1183 points robenkleene | 4 comments
3pt14159 No.24838967
This is one of those tough cases where software cuts both ways.

Some people are smart, informed developers that install a trusted tool to monitor their traffic and have legitimate reasons to want to inspect Apple traffic. They're dismayed.

Most people are the opposite and this move protects the most sensitive data from being easily scooped up or muddled in easily installed apps, or at least easily installed apps that don't use zero days.

Is the world better or worse due to this change? I'd say a touch better, but I don't like the fact that this change was needed in the first place. I trust Apple, but I don't like trusting trust.

ballenf No.24839086
I'd argue this opens up a giant attack surface where malicious software will try to route its command and control communication through a protected service. Do we really want to trust that Apple will keep all 50+ of these privileged services fully protected?

I think it makes the "world" slightly worse in that it will be harder to discover malware. Little Snitch has a small user base, but it's been used to identify many forms of malware and protect many more people once the threat is identified.

comboy No.24841973
The decision is questionable, but you can always inspect traffic from the machine outside it; I would even say that's preferable in the context of malware.
1. gowld No.24842095
Can you recommend a portable wifi firewall? Based on Raspberry Pi, perhaps?
2. yayr No.24842279
Saw the GL.iNet GL-MT300N-V2 recently - have not bought it yet, maybe it's time if it's good
3. rhizome No.24843036
Ah, nice. I've been looking for something with which I can sniff my phone's activity, and that provides all of the keywords. And $20 ain't bad neither.
4. jasonjayr No.24844282
Someone else here recommended those, and now I have 11 for myself + my staff. They are great 2-port devices, with free GPIO pins too! Can do on-device VPN (OpenVPN, WireGuard + Tor) with a policy that kills internet access unless it's through the VPN.