Little Snitch Being Bypassed By Developers?

General discussions about Little Snitch

Post by Guest » Wed Nov 14, 2007 2:56 am

We can thwart things like Flexnet if we know what IP addresses and/or ports they use, in order to manually enter rules, but its not easy to know the required info. I hope LS will have an answer for this by monitoring requests made between applications, or perhaps in the meantime Objective Development can create a place on this website for users to post this information, perhaps searchable by application and let all the more advanced network people fill it in with info gleaned from tcpdump or other utilities.


Post by Guest » Thu Nov 22, 2007 7:19 am

This is a very interesting subject, I wanted to know if anyone tried Netbarrier instead of little snitch to see if the same results happen?


Post by Guest » Fri Nov 23, 2007 4:36 am

On Windows XP with ZoneAlarm installed, you must allow FLEXnet licensing service to access the internet for Adobe CS3 applications to activate. This is of course in addition to allowing the CS3 applications themselves to access the internet.

Adobe has created a scenario where their applications not only call home to ensure proper licensing, but will not work without said communication. That is just the way it is these days.

But as far as LS is concerned, I am curious as to why it's Windows world equivalent is picking up on FLEXnet's outbound communications that it fails to.

Head in the sand or not, Objective Development should realize that the number one reason people are using it's products is to avoid piracy detection. Yes there are other more ethical uses, but the economic factors outweigh the ethical ones.

Speaking of economics, Adobe has more resources than Objective Development and will ultimately create ways to protect their intellectual property despite products like LS.


Post by Guest » Fri Nov 23, 2007 7:17 am

So, what does a company like Adobe or Apple generally do, if a user copies a software and enters a serial number they find on the Internet to try it out (and later either buy it or don't buy it), if they don't use Little Snitch, and the App phones home? Do these phone-home mechanisms send the serial number of the computer, or what else?


Post by Guest » Fri Nov 23, 2007 10:32 pm

What does Adobe do? Generally nothing, unless you are a site license customer like a large company that is using more than it's purchased allotment. In that case, you are a much more likely target for Adobe's legal team, or that of the Business Software Alliance. Since you are already a paying customer, your company is expected to pay for what it is using.

I suspect things are very different for individual users though. I've always been of the opinion that Adobe allows a certain amount of piracy in the education sector specifically because what better way to get a potential customer "hooked" on your product than to allow free use in the early stages. Then as you graduate college, and get a job, you are reliant on Adobe products and more likely to purchase the software. This is of course compared to a person who has never used Adobe for free for instance, and never became reliant on the product. Why would they suddenly purchase such an expensive product? The fact is they wouldn't. Allowing certain type of piracy may create more demand for their products. They are more than likely aware of this phenomenon.

Back to Objective Development and the future of Little Snitch; if they don't find a way to keep Adobe off the casual pirate's back, they are losing their largest audience. Like it or not, this is the usage of LS, and will continue to be.


Post by Guest » Sat Nov 24, 2007 11:41 am

I love it when some anonymous person makes sweeping generalities such as the above poster who makes all of those claims about LS market. No data just pontification... it's true because they said so with such authority (even though they couldn't be bothered to sign their name to the assertion).

Many many of us buy the product in order to keep track of the security of our machines. For anyone to assume we are the minority is more a statement of which orifice last enclosed their head than a statement of objective reality.

BTW, LS just helped me catch a break-in on one of my systems this evening. Looks like a user has had their SSH handle compromised. Caught it and shut it down via the LS connection reporting.

Mr. X from Y

Post by Mr. X from Y » Sun Nov 25, 2007 12:28 am

Head in the sand or not, Objective Development should realize that the number one reason people are using it's products is to avoid piracy detection.

Speak for yourself. I use it to block privacy violations. Unfortunatly, many software developers are incredibly snoopy. Case in point: Ulysses. Every time you start this program, it connects to their servers, even if update checks are disabled. I am a legitimate user of Ulysses (and I hate cheapskates who pirate software), but I block these connections because they are dubious attempts to transmit data without my knowing. When asked about these connection attempts on their forum, the devs admitted that they check serial numbers on startup, but while my serial number is legitimate, these connections are not, since they aren't mentioned anywhere in their privacy statements or help files. Their serials are bound to the name and billing address of the purchaser, and I don't want these guys to know when and how often I, Mr. X from Y, start their app, because this is none of their business. I use LS only because there are too many developers who have no respect for the privacy of their customers.


Post by Guest » Mon Nov 26, 2007 4:34 pm

Developers - any plans to add a feature to control apps making requests of browsers or other apps to access the Internet?

