This is good news. Moving to the Network Extension framework means that Little Snitch's filtering will run entirely in user space, which is not only great for security but it will also allow the code to be written in a higher level language such as Swift.
What if that has an impact on performance? Kernel-user space communication usually means copying data into different portions of memory, plus a context switch.
Apple will just slowly write itself into the equation so that Little Snitch can no longer mess with whatever muddled idea Apple seems to think is important.
Already with Catalina you have to connect to Apple and ask permission before you can even install Little Snitch. That means Little Snitch can't protect you from Apple, even if you've told Apple "my machine doesn't connect to the internet".
And your machine contacts Apple every bit as often as Microsoft machines even though their philosophy is supposed to be different.
Bottom line: you should not have to ask Apple permission to do anything with your machine.
It may be a technically superior API but even so I'm not thrilled that if I want to stay current with macOS updates past the phase-out period then I have to pay for a Little Snitch 5 license. v4 works fine for me and without this API deprecation issue I almost certainly wouldn't be interested in upgrading.
Little Snitch 4 is a rather impressive piece of software. The map is my favorite part. It's not always accurate, but it's absolutely wild to see the places apps want to ship data off to.
Also if you interface directly to your WAN, you can see all the bots/worms/etc. that try to connect to your IP. I got a surprising amount of NetBIOS queries from Iran (I'm assuming from EternalBlue-based malware trying to connect), but I highly recommend NOT doing this. It's the wild west outside your firewall.
You mean outside my $5 NAT WiFi router last updated 6 years ago (because the manufacturer won't maintain it any more and the ISP never gave me the admin password anyway)?
The LS proxy completely overwhelmed me. I thought I could be savvy and limit traffic. Yeaaaaah no. Once I started observing what was actually flying around it's... it's just insanity how many requests are made in just a few seconds. What else can I do but throw up my hands and hope for the best? But I guess it won't matter soon.
I've been using Little Snitch since 2.0 and I agree, it's very impressive software. I had the same reaction to seeing the map features -- eye opening to say the least and a very, very interesting feature!
I'd like to see a similar map built into pihole. Seems like a natural fit. This way you could get a map for connections made by various apps on your phone too.
I always felt a little queasy installing a .kext from some random foreign-language websites (be it FTDI, or Alfa drivers, or even RealTek updates). I can feel the bias in me, "Oh no, this must be bad because it's foreign," which is absurd, but I still shouldn't be asked to sudo something when I buy off-brand hardware.
EDIT: I can't find anything that references kernel extensions in the conformance [2] section of the spec, so maybe 10.16 will adhere to the UNIX03 standard after all.
> When will Little Snitch be updated to the new APIs?
> The replacements APIs that are currently available (NetworkExtension framework on macOS 10.15.4) are not yet completely sufficient to implement the full functionality of Little Snitch. But we are working closely with Apple to fill the remaining gaps and we expect that a beta version of macOS 10.16 (most likely available at the next WWDC) or even an upcoming version of 10.15 will provide what is missing. As soon as the APIs allow us, we will complete the transition of Little Snitch to the new NetworkExtension API. It’s our goal to provide a public beta in June 2020 and a stable version in October.
If they (and Apple) can keep to that timeline, I expect they will.
"we are working closely with Apple to fill the remaining gaps" - definitely sounds like it. I think Apple has made the right call tightening security around kernel extensions but I'm glad they're working with 3rd party developers (even if it's only big ones) to ensure the functionality is still there. They also mentioned the existing version will still work, it will just need to be explicitly enabled.
Apple has really done a 180 degree turn from back in the early OS X days, when they actually did quite a bit of work to keep existing applications functional. Forget binary compatibility, now even existing APIs are disappearing left and right.
That makes sense right though. 15 years ago the number of people using OSX was a fraction of what it is today. They had to be very protective of that customer base.
Now the install base is huge and the threats are different.
Yes? Clearly the market is there. And writing kernel extensions is a major PITA. One benefit of working in user space is that you can (usually) do so in the language of your choosing. Little Snitch 0.0.1alpha would have been a lot easier to prototype in Swift than in C.
Little Snitch also nicely shows how Google will make increasingly desperate attempts to invisibly update its software in the background.
It starts with a request to Google.com from Google Software Updater. But if you block that and the follow-ups enough times, in the end it will even try curl'ing directly to IPs...
Showing the deprecation message before the API that replaces it is actually out? Isn't that a bit of an a-hole move? I know everyone here is a developer and hates code older than a month, but really? Nobody gonna call them out on that?
