It's by far the most common phrase I've heard used to wipe+reinstall a system in the past 20 years? 25 years? Not just the most popular colloquialism, the most popular phrase, period.
My experience is US/West Coast/Tech companies, for reference.
I’ve spent 20+ years in tech in roles ranging from IT to engineering at west coast and midwest companies and this thread is the first time I’ve heard “nuke and pave”.
At the places I’ve been, systems got “wiped” or “re-imaged” most commonly. I suspect this terminology is hyper local.
I've worked in tech in the Bay Area for 30 years, started in IT at UC Berkeley and then at Sendmail. Never heard this term before. We always "wiped and re-imaged".
Probably because it is a leftover from the 1990s/2000s when you had to completely reinstall your os. That’s no longer necessary, as long as you’re not using windows.
Little Snitch is one of the best pieces of software out there. It’s essential for every macOS user, works very well, and is a one-time payment. I truly hope it stays that way and doesn’t go down the same path as 1Password. I’m very grateful to the developers for creating such an excellent product. I wish more software were like this.
The UI is Electron, especially on Linux as it was the move to Electron that allowed them to do a Linux port. The data layer is all Rust and shared widely across their ecosystem as I understand it.
Honestly the whole UI thing was overblown. It's a great Electron app, and their macOS app was always a little iffy (old AppKit oddities). The port unlocked: Linux, a fully featured Windows client, noticeably faster improvements (Watchtower, family sharing, improved SSH and CLI support), and seems to have allowed for much better apps on iOS and Android, all at likely no user cost.
I think they’re referring to the forced changeover to cloud hosting and subscription services.
For years you could buy 1Password and then store your vault on your own syncing service like Dropbox. You owned the software and controlled your data. Then they switched to subscription-only and forced you to use their cloud. Really changed the nature of their software for many of us.
Well technically it's like a "subscription with indeterminate renewal cycle". Every few years they release a new major version and sometimes you have to pay to upgrade.
Of course you can choose to not upgrade... but then you don't get the new features, and it's unclear if the old version will support all newer macOS releases.
> Then every 3 years or so you spent $300 again to get the updated version. It was a much better system!
By your math it was. 10x12x3=360 > 300. Subscriptions cost more than buying the actual software. Why do you think most companies switched to a subscription model?
It was a better system, because if I didn't need the new features, I could keep using the version of Microsoft Word that I bought 15 years prior. That's why they stopped selling it that way.
Apples and ladybugs are both red but (I imagine) they taste quite differently. Which one you should use probably depends on whether you’re baking a pie or dealing with pests in your garden.
Declaring them equal based on a single metric like color would be as silly as suggesting subscriptions and purchases are the same because their costs over an arbitrary period of time are roughly similar.
Even if the price is the same, "old" distribution models have benefits. If you're satisfied with your current version and it still works, no need to continue paying. If you maintain older systems, your software still works without continuing to pay in perpetuity.
I much prefer buying software licenses outright than renting them forever.
You’re not wrong, with a lot of Mac apps (this one included) you need the latest version to use it with the latest macOS release.
When there’s a new mandatory paid upgrade every couple years then it’s not far from a subscription service.
The situation seems worse on Mac where software has much shorter lifespans without new releases. On Windows I’m still using some engineering software I bought over a decade ago and it’s like nothing ever changed.
There have been roughly 18 major macOS releases since Little Snitch was released.
In that time, there have been 6 major versions of Little Snitch.
macOS has undergone pretty major architectural changes during that time, necessitating mandatory upgrades under some circumstances, but an OS update does not always force a LS upgrade.
> When there’s a new mandatory paid upgrade every couple years then it’s not far from a subscription service.
I disagree and don’t think people should mentally model subscriptions this way.
Subscriptions almost universally cost more on average than standalone purchases did, and there are still situations where it’s possible to remain on old versions in perpetuity, e.g. and old Mac that is kept around for a specific purpose but no longer receives major OS updates.
I think both models fall under a larger overarching umbrella of “software maintenance costs”, but those costs have always existed and standalone purchases vs. subscriptions are two fairly different ways of covering those costs.
Agree that this all feels worse on macOS due to the regular updates, but unlike Windows, I actually feel better over time about privacy/security and this naturally forces more app updates across the board. Microsoft’s commitment to backward compatibility is both convenient and increasingly a liability.
