Little Snitch is one of the best pieces of software out there. It’s essential for every macOS user, works very well, and is a one-time payment. I truly hope it stays that way and doesn’t go down the same path as 1Password. I’m very grateful to the developers for creating such an excellent product. I wish more software were like this.
Is it? I'm interested in hearing why. I've been using macOS for ~15 years, so I'm very familiar with Little Snitch. I think I owned a version many years ago but haven't for a long time. I don't really see what I'd use it for. I don't run dodgy software, I don't want to partially break the software I do run by nitpicking what connections it can make as that wouldn't improve my experience and would most likely cause issues. I also mostly trust Apple's anti-malware efforts to protect me from other software I don't want to run, but if I didn't I'd run better anti-malware software before a firewall.
I caught a Python ML library phoning home to a Chinese server on a project that my company was building. My developer had no idea it was happening but I caught it on first run thanks to lil snitch. If deployed, this would've been a security escape that would need to be disclosed at a govt level.
Also, Apple. Their junk phones home just about everything you do. 50+ services constantly pinging Cupertino.
I owned several versions of Little Snitch too. It started to be annoying when you had to approve each request, especially when running command-line scripts. Then I moved to running in silent-approval mode. At that point, there was no reason to have LS any longer, so I uninstalled it. Haven't used it in years now. But not to discredit LS, it is amazing software when you need it.
LS is beyond annoying for the first couple of days on a new computer. "Do you want to connect to gmail.com on port 443? What about kagi.com on port 443? What about your employer on port 443? Mind if Weather.app checks the weather?" After a couple of days, I have blanket rules like "allow Safari to connect to any host :443, except for googleadservices.com because nah".
It quickly tapers down to alerting about rare new connections, which is when it becomes hugely useful. RandomTool.app normally connects to cloud.randomtool.xyz. Why is it suddenly asking to connect to exfiltrate.ru?
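As an added illustration of the workflow described above (this is example code, not Little Snitch's own rule engine): a small app-aware outbound-rule evaluator over constructed connection records. Once blanket per-app rules exist, only the unexpected destination (RandomTool to exfiltrate.ru) falls through to the "ask" case; app, host and rule names are assumed for the example.

```python
# Added example (not Little Snitch code): first-match, app-aware outbound rules.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple


@dataclass
class Rule:
    app: str            # process/app name the rule applies to, e.g. "Safari"
    host: str           # glob over the destination host, e.g. "*" or an exact name
    port: Optional[int] # None means any port
    action: str         # "allow" or "deny"


def matches(rule: Rule, app: str, host: str, port: int) -> bool:
    return rule.app == app and fnmatch(host, rule.host) and rule.port in (None, port)


def evaluate(rules: List[Rule], app: str, host: str, port: int) -> str:
    """First matching rule wins; no match means the user gets prompted ("ask")."""
    for rule in rules:
        if matches(rule, app, host, port):
            return rule.action
    return "ask"


# Blanket rules built after the first few days; the exception is listed first
# so it takes precedence over the wildcard allow for Safari on :443.
RULES = [
    Rule("Safari", "googleadservices.com", 443, "deny"),
    Rule("Safari", "*", 443, "allow"),
    Rule("RandomTool", "cloud.randomtool.xyz", 443, "allow"),
]

# Constructed sample connection log: (app, destination host, port).
EVENTS: List[Tuple[str, str, int]] = [
    ("Safari", "gmail.com", 443),
    ("Safari", "googleadservices.com", 443),
    ("RandomTool", "cloud.randomtool.xyz", 443),
    ("RandomTool", "exfiltrate.ru", 443),   # new destination: surfaces as "ask"
]


def triage(rules: List[Rule], events) -> List[Tuple[str, str, int, str]]:
    """Annotate each event with its verdict; only 'ask' entries need a human."""
    return [(app, host, port, evaluate(rules, app, host, port)) for app, host, port in events]


if __name__ == "__main__":
    for app, host, port, verdict in triage(RULES, EVENTS):
        print(f"{verdict:5} {app} -> {host}:{port}")
```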
> But not to discredit LS, it is amazing software when you need it.
Yes! I perhaps didn't make this as clear as I should have. Little Snitch is fantastic software, no question. I'm just not sure that most people need it, I think a custom local firewall was always a bit of a power user tool, and nowadays with security being so much better than 20+ years ago, firewalls on personal machines just feel like an outdated concept to me.
I have grown weary of Little Snitch annoying me all the time, but it was insightful about how much stuff Apple has me pinging by default: like yahoo.com for weather on boot, just to name one.
This kind of angered me, I don’t want Yahoo getting my IP anywhere I am in the world any time I turn on my computer. I think I found like 4-5 things that are baked into a clean Mac install these days that I took exception to and forbade.
Then Microsoft Office and Adobe are evil and constantly evading it and getting smacked down too.
Apple OSes maintain consistent connections to APNS (apple push notification service) using hardware-linked certificates, exposing your unique system and IP address (and thus city-level location) to Apple at all times.
What exactly does one learn from this normally? A leftover daemon is a bit of an edge case, and you could have learnt the same from looking at Activity Monitor, seeing a permissions pop-up, noticing higher energy use, etc, but learning that software connects to China seems... fine? Unless one wants to classify all connections to China as by-definition bad, which is discrimination that I don't want to engage in personally.
A bad actor can conceal whatever they want by renting a server anywhere they like. Meanwhile, there are many legit reasons why software might connect to China – maybe the company hosts services on Alibaba Cloud, maybe the software is from a Chinese producer and they chose local hosting.
> I don't want to partially break the software I do run by nitpicking what connections it can make as that wouldn't improve my experience and would most likely cause issues.
Partially breaking web pages by blocking all connections to ad servers does wonders for my experience.
I did exaggerate a bit. Many users don’t care about where their connections are going and many users have only a limited set of apps.
I would like to correct myself and say “essential for me”. So many times I caught software going to places where it should not go.
On top of that I often do local development without containers (guilty) and any random npm package can be compromised at any time.
If I had a penny for every time I've blocked a tracker and broken critical functionality in an app or on a website because of it, I'd be rich.
I'm sad that that's the case, but in almost all circumstances, the relatively minor tracking of my email signing up for a service going into some advertising ROI calculation is outweighed by the fact I get to use that service.
Well technically it's like a "subscription with indeterminate renewal cycle". Every few years they release a new major version and sometimes you have to pay to upgrade.
Of course you can choose to not upgrade... but then you don't get the new features, and it's unclear if the old version will support all newer macOS releases.
> Then every 3 years or so you spent $300 again to get the updated version. It was a much better system!
By your math it was. 10x12x3=360 > 300. Subscriptions cost more than buying the actual software. Why do you think most companies switched to a subscription model?
It was a better system, because if I didn't need the new features, I could keep using the version of Microsoft Word that I bought 15 years prior. That's why they stopped selling it that way.
Even if the price is the same, "old" distribution models have benefits. If you're satisfied with your current version and it still works, no need to continue paying. If you maintain older systems, your software still works without continuing to pay in perpetuity.
I much prefer buying software licenses outright than renting them forever.
Apples and ladybugs are both red but (I imagine) they taste quite different. Which one you should use probably depends on whether you’re baking a pie or dealing with pests in your garden.
Declaring them equal based on a single metric like color would be as silly as suggesting subscriptions and purchases are the same because their costs over an arbitrary period of time are roughly similar.
You’re not wrong, with a lot of Mac apps (this one included) you need the latest version to use it with the latest macOS release.
When there’s a new mandatory paid upgrade every couple years then it’s not far from a subscription service.
The situation seems worse on Mac where software has much shorter lifespans without new releases. On Windows I’m still using some engineering software I bought over a decade ago and it’s like nothing ever changed.
There have been roughly 18 major macOS releases since Little Snitch was released.
In that time, there have been 6 major versions of Little Snitch.
macOS has undergone pretty major architectural changes during that time, necessitating mandatory upgrades under some circumstances, but an OS update does not always force a LS upgrade.
> When there’s a new mandatory paid upgrade every couple years then it’s not far from a subscription service.
I disagree and don’t think people should mentally model subscriptions this way.
Subscriptions almost universally cost more on average than standalone purchases did, and there are still situations where it’s possible to remain on old versions in perpetuity, e.g. an old Mac that is kept around for a specific purpose but no longer receives major OS updates.
I think both models fall under a larger overarching umbrella of “software maintenance costs”, but those costs have always existed and standalone purchases vs. subscriptions are two fairly different ways of covering those costs.
Agree that this all feels worse on macOS due to the regular updates, but unlike Windows, I actually feel better over time about privacy/security and this naturally forces more app updates across the board. Microsoft’s commitment to backward compatibility is both convenient and increasingly a liability.
I own many more devices than just a Mac. I have an iPhone, Apple TV, Linux box, Windows PC, Nintendo Switch, Quest 2, Kindle. I'd prefer one piece of software that covers all of them over different software for each of them.
1. Sufficiently advanced routers that have such functionality are expensive and generally complex to manage
2. The reason tools like Little Snitch are valuable is they instantly indicate that a connection was attempted, indicate which binary/app attempted it, and allow you to decide whether or not to allow the connection in realtime
Being able to associate a specific action you’re taking (e.g. clicking a button in a specific app) with a specific network request isn’t really feasible when the device keeping track is not the device you’re currently using.
It’s significantly harder to retroactively analyze connections once you’ve completely lost the context of what initiated the connection.
The only way to make a centralized device achieve the same thing is to institute a default-deny policy, but carefully allowing only the connections you want becomes tedious and quickly leads to just giving up for practical reasons.
That probably depends on what you do with your computer.
If you regularly clone git repos and run code you didn’t write or run unsigned apps from untrusted developers, it’s probably a good idea to scrutinize the connections that code is making.
I think they’re referring to the forced changeover to cloud hosting and subscription services.
For years you could buy 1Password and then store your vault on your own syncing service like Dropbox. You owned the software and controlled your data. Then they switched to subscription-only and forced you to use their cloud. Really changed the nature of their software for many of us.
The UI is Electron, especially on Linux as it was the move to Electron that allowed them to do a Linux port. The data layer is all Rust and shared widely across their ecosystem as I understand it.
Honestly the whole UI thing was overblown. It's a great Electron app, and their macOS app was always a little iffy (old AppKit oddities). The port unlocked: Linux, a fully featured Windows client, noticeably faster improvements (Watchtower, family sharing, improved SSH and CLI support), and seems to have allowed for much better apps on iOS and Android, all at likely no user cost.
It’s an HN “read the room” submission. It’s contextually related to earlier discussion about Apple Photos phoning home without a direct reference to it.
I'm pretty sure the only reason it works on macOS at all is that it got in early. I believe Apple periodically tries to hobble it but there is pushback.
I feel like macOS has been going the direction of iOS, increasingly locking things down and pushing to a walled garden world. What’s the chance that the next major update or two make changes that prevent utilities from having the access they need to provide these power user capabilities?
There are actually two default firewalls. The firewall that's configurable in UI can only block inbound connections but not outbound connections. The other firewall (pf) doesn't have the concept of application so one cannot allow one app to access a remote IP but block another, and I also don't think it supports DNS.
As others have indicated, LuLu (like Little Snitch) notifies you when your machine is initiating an outbound connection and lets you grant or deny permission, and to set up a persistent rule for that app/connection.
It's by far the most common phrase I've heard used to wipe+reinstall a system in the past 20 years? 25 years? Not just the most popular colloquialism, the most popular phrase, period.
My experience is US/West Coast/Tech companies, for reference.
I’ve spent 20+ years in tech in roles ranging from IT to engineering at west coast and midwest companies and this thread is the first time I’ve heard “nuke and pave”.
At the places I’ve been, systems got “wiped” or “re-imaged” most commonly. I suspect this terminology is hyper local.
I've worked in tech in the Bay Area for 30 years, started in IT at UC Berkeley and then at Sendmail. Never heard this term before. We always "wiped and re-imaged".
Probably because it is a leftover from the 1990s/2000s when you had to completely reinstall your OS. That’s no longer necessary, as long as you’re not using Windows.
"Will Little Snitch be available for iOS, tvOS and watchOS?
Unfortunately Apple's regulations and submission guidelines do not allow applications like Little Snitch that operate on the system level on the iOS (iPhone, iPad, iPod touch), tvOS (Apple TV), or watchOS (Apple Watch) platforms."
It appears Apple's "regulations" prohibit owner control and increased transparency. No such thing as an option for "experts only" when it comes to Apple computer owners; one size fits all. Apple are the only experts and the only ones entitled to control and transparency, over and into _other people's_ computers. Remarkable.
I love this product! It is a must-have app on macOS!
pro: you can literally control all application network connections on your computer (sometimes it is funny to see completely offline apps that don't need to collect any data trying to sync a bunch of stuff).
cons: it can be annoying when you install new apps and run it with the most secure options.
LS is excellent but if I'm going to go to the trouble of building firewall rules I'd rather them be at the network level so all my devices can benefit.
What would be really cool is the LS UI but tied into something like pfsense for the actual filtering.
I’ve been using Little Snitch for ages. It’s been my go-to on all my new systems and they offer discounts on upgrades to new versions. Their support has been excellent the one time I needed it.
I have had it for years, and every once in a while, there's a red light flashing in my menubar, making me smile as one more tracker goes empty-handed today.
This kind of work, collecting meta-data, mediating queries, altering a relational database processing language, on a DNS server through a Matching Code ID on Little Snitch is freakishly effective at times.
Did you happen to stop at the gas station that same day? What does “that very transaction caused a fraud alert” mean? It’s not unusual for multiple transactions to be marked as fraud, even legitimate ones, when a credit card is stolen.
No, literally didn't use that card anywhere else. Without doubt I can attribute the fraud activity to the LittleSnitch purchase attempt. It was the second I clicked "pay" for LittleSnitch that I got an automated fraud warning from my bank - which was odd because I really did make that purchase. As a result I approved it... and yet that is what then allowed folks to create a fake physical copy of my card somehow for in-store purchases - and those were at the opposite end of the country. Not likely someone would have even been able to fly or drive from my physical location to where these purchases were made.
Nothing against LittleSnitch - I used it after all. But this was my experience buying it, especially as a poor recent college graduate at the time.