https://obdev.at/blog/little-snitch-for-linux/
The core issue is simple and uncomfortable: through automatic updates, a vendor can run any code, with any privileges, on your machine, at any time.
-----
If the author is serious about this, then they should make their own program completely open source, and make builds bit-for-bit reproducible.
For all I know, the proprietary Little Snitch daemon, or even the binaries they're distributing for the open source components, contain backdoors that can be remotely activated to run any code, with any privileges, on your machine, at any time.
[0]: https://en.wikipedia.org/wiki/ZoneAlarm
[1]: https://d2nwkt1g6n1fev.cloudfront.net/helpmax/wp-content/upl...
It can be manually configured with very detailed policies, but you have to know where to go to find those controls.
It's been a while since I used ZoneAlarm or Little Snitch, but the last time I used either one the default behavior was instead that any connection attempt or attempt to listen for which there was not a policy would result in a dialog showing all the details about what application is looking to connect to or receive connections from what as well as a variety of options for creating a policy or even not creating a policy and just deciding whether that one connection would be allowed.
Recently I was wondering how you really have to trust something like little snitch given its a full kernel extension effectively able to MITM your whole network stack.
So I went digging (and asked some agents to deep research), and I couldn't find much interesting about the company or it's leadership at all.
All a long way to say, anyone know anything about this company?
Yes, they are indie Mac developers who have been in business for more than 20 years, and Little Snitch for Mac is beloved by many users for a long time.
Isn't MacOS just *nix under the hood? Genuinely curious about this difference.
Where LittleSnitch is definitely ahead is showing process connections over time after said process has been allowed.
As software should be.
I've been a GlassWire user for years, which partially fills the role of LS, but not very well. Aside from the many performance issues I've seen, it's missing a lot of LS essentials. To be fair, I think the focus of GlassWire is more about visualizing traffic on your Windows computer, but I definitely believe there is a need for better Windows network software for power users.
If you or I guess anyone is curious sereno[hyphen]alpha[dot]ramble[thenumberoftechn9ne'sfavoriterum]@passinbox.com
Worth noting that it is closed source. Would be worth contributing patches to OpenSnitch to bring it up to parity with Little Snitch.
> You can find Little Snitch for Linux here. It is free, and it will stay that way.
Don't worry, the authors know that there's no point in charging Linux users. Unlike Mac users.
So you might as well make it $0 and the (Linux) crowd goes wild that they don't need to pay a cent.
However...
> I researched a bit, found OpenSnitch, several command line tools, and various security systems built for servers. None of these gave me what I wanted: see which process is making which connections, and in the best case deny with a single click.
OpenSnitch is open source. You don't need to trust it as you can see the code yourself. Little Snitch on the other hand, is completely closed source.
Do you still trust them not to do self-reporting or phoning home, even though it is $0 and closed source?
If you trust Little Snitch on Mac, then yes.
They've been in business for over 20 years. They're not going to blow their entire business and reputation for a few Linux users.
I do wonder however, are they sufficiently careful about their processes and own machines to avoid a supply chain attack completely.
They must be a target for the various hacking groups out there.
A supply chain attack doesn't directly attack an end developer but rather a supplier of the developer. So who or what is the supplier in this case?
The comment was asking about preventing a compromised supplier for the developers.
A supply chain attack can be anywhere in the supply chain to the target. If I, the end user, am the target, then a supply chain attack compromising the developer of LittleSnitch is effective.
I may then be a conduit to compromising other software or components, and would both I and LittleSnitch would be part of the supply chain that could be attacked targeting them.
You're not a target, anonymous rando.
An attack on any of these things has nothing specifically to do with the developers of Little Snitch and would have vastly more widespread and important effects.
Why would you even be talking about Little Snitch if a compiler were compromised?!? Your paranoia here is bizarrely narrow. Little Snitch would be the least of our problems in that case.
No, not really. And I disagree with the premise, "They must be a target for the various hacking groups out there."
How would you even hack them? I'm a developer too; how would you hack me?
I'm not even going to respond to this ridiculousness.
I still don't know why anyone thinks that, among all developers in the world, a little indie Mac developer is getting targeted specifically.
There's not one single way, so, no, you're just hand-waving here.
pi.hole is primarily billed as an ad blocker, but the fundamental way it works is by applying a curated set of DNS lists that are blocked (commonly telemetry and ad servers), and the admin dashboard which is just a web page (therefore works on all platforms, smartphones included) will do the same thing: it tells you every call that every app on every device on your network is making, and you can approve or deny it. You can curate your own list as well and block servers/connections you don't want on the network.
LS afaik operates in the same area where it's intended to be used for privacy. I guess I could see it being useful for people who don't have admin access to their router, but for people who do have such access I would think the benefits of network-wide DNS monitoring/blocking would outweight the costs of having to configure your router settings.
I would guess that to the extent the blocklists include things that are loaded by applications and not websites, they are almost entirely built by users of something like LittleSnitch or OpenSnitch. This is also entirely doable with wireshark logs, but I think that requires more infrastructure to build into usable lists.
> The macOS version can make stronger guarantees because it can have more complexity. On Linux, the foundation is eBPF, which is powerful but bounded: it has strict limits on storage size and program complexity. Under heavy traffic, cache tables can overflow, which makes it impossible to reliably tie every network packet to a process or a DNS name.
> And reconstructing which hostname was originally looked up for a given IP address requires heuristics rather than certainty. The macOS version uses deep packet inspection to do this more reliably.
> That's not an option here.
>
> Source: https://web.archive.org/web/20260409002901/https://obdev.at/products/littlesnitch-linux/index.html
Have you ever checked Calico or Cilium, or at least, Oryx?