zlacker

34 comments
1. jmole+(OP) 2026-02-02 02:20:10
I always worry about tools like this, maintained by small teams, that are so universal that even if only a small fraction of installs are somehow co-opted by malicious actors, you have a wide open attack surface on most tech companies.

e.g. iTerm, Cyberduck, editors of all shades, various VSCode extensions, etc.

replies(3): >>josho+e >>hsbaua+X >>guessm+r2
2. josho+e 2026-02-02 02:22:16
>>jmole+(OP)
Similarly I worry about how these apps automatically update themselves. I know it can be done securely. I also doubt that these companies invest the engineering effort to do so.
3. hsbaua+X 2026-02-02 02:29:13
>>jmole+(OP)
If you think large companies are somehow immune to this, you’re gonna have a bad time.
replies(1): >>Araina+p1
4. Araina+p1 2026-02-02 02:34:11
>>hsbaua+X
It's not a matter of "immune" - larger organizations generally have more resources to allocate to things like this. That doesn't mean they get it right 100% of the time, but they are at least able to try, while small teams or volunteer projects often simply don't have the hours to spend on things like this.
replies(3): >>calvin+T1 >>hsbaua+v9 >>techni+vc
5. calvin+T1 2026-02-02 02:39:01
>>Araina+p1
and unlike GPL software, there is typically an army of lawyers, an expressed warranty, legal liability, etc.
replies(1): >>SoftTa+B2
6. guessm+r2 2026-02-02 02:45:55
>>jmole+(OP)
I don’t get it, why don’t you all—absolutely all of you reading—use Little Snitch? [1]

It really doesn’t compute in my head why any macOS user would not use a network firewall like this, or similar, to block unwanted outgoing HTTP(S) requests. You can easily inspect the packets with tools like Wireshark or Burp Suite Professional (or Community) edition, or any other proxy tool, of which there are many in the macOS ecosystem.

And this is not unique to macOS, this is all possible in Windows, Linux and any other OS.

[1] https://www.obdev.at/products/littlesnitch/index.html

replies(7): >>jonas2+k3 >>drum55+p3 >>scratc+u3 >>93po+i6 >>g947o+7a >>sjnonw+4m >>efreak+Vz
7. SoftTa+B2 2026-02-02 02:47:52
>>calvin+T1
Terms of use typically disclaim all liability.
8. jonas2+k3 2026-02-02 02:54:19
>>guessm+r2
Isn't Little Snitch exactly the sort of application they're worried about?
replies(1): >>3eb798+08
9. drum55+p3 2026-02-02 02:55:07
>>guessm+r2
It’s a false sense of security, more or less. If an application wants to talk to a C2 it doesn’t have to make a connection at all, just proxy a connection through something already allowed, or tunnel through DNS. Those juicy cryptocurrency keys? Pop Safari with them in the URL and they’re sent to the malicious actor instantly. If you’re owned, Little Snitch does nothing at all for you except give you the impression that you’re not.
replies(4): >>worthl+m4 >>nickor+P8 >>g-b-r+mm >>scienc+292
10. scratc+u3 2026-02-02 02:55:43
>>guessm+r2
It wouldn't protect against this attack though. The Notepad++ update servers were hijacked. Presumably you would allow Notepad++ updates through Little Snitch so you would be equally as vulnerable.
replies(2): >>guessm+04 >>scienc+892
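An added example, not from any commenter on this thread, of why a per-app egress allowlist does not help once the allowed update server itself is hijacked, and what does: the client verifies each update against a public key pinned in the binary, so a payload or manifest produced by whoever controls the server fails before anything is installed. It assumes a vendor who signs a version-plus-hash manifest offline with Ed25519; the keys, version numbers and payloads below are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Manifest is served by the (untrusted) update server next to the payload.
type Manifest struct {
	Version     uint32   // monotonic, so an old signed manifest cannot be replayed
	PayloadHash [32]byte // binds the signature to the exact bytes downloaded
	Sig         []byte   // Ed25519 over manifestBytes, produced offline by the vendor
}

// manifestBytes is the exact byte string that is signed: version || payload hash.
func manifestBytes(version uint32, hash [32]byte) []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b, version)
	copy(b[4:], hash[:])
	return b
}

// Sign is the vendor's release step; the private key never lives on the server.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Manifest {
	h := sha256.Sum256(payload)
	return Manifest{version, h, ed25519.Sign(priv, manifestBytes(version, h))}
}

// Verify is the client's check against its pinned key before installing anything.
func Verify(pinned ed25519.PublicKey, installed uint32, m Manifest, payload []byte) error {
	if m.Version <= installed {
		return fmt.Errorf("rollback/replay: version %d <= installed %d", m.Version, installed)
	}
	if !ed25519.Verify(pinned, manifestBytes(m.Version, m.PayloadHash), m.Sig) {
		return fmt.Errorf("manifest signature does not verify against pinned key")
	}
	if sha256.Sum256(payload) != m.PayloadHash {
		return fmt.Errorf("payload hash mismatch")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)  // constructed vendor key pair
	_, hijacker, _ := ed25519.GenerateKey(rand.Reader) // key of whoever took over the server
	good, bad := []byte("constructed update v2"), []byte("constructed malicious update")
	m := Sign(priv, 2, good)
	fmt.Println("genuine:", Verify(pub, 1, m, good))
	fmt.Println("re-signed by hijacker:", Verify(pub, 1, Sign(hijacker, 2, bad), bad))
	fmt.Println("genuine manifest, swapped payload:", Verify(pub, 1, m, bad))
}
```

The firewall sees the same allowed destination in all three runs; only the pinned-key check distinguishes them.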
11. guessm+04 2026-02-02 03:02:42
>>scratc+u3
No, why would you allow automatic updates? It makes no sense. You should audit every update as if each payload could contain malware. It’s a paranoid way to live, but that’s what it takes.

We also need better computer science education in high schools, teaching students how to inspect network packets, verify SSL certificates, and evaluate whether a binary blob might contain malicious code.

People have gotten complacent about the internet, which is why they still get hacked, when it should be the other way around. With everything we’ve learned over the years, why are breaches more common than ever? I don’t understand why people are so careless about online security today, compared to decades ago when we were taught not to share personal information and not to trust anything on the internet.

replies(4): >>drum55+n4 >>kemote+l6 >>velcro+hb >>eviks+Ph
12. worthl+m4 2026-02-02 03:05:20
>>drum55+p3
I find it difficult to believe that there are levels of cooperation between different companies that would allow this to work.

Source: I have worked for a company for longer than the internet has been alive.

replies(2): >>drum55+v4 >>dfc+l9
13. drum55+n4 2026-02-02 03:05:25
>>guessm+04
Do you go by the smell of the executable or just general vibes? Nobody has ever reviewed even a tiny fraction of the software they run, closed source or open source.
14. drum55+v4 2026-02-02 03:06:11
>>worthl+m4
My example is “living off the land”: Safari already has access to everything, so open it and use it to communicate. Needs no permissions, bypasses Little Snitch entirely.
replies(1): >>worthl+S7
15. 93po+i6 2026-02-02 03:23:14
>>guessm+r2
Because I don't want to deal with constant whitelist management, and I simply don't install applications I don't trust. If there's anything really absolutely essential, or damaging if it were to leak, I would not put it on an internet-connected device to begin with.
16. kemote+l6 2026-02-02 03:24:00
>>guessm+04
So you only run software on an operating system and on hardware that you have personally vetted each line of code for?
17. worthl+S7 2026-02-02 03:42:24
>>drum55+v4
Ah. I was thinking of non-web apps.
18. 3eb798+08 2026-02-02 03:44:14
>>jonas2+k3
Zing!

The state of the world is such that I have started running everything inside VMs. Baseline OS install + virtual machine management and that is it. Which is still not immune, but makes me feel a lot better, as core OS utilities are probably getting better vetting than nifty-utility-123 on which I depend.

replies(1): >>veloci+7o
19. nickor+P8 2026-02-02 03:54:36
>>drum55+p3
Especially in this case where the attackers could've proxied you to their malicious servers through npp's good/trusted servers
20. dfc+l9 2026-02-02 04:01:27
>>worthl+m4
You have worked for the same company for >55 years? That's wild. Can you share the industry?
replies(1): >>worthl+To
21. hsbaua+v9 2026-02-02 04:03:17
>>Araina+p1
lol larger organizations don’t spend money on this, they add some useless ‘secops’ tools to their CI and call it a day. They are certainly not doing things like reproducible builds, lol half of them don’t deploy signature verification.
22. g947o+7a 2026-02-02 04:10:09
>>guessm+r2
If an application wants to talk to AWS, how am I supposed to know if it's legit or not?
replies(1): >>g-b-r+Bm
23. velcro+hb 2026-02-02 04:22:44
>>guessm+04
Tell me about your auditing workflow and procedures.
24. techni+vc 2026-02-02 04:36:11
>>Araina+p1
I've sat in some pretty large orgs and my own experience was the "resources allocated" went to the PR team. I can assure you that they would have had a more boring, corporate sounding announcement with multiple references to their legal team and the actions they would have taken, alongside some useless information about being PCI compliant or something. I'm not convinced the practical output is any better.
25. eviks+Ph 2026-02-02 05:31:54
>>guessm+04
You don't understand because you compare a mythical view of the past with the current reality
26. sjnonw+4m 2026-02-02 06:23:07
>>guessm+r2
Now you have to worry about Little Snitch not "snitching" on all your traffic.
replies(1): >>notpus+Px
27. g-b-r+mm 2026-02-02 06:26:25
>>drum55+p3
That's at the very least harder and less likely; security is not all or nothing.
28. g-b-r+Bm 2026-02-02 06:29:05
>>g947o+7a
If it began doing it after an update, you know that it's better to check if it's supposed to do it
29. veloci+7o 2026-02-02 06:47:44
>>3eb798+08
Qubes OS?
replies(1): >>3eb798+QX3
30. worthl+To 2026-02-02 06:57:34
>>dfc+l9
IBM, although I consider the internet and ARPANET different things.

Like saying PSTN and fiber are different things.

31. notpus+Px 2026-02-02 08:35:13
>>sjnonw+4m
There’s an open source alternative: https://objective-see.org/products/lulu.html
32. efreak+Vz 2026-02-02 09:02:09
>>guessm+r2
I used to love Zone Alarm's ability to notify me on an application's first attempt to connect to the internet, and allow me to approve or deny it. I really wish there was still such an interface today.

Having said that, I absolutely despised the implementation that stole keyboard focus; if it popped up when I was typing, it frequently disappeared before I had a chance to read it, and I had to go into settings to try and find what had changed. Nothing should ever steal keyboard focus unless it's urgent, and then it should be such that you can't accidentally manipulate it with a keyboard (see the UAC prompt, which opens in the background if the calling program is in the background, and where once you activate it, you have to hold Alt+Y/N or tab to a button before it accepts the input; just hitting the Y/N key alone won't do anything).

33. scienc+292 2026-02-02 19:10:52
>>drum55+p3
This is far too cynical of a take. Little Snitch might not save you from well-established malware on your machine, but it will certainly hamper attempts to get payloads and exploits on your machine in the first place.
34. scienc+892 2026-02-02 19:11:26
>>scratc+u3
No, you wouldn't allow updates with Notepad++.
35. 3eb798+QX3 2026-02-03 05:33:55
>>veloci+7o
No, poor man's Qubes with manually assembled VMs. I keep meaning to take the plunge, but have been too lazy to rebuild my system.