Posts: 12
Joined: Mon Nov 26, 2007 4:08 pm

Post by jakaj » Tue Nov 27, 2007 1:45 pm

What the above poster mentions is also the problem with interpreted languages like PHP and Ruby. You either allow all programs written in them access, or none :(


Flexnet and Little Snitch

Post by WADurant » Fri Dec 07, 2007 3:09 pm

Thanks to Johannes and OD, and to everyone who has posted so far.

I have spent a number of days and nights until sunup installing, taking off, reinstalling, running with various rules, gathering information on Flexnet / FNP / Little Snitch. Here is some of what I've figured out so far, off the top of my head. Pardon me if there are errors or incompleteness.

First of all, thanks again to Johannes and OD. I have no doubt in anything he has said. It is indeed possible, but it is not proven, that Flexnet drills through Little Snitch and successfully transmits information if you don't want it to.

The only way to resolve that is to set up a second, exterior machine as a router and 1) capture all communication and 2) correlate it with actions that are shown on Console/System and those which are not (e.g. Java internal operations, etc).

Macrovision (Europe) is the company that provides the Flexnet software to e.g. Adobe (CS3, Photoshop, etc), Filemaker, Ulysses, etc.

I am going to refer to CS3 / Acrobat only. Similar situation for other programs.

There are two levels of communication attempts by the CS3 programs.

1) "normal" or "everyday" - All of them phone home, and in more than one way to more than one site - e.g. starting Bridge immediately causes contact with up to 5 Adobe sites. They may transmit personal and/or licensing-related information - unknown. This is pretty normal stuff, and is totally controlled by LS.

2) "flexnet" / licensing - you will see Console log items when the flexnet calls comes up. It attempts to communicate, but it does not appear to wake up Little Snitch. But that doesn't prove that it successfully communicated or what it managed to send - that is yet to be definitively proven (via external machine used as router etc. etc.) For all I know it runs up against Little Snitch in a way that LS is silent about, and Flexnet gives up. I doubt it, but I can't be sure yet.

Photoshop and Acrobat are the "bosses" for the other applications. When any of them need to check activation, they rely on those two - that is to say, their related files and executables (if you don't install them, they still have e.g. adobeupdaterprefs.dat to check on what to do). The CS3 "core" is always installed and must be there to run, no matter which applications you have installed or not. Photoshop is a "boss" because Adobe started with that, and Acrobat is a "boss" because most people need a pdf reader or Flash.

Obviously application.sif is one "keychain" to the activation check. However, there are many more files involved. There are 3 sets of FNP files installed and necessary. There are other files involved in self-healing the Flexnet system. It should also be clear that deleting or damaging them is a waste of time - they either self-heal or the applications stops.

You should be away that there are a number of "invisible" files installed that are non-obvious. That is to say, using Spotlight and getting rid of "adobe" files etc won't do the trick. Ditto using Adobe's Uninstaller, and even if you use CleanSweep or whatever it's called. Some of the insible and secret files are still there, waiting for your next install attempt. For example, if you install trial-enabled software, you may laugh at how resilient your 30 day free trial counter is, even if there is no internet connection! Two days later, even if you clean up and reinstall, you have 28 days left, even with no connection.

Importantly, do not rely on Spotlight to find all the relevant files. Leaving aside reformatting your drive, you can find them via Unix in Terminal and/or OS 9 Find File with dotfiles turned on. The gold standard is using Unix compare functions to see what was there before and what is there now.

The Flexnet system is intelligent in that it does not do the same activation file installation every time, and it appears that it does not put the files in the same places every time. I had to wipe and rebuild my system dozens of times under controlled conditions to figure this out. Not difficult for Flexnet - if the system clock shows 111 time, it does 111a install etc, and it knows that if the files aren't in aaa then check in bbb, or ccc etc. I could be wrong - I had to try it so many times - a more rigorous approach could sort this out, but it might need a month of solid work.

Check invisible .adobe, .macrovision, and tmp/ (various) files, and all files containing fnp. And be aware that the adobe support files for Flash (used e.g. for your browser) are also hiding places for Flexnet, from one install to the next, if you leave any on. Ditto Adobe Reader. If you want to be sure, get rid of any invisibles and all Adobe stuff of any kind. Obviously, be careful - don't wreck your system. I trust you know what you're doing.

With admin (root) permission, Flexnet can do anything it wants. It appears to employ a long string of java calls that disappear down a rabbit hole (nothing discernable past a certain point in the java log file). It appears to me that even when I have locked Little Snitch's rules, with root privileges Flexnet could modify them and then cover its tracks.

