Little Snitch 1.2.2 is a valuable application that picks up where Mac OS X’s built-in firewall leaves off. Whereas the firewall software that Apple provides only screens incoming traffic (attempts to access your computer from the outside), Little Snitch watches for outgoing traffic—connections from software running on your Mac to addresses elsewhere on the Internet. Aimed at the increasing population of users whose computers are constantly online, the software could prove useful for providing an early warning that a malicious program is running on your Mac and attempting to connect to other systems.
Staying safe
You can configure the Mac firewall to block outgoing traffic, but you have to use commands in Terminal, edit the firewall’s settings files, or use a third-party tool such as Brian Hill’s Flying Buttress. Even if you’re enough of an expert to configure your firewall to block certain kinds of Internet connections, the tricky part is knowing what to allow, and what to block. That’s where Little Snitch shines: It tells you what software on your computer is trying to make outgoing connections, then asks you whether you want to allow or block the connection, and if you want to do so one time or forever.
For instance, your chat software may connect to the AIM or Yahoo! server. But before it does that, it may try to contact the author’s Web server to check for an updated version. It’s nice that the software can inform you about software updates, but you may not want it to—and not all programs let you choose whether to allow such checks. Little Snitch lets you decide if you want to permit these programs to phone home, or whether you’d rather remain anonymous.
While Little Snitch guards you from overeager applications, it can also protect you from software you didn’t know was running on your Mac. Potential malware threats include keyloggers that record everything you type and send the information back to a home base; hidden caches of illegal song or movie files served up upon request; and bots that send out spam. Little Snitch reveals all of these problems by asking you what to do about unexpected network connections. And although most of these threats exist on the Windows side, Mac users—especially those who do a lot of downloading—can never be too careful about possible new exploits.
Little Snitch may also warn of connections when software on your computer is responding to normal incoming connection attempts. For example, nmbd (NetBIOS name server) is part of your Mac’s Windows-compatible file sharing feature, and it will attempt to respond whether a Windows user is legitimately trying to access your files, or a Windows virus that takes advantage of NetBIOS is attempting to attack. Unless you’re expecting a Windows user to log on to your Mac, you can safely reject such connections, but I wish Little Snitch would more clearly explain such situations.
Permission granted, or denied
Little Snitch is easy to install, but plan on spending a few minutes teaching it about your normal habits—network connections it should always allow, such as retrieving new e-mail or visiting your online banking service. In fact, the software includes a set of common connections you’ll probably want to always allow, such as Web-page access through Safari or Internet Explorer, QuickTime streaming video, and clock checks via the network time feature. It would have been nice to see a few more entries for common connections, but it’s very easy to approve connections for another Web browser (such as Camino) or your chat software.
I was a bit surprised when Little Snitch asked me to approve connections that I had told it to allow forever (for instance, iDisk syncing). But when I contacted tech support about the issue, I got a quick and friendly response explaining that sometimes the same hostname represents more than one numeric IP address—often to balance a number of requests at one time—and for safety’s sake, Little Snitch keeps track only by IP address (since hostnames might be too easy to spoof). The company recommended that I configure Little Snitch to recognize a range of IP addresses, such as 192.168.0.0 through 192.168.0.128. This solution worked well.
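The repeated prompts described above come from how the rule is keyed: a rule approved for one numeric address says nothing about the other addresses the same hostname resolves to, so each new address looks like an unknown destination. The following Python model, added here and not taken from the article or from Little Snitch's developer, contrasts exact-IP rules with the range rule tech support suggested (192.168.0.0 through 192.168.0.128). The hostname and its resolved addresses are constructed sample data, not real hosts.

```python
import ipaddress

# Constructed sample data (not real hosts): one hostname that resolves to
# several addresses, as happens with round-robin load balancing.
RESOLVED = {
    "sync.example.invalid": ["192.168.0.10", "192.168.0.77", "192.168.0.120"],
}


def per_ip_prompts(host_to_ips, approved):
    """Model rules keyed by exact IP address.

    `approved` is a set of ipaddress objects the user has already allowed.
    Every connection attempt to an address outside that set would raise a
    fresh prompt, even for a hostname approved 'forever'. Returns the
    addresses (as strings) that would still prompt."""
    prompts = []
    for ips in host_to_ips.values():
        for ip in ips:
            if ipaddress.ip_address(ip) not in approved:
                prompts.append(ip)
    return prompts


def range_rule(first, last):
    """Build one rule covering every address from `first` through `last`
    inclusive. summarize_address_range yields the minimal list of CIDR
    networks; 192.168.0.0-192.168.0.128 becomes /25 plus a single /32."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def matches_range(networks, ip):
    """True if `ip` falls inside any network of the range rule."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def range_rule_prompts(host_to_ips, networks):
    """Addresses that would still prompt under a range rule."""
    return [ip for ips in host_to_ips.values() for ip in ips
            if not matches_range(networks, ip)]


if __name__ == "__main__":
    # The user approved the first address they were asked about.
    approved = {ipaddress.ip_address("192.168.0.10")}
    print("exact-IP rule still prompts for:", per_ip_prompts(RESOLVED, approved))

    nets = range_rule("192.168.0.0", "192.168.0.128")
    print("range rule networks:", [str(n) for n in nets])
    print("range rule still prompts for:", range_rule_prompts(RESOLVED, nets))
```

The range rule removes the repeated prompts, but it also approves every address in the range, not just the ones the hostname actually uses, so the narrower the range that covers the observed addresses, the less a later, unrelated connection into that range can ride on the same approval.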
Macworld’s buying advice
Little Snitch 1.2.2 strikes a good balance between automatically blocking potential problems and letting users decide what connections to allow. This is a great tool for anyone who uses a wide variety of software, especially if you tend to download programs from a lot of new sources.
[ Mark H. Anbinder is an IT specialist at Cornell University and a contributing editor to TidBITS.]
[Screenshot caption: The MirrorAgent process for synchronizing a user’s iDisk is one common connection that Little Snitch doesn’t recognize out of the box.]
[Screenshot caption: Little Snitch doesn’t make it clear when software, such as the benign nmbd (NetBIOS name server), might be responding to a connection from a sketchy-looking address, rather than initiating a connection.]