Vincent Danen describes the privacy-protecting software called Little Snitch for Mac OS X, which helps you keep track of outgoing connections and includes a network monitor.
Everyone knows the value of a good firewall. Firewalls are a first line of defense against malicious people who will attempt to hijack a computer for their own nefarious needs. Firewalls are by no means a silver bullet, but they are one of many tools to protect networks and individual systems. Running a computer or network without a good firewall these days is more than just foolish — it is plain old negligent.
So unsolicited connections coming at the computer are covered, but what about the other way around? Outbound connections can be just as problematic, particularly when viruses, trojans, and other malware abound. You can download some malware yourself, which gets it in past the firewall, and accidentally run it. The firewall won't protect you from a rogue process connecting to a remote machine when the connection is originating from your own system. If a connection is established from the inside heading out, most firewalls will assume it is a legitimate connection. It won't be able to distinguish whether the connection is from Safari, an email client, or a piece of malware.
Luckily, OS X users can use a program called Little Snitch to inform them of outgoing connections. Little Snitch is not free software but the $30 USD it costs is a small price to pay for the security and confidence Little Snitch provides.
Little Snitch comes with a very restrictive default set of rules. Almost everything on the system will be unknown, so as you use your applications, Little Snitch popups will occur. When they do, you are given a choice of allowing the outbound connection: you can allow the program to establish one connection until the program terminates; allow it forever; or deny it. You can also get specific: allow any connection the program makes; allow it to the specific port it is attempting to connect to; allow blanket connections to the host it is attempting to connect to; or only allow to the specific host and port.
This kind of flexibility is wonderful. For instance, if you are uncomfortable with a program "phoning home," you can deny all connections to the program's Web site, but allow connections to every other host. As new programs are installed, Little Snitch checks with you first as to whether the connection should be allowed or not. If you start seeing connection attempts from a program you do not recognize, however, then it's time to pay attention to what Little Snitch is telling you. There is a Show Details link in the popup that you can click to see exactly what is happening. This information is invaluable in determining what is going on if you don't recognize the software trying to make a connection, or if a popup appears when you're doing something completely different (i.e., the connection comes from a program you did not launch yourself). The information provided includes the IP address (if the connection is to a hostname), the reverse DNS name, the full path of the program attempting to establish the connection, as well as the program's process ID and its running user ID, as in Figure A.
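To make the rule model described in the two paragraphs above concrete, here is an added example (not Little Snitch's own code) of a small per-process outbound policy: rules are scoped to any host/port, a port, a host, or a host-and-port pair, live either until the program quits or forever, and, where several rules match, the most specific one wins, which is an assumption made so that a host-specific deny can override a process-wide allow as in the "phoning home" case. The program path, hosts, PIDs and UIDs are constructed sample values.

```python
"""Per-process outbound connection rules of the kind described above.

Added illustrative example, not Little Snitch's own code.  Assumptions:
rule shapes are any / port / host / host+port, a rule lives either until
the program quits or forever, and where several rules match the most
specific one wins (so a host-specific deny overrides a process-wide
allow).  All sample programs, hosts and attempts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

UNTIL_QUIT = "until_quit"
FOREVER = "forever"


@dataclass(frozen=True)
class Attempt:
    """An outbound connection attempt and the details shown to the user."""
    process: str   # full path of the program making the connection
    pid: int
    uid: int
    host: str      # remote host name or address
    port: int


@dataclass(frozen=True)
class Rule:
    process: str
    allow: bool
    host: Optional[str] = None   # None matches any host
    port: Optional[int] = None   # None matches any port
    lifetime: str = FOREVER

    def matches(self, a: Attempt) -> bool:
        return (a.process == self.process
                and (self.host is None or self.host == a.host)
                and (self.port is None or self.port == a.port))

    def specificity(self) -> int:
        # host+port (3) > host only (2) > port only (1) > process-wide (0)
        return (2 if self.host is not None else 0) + (1 if self.port is not None else 0)


class OutboundPolicy:
    """Holds the rules and answers allow / deny / ask for each attempt."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def decide(self, a: Attempt) -> Optional[bool]:
        """True = allow, False = deny, None = no rule yet, so ask the user."""
        matching = [r for r in self.rules if r.matches(a)]
        if not matching:
            return None
        return max(matching, key=Rule.specificity).allow

    def process_quit(self, process: str) -> None:
        """Drop 'until quit' rules when the program terminates."""
        self.rules = [r for r in self.rules
                      if not (r.process == process and r.lifetime == UNTIL_QUIT)]


def details(a: Attempt) -> Dict[str, object]:
    """The 'Show Details' view: what a user needs to judge an unknown attempt."""
    return {"program": a.process, "pid": a.pid, "uid": a.uid,
            "remote": f"{a.host}:{a.port}"}


if __name__ == "__main__":
    policy = OutboundPolicy()
    app = "/Applications/Example.app/Contents/MacOS/Example"   # constructed path
    # "Phoning home" case from the text: deny the vendor's site, allow everything else.
    policy.add(Rule(app, allow=True))
    policy.add(Rule(app, allow=False, host="home.example.com"))
    for attempt in (Attempt(app, 512, 501, "home.example.com", 443),
                    Attempt(app, 512, 501, "mail.example.net", 993),
                    Attempt("/tmp/unknown", 777, 501, "203.0.113.9", 6667)):
        verdict = policy.decide(attempt)
        label = "ASK  " if verdict is None else ("allow" if verdict else "deny ")
        print(label, details(attempt))
```

Running the block prints a deny for the vendor host, an allow for the mail server, and an ASK for the unknown binary, which is the point at which a user would read the details before choosing a rule.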
Little Snitch is an invaluable piece of software. It is one of the first programs I install when setting up a new computer or upgrading to a new version of OS X. Even the Network Monitor that it provides (viewable via the menu bar icon) is useful, as it shows in real-time what applications are making connections and to where. The rule editor is easy to use and gives an overview of what rules are in place, and even tells you if rules exist for programs that are no longer installed.
All told, Little Snitch is probably one of the most vital pieces of software on my computer. I would not want to run OS X without it.
Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.