XYMer's Home away from Home

In general, unless it's fairly obvious where it's coming from and it's needed, just deny first -- from experience, you develop a sense about when it sounds legitimate. Then, if something's broken, google the url in question, check with WOT (and maybe a few others if it looks suspicious) and if it looks OK, then go back and allow. Very often, if you deny, nothing gets broken and there's no reason to do any research, except out of curiosity. Sometimes, I'll google first before deciding whether to allow or deny, and leave the pop-up hanging until I decide. When you are being prompted to allow or deny, you can "Show Details" to get more information.

As soon as I installed 10.6.6 and after the first boot, Little Snitch prompted me to allow storeagent. I immediately denied and then set that as a permanent rule (how you do that is fairly intuitive.) Same for AppStore.

Yes, unless he's in on the game, this will drive Mr. H nuts. The trick is to get him to understand that you are a secret agent for MI5 and this is completely necessary for your covert operations.

Thanks, I didn't know anyone else was reading this blither of mine - loved your response!

_________________
Mrs H

Do these pop-ups keep popping up (and getting in the way? - I can just hear Mr H say - "what's going on here?..." or are they innocous? or constant? - do they show up whenever you are at a new site?)

Thanks for your help, WZZZ - good to see you in several places, old friends make new places more comfortable.

_________________
Mrs H

They aren't all that frequent. If he's already used to NoScript, he's a soft target.

Check out this older thread at the ob.dev forums. Big gaping hole. Wonder if it ever got fixed?

http://forums.obdev.at/viewtopic.php?f=1&t=146&start=0

Yes, we've got NoScript and WOT on both our macs.
This is good news.
Thanks,

_________________
Mrs H

Just to add, if an application has no reason to be communicating out over the internet, like say TextEdit, which simply edits files on your local system and literally is incapable of opening documents residing on a server someplace on the internet, there's no reason to allow it to communicate to a server on the internet. If it's a program like Firefox, which needs to talk to web servers (port 80 and 443), then you allow that communication to happen. If it's an FTP program, which needs to talk to an internet server over FTP in order for you to transfer files off that server onto your system, then you allow it to communicate over port... er... 21? 23? If it's a "free" game that doesn't support network play that for some mysterious reason is trying to talk to an IP address that doesn't resolve to a hostname, then you block it.

For most part it just requires you to sit back and think about things logically in that fashion, it's only when you get into cryptic stuff like destroying the App Store that it becomes mildly counter-intuitive and cryptic.

And the prompts on Little Snitch are somewhat informative, in that they always do a reverse DNS lookup, which (normally) changes an unintuitive IP address into a fully qualified server name (http://www.apple.com instead of 23.1.61.15), which makes it lot easier to figure out what's talking to where.

After a few days of firing up all your normal apps Little Snitch will literally be transparent, only prompting you when you add something new to your system.

Thanks for the added info.

So, if I spend a lot of time pouring through Google Images searching for a particular image, and sometime click on one - LS is not intervening here when I go somewhere (this is a WOT sorta' thing) but when, say, an app I have goes out of my Mac looking back to its source LS tells me it's doing so?

LS pops up in apps talking out to sites and not when you visit sites and they look at you? - that's the outgoing/incoming thing that LS talks about on its FAQ or forum page?

And, btw - in the LS forum I just read that now there is an Auto-Update feature recently added to LS which apparently is a big deal and a much desired feature that it had been lacking.

And one further question - 2 people, 2 Macs - we need 2 licenses? ("The single license permits either a single user to use the software on multiple computers or multiple users to use the software on a single computer. However, it does not allow multiple users to ever use the software on multiple computers, regardless of whether such use is concurrent') Does the trial version work and is it easy to install a paid version after the trial?

Probably should have started a new LS thread, but I've got everyone's attention here so I'm just continuing with my questions in this thread.

_________________
Mrs H

Is storeagent separate from the AppStore? I take it you didn't have to do the compress thing that Anon suggests, LS takes care of it.

The MI5 image is cunning, but I'm not sure Mr H would appreciate the joke.

He's resigned to my (call it) paranoia and he puts up with my installing things (like WOT) onto his MBP to keep the peace. I can't tell from your additional note added here whether LS will be more of an intrusive annoyance (though necessary) that at first I suspected.

