Little Snitch, ZoneAlarm, Outbound Firewalls, Blech!

Editorial

On last week's Mac Geek Gab Podcast episode 208, I got into a frothy rant about Little Snitch and other applications like it. My podcasting compatriot, John F. Braun, disagreed with me "on air," and John Martellaro, esteemed writer on the TMO staff, wrote an editorial doing the same.

There are a few things to set straight because, clearly, they've both been misled.

For the record, I do not mean to single out Little Snitch here, though clearly he's the fall guy in all of this (and I'm sure the kind folks at Objective Development have some unkind opinions of my words!). My concern extends beyond that one app and out to the whole class of "outbound firewall" applications and system monitors that go out of their way to tell users exactly what's going on with the traffic leaving their computers. In addition to Little Snitch, these tools include components of ZoneAlarm, Norton Internet Security, and NetBarrier. My full and complete loathing of these tools comes from the fact that they are marketed to everyone despite the fact that they're really only valuable to a small subset of the computing world. Moreover, they're quite dangerous to everyone else.

What do they do?

In a nutshell, an "outbound firewall" monitors all the traffic and requests leaving your computer, allowing you to ensure that nothing malicious is happening and that no sensitive data is being sent without your approval. On the surface this sounds like a very good thing. The marketing departments at these various companies know this and capitalize on it with phrases like, "keeps your online identity safe," "protect your privacy," and "extreme security." These all sound like things I want to do, and likely so do you.

Complacency Training

The problem with these apps comes in the implementation. None of these programs truly knows what YOU define as private, sensitive, or safe. To be fair, they all in some way try to be a little intelligent about it, but they have to err on the side of caution. After all, if the application developer decides that revealing your data to Apple's servers is OK but you do not, then the application fails. So these apps have to be written to be over-protective, by default, and that's the problem.

Most casual users will buy into the marketing message, install one of these apps, and then be treated to an onslaught of notifications. For testing purposes, I installed Little Snitch this morning after which I had to reboot. When my machine came back up I was presented with twenty-two (yes, 22!) individual confirmation dialogs, most of which were quite cryptic. After about 4 of these I was ready to call it quits but I hung in there just for you. After 15, my mousing hand and fingers were trained to click "Any Connection" and "Forever" just to get the things out of my way. Very quickly, the shift was made. Instead of me training Little Snitch, it was training me... to ignore it. That's right, before I even launched my first app I learned how to get Little Snitch out of my way quickly so I could get to work.

Little Snitch Warning

The Gear's Up, and Your Coffee Is Getting Cold

In his retort, John Martellaro likened Little Snitch's alerts to the "gear still up" warning light in an aircraft. He posited that no pilot would opt to disable that warning light even if he or she never accidentally set a plane down on its belly. I agree wholeheartedly with John's presumption of every pilot's wishes in this regard. But there's a flaw with John's example that I'd like to fix. Instead of the "gear still up" light coming on just when the plane slows down and, you know, the gear's still up, let's turn it on any time the plane slows down, regardless of whether or not the gear is up. Let's also turn it on if the pilot's seatbelt isn't fastened. Oh and how about when it gets a little chilly in the back for the passengers? That sounds like a good thing for the pilot to know, as well. I also think it's important the pilot's aware if there are other planes within several miles. Let's go ahead and use the same light for that. Now we're getting closer to the behavior of Little Snitch and other outbound firewall apps. That *single* light will now come on for important and trivial purposes. If I were the pilot, I'd take the pen out of my logbook and bash the light until it went dark forever. At the very least, I would learn to ignore it.

Experience Dictates Opinion

It's my years as a computer consultant that make me very wary of apps like this. If my interaction with outbound firewalls were limited to just me using my computer, I wouldn't have as much of an issue here. I understand what each and every one of these warnings means and, for the most part, I fully grok the subtle nuances of allowing or denying each type of traffic. But casual users, almost by definition, do not. I can't tell you how many times I was called (and how many hours I billed!) because someone was having a problem with their computer that they had caused (or allowed) due to one of these outbound firewalls. Either the user was lulled into a false sense of security just because it was installed (despite the fact that they "allowed" every bit of traffic to pass) or they had erred on the side of caution and, like the listener to our podcast that prompted all of this, unknowingly denied some activity that they actually wanted to allow, in turn causing their computer to malfunction.

