Little Snitch - should I get it?

There are reports that any program that installs its own Kernel Extension can "Phone Home" unbeknownst to Little Snitch.
There's quite a lot of discussion about this in the Little Snitch forum. The developer has posted a reply here: http://forums.obdev.at/viewtopic.php?t=577&postdays=0&postorder=asc&start=15

I'm still not quite sure what to make of it, myself, but yes, kernel extensions can bypass Little Snitch.

Just a simple question (apologies if I seem dumb), but if Little Snitch detects an app phoning home, how can one know what info it is obtaining from your Mac to allow or disallow it?
Alas, you can't. Well, not easily anyway, and not with only Little Snitch. I generally just ask myself "why the heck should this app need an internet connection?" If there is no obvious answer I'm satisfied with (update checking does not satisfy me; I'll update my software when I'm good and ready, thanks), then I block it.

Little Snitch does tell you the server it's trying to connect to and the port, and in some cases that's all you need. For instance, I was a little nervous entering my Gmail password using third-party Gmail checkers like GmailStatus, but with Little Snitch I can verify that every network connection these apps make is to a trusted server, and I can allow connections ONLY to those servers.

If you want more details on what data is being sent, there are other tools such as tcpdump which will show you, but they only show you what's being sent AS it's being sent, not BEFORE. tcpdump is a command-line tool included with OS X. There are some easy-to-use interfaces for it, such as IPNetMonitorX, but I'm not aware of any that are free.
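
As an added illustration (not part of the original post): a small Python script that reads `tcpdump -nn` text output and lists the destinations this machine contacted that are not on an allowlist of trusted servers. The sample capture, the addresses and the allowlist are constructed, and the `en0` interface name in the comment is an assumption.

```python
import re
from collections import Counter

# To feed this real data you could save the output of, for example:
#   sudo tcpdump -nn -l -i en0 tcp     (en0 is an assumed interface name)
# Matches the address part of an IPv4 line printed by `tcpdump -nn`:
#   12:00:01.000001 IP 192.168.1.10.51234 > 203.0.113.5.443: Flags [S], ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def outbound_destinations(lines, local_ip):
    """Count (dst_ip, dst_port) pairs for packets sent by local_ip."""
    seen = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["src"] == local_ip:
            seen[(m["dst"], int(m["dport"]))] += 1
    return seen

def unexpected(seen, allowed):
    """Return destinations not on the allowlist, sorted for stable output."""
    return sorted(d for d in seen if d not in allowed)

# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = """\
12:00:01.000001 IP 192.168.1.10.51234 > 203.0.113.5.443: Flags [S], seq 1, win 65535, length 0
12:00:01.020000 IP 203.0.113.5.443 > 192.168.1.10.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:01.030000 IP 192.168.1.10.51234 > 203.0.113.5.443: Flags [P.], seq 2:200, ack 10, win 65535, length 198
12:00:05.000000 IP 192.168.1.10.51300 > 198.51.100.77.8080: Flags [S], seq 1, win 65535, length 0
12:00:06.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
""".splitlines()

# Hypothetical allowlist: the one server this app is expected to talk to.
ALLOWED = {("203.0.113.5", 443)}

if __name__ == "__main__":
    seen = outbound_destinations(SAMPLE, "192.168.1.10")
    for (ip, port), count in sorted(seen.items()):
        print(f"{ip}:{port}  packets={count}")
    print("not on allowlist:", unexpected(seen, ALLOWED))
```

Like tcpdump itself, this only reports connections after they have happened; it does not block anything.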
 
..........Alas, you can't......
Thanks Mikuro.

At risk of over-simplification here, I consider there to be three types of computer users:

1. The completely naive, e.g. my father (he has skills in other areas).

2. Those a little bit savvy on some aspects of computer use and security (e.g. me).

3. Those that know quite a lot (e.g. many on this forum).

My lack of wholehearted enthusiasm for Little Snitch (and other similar programmes) is that I really don't feel that I know enough to make it worthwhile using.

I am certain I am not alone.
 
You don't need to be an expert to make a useful decision.

If it doesn't seem reasonable that the app should be calling *anywhere*, disallow it. (Why should a screensaver call anybody?)

If it's not calling *somewhere* that seems reasonable, disallow it. (If your mail server is in USA and your new mail app wants to call Russia or Taiwan...)

At first, you can tell Snitch to disallow until the program quits. If the program won't then function, you can re-evaluate your decision (either allow it next time, or dump the program).
 
jursamj, I can see the logic in your argument.

However, are you saying that every time LS notifies you that an app is calling home that you then check the home destination each time?

Perhaps that is what people do. It's just that something tells me that it requires a really high level of paranoia to do that.

*Major caveat here: you know I am only playing the devil's advocate!*
 
No, 1st I check if it should be calling at all. That kills most of them. Only if I think it has any business on the net do I consider where it's going and the port. :)

I don't look at it as paranoia. Just self-preservation.
 
Can anyone please guide me as to how I could block outgoing connections to Apple if I hypothetically wanted to using Little Snitch 2.0.5?
 
You'd go into the Little Snitch rule manager and create a new rule for Deny connection using 'any application', under server you'd use hostname then enter apple.com in the box.

Alternatively, when an app tries to phone home you get up a dialogue box that allows you to allow or deny that particular connection either once, till quit or forever. Basically after about 4 days of running LS you should have created all the rules you need.
 