Is it? I'm interested in hearing why. I've been using macOS for ~15 years, so very familiar with Little Snitch. I think I owned a version many years ago but haven't for a long time. I don't really see what I'd use it for. I don't run dodgy software, I don't want to partially break the software I do run by nit picking what connections it can make as that wouldn't improve my experience and would most likely cause issues. I also mostly trust Apple's anti-malware efforts to protect me from other software I don't want to run, but if I didn't I'd run better anti-malware software before a firewall.
What exactly does one learn from this normally? A leftover daemon is a bit of an edge case, and you could have learnt the same from looking at Activity Monitor, seeing a permissions pop-up, noticing higher energy use, etc, but learning that software connects to China seems... fine? Unless one wants to classify all connections to China as by-definition bad, which is discrimination that I don't want to engage in personally.
A bad actor can conceal whatever they want by renting a server anywhere they like. Meanwhile, there are many legit reasons why software might connect to China – maybe the company hosts services on Alibaba Cloud, maybe the software is from a Chinese producer and they chose local hosting.
I owned several versions of Little Snitch too. It started to be annoying when you had to approve each request, especially when running command-line scripts. Then I moved to run in silent-approval mode. At that point, there was no reason to have LS any longer, so I uninstalled it. Haven't used it in years now. But not to discredit LS, it is an amazing software when you need it.
> But not to discredit LS, it is an amazing software when you need it.
Yes! I perhaps didn't make this as clear as I should have. Little Snitch is fantastic software, no question. I'm just not sure that most people need it, I think a custom local firewall was always a bit of a power user tool, and nowadays with security being so much better than 20+ years ago, firewalls on personal machines just feel like an outdated concept to me.
LS is beyond annoying for the first couple of days on a new computer. "Do you want to connect to gmail.com on port 443? What about kagi.com on port 443? What about your employer on port 443? Mind if Weather.app checks the weather?" After a couple of days, I have blanket rules like "allow Safari to connect to any host :443, except for googleadservices.com because nah".
It quickly tapers down to alerting about rare new connections, which is when it becomes hugely useful. RandomTool.app normally connects to cloud.randomtool.xyz. Why is it suddenly asking to connect to exfiltrate.ru?
I have grown weary of little snitch annoying me all the time but it was insightful about how much stuff Apple has me pinging by default: like yahoo.com for weather on boot just to name one.
This kind of angered me, I don’t want yahoo getting my ip anywhere I am in the world any time I turn on my computer. I think I found like 4-5 things that are baked into a clean Mac install these days that I took exception to and forbade.
Then Microsoft office and adobe are evil and constantly evading it and getting smacked down too.
Apple OSes maintain consistent connections to APNS (apple push notification service) using hardware-linked certificates, exposing your unique system and IP address (and thus city-level location) to Apple at all times.
I caught a python ml library phoning home to a chinese server on a project that my company was building. My developer had no idea it was happening but I caught it first run thanks to lil snitch. If deployed this would've been a security escape that would need to be disclosed at a govt level.
Also, Apple. Their junk phones home just about everything you do. 50+ services constantly pinging Cupertino.
>I don't want to partially break the software I do run by nit picking what connections it can make as that wouldn't improve my experience and would most likely cause issues.
Partially breaking web pages by blocking all connections to ad servers does wonders for my experience.
If I had a penny for every time I've blocked a tracker and broken critical functionality in an app or on a website because of it, I'd be rich.
I'm sad that that's the case, but in almost all circumstances, the relatively minor tracking of my email signing up for a service going into some advertising ROI calculation is outweighed by the fact I get to use that service.
I did exaggerate a bit. Many users don’t care about where their connections are going and many users have only limited set of apps.
I wouldn’t mind like to correct myself and say “essential for me”. So many times I caught up software going to places where it should not go.
On top of that I often do local development without containers (guilty) and any random npm package can be compromised any time.
That probably depends on what you do with your computer.
If you regularly clone git repos and run code you didn’t write or run unsigned apps from untrusted developers, it’s probably a good idea to scrutinize the connections that code is making.
I own many more devices than just a Mac. I have an iPhone, Apple TV, Linux box, Windows PC, Nintendo Switch, Quest 2, Kindle. I'd prefer one piece of software that covers all of them over different software for each of them.