If You Use It, You're On Your Own

There are definitely good reasons to use a piece of software like Little Snitch and its ilk. If you fully understand (or are willing to research to gain the understanding of) what the app is telling you and what the consequences for your choices are, Little Snitch can be an extremely valuable tool in protecting your privacy and computer security. John Martellaro and John F. Braun certainly fall into this category of user and, for them, I think Little Snitch is a good tool to use. But they're also the type of people who would rarely, if ever, solicit help for solving a problem on their computers. They are both pro-quality troubleshooters who, in almost all cases, easily have the understanding required to solve their own problems.

But if you're someone who would regularly call a consultant or knowledgeable friend for help, please do yourself and whomever you're going to call a favor and never install an application like this. It will waste your time and annoy the consultant.

24 Comments

John Martellaro

And there you have it, readers.  Both sides of the story. As Mr. Hamilton pointed out, there are different personalities and different levels of expertise that come into play. The only right answer is the one that’s right for you.

-JM

Lemon

I think, bearing in mind that I’m sure I’ve heard you advocate software such as MenuMeters, another monitoring application that displays information the computer layman probably doesn’t understand or need to know about, you’re being a bit over the top here.

Fair enough, you don’t like LittleSnitch, but you don’t deny there is a need for software like this, just like there is a need for computer users to be a bit more savvy about what is going on inside and outside their machines to prevent the infection by and spread of malicious programs.  I am a fairly advanced Mac user and it was LittleSnitch that saved me when I noticed that someone had tapped into my sshd server without me knowing about it and was dragging stuff off my machine (I’d enabled the server and forgotten to protect it).  Without LS I would have been seriously compromised.  If people took the time to learn just what being on a network is all about, software - when it is done well like LittleSnitch - is an essential app.

mjkphoto

I bought Little Snitch as part of a bundle. Installed it. And immediately uninstalled it. In the right hands, it’s probably a great app. Not for me, however. Much too complicated for my mind to wrap around.

John Lockwood

Dave, you are totally right.

Little Snitch - et al, do serve a purpose but the way they are implemented does brainwash users (even highly experienced techies) to keep pressing accept.

I would go further and say that the way Microsoft have implemented “User Account Controls” has exactly the same sort of problems, UAC is so badly implemented - even in Windows 7, that users are ‘trained’ to either keep saying yes, or turn it off (or down) as much as possible.

As Apple with their equivalent of UAC have in my opinion got it just about right, I believe it is possible to solve.

With regards to Little Snitch, Zone Alarm, etc. they have not, and unless I was looking for a specific already known type of activity to specifically block, I would also regard them as more of a hindrance than a benefit.

XSemper Idem5

Good rant on episode 208 Dave. I was laughing as you were describing the compulsive “Allow” clickers. I’ve had similar experiences. People ask for help but when you get there they click on everything without giving you a chance to even read it and then they wonder why they are in the situation they’re in. Is this something Windows has trained people to do? (I’ve even had people come to me in a panic because all of their files are gone from their USB flash drive. Seems they got a message asking them to format and they clicked the little “ok” without even thinking about it or knowing what it would do.) I decided to try out Little Snitch and yes, I was immediately bombarded with a screen quickly filling with notifications asking me what I wanted to do. I’m not claiming to be an expert but I’m also not a newbie. If you don’t truly know what you’re reading, then I would agree that you shouldn’t be messing with such Apps. But if you want to learn and have much free time then research all those notifications to learn what they truly mean. (And I mean much time). It can be a good learning experience if you don’t start randomly clicking just to get rid of pop-ups. Little Snitch is now gone from my comp. I will just clarify that I am not against all Apps that may fall into this category or similar categories. A comment by “Lemon” brings up MenuMeters, which I use and do find useful. It all comes down to use it if you truly know what you’re doing.

geoduck

With all respects to JM I have to agree. While these monitoring and firewall tools are fine for those of us who know what the alerts are and how to respond they are just annoying FOR THE AVERAGE USER.