Interesting. I get 256 on Catalina (0-255), as opposed to 4 (0-3) on Mojave. /dev doesn't appear to be dynamic as it is on Linux, so they've chosen to pre-create more device files. More importantly, on Catalina the permissions are now ug=rw (0660) and with a group name of "access_bpf", whereas on Mojave they were u=rw (0600) and "wheel".
So, yeah, looks like Catalina was a stepping stone.
I think dtrace monitoring can be enabled, but requires removing some system security settings, if I remember correctly, so I guess if they go that route they still need to beef up security.
No. Hackintosh is a hardware and firmware platform, mostly at a lower level than macOS. Barring custom Apple hardware, anything that runs on Apple hardware will run on Hackintosh. Even custom hardware can be worked around as long as it is not critical (e.g., a custom CPU).
It's interesting to compare and contrast community reactions to Apple vs Google policies, as well as how the companies interface with popular software.
Google changes extension model for Chrome, breaking ad blockers, reaction seems to be that it's an obvious power grab.
Apple changes extension model, breaking network blocker, reaction seems to be favorable.
[+] [-] frankjr|6 years ago|reply
[+] [-] emmelaich|6 years ago|reply
That depends doesn't it? You'll be safe from Little Snitch but Little Snitch will have less power to protect you.
[+] [-] CameronNemo|6 years ago|reply
[+] [-] m463|6 years ago|reply
[+] [-] brianpgordon|6 years ago|reply
[+] [-] beckler|6 years ago|reply
[+] [-] qwerty456127|6 years ago|reply
[+] [-] 0xff00ffee|6 years ago|reply
[+] [-] zomg|6 years ago|reply
[+] [-] tomc1985|6 years ago|reply
[+] [-] jzl|6 years ago|reply
[+] [-] odysseus|6 years ago|reply
[+] [-] microtonal|6 years ago|reply
https://developer.apple.com/system-extensions/
[+] [-] 0xff00ffee|6 years ago|reply
[+] [-] hs86|6 years ago|reply
[+] [-] riazrizvi|6 years ago|reply
[1] https://www.opengroup.org/openbrand/register/
[2] https://pubs.opengroup.org/onlinepubs/009695399/
[+] [-] gumby|6 years ago|reply
[+] [-] mroche|6 years ago|reply
[+] [-] jayrhynas|6 years ago|reply
[+] [-] perplex|6 years ago|reply
At least a future version of LS will work with 10.16.
[+] [-] bredren|6 years ago|reply
[+] [-] greendave|6 years ago|reply
[+] [-] bognition|6 years ago|reply
[+] [-] pjmlp|6 years ago|reply
Plus it isn't like they aren't providing an upgrade path.
[+] [-] tambourine_man|6 years ago|reply
Apple is working closely with Little Snitch to provide them with APIs with the features they need. Fine.
But would Little Snitch exist if there were no Kernel Extensions?
[+] [-] m463|6 years ago|reply
"Here's to the crazy ones..." Oh wait, there are none left.
[+] [-] hyperbovine|6 years ago|reply
[+] [-] leokennis|6 years ago|reply
[+] [-] djsumdog|6 years ago|reply
[+] [-] sudosysgen|6 years ago|reply
[+] [-] arm|6 years ago|reply
[+] [-] Synaesthesia|6 years ago|reply
[+] [-] test7777|6 years ago|reply
[+] [-] Isamu|6 years ago|reply
[+] [-] wahern|6 years ago|reply
[+] [-] codezero|6 years ago|reply
[+] [-] rlonstein|6 years ago|reply
[+] [-] KingOfCoders|6 years ago|reply
[+] [-] unixhero|6 years ago|reply
[+] [-] m463|6 years ago|reply
https://github.com/evilsocket/opensnitch
I'm not sure how active it is (no recent activity and there seem to be a lot of forks)
[+] [-] ethanpil|6 years ago|reply
[+] [-] milofeynman|6 years ago|reply
[+] [-] pilsetnieks|6 years ago|reply
Maybe there's something with a central server and an agent installed on every device connecting but I doubt it's as easy and pretty as LS.
[+] [-] spacepinball|6 years ago|reply
[+] [-] IOT_Apprentice|6 years ago|reply
[+] [-] nutjob2|6 years ago|reply
[+] [-] delouvois|6 years ago|reply
[+] [-] shanemhansen|6 years ago|reply
[+] [-] tjoff|6 years ago|reply
[+] [-] saagarjha|6 years ago|reply
Interestingly, Apple made this exact change in Safari first.