This is good news. Moving to the Network Extension framework means that Little Snitch's filtering will run entirely in user space, which is not only great for security but it will also allow the code to be written in a higher level language such as Swift.
That's not necessarily true. The article mentions this. While ObDev still doesn't have all the APIs necessary to implement all the features of Little Snitch using NetworkExtensions, they are working on it with Apple and feature-parity is not expected to be an issue for the 10.16 release.
What if that has an impact on performance? Kernel-user space communication usually means copying data into different portions of memory, plus a context switch.
Windows moved basic graphics driver functionality to user space many, many years ago. (Windows Vista)
>Badly written device drivers can cause severe damage to a system (e.g., BSoD and data corruption) since all standard drivers have high privileges when accessing the kernel directly. The User-Mode Driver Framework insulates the kernel from the problems of direct driver access, instead providing a new class of driver with a dedicated application programming interface at the user level of interrupts and memory management.
If an error occurs, the new framework allows for an immediate driver restart without impacting the system.
Has Windows suffered from this change or has the added stability of having a graphics stack capable of restarting itself on error instead of blue screening the entire machine been a good thing?
We shouldn't ever trade security for performance. Doing that is how Microsoft ended up putting shit like font rendering into the kernel. Made Windows very fast, but made it so much worse when a bug was found.
Apple will just slowly write itself into the equation so that little snitch can no longer mess with whatever muddled idea apple seems to think is important.
Already with Catalina you have to connect to apple and ask permission before you can even install little snitch. That means little snitch can't protect you from apple, even if you've told apple "my machine doesn't connect to the internet".
And your machine contacts apple every bit as often as microsoft machines even though their philosophy is supposed to be different.
bottom line: you should not have to ask apple permission to do anything with your machine.
It may be a technically superior API but even so I'm not thrilled that if I want to stay current with MacOS updates past the phase-out period then I have to pay for a Little Snitch 5 license. v4 works fine for me and without this API deprecation issue I almost certainly wouldn't be interested in upgrading.
Little Snitch 4 is a rather impressive piece of software. The map is my favorite part. It's not always accurate, but it's absolutely wild to see the places apps want to ship data off to.
Also if you interface directly to your WAN, you can see all the bots/worms/etc that try to connect to your IP. I got a surprising amount of netbios queries from Iran (I'm assuming from EternalBlue based malware trying to connect), but I highly recommend NOT doing this. It's the wild west outside your firewall.
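The distinction the comment above relies on, between replies to traffic you started and connection attempts that simply arrived, is what a stateful firewall does in front of a directly exposed host. Here it is as an added example (not code or output from Little Snitch or any other tool): the log line format, the addresses (RFC 5737 documentation ranges) and the port labels are all constructed for illustration.

```python
"""Separate replies to our own traffic from unsolicited inbound attempts.

Added example with a constructed log format:
    <in|out> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
Nothing here is taken from a real tool's output.
"""
from collections import Counter

# Ports that worm-style scanners hammer.  A hit here is noise worth counting,
# not proof of any particular malware family.
NOISY_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "smb"}

# Constructed sample: two flows we opened (DNS, HTTPS) with their replies,
# then four attempts nobody asked for.
SAMPLE_LOG = """\
out udp 198.51.100.7:53211 -> 192.0.2.53:53
in  udp 192.0.2.53:53 -> 198.51.100.7:53211
out tcp 198.51.100.7:49200 -> 192.0.2.80:443
in  tcp 192.0.2.80:443 -> 198.51.100.7:49200
in  udp 203.0.113.9:137 -> 198.51.100.7:137
in  tcp 203.0.113.9:41002 -> 198.51.100.7:445
in  tcp 203.0.113.22:55123 -> 198.51.100.7:445
in  tcp 203.0.113.40:60001 -> 198.51.100.7:23
"""


def parse(line: str):
    direction, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return direction, proto, src_ip, int(src_port), dst_ip, int(dst_port)


def classify(log: str):
    """Return (unsolicited_by_port, unsolicited_by_source) as Counters.

    A flow we opened is remembered as (proto, our_ip, our_port, peer_ip, peer_port).
    An inbound packet whose reversed 5-tuple is in that set is a reply; anything
    else arrived uninvited.
    """
    opened = set()
    by_port, by_source = Counter(), Counter()
    for raw in log.splitlines():
        if not raw.strip():
            continue
        direction, proto, sip, sport, dip, dport = parse(raw)
        if direction == "out":
            opened.add((proto, sip, sport, dip, dport))
        elif (proto, dip, dport, sip, sport) not in opened:
            by_port[dport] += 1
            by_source[sip] += 1
    return by_port, by_source


def summarize(log: str) -> dict:
    """Unsolicited attempts keyed by service label, e.g. {'smb': 2, 'netbios-ns': 1, '23': 1}."""
    by_port, _ = classify(log)
    return {NOISY_PORTS.get(port, str(port)): n for port, n in by_port.items()}


if __name__ == "__main__":
    ports, sources = classify(SAMPLE_LOG)
    print("unsolicited by port:", summarize(SAMPLE_LOG))
    print("noisiest sources:", sources.most_common(3))
```

The state table is the whole trick: without it every inbound packet looks hostile, including the DNS and TLS replies you asked for. Real firewalls also age entries out and track TCP state; this version only remembers the 5-tuple, which is enough to show why an unfirewalled WAN interface looks so noisy.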
You mean outside my $5 NAT WiFi router last updated 6 years ago (because the manufacturer won't maintain it any more and the ISP never gave me the admin password anyway)?
This right here is the very reason OpenWRT exists.
I never trust ISP provided equipment to do my routing, if I can't use it in modem mode (or provide my own modem) then a DMZ and port forwarding have to do ... but I'd sooner just choose another provider.
The LS proxy completely overwhelmed me. I thought I could be savvy and limit traffic. Yeaaaaah no. Once I started observing what was actually flying around it's... it's just insanity how many requests are made in just a few seconds. What else can I do but throw up my hands and hope for the best? But I guess it won't matter soon.
Little Snitch definitely needs a social feature where you can crowdsource good rules from other people and see what rules are common within the communities for certain apps.
I've been using Little Snitch since 2.0 and I agree, it's very impressive software. I had the same reaction to seeing the map features -- eye opening to say the least and a very, very interesting feature!
I'd like to see a similar map built into pihole. Seems like a natural fit. This way you could get a map for connections made by various apps on your phone too.
I always felt a little queasy installing a .kext from some random foreign-language websites (be it FTDI, or Alfa drivers, or even RealTek updates). I can feel the bias in me, "Oh no, this must be bad because it's foreign," which is absurd, but I still shouldn't be asked to sudo something when I buy offbrand hardware.
Potentially, though there are other solutions that could be used. There was a product they used a while back during the transition to x86 architecture that did code translation, for example.
https://en.m.wikipedia.org/wiki/QuickTransit
EDIT: I can't find anything that references kernel extensions in the conformance [2] section of the spec, so maybe 10.16 will adhere to the UNIX03 standard after all.
Anyone can buy UNIX certification. It just means you set fire to an appropriately sized bundle of cash. In return you get a nice sticker from the trademark holder. It is not especially meaningful.
> When will Little Snitch be updated to the new APIs?
> The replacement APIs that are currently available (NetworkExtension framework on macOS 10.15.4) are not yet completely sufficient to implement the full functionality of Little Snitch. But we are working closely with Apple to fill the remaining gaps and we expect that a beta version of macOS 10.16 (most likely available at the next WWDC) or even an upcoming version of 10.15 will provide what is missing. As soon as the APIs allow us, we will complete the transition of Little Snitch to the new NetworkExtension API. It’s our goal to provide a public beta in June 2020 and a stable version in October.
If they (and Apple) can keep to that timeline, I expect they will.
"we are working closely with Apple to fill the remaining gaps" - definitely sounds like it. I think Apple has made the right call tightening security around kernel extensions but I'm glad they're working with 3rd party developers (even if it's only big ones) to ensure the functionality is still there. They also mentioned the existing version will still work, it will just need to be explicitly enabled.
Apple has really done a 180 degree turn from back in the early OS X days, when they actually did quite a bit of work to keep existing applications functional. Forget binary compatibility, now even existing APIs are disappearing left and right.
That makes sense though, right? 15 years ago the number of people using OSX was a fraction of what it is today. They had to be very protective of that customer base.
Now the install base is huge and the threats are different.
Yes? Clearly the market is there. And writing kernel extensions is a major PITA. One benefit of working in user space is that you can (usually) do so in the language of your choosing. Little Snitch 0.0.1alpha would have been a lot easier to prototype in Swift than in C.
I believe GP is saying that if the transition to kernel extensions had happened before Little Snitch was written, then LS could never be written after that point because they wouldn't have the required leverage to get Apple to expose the API they need.
What if we'll be missing out on other groundbreaking future apps that need kernel space information to function?
Little Snitch also nicely shows how Google will make increasingly desperate attempts to invisibly update its software in the background.
It starts with a request to Google.com from Google Software Updater. But if you block that and the follow-ups enough times, in the end it will even try curl’ing directly to IPs...
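The behaviour described above is the case a rule engine has to be designed for: a process that is denied by hostname will try again without DNS, so a blocklist keyed on names has nothing to match. Below is an added example of the two rule styles side by side (my own code, not Little Snitch's rule format or engine; the process names, hostnames and addresses are hypothetical, with addresses from the RFC 5737 documentation ranges).

```python
"""Per-process outbound rules: hostname blocklist versus per-process default-deny.

Added example, not Little Snitch code.  Process names, hostnames and IPs are
invented; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Connection:
    process: str          # executable making the connection (hypothetical names)
    host: Optional[str]   # name the process resolved; None for a raw-IP connect
    ip: str
    port: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    process: Optional[str] = None  # None matches any process
    host: Optional[str] = None     # exact name, or ".suffix" to match subdomains too
    cidr: Optional[str] = None     # destination network, e.g. "203.0.113.0/24"
    port: Optional[int] = None

    def matches(self, c: Connection) -> bool:
        if self.process is not None and self.process != c.process:
            return False
        if self.host is not None:
            if c.host is None:            # raw-IP connect: a hostname rule cannot match
                return False
            if self.host.startswith("."):
                if not (c.host == self.host[1:] or c.host.endswith(self.host)):
                    return False
            elif c.host != self.host:
                return False
        if self.cidr is not None and ip_address(c.ip) not in ip_network(self.cidr):
            return False
        if self.port is not None and self.port != c.port:
            return False
        return True


def decide(rules: List[Rule], conn: Connection, default: str) -> str:
    """First matching rule wins; an unmatched connection gets the default."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return default


# Constructed attempts: an updater asks for its vendor's hostname, is blocked,
# and then connects to raw addresses.  A browser does ordinary HTTPS.
UPDATER = "updater-agent"   # hypothetical process name
BROWSER = "browser"         # hypothetical process name
ATTEMPTS = [
    Connection(UPDATER, "updates.example.com", "203.0.113.5", 443),
    Connection(UPDATER, None, "203.0.113.5", 443),   # hostname blocked -> raw IP
    Connection(UPDATER, None, "203.0.113.6", 80),    # and another address
    Connection(BROWSER, "news.example.org", "198.51.100.8", 443),
]

# Rule set 1: deny by hostname, allow everything else.
HOSTNAME_BLOCKLIST = [Rule("deny", host=".example.com")]

# Rule set 2: allow only what is explicitly permitted, keyed on the process.
PER_PROCESS = [
    Rule("allow", process=BROWSER, port=443),
    Rule("deny", process=UPDATER),
]


def decisions(rules: List[Rule], default: str) -> List[str]:
    return [decide(rules, c, default) for c in ATTEMPTS]


if __name__ == "__main__":
    print("hostname blocklist:", decisions(HOSTNAME_BLOCKLIST, "allow"))
    print("per-process deny:  ", decisions(PER_PROCESS, "deny"))
```

With the hostname blocklist the first attempt is denied and the two raw-IP retries sail through; with the per-process rule set every attempt by the updater is denied no matter what it connects to, and the browser keeps working. A CIDR deny would catch the retries in this sample as well, but only until the vendor uses an address outside the range you listed, which is why the process, not the destination, is the thing to key the rule on.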
In the event that the entire concept of kernel extensions is removed (which seems unlikely), Hackintosh developers could just recompile the kernel. Or have the bootloader patch the kernel binary. (Fun fact: Clover already allows any user to do Find ==> Replace on arbitrary strings or hex sequences in the kernel.)
You can do this stuff on a real Mac too btw, as long as SIP is off.
Now, if Apple actually put a concerted effort into screwing Hackintosh users, they could probably kill the scene relatively easily. But, they don't seem interested in doing that. Their attitude since the initial Intel release of Tiger has seemingly been indifference.
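The Find ==> Replace operation mentioned in the comment above is an in-place byte overwrite, and the two things that go wrong with it in practice are a pattern that matches more than once and a replacement of a different length. This added example (my own code, nothing from Clover or from any kernel; the sample bytes are constructed, using x86 encodings only so the image looks like code) shows the operation with both checks in place.

```python
"""Find/replace patching of a binary image with the checks a patcher needs.

Added example.  SAMPLE is a constructed 10-byte blob, not a real kernel;
the x86 encodings (74 02 = je +2, 90 = nop) just make it look like code.
"""


def find_all(image: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs, overlapping matches included."""
    offsets, start = [], 0
    while True:
        i = image.find(pattern, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def patch(image: bytes, find: bytes, replace: bytes, *, expect: int = 1) -> bytes:
    """Overwrite every occurrence of find with replace, refusing ambiguous patches.

    The pattern must occur exactly `expect` times: a short byte sequence often
    shows up elsewhere by chance, and patching the wrong site is silent
    corruption.  Lengths must match because a length change would shift every
    offset after the patch.
    """
    if not find:
        raise ValueError("empty search pattern")
    if len(find) != len(replace):
        raise ValueError(f"length mismatch: find is {len(find)} bytes, replace is {len(replace)}")
    hits = find_all(image, find)
    if len(hits) != expect:
        raise ValueError(f"expected {expect} match(es), found {len(hits)} at offsets {hits}")
    out = bytearray(image)
    for off in hits:
        out[off:off + len(replace)] = replace
    return bytes(out)


def patch_hex(image: bytes, find_hex: str, replace_hex: str, **kw) -> bytes:
    """Same operation with the patterns spelled as hex strings."""
    return patch(image, bytes.fromhex(find_hex), bytes.fromhex(replace_hex), **kw)


def is_unique(image: bytes, pattern_hex: str) -> bool:
    """True when the pattern is safe to patch without an explicit expect count."""
    return len(find_all(image, bytes.fromhex(pattern_hex))) == 1


# Constructed: push rbp; mov rbp,rsp; je +2; xor eax,eax; pop rbp; ret
SAMPLE = bytes.fromhex("554889e5740231c05dc3")

if __name__ == "__main__":
    print(patch_hex(SAMPLE, "7402", "9090").hex())   # conditional branch replaced by two nops
    print(is_unique(SAMPLE + SAMPLE, "7402"))        # False: the pattern occurs twice
    try:
        patch_hex(SAMPLE + SAMPLE, "7402", "9090")
    except ValueError as e:
        print("refused:", e)
```

Whether a bootloader applies a patch like this to the kernel image at boot or you apply it on disk, the uniqueness check is what stops a two-byte pattern from hitting an unrelated site, and on a real Mac the same edit additionally depends on SIP being off, as the comment above notes.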
That depends doesn't it? You'll be safe from Little Snitch but Little Snitch will have less power to protect you.
https://en.m.wikipedia.org/wiki/User-Mode_Driver_Framework
How does combo help you not be overwhelmed?
https://developer.apple.com/system-extensions/
https://en.wikipedia.org/wiki/FTDI
[1] https://www.opengroup.org/openbrand/register/
[2] https://pubs.opengroup.org/onlinepubs/009695399/
https://blackberry.qnx.com/en/resource-center/qnx-certificat...
UNIX certification doesn't say anything about how a kernel should be implemented, or what kind of driver architecture is used.
At least a future version of LS will work with 10.16.
Counterpoint: Microsoft's install base is enormous and has been for decades. They very very rarely intentionally break backwards compatibility.
Plus it isn't like they aren't providing an upgrade path.
Apple is working closely with Little Snitch to provide them with APIs with the features they need. Fine.
But would Little Snitch exist if there were no Kernel Extensions?
"Here's to the crazy ones..." Oh wait, there are none left.