To further beat the aviation analogy, I’d compare it to turning the gear up light on for a lot of things and putting one in front of every passenger. They don’t know what it means and can’t really do anything about it anyway. I know it sounds dismissive but I’ve found that on the whole your average user doesn’t want to know what’s going on behind the scenes. They want to turn it on and type. A pop-up box saying something is an annoyance and they quickly learn that they make it go away by clicking Yes. After a short time the system is trained to allow just about everything through anyway.

cb

This is getting almost as good as a Pillow Fight on Facebook :D

Bregalad

I bought Little Snitch as part of a bundle. I went through the sea of popups, Googling some of the more cryptic ones to find out if they were legitimate Unix processes or a trojan horse I’d inadvertently downloaded. It was a long process and even a few days later I was still seeing new popups as things like Software Update and the built-in version checking in my apps did their thing. I expected that Little Snitch would need to be trained so I didn’t get frustrated. In fact it was a great learning experience finding out what my Mac was doing behind my back.

All was not peaches and cream, however. The morning after the install my wife called me at work to yell at me. Little Snitch rules are user specific so all the configuring I’d done for myself needed to be done in her account too. I tried to calm her down by saying it was security software and that I’d get everything sorted out when I got home.

That evening we logged into her account and she did her normal tasks while I sat there to say “yes” or “no” to the firewall. Now if she encounters an outbound firewall warning it’ll be a legitimate cause for concern.

We’d have a lot fewer trojan horse attacks and a lot less spam if people were just a tiny bit smarter about how they use their computer. Going through the process of configuring an outbound firewall is a crash course in sensible computing everyone should take.

I have a much better aviation analogy for you. On the internet we don’t have pilots and passengers. Each “passenger” has their own plane and there is no process in place to see if they know how to fly one.

Chris

I completely agree with Bregalad.  Little Snitch (and other outbound firewalls) is only frustrating for the few days while it’s learning and establishing rules.  Once it knows your system and software it’s pretty smooth sailing.  So you happen to see a program trying to connect that you’ve never heard, well a quick search of Google will tell you exactly why SystemUIServer wants to connect to UDP port 192 for example.  And _that_ knowledge is beneficial.  And after all if you didn’t have Little Snitch installed it would connect anyway.

geoduck

“The morning after the install my wife called me at work to yell at me.”

Oh man. I’ve been there…

Jeff

I have to say, I am stunned at the amazingly dimwitted opinions being expressed here.

“I hate outgoing firewalls because they show me that my computer is connecting out to the internet far more than I thought it did”

<sarcasm>
Yeah, the problem is clearly in the firewall software.
</sarcasm>

Anyone who is “quickly bombarded” by messages from LittleSnitch must be using BitTorrent or something similar - there is no way a base-line OSX install needs to talk to the outside world as much as people are complaining about here.

If you have a program that you don’t care about, it’s one click to let it do anything forever. And if you can’t identify what a particular program is, don’t you think that perhaps you should search a little harder?

Bregalad

I don’t think anyone here is running an abnormally large number of strange things. Who doesn’t have “set date & time automatically” and Software Update turned on? Most apps these days do automatic version checking at start up and need to be given permission.

Here at work I have 88 user defined rules set up in Little Snitch. They range from obvious things like letting FireFox and iTunes connect on port 80 to the truly cryptic like allowing aosnotifyd and oscpd to make TCP connections. The latter two, and a bunch of others, are needed if you want MobileMe to work.

I am dismayed at the number of people who casually dismiss dialogs without understanding or even reading them. It’s no wonder 98% of email is spam and phishing schemes are everywhere.

Dave Hamilton

Anyone who is “quickly bombarded” by messages from LittleSnitch must be using BitTorrent or something similar - there is no way a base-line OSX install needs to talk to the outside world as much as people are complaining about here.

Indeed, you’d be surprised at what a “normal” setup of Mac OS X entails.  Some of it (NTP, etc.) is pre-programmed to be “accepted” by Little Snitch, but quite a few other built-in services aren’t.  The 22 notifications I received were from:

SystemUIServer
aosnotify
dotmacsync
DropBox
WeatherCal
PTHPasteboard
Skitch
Growl

That’s only 8 separate apps/services (none of which are filesharing/torrent apps), which means many of these triggered multiple permission requests (the most were from the Mac OS X built-in stuff, believe it or not).  It seems you’re interested in knowing what this is really like.  If so, you’d be well-served to download and install the free Little Snitch demo. You may very well find you like it and, if so, that’s fantastic.

