Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
rvz 7 hours ago

Also from [0].

> You can find Little Snitch for Linux here. It is free, and it will stay that way.

Don't worry, the authors know that there's no point in charging Linux users. Unlike Mac users.

So you might as well make it $0 and the (Linux) crowd goes wild that they don't need to pay a cent.

However...

> I researched a bit, found OpenSnitch, several command line tools, and various security systems built for servers. None of these gave me what I wanted: see which process is making which connections, and in the best case deny with a single click.

OpenSnitch is open source. You don't need to trust it as you can see the code yourself. Little Snitch on the other hand, is completely closed source.

Do you still trust them not to do self-reporting or phoning home, even though it is $0 and closed source?

[0] https://obdev.at/blog/little-snitch-for-linux/

papascrubs 7 hours ago | parent | next [-]

Two of the three components of LittleSnitch for Linux are open source. The eBPF (kernel portion) and UI are fully open source.

lapcat 7 hours ago | parent | prev [-]

> Do you still trust them not to do self-reporting or phoning home, even though it is $0 and closed source?

If you trust Little Snitch on Mac, then yes.

They've been in business for over 20 years. They're not going to blow their entire business and reputation for a few Linux users.

emmelaich 7 hours ago | parent [-]

Yep, I trust the obdev.at / Snitch guys.

I do wonder however, are they sufficiently careful about their processes and own machines to avoid a supply chain attack completely.

They must be a target for the various hacking groups out there.

lapcat 7 hours ago | parent [-]

This comment seems a bit confused.

A supply chain attack doesn't directly attack an end developer but rather a supplier of the developer. So who or what is the supplier in this case?

emmelaich 6 hours ago | parent | next [-]

They don't build their own machines or write their compilers or write their own crpyto code or ... so many other things.

lapcat 6 hours ago | parent [-]

> They don't build their own machines or write their compilers or write their own crpyto code or ... so many other things.

An attack on any of these things has nothing specifically to do with the developers of Little Snitch and would have vastly more widespread and important effects.

Why would you even be talking about Little Snitch if a compiler were compromised?!? Your paranoia here is bizarrely narrow. Little Snitch would be the least of our problems in that case.

emmelaich 4 hours ago | parent [-]

Their copy of the compiler. Just an example. ¯\_(ツ)_/¯

LamaOfRuin 6 hours ago | parent | prev | next [-]

That seems... not correct?

The comment was asking about preventing a compromised supplier for the developers.

A supply chain attack can be anywhere in the supply chain to the target. If I, the end user, am the target, then a supply chain attack compromising the developer of LittleSnitch is effective.

I may then be a conduit to compromising other software or components, and would both I and LittleSnitch would be part of the supply chain that could be attacked targeting them.

lapcat 5 hours ago | parent [-]

> If I, the end user, am the target

You're not a target, anonymous rando.

microtonal 2 hours ago | parent [-]

Many supply chain attacks aim to run malware on the end-users machine to harvest authentication tokens, etc. So pretty much everyone here who is a developer is the target.

hsbauauvhabzb 7 hours ago | parent | prev [-]

This seems pedantic and I think you know what they’re questioning and why.

BoredPositron 6 hours ago | parent | next [-]

If they trust the devs why would they not trust them to not yolo deploy new versions?

dylan604 6 hours ago | parent | next [-]

because a company worthy of trust doesn't yolo their versions. a company that does yolo versions is not trustworthy.

hsbauauvhabzb 6 hours ago | parent | prev [-]

Because it might not be the developers doing the deploying, but a malicious actor?

lapcat 6 hours ago | parent | prev [-]

> I think you know what they’re questioning and why.

No, not really. And I disagree with the premise, "They must be a target for the various hacking groups out there."

How would you even hack them? I'm a developer too; how would you hack me?

heartbreak 6 hours ago | parent | next [-]

Options range from carefully targeted phishing or social engineering attacks to poor opsec and a five dollar wrench.

lapcat 6 hours ago | parent [-]

> a five dollar wrench.

I'm not even going to respond to this ridiculousness.

I still don't know why anyone thinks that, among all developers in the world, a little indie Mac developer is getting targeted specifically.

emmelaich 4 hours ago | parent [-]

Some targets are more valuable than others. A firewall product has obvious security value. The fact that it requires high privilege is another reason.

I have the same thoughts about other Mac apps. e.g. iTerm2 - cause they "see" so much sensitive data.

emmelaich 6 hours ago | parent | prev [-]

?! The same way every other developer that has been hacked. You surely cannot be suggesting you're un-hackable. That seems ludicrously hubristic.

lapcat 6 hours ago | parent [-]

> The same way every other developer that has been hacked.

There's not one single way, so, no, you're just hand-waving here.

emmelaich 4 hours ago | parent [-]

Just saying developers have been hacked. Underrated existence proof.