to harden in a similar way to little snitch on mac? Meaning intercepting any connection and whitelisting them reliably.
my question is... if the tracking maps fill up completely, does the daemon fail-open or fail-closed?
The DNS lookups, on the other hand, are LRU. If the table overflows too soon, we won't be able to derive names for IP addresses and name-based rules would fail.
really appreciate the honest answer, man. awesome work on this...!
> You can find Little Snitch for Linux here. It is free, and it will stay that way.
Don't worry, the authors know that there's no point in charging Linux users. Unlike Mac users.
So you might as well make it $0 and the (Linux) crowd goes wild that they don't need to pay a cent.
However...
> I researched a bit, found OpenSnitch, several command line tools, and various security systems built for servers. None of these gave me what I wanted: see which process is making which connections, and in the best case deny with a single click.
OpenSnitch is open source. You don't need to trust it as you can see the code yourself. Little Snitch on the other hand, is completely closed source.
Do you still trust them not to do self-reporting or phoning home, even though it is $0 and closed source?
If you trust Little Snitch on Mac, then yes.
They've been in business for over 20 years. They're not going to blow their entire business and reputation for a few Linux users.
I do wonder however, are they sufficiently careful about their processes and own machines to avoid a supply chain attack completely.
They must be a target for the various hacking groups out there.
On the Linux side, there is no single big vendor such as Apple who provides all the necessary libraries. I have tried to choose reputable sources from crates.io only, but to be honest, I don't know a secure solution to the problem.
A supply chain attack doesn't directly attack an end developer but rather a supplier of the developer. So who or what is the supplier in this case?
An attack on any of these things has nothing specifically to do with the developers of Little Snitch and would have vastly more widespread and important effects.
Why would you even be talking about Little Snitch if a compiler were compromised?!? Your paranoia here is bizarrely narrow. Little Snitch would be the least of our problems in that case.
This doesn't even make sense. You have no examples.
The comment was asking about preventing a compromised supplier for the developers.
A supply chain attack can be anywhere in the supply chain to the target. If I, the end user, am the target, then a supply chain attack compromising the developer of LittleSnitch is effective.
I may then be a conduit to compromising other software or components, and would both I and LittleSnitch would be part of the supply chain that could be attacked targeting them.
You're not a target, anonymous rando.
Are you going to have this same discussion about every piece of software every mentioned on Hacker News? Why are we having it for Little Snitch specifically?
No, not really. And I disagree with the premise, "They must be a target for the various hacking groups out there."
How would you even hack them? I'm a developer too; how would you hack me?
I'm not even going to respond to this ridiculousness.
I still don't know why anyone thinks that, among all developers in the world, a little indie Mac developer is getting targeted specifically.
I have the same thoughts about other Mac apps. e.g. iTerm2 - cause they "see" so much sensitive data.
That's not even remotely what I said.
> it’s not like applications or libraries such as axios
iTerm doesn't use NPM. Little Snitch doesn't use NPM. I don't use NPM.
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
Why is it ridiculous? If you have electronic access to something of value and broadcast that fact on the internet, you’re at risk of a physical attack. That’s not controversial? Companies make employees do training about this for a reason.
You're talking as if all all "value" and all "risk" is equal, when they're definitely not. You can't equate a megacorporation with a little indie developer. Nobody cares about the latter.
I am a software developer, and I broadcast that fact on the internet. But nobody is coming to Wisconsin to hit me on the head with a wrench. That's just a silly paranoid fantasy.
If anyone hits me on the head with a wrench, it would be not be a nation-state but rather a two-bit local mugger who has no idea who I am and just wants cash from my wallet. I live in a pretty safe area though.
Access to little snitch would be worth millions to the right party.
> The same people who targeted the open source uncommercial library axios last week?
axios is an NPM package. Little Snitch doesn't use NPM. Thus, these people must be pretty damn incompetent if they were trying to target Little Snitch.
> Access to little snitch would be worth millions to the right party.
This is a bold claim with no evidence. I don't think it's true.
There's not one single way, so, no, you're just hand-waving here.
So are you going to have this same discussion in every HN submission that mentions any piece of software?