CookieMonster2009

Dear Dave, et al.

I’m a first time writer.

I was mad as heck tonight reading your LittleSnitch opinion, but then some reason came back into the discussion when I started reading all the retorts. I am satisfied that there are a lot of wise Mac people here, and just had to write to add my 2¢ worth on this specific subject, LittleSnitch.

I have been using it since it hit the street, and I, too, feel that it has saved my bacon more than once. I think it’s the greatest thing since sliced toast and just an extra security tool we don’t (Presently) have in X. And yes, it took a day and a half to mainly educate it a long time ago, but I sure did appreciate it again when it asked me just this morning about one I denied without enough identifying information, and there is never any consequence. This only happens rarely, but it has and regularly does happen.

I am a retired old Mac programmer back in the Motorola days, but still feel like a Newby in X at times. LittleSnitch adds a new comfortable security level for me that doesn’t come with my Mac.

I have learned, on a few occasions, 207 accumulated Rules to be exact, that are necessary for me, and they are each bona fide outfits I need to have my computer automatically communicate when they are launched and running.

Of those 207 times over the years there have been maybe 5-6, I’ve had to use WhoIs to be satisfied that I should or shouldn’t allow it. It’s not difficult, and you might be surprised how many things are routinely talking to your computer without your knowledge and certainly not your approval.

It hasn’t happened, legitimately but maybe 15-20 times since original installation that LittleSnitch has interceded demanding external communications, but in each occurrence it was about to gain what they wanted when LittleSnitch intervened. Call me a Newby or naive, but I want to know and approve of all transmissions from my machine. I can’t imagine you wanting anything less.

I think that the main point not discussed here is LittleSnitch’s capabilities of an extra level of security. It’s just one tool, but it provides an improvement during an ever menacing Internet experience. I have run into some sites that refused to stop “checking my security” that I finally had to force quit my browser.

I believe every user would profit from using a program like LittleSnitch, and the smart ones will. There are bad guys out there.

Thanks for listening to my rant.

Zarko

Not to be the annoying “I’m a mac user and I’m immune to bugs” person, but to my knowledge nobody’s actually made a botnet of macs—convincing the entire mac community to embrace these programs is not going to stop spam e-mail.
I can respect that different people have different expectations or demands for internet privacy, but in general, I am convinced that keeping my personal data encrypted is a sufficient protection from malicious outbound traffic, and I have no problem with software developers retrieving metrics or google storing my search history.

DaMoose

Dave,

I couldn’t agree with you more. I downloaded Little Snitch and immediately got hit with dozens of messages “Do you want ....?”  Of course I clicked Forever but some of these I had no idea what they meant. So, one time I said something like do not send. What I didn’t know was that was an email I was sending. Of course it didn’t reach its destination so I had to search for what happened. Finally found Little Snitch was the problem and deleted it. My problem was LS kept interrupting my work flow.

It would seem to me that the developers could come up with a way to allow the user to define what was good outgoing material and what was “evil” outgoing material.

Dan Robinson

Is everyone deliberately avoiding the issue of Little Snitch being used to stop pirated software from phoning home?

I can see no other reason for the average user to need outbound firewall applications.

Lancashire-Witch

It seems to me that this discussion has all the symptoms of the “Are You Sure?” syndrome. This syndrome has been around since the 1970s when the IT professionals designed the first on-line mainframe applications and, for the first time, “end-users” had a direct, instant connection with the application. In those days the likes of Tom Gilb and Edsger Dijkstra had a lot to say about system design. In particular, not confusing technical attributes with function; and the folly of presenting the user with choices that were either unnecessary or choices which couldn’t be made because the user did not have the requisite skill and knowledge.
Today this means that if you find the functions of Little Snitch useful and you have the skill and knowledge to use it and make the decisions it demands - then use it.
If not - Don’t!
And that’s no different to any other app.