1. Sufficiently advanced routers that have such functionality are expensive and generally complex to manage
2. The reason tools like Little Snitch are valuable is they instantly indicate that a connection was attempted, indicate which binary/app attempted it, and allow you to decide whether or not to allow the connection in realtime
Being able to associate a specific action you’re taking (e.g. clicking a button in a specific app) with a specific network request isn’t really feasible when the device keeping track is not the device you’re currently using.
It’s significantly harder to retroactively analyze connections once you’ve completely lost the context of what initiated the connection.
The only way to make a centralized device achieve the same thing is to institute a default-deny policy, but carefully allowing only the connections you want becomes tedious and quickly leads to just giving up for practical reasons.
I feel like macOS has been going the direction of iOS, increasingly locking things down and pushing to a walled garden world. What’s the chance that the next major update or two make changes that prevent utilities from having the access they need to provide these power user capabilities?
There are actually two default firewalls. The firewall that's configurable in UI can only block inbound connections but not outbound connections. The other firewall (pf) doesn't have the concept of application so one cannot allow one app to access a remote IP but block another, and I also don't think it supports DNS.
As others have indicated, LuLu (like Little Snitch) notifies you when your machine is initiating an outbound connection and lets you grant or deny permission, and to set up a persistent rule for that app/connection.
It’s an HN “read the room” submission. It’s contextually related to earlier discussion about Apple Photos phoning home without a direct reference to it.
I'm pretty sure the only reason it works on macos at all was that it got in early. I believe Apple periodically tries to hobble it but there is pushback.
Did you happen to stop at the gas station that same day? What does “that very transaction caused a fraud alert” mean? It’s not unusual for multiple transactions to be marked as fraud, even legitimate ones, when a credit card is stolen.
No, literally didn't use that card anywhere else. Without doubt I can attribute the fraud activity to the LittleSnitch purchase attempt. It was the second I clicked "pay" for LittleSnitch I got an automated fraud warning from my bank - which was odd because I really did make that purchase. As a result I approved it.. and yet that is what then allowed folks to create a fake physical copy of my card somehow for in-store purchases - and there were at the opposite end of the country. Not likely someone would have been even able to fly it drove from my physical location to where these purchases were made.
Nothing against LittleSnitch - I used it after all. But this was my experience buying it, especially as a poor recent college graduate at the time.
This kind of work, collecting meta-data, mediating queries, altering a relational database processing language, on a DNS server through a Matching Code ID on Little Snitch is freakishly effective at times.
I’ve been using Little Snitch for ages. It been my go to on all my all new systems and they offer discounts on upgrades to new versions. Their support has been excellent the one time I needed it.
LS is excellent but if I'm going to go to the trouble of building firewall rules I'd rather them be at the network level so all my devices can benefit.
What would be really cool is the LS UI but tied into something like pfsense for the actual filtering.
I have had it for years, and every once in a while, there's a red light flashing in my menubar, making me smile as one more tracker goes empty-handed today.
"Will Little Snitch be available for iOS, tvOS and watchOS?
Unfortunately Apple's regulations and submission guidelines do not allow applications like Little Snitch that operate on the system level on the iOS (iPhone, iPad, iPod touch), tvOS (Apple TV), or watchOS (Apple Watch) platforms."
It appears Apple's "regulations" prohibit owner control and increased transparency. No such thing as an option for "experts only" when it comes to Apple computer owners; one size fits all. Apple are the only experts and the only ones entitled to control and transparency, over and into _other peoples'_ computers. Remarkable.
I love this product! It is a must-have app on macOS!
pro: you can literally control all Application Networks on your computer (sometimes it is funny to see completely off-line apps that don't need to collect any data trying to sync a bunch of stuff).
cons: it can be annoying when you install new apps and running it on with most secure options.
117 comments
[ 1331 ms ] story [ 3797 ms ] threadmostly good for monitoring for malware though. doesn't replace good inbound firewall rules.
My experience is US/West Coast/Tech companies, for reference.
At the places I’ve been, systems got “wiped” or “re-imaged” most commonly. I suspect this terminology is hyper local.
Honestly the whole UI thing was overblown. It's a great Electron app, and their macOS app was always a little iffy (old AppKit oddities). The port unlocked: Linux, a fully featured Windows client, noticeably faster improvements (Watchtower, family sharing, improved SSH and CLI support), and seems to have allowed for much better apps on iOS and Android, all at likely no user cost.
