Little Snitch is one of the best pieces of software out there. It’s essential for every macOS user, works very well, and is a one-time payment. I truly hope it stays that way and doesn’t go down the same path as 1Password. I’m very grateful to the developers for creating such an excellent product. I wish more software were like this.
Is it? I'm interested in hearing why. I've been using macOS for ~15 years, so I'm very familiar with Little Snitch. I think I owned a version many years ago but haven't for a long time. I don't really see what I'd use it for. I don't run dodgy software, and I don't want to partially break the software I do run by nitpicking what connections it can make, as that wouldn't improve my experience and would most likely cause issues. I also mostly trust Apple's anti-malware efforts to protect me from other software I don't want to run, but if I didn't, I'd run better anti-malware software before a firewall.
I caught a Python ML library phoning home to a Chinese server on a project that my company was building. My developer had no idea it was happening, but I caught it on first run thanks to lil snitch. If deployed, this would've been a security escape that would need to be disclosed at a govt level.
Also, Apple. Their junk phones home just about everything you do. 50+ services constantly pinging Cupertino.
I owned several versions of Little Snitch too. It started to be annoying when you had to approve each request, especially when running command-line scripts. Then I moved to running in silent-approval mode. At that point, there was no reason to have LS any longer, so I uninstalled it. Haven't used it in years now. But not to discredit LS, it is amazing software when you need it.
LS is beyond annoying for the first couple of days on a new computer. "Do you want to connect to gmail.com on port 443? What about kagi.com on port 443? What about your employer on port 443? Mind if Weather.app checks the weather?" After a couple of days, I have blanket rules like "allow Safari to connect to any host :443, except for googleadservices.com because nah".
It quickly tapers down to alerting about rare new connections, which is when it becomes hugely useful. RandomTool.app normally connects to cloud.randomtool.xyz. Why is it suddenly asking to connect to exfiltrate.ru?
> But not to discredit LS, it is amazing software when you need it.
Yes! I perhaps didn't make this as clear as I should have. Little Snitch is fantastic software, no question. I'm just not sure that most people need it. I think a custom local firewall was always a bit of a power-user tool, and nowadays, with security being so much better than 20+ years ago, firewalls on personal machines just feel like an outdated concept to me.
I have grown weary of Little Snitch annoying me all the time, but it was insightful about how much stuff Apple has me pinging by default: like yahoo.com for weather on boot, just to name one.
This kind of angered me. I don’t want Yahoo getting my IP anywhere I am in the world any time I turn on my computer. I think I found like 4-5 things that are baked into a clean Mac install these days that I took exception to and forbade.
Then Microsoft Office and Adobe are evil and constantly evading it and getting smacked down too.
Apple OSes maintain consistent connections to APNS (apple push notification service) using hardware-linked certificates, exposing your unique system and IP address (and thus city-level location) to Apple at all times.
What exactly does one learn from this normally? A leftover daemon is a bit of an edge case, and you could have learnt the same from looking at Activity Monitor, seeing a permissions pop-up, noticing higher energy use, etc, but learning that software connects to China seems... fine? Unless one wants to classify all connections to China as by-definition bad, which is discrimination that I don't want to engage in personally.
A bad actor can conceal whatever they want by renting a server anywhere they like. Meanwhile, there are many legit reasons why software might connect to China – maybe the company hosts services on Alibaba Cloud, maybe the software is from a Chinese producer and they chose local hosting.
> I don't want to partially break the software I do run by nit picking what connections it can make as that wouldn't improve my experience and would most likely cause issues.
Partially breaking web pages by blocking all connections to ad servers does wonders for my experience.
I did exaggerate a bit. Many users don’t care about where their connections are going, and many users have only a limited set of apps.
I would like to correct myself and say “essential for me”. So many times I have caught software going to places where it should not go.
On top of that I often do local development without containers (guilty) and any random npm package can be compromised any time.
If I had a penny for every time I've blocked a tracker and broken critical functionality in an app or on a website because of it, I'd be rich.
I'm sad that that's the case, but in almost all circumstances, the relatively minor tracking of my email signing up for a service going into some advertising ROI calculation is outweighed by the fact I get to use that service.
Well technically it's like a "subscription with indeterminate renewal cycle". Every few years they release a new major version and sometimes you have to pay to upgrade.
Of course you can choose to not upgrade... but then you don't get the new features, and it's unclear if the old version will support all newer macOS releases.
> Then every 3 years or so you spent $300 again to get the updated version. It was a much better system!
By your math it was. 10x12x3=360 > 300. Subscriptions cost more than buying the actual software. Why do you think most companies switched to a subscription model?
It was a better system, because if I didn't need the new features, I could keep using the version of Microsoft Word that I bought 15 years prior. That's why they stopped selling it that way.
Even if the price is the same, "old" distribution models have benefits. If you're satisfied with your current version and it still works, no need to continue paying. If you maintain older systems, your software still works without continuing to pay in perpetuity.
I much prefer buying software licenses outright than renting them forever.
Apples and ladybugs are both red but (I imagine) they taste quite differently. Which one you should use probably depends on whether you’re baking a pie or dealing with pests in your garden.
Declaring them equal based on a single metric like color would be as silly as suggesting subscriptions and purchases are the same because their costs over an arbitrary period of time are roughly similar.
You’re not wrong, with a lot of Mac apps (this one included) you need the latest version to use it with the latest macOS release.
When there’s a new mandatory paid upgrade every couple years then it’s not far from a subscription service.
The situation seems worse on Mac where software has much shorter lifespans without new releases. On Windows I’m still using some engineering software I bought over a decade ago and it’s like nothing ever changed.
There have been roughly 18 major macOS releases since Little Snitch was released.
In that time, there have been 6 major versions of Little Snitch.
macOS has undergone pretty major architectural changes during that time, necessitating mandatory upgrades under some circumstances, but an OS update does not always force a LS upgrade.
> When there’s a new mandatory paid upgrade every couple years then it’s not far from a subscription service.
I disagree and don’t think people should mentally model subscriptions this way.
Subscriptions almost universally cost more on average than standalone purchases did, and there are still situations where it’s possible to remain on old versions in perpetuity, e.g. an old Mac that is kept around for a specific purpose but no longer receives major OS updates.
I think both models fall under a larger overarching umbrella of “software maintenance costs”, but those costs have always existed and standalone purchases vs. subscriptions are two fairly different ways of covering those costs.
Agree that this all feels worse on macOS due to the regular updates, but unlike Windows, I actually feel better over time about privacy/security and this naturally forces more app updates across the board. Microsoft’s commitment to backward compatibility is both convenient and increasingly a liability.
I own many more devices than just a Mac. I have an iPhone, Apple TV, Linux box, Windows PC, Nintendo Switch, Quest 2, Kindle. I'd prefer one piece of software that covers all of them over different software for each of them.
1. Sufficiently advanced routers that have such functionality are expensive and generally complex to manage
2. The reason tools like Little Snitch are valuable is they instantly indicate that a connection was attempted, indicate which binary/app attempted it, and allow you to decide whether or not to allow the connection in real time.
Being able to associate a specific action you’re taking (e.g. clicking a button in a specific app) with a specific network request isn’t really feasible when the device keeping track is not the device you’re currently using.
It’s significantly harder to retroactively analyze connections once you’ve completely lost the context of what initiated the connection.
The only way to make a centralized device achieve the same thing is to institute a default-deny policy, but carefully allowing only the connections you want becomes tedious and quickly leads to just giving up for practical reasons.
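The workflow these comments describe (blanket per-app rules for the routine case, a prompt only when an app reaches for a destination no rule covers, and that prompt carrying the context of what the app normally talks to) can be sketched in a few lines. The following is an added example, not Little Snitch's code or rule syntax: the `Rule` fields, the first-match-wins ordering, the `<process> <host> <port>` log format and the log lines themselves are assumptions, with the app and host names borrowed from the comments above.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    process: str          # app or binary name; fnmatch pattern, "*" = any
    host: str             # destination hostname; fnmatch pattern
    port: Optional[int]   # None = any port
    action: str           # "allow" or "deny"

    def matches(self, process: str, host: str, port: int) -> bool:
        return (fnmatch(process, self.process)
                and fnmatch(host, self.host)
                and (self.port is None or self.port == port))


class HostFirewall:
    """Ordered rule list (first match wins) plus a per-process record of
    hosts that were already allowed, so a prompt can say what the app
    normally connects to. Hypothetical model, not the real product."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.baseline: Dict[str, Set[str]] = {}

    def decide(self, process: str, host: str, port: int) -> str:
        for rule in self.rules:
            if rule.matches(process, host, port):
                return rule.action
        return "ask"   # nothing covers it: this is the case that prompts the user

    def evaluate(self, process: str, host: str, port: int) -> Tuple[str, Tuple[str, ...]]:
        """Return the verdict and the hosts this process was previously allowed to reach."""
        verdict = self.decide(process, host, port)
        known = self.baseline.setdefault(process, set())
        context = tuple(sorted(known))
        if verdict == "allow":
            known.add(host)
        return verdict, context


# Blanket rules in the spirit of the thread: a specific deny placed before the
# broad allow, and one routine destination for RandomTool.app. (Assumed syntax.)
RULES = [
    Rule("Safari", "googleadservices.com", None, "deny"),
    Rule("Safari", "*", 443, "allow"),
    Rule("RandomTool.app", "cloud.randomtool.xyz", 443, "allow"),
]

# Constructed connection log, one "<process> <host> <port>" per line.
LOG = """\
Safari kagi.com 443
Safari googleadservices.com 443
Safari gmail.com 443
RandomTool.app cloud.randomtool.xyz 443
RandomTool.app cloud.randomtool.xyz 443
RandomTool.app exfiltrate.ru 443
"""


def triage(log_text: str, fw: HostFirewall) -> List[Tuple[str, str, int, str, Tuple[str, ...]]]:
    """Return only the events a user must look at: denied connections and
    connections no rule covers, each with the process's known destinations.
    Allowed traffic stays silent, which is the tapering the thread describes."""
    attention = []
    for line in log_text.splitlines():
        process, host, port_s = line.split()
        verdict, context = fw.evaluate(process, host, int(port_s))
        if verdict != "allow":
            attention.append((process, host, int(port_s), verdict, context))
    return attention


if __name__ == "__main__":
    for process, host, port, verdict, context in triage(LOG, HostFirewall(RULES)):
        print(f"{verdict}: {process} -> {host}:{port} (normally talks to {context or 'nothing yet'})")
```

Of the six constructed connections, only two surface: Safari to googleadservices.com (denied by the specific rule) and RandomTool.app to exfiltrate.ru (no rule, so a prompt), and the latter carries the fact that the app has so far only reached cloud.randomtool.xyz. That per-process context is exactly what a network-level device loses, since it sees source IPs rather than binaries.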
That probably depends on what you do with your computer.
If you regularly clone git repos and run code you didn’t write or run unsigned apps from untrusted developers, it’s probably a good idea to scrutinize the connections that code is making.
I think they’re referring to the forced changeover to cloud hosting and subscription services.
For years you could buy 1Password and then store your vault on your own syncing service like Dropbox. You owned the software and controlled your data. Then they switched to subscription-only and forced you to use their cloud. Really changed the nature of their software for many of us.
The UI is Electron, especially on Linux as it was the move to Electron that allowed them to do a Linux port. The data layer is all Rust and shared widely across their ecosystem as I understand it.
Honestly the whole UI thing was overblown. It's a great Electron app, and their macOS app was always a little iffy (old AppKit oddities). The port unlocked: Linux, a fully featured Windows client, noticeably faster improvements (Watchtower, family sharing, improved SSH and CLI support), and seems to have allowed for much better apps on iOS and Android, all at likely no user cost.