I just tried littlesnitch and it did not resolve very many IPs to domains, which is pretty basic. It also failed to identify most processes, and they were grouped under "Not Identified". It appears these are known limitations of the Linux version [1]. So for that alone I need to stick with opensnitch.
[1] "Little Snitch for Linux is built for privacy, not security, and that distinction matters. The macOS version can make stronger guarantees because it can have more complexity. On Linux, the foundation is eBPF, which is powerful but bounded: it has strict limits on storage size and program complexity. Under heavy traffic, cache tables can overflow, which makes it impossible to reliably tie every network packet to a process or a DNS name. And reconstructing which hostname was originally looked up for a given IP address requires heuristics rather than certainty. The macOS version uses deep packet inspection to do this more reliably. That's not an option here." -- from https://obdev.at/products/littlesnitch-linux/index.html
Regarding unidentified processes: Little Snitch daemon must have been running when the process started in order to identify it reliably. It's best to reboot after installation so that Little Snitch starts before everything else. I should probably note this somewhere.
And regarding failed reverse DNS names: Little Snitch is sniffing DNS lookups. If lookups are encrypted, there is little it can do. We usually recommend DNS encryption at the systemd layer, not at app layer. This way we can see lookups on 127.0.0.53 and the actual lookup sent out is still encrypted.
Also, it's currently only sniffing UDP lookups, not TCP. The eBPF part is already very close to the complexity limits (700k instructions of allowed 1M) and adding TCP parsing would exceed this limit. It should be possible to forbid TCP port 53 with a rule, though. Some complex DNS lookups will fail, but routine things should still work.
Not all "hostname lookups" by applications happen over DNS (or the DNS is done by something like systemd-resolved, which is often using encrypted lookups), so in many cases, depending on NSS configuration (e.g. 'file', 'resolve', 'db', 'nis', 'mymachines', 'libvirt', 'winbind', ...) this would never work?
Yes. For these cases it won't work.
OpenSnitch intercepts the client side library for this reason. I would rather want to avoid this for the moment and wait for feedback.
The thing is, 127.0.0.53 is a fallback. The real default upstream is nss_resolve, which talks to systemd-resolved via non-DNS protocol on a UNIX-domain socket. Ubuntu disabled this in favor of the less-featured fallback. If you insist on sniffing DNS, you need to add instructions to disable the native nss_resolve module by not including it in /etc/nsswitch.conf.
Thanks for that hint! We still get the lookup if it leaves the machine unencrypted, but if you have both, the Unix domain socket and DNS encryption, we miss lookups.
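The visibility rule the developer describes above (lookups through nss_resolve are invisible only when the upstream query is also encrypted) as an added example, not code from Little Snitch or this thread. It reads constructed nsswitch.conf and resolved.conf fragments embedded inline rather than the live files; the function names are assumptions.

```bash
#!/bin/sh
# Constructed sample configs (not from any real host): an Ubuntu-style
# nsswitch.conf that skips nss_resolve, and one that consults it first.
NSS_UBUNTU='passwd: files systemd
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files'
NSS_RESOLVE='hosts: files resolve [!UNAVAIL=return] myhostname dns'
RESOLVED_PLAIN='[Resolve]
DNS=9.9.9.9
DNSOverTLS=no'
RESOLVED_DOT='[Resolve]
DNS=9.9.9.9
DNSOverTLS=yes'

# Does the hosts line reach the resolve module before (or instead of) dns?
# If so, lookups go to systemd-resolved over a UNIX socket, not to 127.0.0.53.
uses_nss_resolve() {
    hosts=$(printf '%s\n' "$1" | sed -n 's/^hosts:[[:space:]]*//p' | head -n 1)
    set -f   # tokens like [NOTFOUND=return] must not be glob-expanded
    for mod in $hosts; do
        case "$mod" in
            resolve) set +f; return 0 ;;
            dns)     set +f; return 1 ;;
        esac
    done
    set +f
    return 1
}

# Is the upstream query that systemd-resolved sends encrypted (DNSOverTLS)?
# "opportunistic" is treated as encrypted, since those queries may never be
# seen in the clear.
resolved_encrypts_upstream() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^DNSOverTLS=[[:space:]]*//p' | tail -n 1)
    case "$mode" in
        ""|no|false|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Combine both: will a firewall that sniffs plaintext DNS see this host's lookups?
dns_visibility() {
    if ! uses_nss_resolve "$1"; then
        echo "visible: lookups go as plain DNS to 127.0.0.53"
    elif ! resolved_encrypts_upstream "$2"; then
        echo "visible: nss_resolve in use, but upstream query leaves unencrypted"
    else
        echo "hidden: nss_resolve over UNIX socket plus encrypted upstream"
    fi
}

dns_visibility "$NSS_RESOLVE" "$RESOLVED_DOT"
```

Run it against the real files with `dns_visibility "$(cat /etc/nsswitch.conf)" "$(cat /etc/systemd/resolved.conf)"` to see which case your own host falls into.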
If I don't know who my machine is talking to, the information is not very useful. So there needs to be a fallback on some level.
Perhaps there should be a mode where littlesnitch just does its own lookup using the system-configured rDNS, for example from the UI or for specific processes, etc? It should be cached if it is a recent lookup, so minimal performance implications; and offloaded to the system rDNS resolver, so minimal instruction set.
We do not want the reverse lookup name. For instance, if you look up a google.com name with dig, you get an IP address. If you then do the reverse lookup with dig -x, you get a 1e100.net name. That's as good as the IP address for our purpose.
Plus: We need to respond with a DROP or ALLOW verdict to a network packet without the ability to do any blocking requests. So we can only use information already available in the kernel to decide.
I guess that makes sense, since it's pretty new. OpenSnitch is great software in terms of functionality but I find the UI lacking. If LittleSnitch can keep the same functionality, while improving the UI, I'm switching. My other current concern here is that the LittleSnitch UI is just a Webview and I think it would be much better if there was a native option (ideally GTK-based for me, but Qt would also be acceptable). Webviews are slow and full of bloat.
Every time I try to change my user agent with a FF extension I get hit with brutal Cloudflare captcha loops. How are you changing your user agent in a way that this is not a problem?
I had a problem to fix and one not only mentioned these "logs", but went on about things like "config", "tests", and a bunch of other unimportant nonsense words. It even went on to point me towards the "manual". Totally robotic monstrosity.
Unbelievable. Some dude makes an HN account after lurking who knows how long, makes his very first innocuous comment a day later, and is immediately attacked as a newb or a shill? Give people at least a little benefit of the doubt.
I find that receptacles tend to break prematurely if they are in wet locations, even if 'protected' with a weatherproof box etc. You also need to know where the receptacle is and make sure it is accessible instead of behind a piece of furniture etc. Then some electricians misunderstand and put receptacles throughout the run (much more expensive than one breaker, which is about 2x a receptacle), and in edge cases you need to know the order in which to reset them to get things working again. I much prefer to just have everything in the panel.
Yes, when tech gear is sold as 'enthusiast' gear, it is almost invariably the most expensive non-professional tier of equipment. That is roughly the common understanding: Expensive and focused on features more than security required for public use; while remaining within reach of at least some individuals, not only corporations.
I wouldn't say that's true or even likely. It's completely possible to be in a pit of vipers where every single snake is venomous, and that is pretty much what we are seeing: With technological advances, there is a certain subset of people that will use them primarily to solidify their power and control over others. There is no utopian society right now whose government doesn't look to spy through technology, which of course is best set up at time of manufacture.
Agreed. Unless you have full control over the production chain to fully produce a device, you are subject to the whims and desires of those who preside over such technological feats that we take for granted in our daily lives.
To the original point, it's safe to say that highlighting a nationality with regards to trust is baseless and without merit, as would be for any other topic (men/women from x are y, z food is better here, etc..). Real life is much more complicated and nuanced past nationalities. Some might call it FUD (fear, uncertainty and doubt) but there's always a deeper rationale at the individual level as well.
Rather than people being wary of Chinese in general, it's more that there is a high degree of government control exercised in China and they are known to be very strategic with long-term planning in regards to technology control both for spying and actual remote control of devices. We are all just looking for the least bad option. It's not like devices from other countries are immune, but they are often less organized so there is a better chance of avoiding the Chinese level of planned access.
It does seem like pretty low risk in this specific case, so I agree OP's comment was a bit over the top, but I would have no way to make anything resembling even an educated guess as to how far their programs go.
Yes, this is really what I was referring to. And the fact that the original comment I was replying to mentioned "modded Chinese hardware" from some unspecified, unvetted 3rd party which doesn't exactly fill me with confidence.
That's pretty much the entire point of what people are calling hypersonic missiles. All ballistic missiles fly at hypersonic speeds. The advance is being able to do so at low altitude with maneuverability.
You are correct, but I should point out that Russia has described its Kinzhal missiles as hypersonic, when they are really more of a traditional ballistic missile fired horizontally. So very fast (Mach 10), but not as maneuverable as what the U.S. has been calling hypersonic.
Since the original story here does not provide many details, we can't know which side of that fence this falls on (assuming it is real).
Was there any evidence that the Kinzhals fired, for example, toward Kyiv during the current conflict were fired on a depressed trajectory? I remember reading one account that looked like a plain old interception of a ballistic missile. (which is impressive enough to someone who remembers when "Patriot missile" was not exactly synonymous with excellence)
> That's pretty much the entire point of what people are calling hypersonic missiles.
Most missiles endowed with the "hypersonic" moniker are simply theater ballistic missiles used for standard ballistic missile things, which is part of why I asked the question.
> The advance is being able to do so at low altitude with maneuverability.
Hate to burst your bubble but arms dealers and governments are as capable as anyone else of marketing spin.