It may a) operate at a "high" level by using its privileges to modify LS rules and make invisible java routine invocations, covering its tracks after it has finished. That would be the most "honest" method.

It may also b) modify or install existing or parallel code on the fly, leaving no traces in any of the logs.

I can tell that Flexnet is very busy, but also that what it is doing is invisible after you see its initial system calls. However, that doesn't prove whether and what has been communicated, although clearly it is effective.

This is, of course, perhaps the most serious security hole on the Mac, and I read that two groups have already copied its methods to create sort-of Trojans. You have to grant privileges to some bogus install request, of course, for them to run, so they are not viruses and are barely Trojans. But the door has been opened by the buyers of Flexnet services.

As an aside, I did install and try Paranoid Android, and it does a bangup job of tracking attempts by one program to employ another to do its dirty work. However, Flexnet does not do anything that wakes up Paranoid Android - i.e. it is not using vanilla calls to other programs.

Johannes has pointed out that with it having root privileges, the only totally sure way to stop Flexnet is via hardware - or equivalently via software in another machine between Flexnet and the net. With more information, if Flexnet is not too too naughty, it might be possible to be more sure of control.

I figure Macrovision is unlikely to do anything overly bizarre (on the fly modification of kernel stuff) because it would make Apple sore at them if anything went wrong. I figure they're using just enough power to get the job done.

It's sort of like you lend your car keys to your sister for her date (you give admin to CS3 for its install) and your sister then lends your car to someone doing Break and Enters. Then someone borrows your car from the B&E artist and does ccc (the Trojans). And you just counted on your sis having a good date.

There are those who have defeated Flexnet by causing the programs that rely on it to feel satisfied no matter what Flexnet returns to them. Personally I don't care too much - Flexnet can call home all it wants. However, from a curiosity, trust and security point of view, I would really like to know more about how it does what it does.

The keys seem to be root privilege, Java, Little Snitch only incidentally (Flexnet with root could bypass any program, doesn't matter, it's not any fault of LS), and whatever extent of system-modifying/self-modifying/add-and-delete-on-the-fly code.

The key routines are obfuscated when you look inside them. It would be fun to comletely disassemble and reverse engineer, but there are more important things in life.

It should be pointed out that LS catches all of the "everyday" calls of CS3 and controls them perfectly.

I am at the limit of how much time I can put into this for curiosity's sake, but someone would have to set up a nice, controlled lab with e.g. a Mac that you can completely wipe and rebuild over and over, and a second machine to monitor, capture and disassemble all web traffic.

Keep up the discussion. I adore jigsaw puzzles, and this is a good one.


Post by Guest » Thu Dec 20, 2007 6:45 am

yes you can get around it, any process running with root/administrator can kill the daemon, and unload the kext, and do whatever it wants at that point, ive been able to do it with a 3 line shell script.

Rank 2
Rank 2
Posts: 40
Joined: Tue Nov 06, 2007 7:42 pm

LS 1.2.4 and Onyx

Post by mustbjones » Tue Jan 01, 2008 4:57 pm

I have LS 1.2.4 running on a second machine running 10.4.11. I just did an "Update Onyx" from the application menu and nothing popped up from LS. I checked the rules and I don't have anything specified for Onyx. Is this another example of a program being able to bypass LS?


TCPdump and flexnet

Post by anonymous1 » Thu Jan 03, 2008 5:05 am

Does anybody know if you can see what Flexnet is doing with tcpdump?


Application hijacking

Post by Kwak » Fri Jan 04, 2008 9:54 am

Application hijacking is the big problem because we don't see the real program but only the authorized program (web,mail).
On my PC, I use SSM (System Safety Monitor), an great HIPS.
Feature :
"SSM keeps track of the activity of all applications already started or being started and allows you to:
control which application can be started;
control which child application can be started by a selected one;
control which parent applications are allowed to start a selected one;
control whether a selected application is allowed to start if it was modified.........."
With this program and a tiny firewall, I can block all unauthorized programs and prevent my children to execute a bad program!!!
BUT I don't find an HIPS on MAC :(
Little Snitch seems good but not a real HIPS


HIPS for Mac

Post by Tarrant » Tue Jan 22, 2008 12:32 am

Have you heard of FileDefense by SubRosaSoft? It performs many of the functions of SSM. I haven't tried it myself since I don't have a Mac yet. (I'm still trying to decide whether I'm going to switch from a PC to a Mac or just dual boot some linux distro.) Anyway, the program sounds really interesting. If you do try it, post back here to let me know how it works. Also, you can use multiple non-administrative user accounts to in effect sandbox applications.

Post Reply