So this is something I'm not sure I've ever said before, but if you work for Kite, you need to quit.
Like, I get working for even exploitative companies (though I won't)--economic insecurity is definitely a thing and we all gotta eat. But you can find a job that doesn't involve literally spying on the down-low. I promise you, you can.
Abandon these jerks before they bring you down with them. They've demonstrated a willingness to screw people and even if you don't really care about them screwing other people, they'll screw you too.
Kite is a small fish in the pond... everyone working for FB and Google should be ashamed of themselves for working spy machines. I mean it. It sounds harsh but that's the way it is. But I guess money trumps morals.
Of course it is! But "don't be a shithead" is a moral imperative that you need to uphold over your investors leaning on you. I mean, not being a shithead won't get your chief growth hacker's blog all hype, but words fail me (and they rarely fail me) when I try to express how little I care about that.
That's also why I didn't try to say that the founders or the executive team should be better. I'm talking about the people who those founders and executives use to do bad shit and who they will screw whenever it makes a tiny bit of business sense to do so.
Plenty of people work for literal sociopaths. It's rare that you can just point and go "...duh?" about it, though.
This seems incredibly overblown. According to the diff, all they were collecting is time spent editing certain file extensions, along with a list of installed packages:
They're trying to figure out what languages people are actually editing on a day-to-day basis, and people here are calling for them to leave the company? Like, really?
People have been whipped up into a frenzy for data that a webapp wouldn't blink twice at collecting. But when it's installed locally it's somehow different than if we load a webapp in a browser?
I agree with you in principle, but it seems like people here didn't actually look at what was being collected. They just saw "data collection" and went absolutely nuts.
Yeah, collecting installed package names isn't really great, but it's pretty harmless, right? It's a stupid decision, but people seem to be looking for reasons to get upset.
They're not collecting filenames, and they take the sha1 hash of whatever could be personally identifiable. Why is any of this bad, or a violation of trust? They even say right in the readme that they're doing it and how to opt out: https://github.com/SideBarEnhancements-org/SideBarEnhancemen...
If they made it opt-in, no one would opt-in. I understand it's a slippery slope, but is this reaction appropriate?
1) Principle is what matters. This behavior is utterly and completely indefensible; screwing with people's private code for your whatever-nobody-cares startup is absolutely unacceptable at any level. I don't care how big your Series A round was or who your investors are, you just don't do it and you don't hide it and you don't lie about "forgetting" about it (and it should be considered a lie until proven otherwise because after the last couple weeks Adam Smith could fit in some Baghdad Bob photoshops).
2) Collecting non-bundled package names is another way to phrase "exfiltrating competitors' upcoming products." That by itself is sufficient evidence for me to want some heads.
Collecting file extensions bucketed by time plus a list of installed package names is spying on you?
I doubt they even thought of the competitor angle. I wouldn't have. Startups don't win by worrying what every new company is doing.
It wasn't a smart decision, but you're acting like they are uploading your entire source code tree. (I think someone even claimed that they were doing this at one point but was later shown to be mistaken.)
Man--I like you and I think you are a pretty awesome poster, so I'd like to go through an experiment with you. Upload the filenames of everything you've put through your editor in the last nine months. Pastebin it for me right now (and I say pastebin because I sure have no idea how secure Kite's stuff is so we're gonna be assuming that it's not, yeah?). The request is totally insane, right? Even beyond the pure principle of it, if you did that for half a dozen developers we'll find something you really don't want me to know about, be it business or personal. (Ever use, say, org-mode or vimwiki?)
I'm willing to be strident because heads on pikes are how you ensure this is not repeated in an amplified way. Kite might be dopey, stupid, careless, and mean instead of actively malicious. Doesn't matter. The next one will be if clear lines are not drawn.
Your posts are pretty good too! I completely agree that collecting filenames would be a blatant breach of trust. If they were doing that, I'd be the first one labeling the company as evil. But my hangup is that they didn't actually do that, and what they did do seems benign.
The thing is, market forces are pretty good at settling these issues. It's an open-source plugin, so everyone can see what they're doing. If they start being naughty, people can uninstall and switch to something else. But why are we punishing them before they did anything serious, along with locking down the ability of anyone else to ever collect any kind of usage data about their plugins? Even something harmless like "time spent trying to figure out the options screen"?
I hope it doesn't seem like I'm trying to defend spyware here. Collecting metrics about your product is the first step toward improving it. The motive seems like a positive one, not a negative greedy one.
"Yeah, we broke into your house and rummaged through your stuff, but it's okay, we were only there to count how many spoons you had.
Yes, I know, we could've asked you before we broke into your house, but we tried that before, and for some reasons we had no takers. And it was really important to our researchers that we get a good idea about the number of spoons!"
Collecting any data without request is unacceptable, and unlawful.
In fact, it might violate more than a dozen of laws in the EU.
This is a general matter of principle. You do not get to access anything that is mine without approval.
If no one opts in, that's your problem, and you need to rethink your business model - and not break into users systems and steal their data. This is malware.
I'll agree with you if you explain this: Why is it ok for a website to do it, but not ok for an editor plugin to do it? Just because the content is streamed from a server? That's a rather convenient distinction.
I don't endorse Kite's behavior, but our reaction here is so far over the top that it seems like normal onlookers will start to take us less seriously. We're talking about violations of law and data theft over answering the question "Which language are you editing today?"
Zero tolerance is a rejection of "Let the punishment fit the crime."
It's not okay for websites to do this, and any website doing this from May 2018 on will end up fined hundreds of thousands of dollars every time they do this.
The European General Data Protection Regulation [1] is coming, and everyone that doesn't comply with it will have more than just a little problem.
No site or program is allowed to track or store anything about me, to transmit anything to a third party, or to even connect to a third party without my explicit authorization, and I have to be able to opt out of it all, and still be able to use it.
This is a simple moral principle of consent. You don't get to access anything that is mine without my explicit consent.
I don't know anything about the regulation and just skimmed the Wikipedia article for a minute, but isn't this regulation unenforceable in practice? If I have a website, how am I supposed to know if a visitor is a citizen of the EU? If my company operates outside of the EU, the EU has no jurisdiction.
> Zero tolerance is a rejection of "Let the punishment fit the crime."
It should be said, though, as a counterpoint, that said principle always takes into account repeated offenses (recidivism), and they are at strike 3 or something.
What they should be worried about is Kyllo v. United States[1]. When data collection is sufficiently normalized such that the general public no longer expects privacy, it crosses the bright line that currently makes police using the same type of data collection technology a search that requires a warrant.
If it becomes commonplace for text editors to spy on some types of (meta)data, the police may not need a warrant to gather the same type of data, even if you do not use a "common" editor.
I think that there is a clique on HN (which I am a part of) that values their privacy and security and that is more vocal and aware than the average user. Also, in the webapp example I think keeping private source code and software private is much more important than your pictures / (micro)blog.
Yes, the reaction is appropriate. You seem to agree that this is malicious action, so your position is kind of hazy.
> People have been whipped up into a frenzy for data that a webapp wouldn't blink twice at collecting. But when it's installed locally it's somehow different than if we load a webapp in a browser?
Well, yes. But it's even worse than that. This code was submarined into an unrelated open source tool and sent the data to a company with which the user had no relationship whatsoever. That's a little different from Google keeping track of how often I log into GMail, isn't it?
Even the README you linked to (probably not seen by many users) seems intentionally misleading, as it is careful not to state to whom the metrics are sent, leaving the reader with the impression that they are being sent to the project maintainer and not to Kite, Inc.
This is an important point, and it's one I overlooked. I've never used SideBarEnhancement. I assumed users knew it was related to Kite. If `urlopen('http://52.52.168.91/status', json_body)` is the only indication where the data is sent, then that's unacceptably vague.
I suppose it's best for Sublime to force plugins to be opt-in for data collection, but as someone who wishes devtools were better, it's unfortunate a few groups with terrible PR skills are ruining it for everyone. It didn't need to turn out this way. They just needed to be open about what they were doing. They weren't even collecting anything to warrant being sneaky.
> I've never used SideBarEnhancement. I assumed users knew it was related to Kite.
Considering how many posts you've made in this thread defending Kite, this seems like a major gap in your understanding. A simple ctrl-F of both the Github README and the PackageControl page shows no mention of Kite.
True, though all the code was doing was collecting a list of installed packages and a list of file extensions you've edited. Judging by the reactions here, you'd think they were uploading your entire ~/ directory.
I'm curious how Kite got the telemetry into that extension if it's unaffiliated. https://github.com/titoBouzout seems like a fairly standard github account, though it's strange he had no commits for six months until this incident.
/u/michael0x2a on Reddit put together a nice tl;dr[1] of the story arc for those that don't want to dig through the thread.
tl;dr for that is basically:
Kite has been collecting "anonymous" data from Sublime users with the SideBarEnhancements plugin installed. This has been happening for at least a year and the data collected included activeNonBundledPackageNames which is basically a list of packages installed via Package Control.
It seems they were intentionally unclear about who the data was sent to and did not think to remove it from the plugin after the Atom Minimap incident because:
What precisely is Kite collecting in this case? Ideally backed by a link to a github repo proving that they're collecting whatever people are saying they're collecting.
That class seems to be collecting time spent, identified by the variable `name`. But it's not immediately obvious what `name` is being set to. If it's set to a full file system path, then I agree it's a breach of trust. But if it's something generic like 'options screen' then clearly they're just trying to improve their product.
People here seem to be losing their minds over this, so I'm trying to figure out whether it's justified or if it's another game of telephone.
Am I misreading this, or is everyone losing their minds over collecting how much time was spent editing certain file extensions? The only thing that seems to be remotely dubious is "activeNonBundledPackageNames", and that doesn't seem sensitive.
It uses a machine-specific identifier (MAC address), making it traceable across the public IPs sending data, with some resolution due to the hourly pings. That could be valuable in the right/wrong scenarios, although there are tons of other things recording data like that of course (websites).
They apparently paid the author (Tito) to add it in. Originally he had pulled all of his packages from the default channel because he was unhappy that we require semver for all new packages (to allow newer features to work). After a bunch of users complained, he added SideBarEnhancements back (his most popular package), but apparently at some point later Kite paid him to add tracking code to it.
If an addon maintainer was successfully bribed to add something like this to their addon, that maintainer should probably be banned from the ecosystem along with everything Kite touches.
Kite is the primary corrupting force here, but the people who keep taking money to screw over their userbase need to be punished as well.
Sublime, Atom, and VSCode all need to step up right now and make it clear that this kind of behavior is 100% unacceptable.
Edit:
Allowing this addon straight back into the Sublime ecosystem reflects extremely poorly on them as well.
Please see https://forum.sublimetext.com/t/rfc-default-package-control-... for the reason that SideBarEnhancements was re-added. In this case not re-adding it would lead to continued tracking of users, which seems to me would be the more negligent action on my part.
I'm not sure how Package Control handles removals of packages but if they are left installed in sublime then this was probably the best move.
If the package was left "orphaned" in the editor the telemetry would remain, but I'm pretty sure PC updates packages automatically by default so pushing an update without it makes sure the code is removed for most users.
I hate that we're even talking about your company and that we have to because it's a bad actor that's hurting people. Talking about what you're doing, even condemning this ratshit behavior most strongly, kind of empowers your company, and your company doesn't deserve press--even bad press. Kite deserves the equivalent of an unmarked grave.
So what's going on with the data collection? Do you still control the IP the system reports back to, or are users reporting their details to somebody else? Are you still using data arriving there?
I'd implement an industry-wide blacklist, personally. This is strike number two? three? of this company subverting well-known packages with telemetry. Any package that is proven to be connecting to their servers should be removed, the authors should be banned, and the company should be thrown onto a list of Known Bad Actors to prevent any kind of package, add-on, or extension from ever accepting them again.
You cannot fight this kind of malevolence with a finger-wag and a proposed solution that you simply inform the user next time before doing it. It will become buried inside the ToS and become ignored and commonplace. Stop it now and forever, while the spotlight is on it.
Seriously. Sublime, Atom, VSCode, and every other platform that supports plugins should all be in crisis mode over the crap Kite's been caught doing.
If we can't trust that an addon we installed yesterday is safe today, their platforms just turned into gigantic malware vectors that are totally wide open.
This kind of exploitation needs to be stopped immediately.
I work on VSCode. We are aware of the possibility of bad plugins or even good plugins that go bad. The real nightmare scenario would be what's happened with some Chrome plugins, where a widely used plugin is either co-opted or bought out and becomes malicious (even worse if it disguises its maliciousness).
All of these package ecosystems are similar to NPM in that they are built on trust and community policing. This is not enough. One possible way forward is to move towards a security model more like iOS's or Android's where apps need to explicitly get the user's permission before performing potentially dangerous operations like making network requests.
I'd be interested to hear how other platforms have tried tackling these sorts of concerns.
Explicitly asking the user before a plugin can make a network request would be great! I don't know what "sidebar enhancements" is/was, but it doesn't sound like that would need network access.
My concern would be that throwing internet connection under a consent flag may stop some shady apps, but the rest will just invent a bogus reason for why they need to connect: "We need to connect to the internet to check for updates!" How many Android apps have requested access to your Contacts, and waived the harvesting concerns away by saying it only needs to see your Contacts so that it can more easily pair you with your friends? Nevermind that they're also uploading the entire contact list to their servers...
Without an easy way to know who the package is connecting to, it only instills a false sense of security.
This has definitely always been a concern among certain users of the Package Control community. Since the Sublime Text Python environment is run as the user, without a sandbox, it is possible a rogue package would upload all of your data somewhere.
So far we've operated under a model of requiring the end user to trust the package developer, which isn't going to be the case 100% of the time. We are set up in such a way that the connection is required to be secure to prevent hijacking the connection and replacing packages with hacked versions. But if the package developer is choosing to add code, that is more of a policy issue than a technology issue.
I agree, completely. It is a policy issue. For that reason, I am imploring the maintainers of packaging communities like Sublime Text, pip, CPAN, etc. to put forth a firm stance in their policy that says No, we will not tolerate this, period. If you don't, it sends the message that this sort of scummy behavior is acceptable so long as you disclose it. I don't think that's okay, I don't think any sane end-user thinks that's okay. What little defense of this I've seen inevitably comes from other developers, who invariably have monetization in the back of their minds.
/sarcasm Really looking forward to reading the Kite blog post this time around: "Staying Open (Still): Kite Responds To the SideBarEnhancements Issue." /sarcasm
Sorry Kite - fool us once, shame on you. Fool us twice, shame on us. There's now a 0% chance of my ever using your products or services.
Kite is plainly a bad actor. Sublime and GitHub/Atom should be taking steps to permanently remove them and the things they're infecting from their respective ecosystems
We now know of 3 different popular addons they've hijacked in various ways to snoop on code and to build up their business.
If one company is doing this, it makes me very concerned what else is going on, and what else is coming.
The sad thing is that this has been out for 9 months. If Kite was looking for stats to help inform their product development they already got all the data they need.
They're also obscuring who this log data is being sent to by just posting JSON to an EC2 IP address (52.52.168.91). The server tries hard to not let you know it belongs to Kite. You know someone is ashamed of what they're doing when they take efforts to mask who's doing it.
Or maybe any plain IP address... Or the more solid precaution may be to interpose on the Sublime-supplied network interface API and give people a log of which packages are accessing the network and what addresses.
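A defender-side way to get the per-package view of network access the comment above asks for, as an added example that is not part of this thread or of Package Control: a static scan of Sublime's loose `Packages/` directory and zipped `Installed Packages/*.sublime-package` files for network call sites and the host literals next to them. The `SampleStats` package, its `Stats.py` and the 192.0.2.10 address are constructed for the demo (RFC 5737 documentation range), not values from the incident.

```python
import os
import re
import tempfile
import zipfile

# Call sites that can open a network connection from a Sublime plugin; plugins
# run in Sublime's own Python interpreter as the user, with no sandbox.
NET_CALL_RE = re.compile(
    r"\b(?:urlopen|urllib\.request|urllib2|requests\.(?:get|post|put)"
    r"|socket\.socket|http\.client|httplib)\b"
)
# Literal URLs and dotted-quad IPs: these show who the package talks to.
HOST_RE = re.compile(r"https?://[^\s'\"<>]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_source(package, path, text):
    """Return one finding per line that holds a network call or a host literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        calls = NET_CALL_RE.findall(line)
        hosts = HOST_RE.findall(line)
        if calls or hosts:
            findings.append({"package": package, "file": path,
                             "line": lineno, "calls": calls, "hosts": hosts})
    return findings


def scan_packages_dir(packages_dir):
    """Scan loose packages under <Sublime data dir>/Packages/<PackageName>/."""
    findings = []
    for package in sorted(os.listdir(packages_dir)):
        root = os.path.join(packages_dir, package)
        if not os.path.isdir(root):
            continue
        for dirpath, _, files in os.walk(root):
            for name in files:
                if not name.endswith(".py"):
                    continue
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    rel = os.path.relpath(full, root)
                    findings += scan_source(package, rel, fh.read())
    return findings


def scan_installed_packages_dir(installed_dir):
    """Scan zipped packages under <Sublime data dir>/Installed Packages/."""
    findings = []
    for name in sorted(os.listdir(installed_dir)):
        if not name.endswith(".sublime-package"):
            continue
        package = name[:-len(".sublime-package")]
        with zipfile.ZipFile(os.path.join(installed_dir, name)) as zf:
            for member in zf.namelist():
                if member.endswith(".py"):
                    text = zf.read(member).decode("utf-8", errors="replace")
                    findings += scan_source(package, member, text)
    return findings


def hosts_by_package(findings):
    """Map each package with network code to the set of host literals found."""
    out = {}
    for f in findings:
        out.setdefault(f["package"], set()).update(f["hosts"])
    return out


def demo():
    """Constructed sample: one loose package that phones home, one clean zipped package."""
    base = tempfile.mkdtemp()
    pkgs = os.path.join(base, "Packages")
    inst = os.path.join(base, "Installed Packages")
    os.makedirs(os.path.join(pkgs, "SampleStats"))
    os.makedirs(inst)
    with open(os.path.join(pkgs, "SampleStats", "Stats.py"), "w") as fh:
        fh.write("from urllib.request import urlopen\n"
                 "def ping(body):\n"
                 "    urlopen('http://192.0.2.10/status', body)\n")
    with zipfile.ZipFile(os.path.join(inst, "CleanPkg.sublime-package"), "w") as zf:
        zf.writestr("plugin.py", "import sublime\n")
    return hosts_by_package(scan_packages_dir(pkgs) + scan_installed_packages_dir(inst))


if __name__ == "__main__":
    for package, hosts in demo().items():
        print(package, sorted(hosts))
```

Pointing the two scan functions at a real Sublime data directory lists every package with network code and the hosts it names; a package like a sidebar helper showing up with an IP literal is the thing to look at.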
Deeply concerning that this has been in place for "the better part of a year", and that they "didn't remember" about their telemetry collection - how careless have they been with the actual data, if they don't even claim to be able to keep track of gathering it?
This is a complete destruction of their narrative from last week. They'll be sorry for being caught - again - and we'll have to be on continual lookout for this kind of thing in the future. I can't wait for the floodgates to open, once major tech companies figure out that there's not enough oversight to prevent this 100% of the time: I expect more than a few projects to be bought out similarly.
This is why I use Little Snitch. If there are any rogue outgoing connections, I will know about it. I am extremely selective with the connections I allow my machine to make.
So for those of us who aren't selective with the connections we allow, is it feasible to start using Little Snitch? I'd be interested in trying, but it seems like there would be dozens if not hundreds of "strange" connections that you'd have to filter through which ultimately turn out to be innocent (e.g. OS X update checks).
It provides and then remembers sane choices pretty well. It's easier if you have enough background to understand 'port', 'dns', and 'application', but once you spend a day or two teaching it your habits, it becomes a fantastic tool that is out of your way until the moment it notices something serious.
How does it work with browsers? You have to allow all outgoing traffic to port 80/443 regardless of host/ip? Or be asked every time you visit a different website if you want to allow it or not?
IIRC the default ruleset allows browsers to make any connections on 80/443. You could delete that rule and do it on a case-by-case basis, but it'd be painful.
There are probably browser extensions better suited to restricting browser connections. Maybe run LS on top of one of those so the browser can catch most of them without making a ton of popups.
> (Ironically by visiting my blog post you are contributing to tracking by Google Analytics)
That's interesting, where's the opt-in for that on your blog? I don't see a modal that asks me before transmitting any of my data, or even giving my IP to a third party, or doing any tracking, as is required by EU law.
Interesting growth model: buying out developers of popular packages and adding telemetry or the Kite product.
You just kill all credibility on the way and you will be outlawed by maintainers etc.
We may be many but at certain bottlenecks ethics is still high and with OSS we are able to just fork packages.
As companies start to exploit developers' trust we have to rethink the security model inside our IDEs and probably move to a smartphone-like sandbox model.
I really don't like the idea of having to wonder if the next plug-in/editor/IDE/etc I use is compromised by Kite or any other shady phone-home companies.
I just started picking up Python and was installing popular useful looking addons from Atom. Surprisingly I got some Kite installer running from a syntax highlighting package.
They seem to be very keen on paying addon developers to distribute their crapware.
It looks like we need to sandbox packages and put a permissions system in place for atom/vscode/sublime. There's no reason why SideBarEnhancements needs access to the internet.
Is there a single IDE with plugins that has a security model in place that would prevent plugins from being taken over by nefarious asshats?
I love vim and emacs... but what's to keep them from being affected by the same thing? Who has time to read all the source code of every plugin/dependency that they use?
It's all about trust and what Kite is doing is completely destroying the network of trust in each of the communities they choose to infect.
What I find most amusing about this company is that they even attempted to get away with spying on people in a justly paranoid/vigilant industry like ours.
Like, did they not think that we wouldn't catch them in the act?
The current version on Github is clean (telemetry removed). You can always fork it yourself, or just download the repo files and add to Sublime Text 3\Installed Packages.
If you have the .sublime-package file still, you can unzip it to that directory and modify the extension.
I modified the Stats.py file in the SideBarEnhancements.sublime-package on my computer to remove the line that references this IP address. I also made the file read-only so it won't get updated. Does anyone know if that will take care of the issue on my computer for now?
A new version of SideBarEnhancements is out with the stats removed. You should get automatically updated the next time you restart Sublime Text or manually upgrade the package.
At this point I'm really thinking that Atom, Sublime et al are lost causes. If plugins makers will add their own telemetry I'll just go back to vim and be done with it.
EDIT: Also, because it's on-topic and the post on HN seems to have gone ignored, somebody is typo-squatting `cross-env` on NPM and dumping environment variables to a Chinese server run by "HackTask", it probably deserves a signal boost: https://twitter.com/o_cee/status/892306836199800836 https://news.ycombinator.com/item?id=14901566