←back to thread

Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur

(twitter.com)
1183 points robenkleene | 1 comments | 20 Oct 20 15:51 UTC | HN request time: 0s | source
Show context
3pt14159 ◴[20 Oct 20 16:03 UTC] No.24838967[source]
This is one of those tough cases where software cuts both ways.

Some people are smart, informed developers that install a trusted tool to monitor their traffic and have legitimate reasons to want to inspect Apple traffic. They're dismayed.

Most people are the opposite and this move protects the most sensitive data from being easily scooped up or muddled in easily installed apps, or at least easily installed apps that don't use zero days.

Is the world better or worse due to this change? I'd say a touch better, but I don't like the fact that this change was needed in the first place. I trust Apple, but I don't like trusting trust.

replies(19): >>24838993 #>>24839043 #>>24839086 #>>24839126 #>>24839194 #>>24839419 #>>24840315 #>>24841406 #>>24841984 #>>24842961 #>>24843115 #>>24843241 #>>24844017 #>>24844287 #>>24844319 #>>24844636 #>>24845405 #>>24845660 #>>24845932 #
Wowfunhappy ◴[20 Oct 20 16:05 UTC] No.24838993[source]
If I install Little Snitch, it's because I trust Little Snitch to be responsible for my computer's network traffic, over and above anyone else.

I recognize that this won't necessarily apply to all users or all apps, but there needs to be a way for the user to designate trust. Apple services and traffic should not get special treatment.

replies(3): >>24839030 #>>24839084 #>>24842512 #
threatofrain ◴[20 Oct 20 16:12 UTC] No.24839084[source]
If you don’t trust Apple then you need something more than little snitch. Apple is responsible for both hardware and OS. What delta in security or trust is little snitch going to offer over Apple?
replies(2): >>24839186 #>>24842154 #
addicted ◴[20 Oct 20 16:20 UTC] No.24839186[source]
In this situation the question isn’t about whether or not Apple can be trusted.

Apple has clearly betrayed users’ trust in this situation.

People don’t install Little Snitch only to prevent nefarious third party activity. Some may want to know what traffic is going to and from their computers. Other may want to block all traffic for testing and/or research purposes.

I can trust that Apple is not doing something nefarious and still see that Apple is blatantly betraying the fact that people trusted when switching stuff like firewalls away from kext that it wouldn’t build backdoors for itself.

Also, any backdoors Apple builds for its own apps and services are simply an additional attack vector that could potentially be used by non Apple malicious actors.

replies(2): >>24839406 #>>24839483 #
threatofrain ◴[20 Oct 20 16:35 UTC] No.24839406{3}[source]
> any backdoors Apple builds for its own apps

Apple hasn't weakened the security of their devices to provide a secret way in, in fact, they made their systems even more robust.

The question absolutely is whether Apple can be trusted. Little Snitch works for other apps, just not Apple's apps. The remaining slice of the pie you're arguing for is whether or not we can trust Apple.

So what delta in security and trust over Apple are we getting by asking for this change, and how much insecurity and brittleness are we inviting to all other users with our ineffective software based firewall?

replies(3): >>24839460 #>>24839619 #>>24842479 #
1. _qulr ◴[20 Oct 20 16:51 UTC] No.24839619{4}[source]
> The question absolutely is whether Apple can be trusted.

This is a false dichotomy. I choose to use a Mac, but I also choose not to let my Mac phone home to Cupertino unless I allow it. Why can't I have that choice? Why does it have to be all or nothing? I'm only interested in the Mac, I have zero interest in Apple "services". It's a fine computing device, but I see no reason why the device has to continue to talk to Apple after I purchase it, except to download software updates — which I manually trigger.

It's not about trust, it's about choice.

EDIT: Now if Apple provided a way to easily disable all of those "services" that phone home, there would be a lot fewer complaints about this issue. But they don't.