A question that comes to mind reading this. Is it possible to block/limit outbound traffic of a docker-container?
I'm thinking of a situation where I want to run a precompiled binary, but only want it to talk to an other container and not the outside world. How would I do that?
If anyone is interested in something (open source) like this for Windows: We are building Portmaster, which is a bit less nerdy, but features a "fancy" UI, advanced search and more: https://safing.io/
Edited to add: Linux is also supported, but IMHO this is the wrong target group for that. Not here to draw users from OpenSnitch, as it is great and fits perfectly for its use case. Very nice to have it included in debian. Big win for privacy!
We have all the required data, but not put on a map yet.
You can group connections by country in the meantime to get a feel for where things are going. (You can also group by multiple values for a bit more detail.)
Pretty much. As far as I understood, NDIS was replaced by WFP (Windows Filtering Platform). We built our own driver that uses WFP and as such is on the same level as the Windows firewall itself, meaning we can veto its decisions.
Personally I'm really happy about this. Opensnitch is extremely user friendly in my opinion and while not a silver bullet, can certainly improve security posture.
I would love to keep an eye on outbound traffic at home mostly out of interest at what my corporate laptop is up to. Can I run OpenSnitch on another machine though, and still get information about what my laptop is up to with enough useful detail? I would imagine packet inspection to get URLs only works locally?
At least in 2019, it was possible. The GUI connects to the daemon through a TCP socket, and all info passed through that connection (no direct file access from the GUI). It was possible to set it up with the daemon on one machine, and the GUI on another -- though I vaguely remember having to set up an SSH tunnel so that the connection would come from 127.0.0.1 on the daemon machine (not sure it was needed, but I think that's how I set it up).
Is @evilsocket still actively working on this? I remember him stepping back from the pwnagotchi project to chill out a bit and learn guitar (and it's been fun following his insta and seeing him get really damn good really quickly).
It should perhaps be pointed out that the linked "blog post claiming MacOS X recently started scanning local files and reporting information about them to Apple" is pure BS, FUD.
As has been described in detail on many[1] places[2] on the internet. Apple are NOT spying on you. This is a VLU feature. Otherwise known as "Siri Suggestions".
Don't want the callback to Apple on images, disable "Siri Suggestions". End of story.
The false attempts at linking Siri to the discontinued Apple CSAM is pure BS, FUD.
1) In fact, Apple make this crystal clear if you can be bothered to look into "About Search & Privacy" in System Settings before firing up your blog editor and composing a completely unsubstantiated FUD-fueled rant ....
"About Search & Privacy"
You Have Choice and Control
If you do not want Suggestions from Apple to send your information to Apple, you can disable that option by going to System Settings > Spotlight > Search Results and deselecting Siri Suggestions. You can disable Safari Suggestions in Safari by going to Safari > Settings > Search and deselecting Include Safari Suggestions.
2) In addition, in relation to submitted information, Apple also make it crystal clear that IF you leave the feature enabled the data is not personally identifiable:
Any information sent to Apple does not identify you, and is associated with a 15-minute random, rotating, device-generated identifier. This information may include location, topics of interest (for example, cooking or football), your search queries, suggestions you have selected, apps you use and related device usage data. This information does not include search results that show files or content on your device. If you subscribe to music or video subscription services, the names of these services and the type of subscription may be sent to Apple. Your account name, number and password will not be sent to Apple.
This information is used to process your request and provide more relevant suggestions and search results, and is not linked to your Apple ID, email address or other data Apple may have from your use of other Apple services.
While the article may or may not have been FUD, Apple has in past transferred highly personal data to third parties. Including recording made by an apple watch while having sex.
First time you hear about this? Well, random strangers always rushing in to defend Apple and question the reporters integrity and motives are why we are where we are today...
> random strangers always rushing in to defend Apple and question the reporters integrity and motives
For every "random stranger defending Apple", there are about 100 random strangers rushing in to bash Apple.
Bashing Apple is an age-old bandwagon.
I'm not saying Apple are perfect. Not by any means.
What I am saying is that if you are going to go off on a rant about Apple, make a damn effort to substantiate it by facts. Actual facts, not "something a friend told me", not an "experience of one", not making random unsubstantiated pure-BS extrapolations (e.g. Siri vs CSAM) etc. etc.
Unsubstantiated Apple bashing is not helping anyone. It also makes the Apple basher themselves looks like an idiot when their FUD is easily disproved.
OpenSnitch is a GNU/Linux port of the Little Snitch application firewall - https://news.ycombinator.com/item?id=31876220 - June 2022 (75 comments)
OpenSnitch is a GNU/Linux port of the Little Snitch application firewall - https://news.ycombinator.com/item?id=22206116 - Jan 2020 (131 comments)
OpenSnitch: LittleSnitch clone for Linux - https://news.ycombinator.com/item?id=16566823 - March 2018 (6 comments)
OpenSnitch – A Linux clone of the Little Snitch application firewall - https://news.ycombinator.com/item?id=14245270 - May 2017 (103 comments)