For years you could buy 1Password and then store your vault on your own syncing service like Dropbox. You owned the software and controlled your data. Then they switched to subscription-only and forced you to use their cloud. Really changed the nature of their software for many of us.
AKA IAP subscription cancer
Well technically it's like a "subscription with indeterminate renewal cycle". Every few years they release a new major version and sometimes you have to pay to upgrade.
Of course you can choose to not upgrade... but then you don't get the new features, and it's unclear if the old version will support all newer macOS releases.
What a novel idea. You mean once upon a time you didn’t have to pay a monthly racket for a piece of software you wanted..?
Then every 3 years or so you spent $300 again to get the updated version. It was a much better system!
/s
By your math it was. 10x12x3=360 > 300. Subscriptions cost more than buying the actual software. Why do you think most companies switched to a subscription model?
Declaring them equal based on a single metric like color would be as silly as suggesting subscriptions and purchases are the same because their costs over an arbitrary period of time are roughly similar.
my owned software doesn’t abruptly stop working when I don’t pay my “rent”
I much prefer buying software licenses outright than renting them forever.
When there’s a new mandatory paid upgrade every couple years then it’s not far from a subscription service.
The situation seems worse on Mac where software has much shorter lifespans without new releases. On Windows I’m still using some engineering software I bought over a decade ago and it’s like nothing ever changed.
In that time, there have been 6 major versions of Little Snitch.
macOS has undergone pretty major architectural changes during that time, necessitating mandatory upgrades under some circumstances, but an OS update does not always force a LS upgrade.
> When there’s a new mandatory paid upgrade every couple years then it’s not far from a subscription service.
I disagree and don’t think people should mentally model subscriptions this way.
Subscriptions almost universally cost more on average than standalone purchases did, and there are still situations where it’s possible to remain on old versions in perpetuity, e.g. and old Mac that is kept around for a specific purpose but no longer receives major OS updates.
I think both models fall under a larger overarching umbrella of “software maintenance costs”, but those costs have always existed and standalone purchases vs. subscriptions are two fairly different ways of covering those costs.
Agree that this all feels worse on macOS due to the regular updates, but unlike Windows, I actually feel better over time about privacy/security and this naturally forces more app updates across the board. Microsoft’s commitment to backward compatibility is both convenient and increasingly a liability.
Is it? I'm interested in hearing why. I've been using macOS for ~15 years, so very familiar with Little Snitch. I think I owned a version many years ago but haven't for a long time. I don't really see what I'd use it for. I don't run dodgy software, I don't want to partially break the software I do run by nit picking what connections it can make as that wouldn't improve my experience and would most likely cause issues. I also mostly trust Apple's anti-malware efforts to protect me from other software I don't want to run, but if I didn't I'd run better anti-malware software before a firewall.
You can quickly spot anomalous connections to countries/servers, and locate the specific process doing this.
I found a daemon left over from an uninstalled app which was attempting to connect to its mother ship in China. Very strange.
A bad actor can conceal whatever they want by renting a server anywhere they like. Meanwhile, there are many legit reasons why software might connect to China – maybe the company hosts services on Alibaba Cloud, maybe the software is from a Chinese producer and they chose local hosting.
To me, the map is mostly fear-mongering.
I don’t know how to monitor energy use, and if I have time, I will look it up.
For me, one app which not only notifies, also shows me where its connecting is a big advantage.
Thanks.
Yes! I perhaps didn't make this as clear as I should have. Little Snitch is fantastic software, no question. I'm just not sure that most people need it, I think a custom local firewall was always a bit of a power user tool, and nowadays with security being so much better than 20+ years ago, firewalls on personal machines just feel like an outdated concept to me.
It quickly tapers down to alerting about rare new connections, which is when it becomes hugely useful. RandomTool.app normally connects to cloud.randomtool.xyz. Why is it suddenly asking to connect to exfiltrate.ru?
This kind of angered me, I don’t want yahoo getting my ip anywhere I am in the world any time I turn on my computer. I think I found like 4-5 things that are baked into a clean Mac install these days that I took exception to and forbade.
Then Microsoft office and adobe are evil and constantly evading it and getting smacked down too.
Also, Apple. Their junk phones home just about everything you do. 50+ services constantly pinging Cupertino.
Partially breaking web pages by blocking all connections to ad servers does wonders for my experience.