_________________
Mrs H

I suppose you do need 2 licenses. I don't know how they'd know, but since LS is about half the cost of the nearest comparable product...

For web browsers I allow them to talk to any server over port 80 and 443, otherwise every time you visit a new site it'll pop up a connection warning.

When Little Snitch pops up a warning it asks if you want to allow the connection over that port and only to that server, allow any connection to that server, any connections over that port to any server, and any connections over any port to any server. You can deny the connection using the same criteria, and for both you have the option of temporarily allowing/denying the connection or permanently allowing/denying the connection.

For something like a web browser, which inherently will connect to a ton of servers, you'll want to permanently allow port 80 and port 443 (http & https) to any server. For some streaming video applications I occasionally get prompted to open 1935 as well but I see them so rarely I just do a temporary allow for that port & server.

Helpful and instructional, thanks.
So if we choose allow "any server over port 80 and 443" while using Firefox or TenFourFox - when we are on Google Images, we can click on photos from sites we deem safe via WOT and we will not be interrupted by warnings? I hope I get what you are explaining.

Yeh, I figured we'd be required to get 2 licenses, I don't know how they'd know - yes I do - they probably call home and say we have 2 computers both running and both using LS.

_________________
Mrs H

Two for one: on one license they allow a desktop and one "portable." It's not according to users. I let LS do all the work. I haven't disabled the App Store in the way Anon suggests; Just dragged the icon off the Dock. If I can be certain it can't phone home, that's enough for me. Even though I dislike its presence on principle, I decided I can't be bothered to go any further in eradicating it.

Basically, yes, but unless you go in ahead of time and setup the rules manually it'll take two separate prompts for each web browser you run.

Your home page is probably an http:// site which means the first time you open it it will ask you if you want to allow communication on port 80 to the home page server, you just tick the "port 80 traffic to any server" option and hit the "allow always" button and it'll never prompt you again for normal http:// traffic. The first time you to go an https:// page it'll do the same thing, only for 443.

Really? That's great news but what if one of us uses the desktop and the other uses the MBP (laptop aka portable) at the same time? Did you see this 2 machine info in their lit?

So I don't have to get a family pack for our 2 Macs after all?

Not that I want to cheat them, I just am conserving the funds here.

Thanks for the info,

_________________
Mrs H

Worst case I'd just buy two single-user licenses and call it a day. You both have your root system (laptop vs. desktop) and can roam to the other system (desktop. vs. laptop) by the terms of each single-user license.

No, you don't need to buy a Family License. If you look on the right-hand column of this page: http://www.obdev.at/products/littlesnitch/order.html, you'll see it clearly says you (as in you, the buyer) can use it on multiple computers.

But you can't give it to others in your family, or friends, to use on whatever computer they may own now or in the future.

In other words, they're trusting you not to give it out or pirate it, but if you violate their trust, that just increases the cost of the software for everyone, or makes them go out of business due to the program being pirated instead of purchased.

The single license permits either a single user to use the software on multiple computers or multiple users to use the software on a single computer. However, it does not allow multiple users to ever use the software on multiple computers, regardless of whether such use is concurrent.


As we are talking about two people - two users - on two different systems, multiple licenses are technically required. However I don't believe a 5-user license is needed to cover 2 users on 2 systems, I think 2 single user licenses would work fine. At the end of the day you're purchasing software for each system, and the license restrictions are technically unenforceable legalese.

OTOH the multi-user package gives you a substantial discount over the purchase of single-user licenses, so if you were to need to, say, purchase 3 licenses then a 5-pack would probably make more sense.

Ummm, 2 single user licenses costs $.90 more than the Family pack.

Since we have the MBP, the iMac, 2 Dell mini 10v Hackintoshes (I did the hack ), and an iBook (that is on its last legs and can only boot from an external) a Family pack makes more sense. I assume I can install different versions on dif computers - the MBP (and nearly dead iBook) are running Tiger, the others are on various versions of SL.

Thanks,

_________________
Mrs H

Oh dear. I completely glossed over the family license, sorry. I thought you were talking about the multi-user license.

