Defeating Little Snitch and thinking about piracy…

I have managed to bypass Little Snitch's 3 hour limit with a one- or two-byte patch (can’t remember and too lazy to check it now) three days after I had access to kernel debugging. A very well designed protection (at least it’s a pain to analyse) was defeated because there was a weak element (there is always at least one weak element) and I easily found it.

I have emailed the Little Snitch company about this and asked if they would allow me to publish details. They replied asking me not to publish my finding because that could hurt their product sales. I will respect their decision (else I wouldn’t have asked for it!) and not publish any details regarding this finding. The only thing I can say is that the weak element is in the kernel driver they install. So have fun doing some kernel debugging. If you manage to bypass it, please don’t publish it, I think they deserve it.

This takes me to something I wanted to write about a long time ago, piracy! Check these posts:

The second link has a lengthy discussion about this subject. Keep in mind that most of it is related to iPhone apps, which have some specifics like the lack of demos, but we can generalize the discussion. There are a few arguments but I think most of them aren’t strong enough, be it in “favour” of piracy or against it. It’s a common mistake to say that a pirated copy is a lost sale because most people wouldn’t even use the program if it wasn’t pirated. Saying piracy allows you to try before you buy is another mistake in most cases (most software has decent demos that allow you to fully evaluate it). Lack of monetary resources and the need to use that specific piece of software could be a better argument. If people start by using pirated software and then buy it, then it seems a good deal. But we all know that humans are greedy and most will not do this because that would mean less money in the pocket. There are companies with terrible support and not buying their software is a way to tell them something is wrong…

I don’t think there is a consensus on the effects of piracy. Most studies are from the side that has an interest in reducing piracy and so they are skewed in favour of their arguments. Just look at the RIAA/MPAA bullshit!

I know the warez world very well. Most people there don’t have an economic purpose, meaning to earn money with it. Most do it because they can, because it’s fun and because you learn lots of things. Groups release because it’s a competition to see who can spit out more stuff, who can win the title of best and most respected group. This is the side I identify with. I do it for fun and for learning. Publishing details has a side effect, but the discussion of full disclosure is a long one. The benefits of full disclosure are bigger than its costs.

What to do with the information I publish here is a personal choice. But it’s a big mistake to think that censorship will remove the problem. Years ago, before the Internet, information was a privilege of a few; today it’s available to everyone. You can’t stop the information flow and that’s why I think full disclosure is better than no disclosure. Copy protections can be beaten with more or less effort. Years ago, stack overflows were easy to profit from. Today technology has advanced (because there was a big incentive for it) and exploit coding is a much harder task. I hope this blog can make a small contribution to advances in Mac OS X copyright protections. Piracy is a side effect I can live with. Someone else out there can do it, I’m not the only one with such knowledge. Again, it’s a personal choice.

Conclusion: buy Little Snitch or other software if you really use it, can afford to buy it and the company/author supports the product!

6 thoughts on “Defeating Little Snitch and thinking about piracy…”

  1. Yep, I bought it a long time ago already. 🙂
    Funny you wrote them and did not disclose the info. I just hope it's nothing security-related since I think on that level it could be easy to get around the firewall mechanism? ^^

    1. I haven’t checked its security. If you can run code as root then you can bypass its protection (inject a kernel module or remove the socket filter implemented by it). This can be easily done by programs that ask for r00t permissions 😉

      From userspace it might be possible if there are any security holes in the lsd daemon (this one runs as root!). Since it’s possible to communicate from userspace to lsd you might be able to do it. For example, you could inject Little Snitch exceptions into the rules from another program. But that requires understanding how the LS user programs communicate with the lsd daemon. I know it’s via IPC mechanisms but I haven’t explored much further (this was one of my ideas to crack LS).

      It might be an interesting project for the future 🙂

  2. It is funny that you discuss Little Snitch

    I am an RE beginner, and I was about to try to bypass their protection.
    Disassembling the preferences was looking promising to me (see the Beginner 😉 )
    But I was unable to attach to any of their processes (GDB crashes); while looking for clues I hit your site again (which is the one I hit in the first place looking for an RE tutorial on OS X 🙂
    So there may be millions of sites out there but when you look for experts… 😉 all roads lead to Rome 🙂 Aka here
    So thanks again for offering this wonderful site to the community

    1. Thanks 🙂

      Little Snitch is pretty advanced and has a well thought-out protection system.
      To play around with gdb you need to bypass the KAUTH framework. One way is to patch the kernel 🙂
