From: Martin S Taylor on 29 Jan 2010 07:48

I've just installed Little Snitch, and I'm puzzled by a couple of things it's reporting on:

1. A process called rsmac_3630 keeps talking to cn1.redswoosh.akadns.net. (This seems to be connected with my trial version of Adobe CS.) But even though I've told LS to block all connections from rsmac_3630, and all connections to cn1.redswoosh.akadns.net, it keeps re-connecting.

2. Skype connects to lots of things, of course: this is how Skype works. But shortly after Skype connects to some address, processes from VM Fusion and Drobo Dashboard kick in, connecting to the same address Skype has just spoken to. This, even though I haven't used VM Fusion in months.

What's going on?

Martin S Taylor

From: Peter Ceresole on 29 Jan 2010 13:31

Martin S Taylor <mst(a)hRyEpMnOoVtEiTsHm.cIo.uSk> wrote:

> I've just installed Little Snitch, and I'm puzzled by a couple of things it's
> reporting on:

I realise that this is not an answer to the specific question you asked, but I think, as usual, the best thing to do is to ignore anything Little Snitch tells you.

--
Peter

From: Jaimie Vandenbergh on 29 Jan 2010 14:05

On Fri, 29 Jan 2010 18:31:53 +0000, peter(a)cara.demon.co.uk (Peter Ceresole) wrote:

>Martin S Taylor <mst(a)hRyEpMnOoVtEiTsHm.cIo.uSk> wrote:
>
>> I've just installed Little Snitch, and I'm puzzled by a couple of things it's
>> reporting on:
>
>I realise that this is not an answer to the specific question you asked,
>but I think, as usual, the best thing to do is to ignore anything Little
>Snitch tells you.

Not in Martin's case, since he's trying to get his Mac to not spew mindless drivel across the network it's on.

For normal users yes. For a security analyst being stealthy, no.

Cheers - Jaimie

--
"I have an asteroid named after me. Isaac Asimov's got one too. It's smaller and more eccentric." -- Arthur C. Clarke

From: James Taylor on 29 Jan 2010 15:42

Jaimie Vandenbergh wrote:

> Peter Ceresole wrote:
>
>> Martin S Taylor wrote:
>>
>>> I've just installed Little Snitch, and I'm puzzled by a couple of
>>> things it's reporting on:
>>
>> I realise that this is not an answer to the specific question you asked,
>> but I think, as usual, the best thing to do is to ignore anything Little
>> Snitch tells you.
>
> Not in Martin's case, since he's trying to get his Mac to not spew
> mindless drivel across the network it's on.
>
> For normal users yes. For a security analyst being stealthy, no.

Are you confusing Martin Taylor with me, James Taylor?

--
James Taylor

From: James Taylor on 29 Jan 2010 16:25

Martin S Taylor wrote:

> I've just installed Little Snitch, and I'm puzzled by a couple
> of things it's reporting on:
>
> 1. A process called rsmac_3630 keeps talking to cn1.redswoosh.akadns.net.
> (This seems to be connected with my trial version of Adobe CS.) But even
> though I've told LS to block all connections from rsmac_3630, and all
> connections to cn1.redswoosh.akadns.net, it keeps re-connecting.

Little Snitch prevents things from making outbound connections, but it does not prevent them from *trying* to connect out. The Little Snitch network monitor flags up every attempted connection whether it succeeds or not. If commonly occurring notifications in the LS network monitor irritate you, or cause you to lose the signal in the noise, then you can tell LS to disable the notification for specific processes. Ctrl-click, or right-click on the notification itself to find this option on the menu.

> 2. Skype connects to lots of things, of course: this is how Skype works. But
> shortly after Skype connects to some address, processes from VM Fusion and
> Drobo Dashboard kick in, connecting to the same address Skype has just spoken
> to. This, even though I haven't used VM Fusion in months.

That sounds very curious. I would need more information to discover what's really going on, but I'll hazard a guess that Skype is trying to use NAT-PMP or UPnP via all available interfaces to open a port on your router which can then be used by the rest of the Skype network to forward calls for other Skype users. Specifically this helps people behind non-traversable NAT devices make calls to each other (thus stealing your bandwidth for the commercial benefit of the already wealthy Skype Ltd). Given that an installation of VMware adds some virtual network interfaces, when Skype tries to send traffic over them, VMware components are invoked to handle it. Just guessing, but this is probably why you are seeing VMware related entries when using Skype.

Frankly, Skype is a very scary thing to be running on your computer if you care about security. It's closed proprietary code that may or may not contain intentional backdoors or unintentional security holes. It encrypts most of its communications so you have no way of knowing what kind of information it is sending from your computer out to the cloud of peers which, rather like a botnet, can pass information back and forth in so many ways it would be untraceable. There's no way you can keep track of all the IPs it connects to, or limit their number using Little Snitch, so if you want to run Skype usefully you have to tell LS to allow all connections from Skype, and that means you'll never notice when it does start sending your keystrokes or passwords to either Skype Ltd or the hordes of faceless spooks and crooks that would salivate at the thought of being able to reap such a global harvest.

Worst of all, Skype is, like all IM clients, something you normally keep running all the time to allow other people to contact you, and this means it is facing the Internet for longer than any web browser or email client and would be an ideal target for a fast spreading worm.

My advice is that, if you're going to run Skype at all, run it in a clean VM guest that you keep separate from other VM guests. And make sure you disable UPnP and NAT-PMP on all your routers, AirPort devices, etc.

--
James Taylor
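
The advice that closes the post above, to disable UPnP and NAT-PMP on routers, can be checked from a machine on the LAN. This is an added example, not part of the original thread: it sends the NAT-PMP external-address request (RFC 6886) to the gateway and an SSDP search for a UPnP Internet Gateway Device, and reports whether either still answers. The gateway address `192.168.1.1` is an assumption.

```python
import socket
import struct

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def natpmp_request() -> bytes:
    # NAT-PMP version 0, opcode 0: "what is my external address?"
    return struct.pack("!BB", 0, 0)

def parse_natpmp(reply: bytes):
    """(result_code, external_ip) for a well-formed NAT-PMP reply, else None."""
    if len(reply) < 12:
        return None
    version, opcode, result, _uptime = struct.unpack("!BBHI", reply[:8])
    if version != 0 or opcode != 128:  # a reply carries 128 + the request opcode
        return None
    return result, socket.inet_ntoa(reply[8:12])

def ssdp_request() -> bytes:
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\n'
            f"ST: {IGD_ST}\r\n\r\n").encode()

def parse_ssdp(reply: bytes):
    """LOCATION URL if an Internet Gateway Device answered, else None."""
    lines = reply.decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    pairs = (line.partition(":") for line in lines[1:])
    hdr = {k.strip().lower(): v.strip() for k, _, v in pairs if k}
    return hdr.get("location") if hdr.get("st", "").lower() == IGD_ST.lower() else None

def ask(payload: bytes, dest, timeout: float = 3.0):
    """Send one UDP datagram and return the first reply, or None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, dest)
            return s.recvfrom(2048)[0]
        except OSError:  # timeout or ICMP port-unreachable: nothing answered
            return None

def audit(gateway_ip: str) -> dict:
    pmp = ask(natpmp_request(), (gateway_ip, 5351))  # NAT-PMP listens on UDP 5351
    igd = ask(ssdp_request(), SSDP_ADDR)
    return {"nat_pmp": parse_natpmp(pmp) if pmp else None,
            "upnp_igd": parse_ssdp(igd) if igd else None}

if __name__ == "__main__":
    print(audit("192.168.1.1"))  # assumed gateway; None for both means neither answered
```

A non-`None` value for either key means the router will still accept port-mapping requests from any program on the LAN, which is the behaviour the post recommends turning off.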