This comment seems a bit confused. A supply chain attack doesn't directly attack...

emmelaich · 2026-04-09T02:00:19 1775700019

They don't build their own machines or write their compilers or write their own crpyto code or ... so many other things.

lapcat · 2026-04-09T02:24:10 1775701450

> They don't build their own machines or write their compilers or write their own crpyto code or ... so many other things.

An attack on any of these things has nothing specifically to do with the developers of Little Snitch and would have vastly more widespread and important effects.

Why would you even be talking about Little Snitch if a compiler were compromised?!? Your paranoia here is bizarrely narrow. Little Snitch would be the least of our problems in that case.

emmelaich · 2026-04-09T04:01:09 1775707269

Their copy of the compiler. Just an example. ¯\_(ツ)_/¯

lapcat · 2026-04-09T10:10:59 1775729459

> Their copy of the compiler.

This doesn't even make sense. You have no examples.

LamaOfRuin · 2026-04-09T02:20:35 1775701235

That seems... not correct?

The comment was asking about preventing a compromised supplier for the developers.

A supply chain attack can be anywhere in the supply chain to the target. If I, the end user, am the target, then a supply chain attack compromising the developer of LittleSnitch is effective.

I may then be a conduit to compromising other software or components, and would both I and LittleSnitch would be part of the supply chain that could be attacked targeting them.

lapcat · 2026-04-09T02:35:26 1775702126

> If I, the end user, am the target

You're not a target, anonymous rando.

microtonal · 2026-04-09T06:24:24 1775715864

Many supply chain attacks aim to run malware on the end-users machine to harvest authentication tokens, etc. So pretty much everyone here who is a developer is the target.

lapcat · 2026-04-09T10:12:06 1775729526

> So pretty much everyone here who is a developer is the target.

Are you going to have this same discussion about every piece of software every mentioned on Hacker News? Why are we having it for Little Snitch specifically?

hsbauauvhabzb · 2026-04-09T01:29:08 1775698148

This seems pedantic and I think you know what they’re questioning and why.

lapcat · 2026-04-09T01:35:50 1775698550

> I think you know what they’re questioning and why.

No, not really. And I disagree with the premise, "They must be a target for the various hacking groups out there."

How would you even hack them? I'm a developer too; how would you hack me?

heartbreak · 2026-04-09T01:47:02 1775699222

Options range from carefully targeted phishing or social engineering attacks to poor opsec and a five dollar wrench.

lapcat · 2026-04-09T02:16:04 1775700964

> a five dollar wrench.

I'm not even going to respond to this ridiculousness.

I still don't know why anyone thinks that, among all developers in the world, a little indie Mac developer is getting targeted specifically.

emmelaich · 2026-04-09T04:03:41 1775707421

Some targets are more valuable than others. A firewall product has obvious security value. The fact that it requires high privilege is another reason.

I have the same thoughts about other Mac apps. e.g. iTerm2 - cause they "see" so much sensitive data.

lapcat · 2026-04-09T10:12:43 1775729563

> I have the same thoughts about other Mac apps. e.g. iTerm2

You need to take a chill pill.

hsbauauvhabzb · 2026-04-09T10:59:45 1775732385

Yeah just yolo install whatever, it’s not like applications or libraries such as axios which have a decade of trusted history would all of a sudden become malicious and do nasty things to developer machines, just chill, everything’s fine.

lapcat · 2026-04-09T11:27:23 1775734043

> Yeah just yolo install whatever

That's not even remotely what I said.

> it’s not like applications or libraries such as axios

iTerm doesn't use NPM. Little Snitch doesn't use NPM. I don't use NPM.

hsbauauvhabzb · 2026-04-09T11:52:29 1775735549

[flagged]

tomhow · 2026-04-09T14:06:29 1775743589

WTF? This is not an acceptable comment on HN, no matter who or what you're replying to. This style of commenting is not what this site is for, and destroys what it is for.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.

heartbreak · 2026-04-09T11:12:50 1775733170

> I'm not even going to respond to this ridiculousness.

Why is it ridiculous? If you have electronic access to something of value and broadcast that fact on the internet, you’re at risk of a physical attack. That’s not controversial? Companies make employees do training about this for a reason.

lapcat · 2026-04-09T11:40:56 1775734856

> If you have electronic access to something of value and broadcast that fact on the internet, you’re at risk of a physical attack. That’s not controversial? Companies make employees do training about this for a reason.

You're talking as if all all "value" and all "risk" is equal, when they're definitely not. You can't equate a megacorporation with a little indie developer. Nobody cares about the latter.

I am a software developer, and I broadcast that fact on the internet. But nobody is coming to Wisconsin to hit me on the head with a wrench. That's just a silly paranoid fantasy.

If anyone hits me on the head with a wrench, it would be not be a nation-state but rather a two-bit local mugger who has no idea who I am and just wants cash from my wallet. I live in a pretty safe area though.

balamatom · 2026-04-09T12:44:05 1775738645

Nobody that you know of.

hsbauauvhabzb · 2026-04-09T10:57:24 1775732244

The same people who targeted the open source uncommercial library axios *last week*?

Access to little snitch would be worth millions to the right party.

lapcat · 2026-04-09T11:30:16 1775734216

>> I still don't know why anyone thinks that, among all developers in the world, a little indie Mac developer is getting targeted specifically.

> The same people who targeted the open source uncommercial library axios last week?

axios is an NPM package. Little Snitch doesn't use NPM. Thus, these people must be pretty damn incompetent if they were trying to target Little Snitch.

> Access to little snitch would be worth millions to the right party.

This is a bold claim with no evidence. I don't think it's true.

hsbauauvhabzb · 2026-04-09T11:54:31 1775735671

Shell (and probably root) access to tens of thousands of development machines wouldn’t be worth millions to the right party?

emmelaich · 2026-04-09T02:01:47 1775700107

?! The same way every other developer that has been hacked. You surely cannot be suggesting you're un-hackable. That seems ludicrously hubristic.

lapcat · 2026-04-09T02:15:21 1775700921

> The same way every other developer that has been hacked.

There's not one single way, so, no, you're just hand-waving here.

emmelaich · 2026-04-09T04:01:47 1775707307

Just saying developers have been hacked. Underrated existence proof.

lapcat · 2026-04-09T10:13:34 1775729614

> Just saying developers have been hacked.

So are you going to have this same discussion in every HN submission that mentions any piece of software?

hsbauauvhabzb · 2026-04-09T10:48:20 1775731700

What software do you actually develop? You clearly don’t give a shit about your users and I want to make sure I’m not using your software .

BoredPositron · 2026-04-09T01:44:19 1775699059

If they trust the devs why would they not trust them to not yolo deploy new versions?

hsbauauvhabzb · 2026-04-09T02:14:40 1775700880

Because it might not be the developers doing the deploying, but a malicious actor?

dylan604 · 2026-04-09T01:53:21 1775699601

because a company worthy of trust doesn't yolo their versions. a company that does yolo versions is not trustworthy.