The particular problem here is that some experts seem to be suggesting that even Casual Users (by Dave’s Definition) should have a) a need for outbound firewalls and b) the skill and knowledge to use them effectively. If that’s true then millions of Mac Casual Users should be worried ..... and Apple (not its customers) should do something about it.

James

I use Little Snitch and I do find it incredibly useful. Once it’s been trained and you’ve added your own rules to it, it isn’t intrusive in the slightest, really. I would agree though that it’s definitely more of an Admin tool, and the average user probably wouldn’t benefit much from it, but I think most people would be astonished how frequently their information is going out, even just to Apple from within the OS itself. If you know what you’re doing this is a handy little tool.

partner

The problem is not with the outbound firewalls, but with the intrusive, privacy-violating developers who write apps that phone home (and who knows where else), sending and receiving unknown information, without your knowledge or permission.

partner

And have I mentioned that I never want an application to automatically “update” itself to a new version that I have to buy a new license for?

Hooray! A New Version of CrappWare is available! Would you like to use it?
<YES! Bring me into the brave new world of CrappWare 2.0>
<no! I want to keep using the buggy, dangerous, obsolete CrappWare 1.0>

(Note: Installing CrappWare 2.0 will remove and/or disable your perfectly functional CrappWare 1.0 installation and will require an additional payment of $20 to keep working after the end of our extremely generous 30-day trial period.)

Daze001

Here’s the obvious - computers are complicated and computer security requires a good understanding of a lot of technical concepts from networking to programming but you don’t have to be a master.  The average user can go a long way toward protecting their assets by taking the time to research what applications like LS are telling them.  There is really no way around it.  Essentially it boils down to three options 1) spend the time doing your own homework and learn something valuable that will help your understanding for the long haul, 2) ask someone who knows, 3) forfeit the idea of security because it’s too complicated and there are no “just add water” products out there that work by way of magic.

With so much information posted to the Inet it seems highly unlikely that you couldn’t cp/paste key words from LS warnings to your favorite search engine and get some very solid online advice from reputable technical sources.  I don’t know of any security application that doesn’t require some initial up front tuning, whether it’s IDS, FW, etc.  It’s just the sad reality of a hostile Internet that, to achieve a reasonable level of security, the bar for the requisite level of understanding in the area of computer security for the average user has been elevated and is unlikely to come back down.  Programmers are not magicians and the sometime verbosity of security applications is actually their gift to us so that we can be well informed.  Whether we choose to take the time to make intelligent, informed decisions on what they’re telling us or just turn off the apps and stick our heads in the netsand is entirely up to us.

jkxo

Although I am new to this forum,
Macs have been my main personal computer since 1990.
I also have over 10 years as a Unix developer and
maintainer.

I’m paranoid and snoopy, so I like Little Snitch.  Still, I can see both sides of the subject.  I removed Zone Alarm from my kid’s PCs because it was just too annoying.  Instead, I use a current /etc/hosts file from the Microsoft MVP guys (google ‘unwanted parasites’) and AVG.  I use a hosts file on my Macs, PCs and linux boxes. It just flat denies access for most annoyances.  On macs, I also use clamXav to avoid infecting PCs.  In Firefox I use NoScript and FlagFox to perform LS-type blocks of Java and JavaScript.

Note: early Mac ‘classic’ macs became infected in the public schools that caused many schools to switch to PCs.  Now the PCs used in schools have protected networks that prevent any creative searches of the internet.  Apple could have been more proactive there.

So while I use LS, it does have some significant shortcomings.  Some go with the territory but others could be helped by being able to save and see the text of the data being transmitted.  I have purged my LS user settings more than once in order to determine the cause of a slowdown.  Occasionally I get impatient enough to suspend both LS and Noscript.

All in all, I’m thankful for the freedom to choose from a wide variety of software concepts.

BTW: general purpose computers are abstract machines inherently capable of any information assault imaginable.
The best defense against this is to allow only safe inputs and outputs. Little Snitch is just one tool that helps us to put such limits in place.

jkxo

[Sorry about the grammatical typos above. I need to stop editing my stuff as I write it.]

I also use the blocking capability on my cable router to block (repetitive requests from known Chinese) malware IP addresses allowed by Comcast. It doesn’t improve my internet speed much but it does help the Mac hardware.
