# Little snitch - should I get it?



## tigrr (Dec 14, 2007)

I've been using Little snitch (in demo mode) for a while now (it has a very generous 3 hour session limit. After that you just have to enter its configuration and tell it to go into demo mode again, for another 3 hours!).

It seems like a very useful tool (I've even caught some spyware this way), and since I like to keep track of which software goes online and for what purpose I think I need a "firewall" for preventing outwards traffic.
There is apparently another similar application called GlowWorm which I downloaded the demo of. I haven't had the time to look closely at it, so I really can't tell how it compares with Little Snitch, but I read some negative stuff about it - the people behind it using it to harvest email addresses or something.

In any case this has got me thinking: how can we trust software like this which is supposed to keep us safe? It's like an anti-virus program: who better to spread viruses around than the makers of anti-virus software, and who better to spy on us than the makers of anti-spyware.
Just thought I'd like to hear what you guys have to say about it and if Little snitch is worth getting, or if there's something better out there?

I really liked Zone-Alarm on the PC. It was effective and uncomplicated to use. Little snitch isn't quite there yet, but I haven't found anything better..


----------



## Rhisiart (Dec 16, 2007)

The firewall that comes with 10.5 is easy to use and in my opinion obviates the need to purchase Little Snitch or anything like it. Using a hardware firewall router for internet connections adds security.

I'm surprised that you say you have caught some spyware. What exactly did you find?


----------



## Damrod (Dec 16, 2007)

Seriously: LittleSnitch is one of the single most useful pieces of software I've seen so far on OS X. They added a lot of interesting new features in v2.x, and it's more reliable than ever.

I for one still distrust the 10.5 firewall. I deactivated it, and configured the ipfw that was used in 10.4 using Flying Buttress. To pretty much shut up your computer you only need about three or four rules. I trust it a lot more than the new one that leaves processes running with root-privileges being accessible from the net.


----------



## tigrr (Dec 16, 2007)

rhisiart said:


> The firewall that comes with 10.5 is easy to use and in my opinion obviates the need to purchase Little Snitch or anything like it. Using a hardware firewall router for internet connections adds security.



I'm still running 10.4.11 here (frankly I don't see why I should join the upgrade craze when it works fine as it is and I haven't taken full advantage of it yet), and as far as I know there isn't any way to prevent applications from "phoning home" in the MacOS firewall. I honestly don't know much about the MacOS firewall, but having looked into its settings it seems pretty limited and restricted to me, only allowing or disallowing things in their entirety.

As I have a DSL broadband connection I also have a firewall built into the router.




> I'm surprised that you say you have caught some spyware. What exactly did you find?



First of all it seems that I constantly come across software which connects to the Internet by default without asking for my consent. A lot of these have to do with update checking (personally I prefer to check this on my own if/when I see the need for it), but there are lots of unknown online connections which often don't make any sense at all as the application in question doesn't have anything to do with the Internet. One such application is Finder Cleaner which has some suspicious activity. I'm not the only one who thinks so (just read the comments at that page).
I've also noticed that a few applications go online even when I've told them not to! Apple software update is one of them. 


Little snitch seems like a very useful tool in preventing this sort of activity, but I just wanted to ask around to see if there was something better, or if there's any reason I shouldn't use Little Snitch before paying for it.


----------



## tigrr (Dec 16, 2007)

Damrod said:


> Seriously: LittleSnitch is one of the single most useful pieces of software I've seen so far on OS X. They added a lot of interesting new features in v2.x, and it's more reliable than ever.



Seems like you're wholeheartedly recommending me to buy it! 



> I for one still distrust the 10.5 firewall. I deactivated it, and configured the ipfw that was used in 10.4 using Flying Buttress. To pretty much shut up your computer you only need about three or four rules. I trust it a lot more than the new one that leaves processes running with root-privileges being accessible from the net.



I've found the firewall to be quite complicated, but also pretty limited in its options. I wouldn't know where to start, so I've closed everything apart from the "Windows sharing" option (so I can transfer files to/from a PC connected to the same router).

So Flying buttress is a configuration program for the built in MacOS firewall? Or is it a completely different firewall altogether?
I've looked up the app's website, but I can't say I understand much about what it's for.


----------



## Mikuro (Dec 16, 2007)

The Tiger firewall is not at all comparable to Little Snitch. Typical firewalls, including Tiger's, block incoming connections, but make no effort to block outgoing connections. And Tiger's firewall can't do _anything_ on an app-by-app basis. Little Snitch can stop outgoing connections, and on an app-by-app basis.

Leopard's firewall is a whole new beast. I'm still on Tiger, so I don't know all the details.

I've been using Little Snitch for quite a while, and I recommend it. I haven't upgraded to 2.0 despite the fact that I own it already (thanks to the free upgrade I got from MacUpdate's bundle a while back), because even 1.x does what I want it to do. One of these days when I'm in a "let's fix what ain't broke!" kind of mood I will install 2.0. 

Keep in mind that Little Snitch is not a magic bullet. There are ways apps can bypass it. For example, if a nefarious application tells Mail.app to send an email containing sensitive data, then only Mail.app will be making a network connection, and since you'd probably "always allow" Mail.app to make connections, it would go through.

I've never actually seen an example of this, but it's possible, anyway.

The bottom line is, Little Snitch is a great tool, but no tool is a substitute for caution and vigilance.


----------



## symphonix (Dec 16, 2007)

I would agree that Little Snitch is a very useful addition to the Mac's own firewall. It will let you know if an app is phoning home, which they do a lot more often than you would think.

The only thing I'd add is that if you are using Little Snitch and you enjoy playing online games (eg: Quake, Unreal, etc) then add them to Little Snitch's trusted list before launching the game, as the pop-up message usually isn't visible from inside the game when in full screen, meaning Little Snitch will block network traffic for that game. It took me days to work out why I wasn't getting any servers on UT2004.


----------



## fryke (Dec 16, 2007)

LittleSnitch is very useful and works fine. I recommend it.


----------



## Randy Singer (Dec 16, 2007)

Little Snitch is a reverse firewall.  It blocks outgoing connections.  Regular firewalls only handle incoming connections.

Little Snitch might be worth having if you don't like applications "phoning home."  However, I've rarely heard of any applications doing so for nefarious purposes.  Generally applications phone home for such innocuous purposes as checking for updates, making sure that you are registered, checking for other copies of the software on your network, etc.

Generally, the only people who find Little Snitch to be really useful are people who are pirating software.  Otherwise it's probably just a waste of money.


----------



## fryke (Dec 16, 2007)

A little paranoia can be helpful. Sometimes it's interesting to find out what apps want to connect and when (and maybe why).


----------



## Satcomer (Dec 16, 2007)

With Little Snitch I am continually surprised about how many Applications call home even when I did not tell them to check for updates. 

Plus to be extra safe/paranoid I turn on Stealth mode on my wireless Apple Airport Extreme. I figure doing this is just a LEVEL of security. Security is a changing landscape and one has to keep a wary eye on the latest techniques used by the bad guys and the counterpoint protection routines.


----------



## Curiosity (Dec 17, 2007)

symphonix said:


> The only thing I'd add is that if you are using Little Snitch and you enjoy playing online games (eg: Quake, Unreal, etc) then add them to Little Snitch's trusted list before launching the game, as the pop-up message usually isn't visible from inside the game when in full screen, meaning Little Snitch will block network traffic for that game. It took me days to work out why I wasn't getting any servers on UT2004.


I do not quite understand why a game like Prey wants to communicate with the Internet, though.  The scenario does not lend itself to group play.  Whenever I start Prey, I get a synthesized voice message telling me that Little Snitch has prevented Prey from communicating with something online.


----------



## Curiosity (Dec 17, 2007)

I like Little Snitch.  It adds the outgoing component that the OS firewall lacks.  I tried GlowWorm, but it is not as good.


----------



## Rhisiart (Dec 18, 2007)

I am happy to defer to the wisdom of others. 

Pre-Leopard I used Intego's Netbarrier including its Anti-Spyware facility (doing pretty much the same thing as Little Snitch). 

Perhaps I was naive in thinking that Leopard's upgraded firewall would obviate the need for such additional software. If root commands can still be maliciously accessed despite Leopard's firewall then what is it there for?

I am also inclined to agree with Mikuro. If a deviant wanted to access my computer I am sure s/he could get round programmes like Little Snitch via mail or other commonly used Internet connections.


----------



## tigrr (Dec 18, 2007)

I registered my copy of Little snitch earlier today, before reading these last postings (I'm still waiting for the key code though), but reading about Netbarrier I started wondering if I should have gotten that instead, even if it's more expensive.
Netbarrier seems to have a lot more advanced features, judging by their website. But are these really just hyped up features most of us don't need?


----------



## barhar (Dec 18, 2007)

'Little snitch - should I get it?' - yes. 

Particularly, to determine and manage applications / processes which 'phone home'.


----------



## Rhisiart (Dec 19, 2007)

tigrr said:


> I registered my copy of Little snitch earlier today, before reading these last postings (I'm still waiting for the key code though), but reading about Netbarrier I started wondering if I should have gotten that instead, even if it's more expensive.
> Netbarrier seems to have a lot more advanced features, judging by their website. But are these really just hyped up features most of us don't need?


Possibly. I'd say that a hard router firewall combined with Little Snitch should suffice. 

I'm not against Little Snitch and I can see why others like it. I was just hoping that Leopard's upgraded firewall would suffice.


----------



## jursamaj (Dec 20, 2007)

Randy Singer said:


> Little Snitch is a reverse firewall.  It blocks outgoing connections.  Regular firewalls only handle incoming connections.
> 
> Little Snitch might be worth having if you don't like applications "phoning home."  However, I've rarely heard of any applications doing so for nefarious purposes.  Generally applications phone home for such innocuous purposes as checking for updates, making sure that you are registered, checking for other copies of the software on your network, etc.
> 
> Generally, the only people who find Little Snitch to be really useful are people who are pirating software.  Otherwise it's probably just a waste of money.



Pirates like it, of course, but it's useful for anybody.

Many freeware apps out there install things along with what you want.  If you read the entire user agreement, it *might* mention them, but might not.  When they attempt to phone home, Little Snitch snitches.

And some apps don't even *ask* if you want to check for updates.  The ones that do, I turn off, because I can handle that all on my own, thanks.

For instance, Adobe Reader 8: every single time I start it, it wants to phone home.  Nowhere in its preferences is there an option not to check for updates.  Only by accident did I find that to shut off update checks, you have to manually select Help->Check For Updates...

A) Why would I check for updates in order to not check for updates?
B) Auto check is shut off, and it *STILL* wants to phone home every time it's started.  Why?

There may be a perfectly reasonable explanation for this behavior, but I have a healthy distrust of corporations.  By definition, they only serve *my* interests to the extent that it makes them money.


----------



## VirtualTracy (Dec 21, 2007)

There are reports about that any program that installs its own Kernel Extension can _"Phone Home"_ unbeknownst to Little Snitch.

Virtualisation programs are the type to install their own kext file and FileMaker Pro is another app that will circumvent the security measure Little Snitch puts in place. FlexNet, Macrovision's Software Protection System seems to be another one to get around Little Snitch.


----------



## Rhisiart (Dec 21, 2007)

Just a simple question (apologies if I seem dumb), but if Little Snitch detects an app phoning home, how can one know what info it is obtaining from your mac to allow or disallow it?


----------



## Mikuro (Dec 21, 2007)

VirtualTracy said:


> There are reports about that any program that installs its own Kernel Extension can _"Phone Home"_ unbeknownst to Little Snitch.


There's quite a lot of discussion about this in the Little Snitch forum. The developer has posted a reply here: http://forums.obdev.at/viewtopic.php?t=577&postdays=0&postorder=asc&start=15

I'm still not quite sure what to make of it, myself, but yes, kernel extensions can bypass Little Snitch.



rhisiart said:


> Just a simple question (apologies if I seem dumb), but if Little Snitch detects an app phoning home, how can one know what info it is obtaining from your mac to allow or disallow it?


Alas, you can't. Well, not easily anyway, and not with only Little Snitch. I generally just ask myself "why the heck should this app need an internet connection?" If there is no obvious answer I'm satisfied with (update checking does not satisfy me; I'll update my software when I'm good and ready, thanks), then I block it.

Little Snitch does tell you the server it's trying to connect to and the port, and in some cases that's all you need. For instance, I was a little nervous entering my Gmail password using third-party Gmail checkers like GmailStatus, but with Little Snitch I can verify that every network connection these apps make is to a trusted server, and I can allow connections ONLY to those servers.

If you want more details on what data is being sent, there are other tools such as tcpdump which will show you, but they only show you what's being sent AS it's being sent, not BEFORE. tcpdump is a command-line tool included with OS X. There are some easy-to-use interfaces for it, such as IPNetMonitorX, but I'm not aware of any that are free.


----------



## Rhisiart (Dec 21, 2007)

Mikuro said:


> ..........Alas, you can't......


Thanks Mikuro.

At risk of over-simplification here, I consider there to be three types of computer users: 

1. The completely naive, e.g. my father (he has skills in other areas).

2. Those a little bit savvy on _some_ aspects of computer use and security (e.g. me). 

3. Those that know quite a lot (e.g. many on this forum).

My lack of wholehearted enthusiasm for Little Snitch (and other similar programmes) is that I really don't feel that I know enough to make it worthwhile using.

I am certain I am not alone.


----------



## jursamaj (Dec 21, 2007)

rhisiart said:


> Thanks Mikuro.
> 
> At risk of over-simplification here, I consider there to be three types of computer users:
> 
> ...



You don't need to be an expert to make a useful decision.

If it doesn't seem reasonable that the app should be calling *anywhere*, disallow it.  (Why should a screensaver call anybody?)

If it's not calling *somewhere* that seems reasonable, disallow it.  (If your mail server is in USA and your new mail app wants to call Russia or Taiwan...)

At first, you can tell Snitch to disallow until the program quits.  If the program won't then function, you can re-evaluate your decision (either allow it next time, or dump the program).


----------



## Rhisiart (Dec 21, 2007)

jursamaj said:


> You don't need to be an expert to make a useful decision.
> 
> If it doesn't seem reasonable that the app should be calling *anywhere*, disallow it.  (Why should a screensaver call anybody?)
> 
> ...


jursamaj, I can see the logic in your argument.

However, are you saying that every time LS notifies you that an app is calling home that you then check the home destination each time?

Perhaps that is what people do. It's just that something tells me that it requires a really high level of paranoia to do that.

*Major caveat here: you know I am only playing the devil's advocate!*


----------



## jursamaj (Dec 21, 2007)

No, 1st I check if it should be calling at all.  That kills most of them.  Only if I think it has any business on the net do I consider where it's going and the port.

I don't look at it as paranoia.  Just self-preservation.


----------
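
The two-step check described in the posts above (should the app be online at all, and if so, is the server and port one you expect), as an added example that is not part of any forum post: it applies that triage to a constructed `lsof -nP -i` listing. The app names, the policy table and the addresses are assumptions made up for the illustration; like tcpdump, it only reports connections that already exist and blocks nothing.

```python
import ipaddress

# Constructed sample of `lsof -nP -i` output (not captured from a real Mac);
# remote addresses come from the RFC 5737 documentation ranges.
SAMPLE_LSOF = """\
COMMAND    PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
Mail       412 demo  23u IPv4 0x0a01      0t0  TCP 192.168.1.5:50112->192.0.2.10:993 (ESTABLISHED)
Mail       412 demo  24u IPv4 0x0a02      0t0  TCP 192.168.1.5:50113->203.0.113.77:8080 (ESTABLISHED)
SaverDemo  530 demo   9u IPv4 0x0a03      0t0  TCP 192.168.1.5:50120->198.51.100.4:80 (ESTABLISHED)
cupsd       88 root   6u IPv4 0x0a04      0t0  TCP *:631 (LISTEN)
"""

# Hypothetical policy: app name -> (network, port) pairs it has a reason to reach.
# An app missing from the policy has no business on the network at all.
POLICY = {"Mail": [("192.0.2.0/24", 993), ("192.0.2.0/24", 587)]}


def outbound_connections(lsof_text):
    """Yield (command, remote_ip, remote_port) for each connected socket."""
    for line in lsof_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 9 or "->" not in fields[8]:
            continue                                 # listener, not an outbound flow
        remote = fields[8].split("->", 1)[1]
        host, port = remote.rsplit(":", 1)           # rsplit keeps IPv6 colons intact
        yield fields[0], host.strip("[]"), int(port)


def triage(lsof_text, policy):
    """Apply the two questions in order: any network need? expected destination?"""
    verdicts = []
    for command, host, port in outbound_connections(lsof_text):
        rules = policy.get(command)
        if rules is None:
            verdict = "deny: no network need"
        elif any(ipaddress.ip_address(host) in ipaddress.ip_network(net) and port == p
                 for net, p in rules):
            verdict = "allow"
        else:
            verdict = "deny: unexpected destination"
        verdicts.append((command, host, port, verdict))
    return verdicts


if __name__ == "__main__":
    for row in triage(SAMPLE_LSOF, POLICY):
        print(*row)
```
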



## gbr56 (Mar 25, 2009)

Can anyone please guide me as to how I could block outgoing connections to apple if I hypothetically wanted to using little snitch 2.0.5?


----------



## ora (Mar 25, 2009)

You'd go into the Little Snitch rule manager and create a new rule for Deny connection using 'any application', under server you'd use hostname then enter apple.com in the box.

Alternatively when an app tries to phone home you get up a dialogue box that allows you to allow or deny that particular connection either once, till quit or forever. Basically after about 4 days of running LS you should have created all the rules you need.


----------

