
Comment by lapcat

8 days ago

> I think the type of users it attracts (techies, crypto ppl, etc) makes it worth more too.

No, this by itself doesn't make Little Snitch or any business worth $50M. You're dreaming. That's a crazy valuation.

Various intelligence agencies are willing to pay 2-3M for a working exploit for iPhone or Android. I think that they would be fine with paying 50M for a userbase that has a high population of devs, admins, etc. Being able to backdoor someone like this in the right organization down the line is probably worth 50M.

  • > Various intelligence agencies are willing to pay 2-3M for a working exploit for iPhone or Android.

    Little Snitch is not a working exploit for iPhone or Android.

    > I think that they would be fine with paying 50M for a userbase that has a high population of devs, admins, etc. Being able to backdoor someone like this in the right organization down the line is probably worth 50M.

    No, sorry, this is absurd. A ton of products have a high population of devs, admins, etc. These are not getting acquired by intelligence agencies. Give me one example. There's nothing inherently valuable about this population.

    Who is a Little Snitch customer worth 50M to attack? Name them.

Depends on the target and what you can get. Think about Bartender, an app requiring an insanely high level of trust and permissions, which was quietly sold.

If you know of someone specific you want to target who uses it, the investment could pay off.

For example, we know from your blog posts that you use Little Snitch. Someone who wanted to target you might do a lot to spy on you by buying Little Snitch, probably.

Think of your own apps, too. I don’t think you’d do the same as Ben Surtees did and sell everything in secret, but then again I don’t personally know you. You may have a price that I’m not aware of. For that reason alone, even as I trust the current code is not nefarious, I can never give StopTheMadness access to every website and can only use it selectively, which is inconvenient.

  • > Depends on the target and what you can get. Think about Bartender,

    As I said in another comment, Bartender had no target! It was not an attack. An app was sold by one developer to another developer. End of story.

    > If you know of someone specific you want to target who uses it

    But you don't. And you don't in the case of Little Snitch either.

    You can dream up a bunch of absurd hypothetical scenarios, but they are not the reality.

    > Someone who wanted to target you

    Nobody wants to target me. Nobody cares about me. I am insignificant.

    • > Bartender had no target! It was not an attack.

      The point is that it shows it can happen. You’re a browser extension developer, surely you know how often it happens that developers of popular extensions are approached by shady businesses and sometimes do even sell.

      > You can dream up a bunch of absurd hypothetical scenarios, but they are not the reality.

      As someone else has pointed out to you, not hypothetical.

      https://news.ycombinator.com/item?id=47699068

      > Nobody wants to target me. Nobody cares about me. I am insignificant.

      You give yourself too little credit. I know of several developers and other people with influence who use your extensions with complete trust. Compromising you means compromising them, which means compromising even more people. Jia Tan has aptly demonstrated you don’t need to directly attack your final target, only a link in the chain, even if it looks insignificant.


Yes, the number is silly. But that makes the danger even more relevant. They could really get it for a couple million to a couple of people, and double or triple that payment (or stretch it out over a long period) to make sure everybody knows to shut up about it.

(Taking this reply as an excuse to write a concurring rant...)

Also, once you've compromised somebody's integrity and got them on the payroll, why not use them for other things? They can join other projects, they can sit on foundation boards, they can become tech media personalities, etc., etc....

There's nothing tinfoil about this. It's cheap and easy. You could subvert every open source project in the world for less than the cost of one fancy plane, or a few fancy missiles. The CIA went in on a crypto company, got it to weaken everyone's crypto, and likely killed the son who inherited it from the previous owner. "Nation-state buying Little Snitch" is not some crazy fantasy, it's a mundane scenario (I'm sounding like an LLM today, I think.) Even though OpenSnitch could be compromised even more cheaply, they show all their code.

Also, aggressors don't just use carrots, they use sticks. The Altman sister stuff for example (true or not, works even better if it's true) certainly seems like a stick. Top of the world, then suddenly a jury (easily subverted by a state) puts you in prison or takes away control of your company, and now you're killed (or "kill yourself") in prison or otherwise. Now your widower and your sister own the company, and they say yes to everything. If my multi-billionaire brother molested me, you'd never hear about it because he would have trivially given me enough money to forget about it and him. I wouldn't be filing any lawsuit. Makes me suspect that he's being resistant to something.