I was confident I didn't either, but Little Snitch has proven otherwise. The amount of 'instrumentation' in modern JS and Python libraries is insane.
I'm sad that that's the case, but in almost all circumstances, the relatively minor tracking of my email signing up for a service going into some advertising ROI calculation is outweighed by the fact I get to use that service.
I wouldn’t mind like to correct myself and say “essential for me”. So many times I caught up software going to places where it should not go. On top of that I often do local development without containers (guilty) and any random npm package can be compromised any time.
I feel like I’ve done many one-time payments to get the new version of Little Snitch through the years.
I’m not currently using it, but for a long time it was on my list of Mac apps that I feared having to pay to upgrade with every new macOS release.
If you regularly clone git repos and run code you didn’t write or run unsigned apps from untrusted developers, it’s probably a good idea to scrutinize the connections that code is making.
but even relatively established apps show connections to weird places.
Syncthing of all apps has made connections to 107 places.
2. The reason tools like Little Snitch are valuable is they instantly indicate that a connection was attempted, indicate which binary/app attempted it, and allow you to decide whether or not to allow the connection in realtime
Being able to associate a specific action you’re taking (e.g. clicking a button in a specific app) with a specific network request isn’t really feasible when the device keeping track is not the device you’re currently using.
It’s significantly harder to retroactively analyze connections once you’ve completely lost the context of what initiated the connection.
The only way to make a centralized device achieve the same thing is to institute a default-deny policy, but carefully allowing only the connections you want becomes tedious and quickly leads to just giving up for practical reasons.
You can’t do that outside of the device.
In many cases, when a new macOS comes out, you must pay for the next major version if you want to continue running Little Snitch.
Not a gripe, just a clarification.
Nicety: If you buy a single user license, you can use it on multiple devices.
https://objective-see.org/products/lulu.html
- https://vallumfirewall.com
- https://radiosilenceapp.com
It’s just a link to the main page of their website: nothing specific to warrant discussion.
See discussion:
https://news.ycombinator.com/item?id=25109724
https://news.ycombinator.com/item?id=37500237
If you want to monitor your own network I’ve heard good things about the pi-hole project
https://pi-hole.net/blog/2017/02/22/what-really-happens-on-y...
LS can easily block all Apple phone-home. (Some must be unblocked, specifically gs.apple.com, for UpdateBrainService, for OS updates to work.)
I have a few macs that don’t communicate with Apple at all except during system updates.
I'm pretty sure the only reason it works on macos at all was that it got in early. I believe Apple periodically tries to hobble it but there is pushback.
Rei Key - identify keyloggers: https://objective-see.org/products/reikey.html
Block Block - get an alert before an auto-start program gets registered: https://objective-see.org/products/blockblock.html
Oversight - identify when the mic or camera is active on your mac - https://objective-see.org/products/oversight.html
Ransomwhere - detect and block ransomware: https://objective-see.org/products/ransomwhere.html
Nothing against LittleSnitch - I used it after all. But this was my experience buying it, especially as a poor recent college graduate at the time.
They didn’t like that it exposed all their sneakware.
Work machines and personal software/data and vice versa don’t mix well in many jobs.
I didn’t argue with them, but kept using it on my personal kit.
I think it’s less useful, these days, as Apple is really battening down their I/O hatches. I know that Charles Proxy can miss stuff.
It would miss anything not using macOS high-level HTTP or socket APIs, right?
If you're concerned about apps surreptitiously phoning home, I wouldn't count on them using those, or otherwise respecting the system proxy settings.
Can it ask you on new connection by a specific app whether to allow it like little snitch does?
What would be really cool is the LS UI but tied into something like pfsense for the actual filtering.
Firewalling applications is relatively easy on a general purpose computer. Where it becomes excessivelky difficult is on a so-called "smartphone".
https://www.obdev.at/support/littlesnitch/bm3q8
"Will Little Snitch be available for iOS, tvOS and watchOS?
Unfortunately Apple's regulations and submission guidelines do not allow applications like Little Snitch that operate on the system level on the iOS (iPhone, iPad, iPod touch), tvOS (Apple TV), or watchOS (Apple Watch) platforms."
It appears Apple's "regulations" prohibit owner control and increased transparency. No such thing as an option for "experts only" when it comes to Apple computer owners; one size fits all. Apple are the only experts and the only ones entitled to control and transparency, over and into _other peoples'_ computers. Remarkable.