Yes, we support and uphold intellectual property rights (OK, so I did a hack... ) and would not pirate nor go against the rules - so if they say, as they do say, one user/one license then we'd go with 2 at least but a family pack is actually cheaper so that's the way to go.

This discussion resulted from the suggestion that we could install it on one desktop and one portable - but I guess I did not specify that there would be 2 users.

_________________
Mrs H

It's up to you, but, personally, I wouldn't get too crazy about there being two users.

EDIT: I'll amend this to say that when I bought it, it was my understanding that a single license allowed one to run it on a desktop and a portable. I see that's now been changed. Whether that was restricted to a single user or not, I don't remember. It might have been.

Since it looks like you would be installing it on a number of computers, with users within the same household, the Family License would be the absolutely kosher way to go.

BTW, one thing I learned the hard way. If you want to block a certain domain/URL in your browser, e.g. Firefox, you must set that rule up for Firefox, not in "All Applications." If you allow everything in Firefox for Port 80 and 443 (https), which you must, that will override a domain being blocked in "All Applications," and that domain will not be blocked.

I'm having trouble digesting all of this.
My homepage is Google http://www.google.com/webhp?complete=0 which is the Google that does not offer those annoying suggestions.
You say I want/need to allow all traffic to port 80 and 443 otherwise I'll have to allow each site separately?
LS looks at outgoing stuff from my Mac, right? And now I've allowed everything to go out unsupervised from my Mac to all websites? Am I understanding that that's what you are saying and that's the way to go? And, that's the way it is anyway without LS, yes?

Then I read WZZZ's BTW at the end of the post just above this reply and I'm totally flummoxed.

I'm planning to follow BDA's suggestion of waiting til I've updated to 10.6.8 to install LS. I've read some folks had trouble uninstalling the demo to go to the paid form - but I'll work on that when I get there. Now I'm just getting those ducks in order so I'll know what to do when I've done it - unfortunately I'm plagued with the need-to-know/learn-as-much-as-possible-before-proceeding disease.

Feeling pretty dumb here,
Mrs H

_________________
Mrs H

When Firefox goes to http://www.google.com/ it talks to http://www.google.com on port 80. Google then sends back information to your system so that you get the web page. When Firefox tries to make that initial connection to http://www.google.com, Little Snitch will pop up a warning telling you that Firefox is trying to communicate with http://www.google.com over port 80. Since you typically want to browse the web with a web browser, I typically choose the "allow port 80 communication with any server" option, instead of just allowing port 80 traffic with http://www.google.com, because allowing connections to each server would get tedious fast, as every web site would result in a new popup. I don't mind if Firefox communicates with a web server over port 80 - that's it's intended purpose.

The same process occurs with Firefox and port 443 (https) connections. Firefox tries to connect to http://www.google.com on port 443, which causes Little Snitch to pop up a warning letting you know a network connection attempt is being made, and you allow Firefox to communicate to any web server over port 443.

Understand that Little Snitch remembers and manages connection attempts on an application, not system, level. If you fire up Safari and try to talk to a web site, it's going to pop up the same kind of connection messages because it's not Firefox. So basically each application gets it's own set of connection filters that you choose to either allow or deny.

Typically malware will attempt to connect to systems over nonstandard ports, like IRC, so after allowing port 80 & 443 if Firefox suddenly wants to talk to an IRC server you know something strange is going on.

Basically the idea is to make Little Snitch popups an uncommon occurrence, so that when they do pop up, you're not reflexively hitting "Allow," you see them so rarely that you take the time to read what's on screen when it happens.

I hate AV systems that pop up warnings and messages constantly to the point that normal people never take the time to read them, they just click allow because it always lets them get on with what they were doing. But if you never see Little Snitch, and suddenly it pops up a warning, aha! You know something nefarious is afoot!

Thank you MonkeyBoy for the clear, concise explanation.

This makes it all so obvious. I don't know why I was having trouble understanding before, but it seems clear now.

As soon as I do the update to 10.6.8 I'll be sure to get the trial of LS and, as I said before, hopefully it will allow me to install the purchased edition afterwards without the hassles I've read about elsewhere.

Thanks again for your clarity.

_________________
Mrs H