by eropple 3245 days ago
So this is something I'm not sure I've ever said before, but if you work for Kite, you need to quit.

Like, I get working for even exploitative companies (though I won't)--economic insecurity is definitely a thing and we all gotta eat. But you can find a job that doesn't involve literally spying on the down-low. I promise you, you can.

Abandon these jerks before they bring you down with them. They've demonstrated a willingness to screw people and even if you don't really care about them screwing other people, they'll screw you too.

EDIT: Also, because it's on-topic and the post on HN seems to have gone ignored, somebody is typo-squatting `cross-env` on NPM and dumping environment variables to a Chinese server run by "HackTask", it probably deserves a signal boost: https://twitter.com/o_cee/status/892306836199800836 https://news.ycombinator.com/item?id=14901566


Reply to your npm edit: How do you know it is a Chinese server? It seems to be masked:

https://www.whois.com/whois/hacktask.net

http://hacktask.net/ shows a "we'll be right back" message in Chinese. It could be misdirection, but I'm not exactly doing forensic analysis here.
Kite is a small fish in the pond... everyone working for FB and Google should be ashamed of themselves for working spy machines. I mean it. It sounds harsh but that's the way it is. But I guess money trumps morals.
Needs to be said more. Not to mention every telecom company, which are unofficial government entities at this point.

If you work for these companies in any capacity you're being highly unethical. End of discussion.

You forgot the other top 5 companies. Although Apple has plausible deniability.
How about, the people running Kite need to shut the company down? People who quit will just be backfilled.
Losing employees incurs a significant cost. Projects miss deadlines, recruiters need to be paid and executives need to divide their attention.

If a couple of employees leave, they'll be limping.

I wonder if part of the problem is VC demands in the first place.
Of course it is! But "don't be a shithead" is a moral imperative that you need to uphold over your investors leaning on you. I mean, not being a shithead won't get your chief growth hacker's blog all hype, but words fail me (and they rarely fail me) when I try to express how little I care about that.

That's also why I didn't try to say that the founders or the executive team should be better. I'm talking about the people who those founders and executives use to do bad shit and who they will screw whenever it makes a tiny bit of business sense to do so.

Plenty of people work for literal sociopaths. It's rare that you can just point and go "...duh?" about it, though.

This seems incredibly overblown. According to the diff, all they were collecting is time spent editing certain file extensions, along with a list of installed packages:

https://github.com/SideBarEnhancements-org/SideBarEnhancemen...

They're trying to figure out what languages people are actually editing on a day-to-day basis, and people here are calling for them to leave the company? Like, really?

People have been whipped up into a frenzy for data that a webapp wouldn't blink twice at collecting. But when it's installed locally it's somehow different than if we load a webapp in a browser?

I agree with you in principle, but it seems like people here didn't actually look at what was being collected. They just saw "data collection" and went absolutely nuts.

Yeah, collecting installed package names isn't really great, but it's pretty harmless, right? It's a stupid decision, but people seem to be looking for reasons to get upset.

They're not collecting filenames, and they take the sha1 hash of whatever could be personally identifiable. Why is any of this bad, or a violation of trust? They even say right in the readme that they're doing it and how to opt out: https://github.com/SideBarEnhancements-org/SideBarEnhancemen...

If they made it opt-in, no one would opt-in. I understand it's a slippery slope, but is this reaction appropriate?

1) Principle is what matters. This behavior is utterly and completely indefensible; screwing with people's private code for your whatever-nobody-cares startup is absolutely unacceptable at any level. I don't care how big your Series A round was or who your investors are, you just don't do it and you don't hide it and you don't lie about "forgetting" about it (and it should be considered a lie until proven otherwise because after the last couple weeks Adam Smith could fit in some Baghdad Bob photoshops).

2) Collecting non-bundled package names is another way to phrase "exfiltrating competitors' upcoming products." That by itself is sufficient evidence for me to want some heads.

Collecting file extensions bucketed by time plus a list of installed package names is spying on you?

I doubt they even thought of the competitor angle. I wouldn't have. Startups don't win by worrying what every new company is doing.

It wasn't a smart decision, but you're acting like they are uploading your entire source code tree. (I think someone even claimed that they were doing this at one point but was later shown to be mistaken.)

Man--I like you and I think you are a pretty awesome poster, so I'd like to go through an experiment with you. Upload the filenames of everything you've put through your editor in the last nine months. Pastebin it for me right now (and I say pastebin because I sure have no idea how secure Kite's stuff is so we're gonna be assuming that it's not, yeah?). The request is totally insane, right? Even beyond the pure principle of it, if you did that for half a dozen developers we'll find something you really don't want me to know about, be it business or personal. (Ever use, say, org-mode or vimwiki?)

I'm willing to be strident because heads on pikes are how you ensure this is not repeated in an amplified way. Kite might be dopey, stupid, careless, and mean instead of actively malicious. Doesn't matter. The next one will be if clear lines are not drawn.

Your posts are pretty good too! I completely agree that collecting filenames would be a blatant breach of trust. If they were doing that, I'd be the first one labeling the company as evil. But my hangup is that they didn't actually do that, and what they did do seems benign.

The thing is, market forces are pretty good at settling these issues. It's an open-source plugin, so everyone can see what they're doing. If they start being naughty, people can uninstall and switch to something else. But why are we punishing them before they did anything serious, along with locking down the ability of anyone else to ever collect any kind of usage data about their plugins? Even something harmless like "time spent trying to figure out the options screen"?

I hope it doesn't seem like I'm trying to defend spyware here. Collecting metrics about your product is the first step toward improving it. The motive seems like a positive one, not a negative greedy one.

> Collecting metrics about your product

This plugin is not their product, they are merely taking advantage of its popularity for their own purposes.

> The thing is, market forces are pretty good at settling these issues

True, and the market seems to be unhappy with this approach and publicly taking a stance against it, right here. I believe this is as serious as any other case of hijacking a popular extension for collecting data, the specifics of what is being collected don't matter the littlest bit (and could change at their will).

On "positive intent": they did all of this with a commit message that doesn't mention 'Kite' at all, even uses a hardcoded IP address to avoid a domain name. It was clearly shady and meant to go unnoticed.

They did do something serious, is what I'm saying. Consider people who use a text editor--the same text editor they write code with!--for, say, a list of notes. I have a list of meeting notes in Markdown, for example, in a git repo. Sure, I doubt Kite is paying attention to that I met with X on Y. But I really, really don't care that they're not paying attention (because I don't know who's gonna get ahold of it next--are they keeping it, are they packaging it for resale, is their server pwned, how do I know and how do they verify). Fundamentally, I care that they stole it. The act demonstrates either ill will or negligence so grave as to substitute for ill will.

"Telemetry" and "personally identifiable and sensitive data" are very different things both morally and legally and boy howdy do I have a different reaction to one or the other.

Market forces are only good at settling issues when the market participants have perfect information. Nine months of spying that somebody just happened to notice to reveal it? (Ditto the Atom thing?) The damage has already been done. "With many eyes, bugs are shallow" has a certain truth to it (although I have Heartbleed calling on line two), but nobody's auditing everything, nobody can audit everything, and the damage that can be done because nobody has that information has the potential to be both personal and very high.

So, to use an analogy:

"Yeah, we broke into your house and rummaged through your stuff, but it's okay, we were only there to count how many spoons you had.

Yes, I know, we could've asked you before we broke into your house, but we tried that before, and for some reasons we had no takers. And it was really important to our researchers that we get a good idea about the number of spoons!"

Or how about if the spoon company paid your cable guy to count how many spoons you have while he was in your house.
Kite basically just invented a new spyware/malware industry that specifically targets the development community.

This kind of behavior needs to be stomped on hard and fast.

I mean, executing malicious dynamic code as a plugin of a legit tool isn't that different from a malicious browser plugin.
Collecting any data without request is unacceptable, and unlawful.

In fact, it might violate more than a dozen of laws in the EU.

This is a general matter of principle. You do not get to access anything that is mine without approval.

If no one opts in, that's your problem, and you need to rethink your business model - and not break into users' systems and steal their data. This is malware.

I'll agree with you if you explain this: Why is it ok for a website to do it, but not ok for an editor plugin to do it? Just because the content is streamed from a server? That's a rather convenient distinction.

I don't endorse Kite's behavior, but our reaction here is so far over the top that it seems like normal onlookers will start to take us less seriously. We're talking about violations of law and data theft over answering the question "Which language are you editing today?"

Zero tolerance is a rejection of "Let the punishment fit the crime."

It's not okay for websites to do this, and any website doing this from May 2018 on will end up fined hundreds of thousands of dollars every time they do this.

The European General Data Protection Regulation [1] is coming, and everyone that doesn't comply with it will have more than just a little problem.

No site or program is allowed to track or store anything about me, to transmit anything to a third party, or to even connect to a third party without my explicit authorization, and I have to be able to opt out of it all, and still be able to use it.

This is a simple moral principle of consent. You don't get to access anything that is mine without my explicit consent.

[1] https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

I don't know anything about the regulation and just skimmed the Wikipedia article for a minute, but isn't this regulation unenforceable in practice? If I have a website, how am I supposed to know if a visitor is a citizen of the EU? If my company operates outside of the EU, the EU has no jurisdiction.
I work for an email software company based in the US, but we are required to take GDPR very seriously. Large swaths of how our application stores and handles data have to be rewritten, because if a single one of our clients' emails is sent to a citizen of the EU, and we are not compliant with the new rules, we and our client are legally liable.

How that pertains to a normal website on the internet, I am not sure.

*Edit: At least this is my understanding and my company is already making development plans on how to comply with the new law.

This is an interesting thing, but, in response to the US applying their laws supraterritorially[1], the EU has decided that the EU GDPR will apply supraterritorially (aka, everywhere, globally, as soon as an EU citizen could be affected).

So, if you're outside the EU, and you violate it, you might suddenly experience that your bank accounts get frozen.

[1] Just look at the recent case where US citizens sued Saudi Arabia in a US court, and the US senate overrode a veto of President Obama to allow this to happen supraterritorially.

> Zero tolerance is a rejection of "Let the punishment fit the crime."

It should be said, though, as a counterpoint, that said principle always takes repeated offenses (recidivism) into account, and they are at strike 3 or something.

I commented on this just yesterday, about how Google felt that data collection is now 'common' - https://news.ycombinator.com/item?id=14893700

I think developers are (rightly) afraid this trend now hits their editors.

What they should be worried about is Kyllo v. United States[1]. When data collection is sufficiently normalized that the general public no longer expects privacy, it crosses the bright line that currently makes police use of the same type of data collection technology a search that requires a warrant.

If it becomes commonplace for text editors to spy on some types of (meta)data, the police may no longer need a warrant to gather the same type of data, even if you do not use a "common" editor.

[1] https://en.wikipedia.org/wiki/Kyllo_v._United_States

I think that there is a clique on HN (which I am a part of) that values their privacy and security that is more vocal and aware than the average user. Also, in the webapp example I think keeping private source code and software private is much more important than your pictures / (micro)blog.
Yes, the reaction is appropriate. You seem to agree that this is malicious action, so your position is kind of hazy.

> People have been whipped up into a frenzy for data that a webapp wouldn't blink twice at collecting. But when it's installed locally it's somehow different than if we load a webapp in a browser?

Well, yes. But it's even worse than that. This code was submarined into an unrelated open source tool and sent the data to a company with which the user had no relationship whatsoever. That's a little different from Google keeping track of how often I log into GMail, isn't it?

Even the README you linked to (probably not seen by many users) seems intentionally misleading, as it is careful not to state to whom the metrics are sent, leaving the reader with the impression that they are being sent to the project maintainer and not to Kite, Inc.

This is an important point, and it's one I overlooked. I've never used SideBarEnhancement. I assumed users knew it was related to Kite. If `urlopen('http://52.52.168.91/status', json_body)` is the only indication where the data is sent, then that's unacceptably vague.

I suppose it's best for Sublime to force plugins to be opt-in for data collection, but as someone who wishes devtools were better, it's unfortunate a few groups with terrible PR skills are ruining it for everyone. It didn't need to turn out this way. They just needed to be open about what they were doing. They weren't even collecting anything to warrant being sneaky.
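A defender-side check for the situation described above, added here as an example and not code from the thread, from Kite or from SideBarEnhancements: it walks a Sublime Text `Packages` directory, parses each plugin's Python with `ast`, and reports network calls whose target is a string literal, marking targets that are a bare IP address (like the `urlopen` call quoted above) because nothing in such a call names the party receiving the data. The sample plugin source, the call-name list and the function names are constructed assumptions.

```python
import ast
import ipaddress
import os
from urllib.parse import urlparse

# Call names that usually open an outbound connection (assumed starter list).
NETWORK_CALLS = {"urlopen", "Request", "get", "post", "HTTPConnection", "HTTPSConnection"}

# Constructed sample plugin: the first call mirrors the IP-literal urlopen
# quoted in the thread, the second is a benign domain-based update check.
SAMPLE_PLUGIN = '''from urllib.request import urlopen, Request
def send_metrics(body):
    urlopen(Request("http://52.52.168.91/status", body))
def check_update():
    urlopen("https://example.com/version")
'''


def _call_name(node):
    """Dotted name of a call target, e.g. 'urllib.request.urlopen'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def scan_source(src, filename="<plugin>"):
    """Findings for network calls whose target is a string literal, in line order."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if not isinstance(node, ast.Call) or _call_name(node).rsplit(".", 1)[-1] not in NETWORK_CALLS:
            continue
        for arg in node.args:
            if not (isinstance(arg, ast.Constant) and isinstance(arg.value, str)):
                continue
            host = urlparse(arg.value).hostname if "://" in arg.value else arg.value
            try:  # a bare IP target sidesteps DNS, so nothing names the recipient
                ipaddress.ip_address(host)
                bare_ip = True
            except ValueError:
                bare_ip = False
            findings.append({"file": filename, "line": node.lineno,
                             "call": _call_name(node), "target": arg.value, "bare_ip": bare_ip})
    return sorted(findings, key=lambda f: f["line"])


def scan_packages_dir(root):
    """Walk a Sublime Text Packages directory and scan every .py file in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.endswith(".py")):
            with open(os.path.join(dirpath, fn), encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_source(fh.read(), os.path.join(dirpath, fn)))
    return findings
```

Run `scan_packages_dir` against your own `Packages` directory and review every finding with `bare_ip` set, then the rest by hostname; a literal target is only a starting point, since a plugin can also build the URL at runtime.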

> I've never used SideBarEnhancement. I assumed users knew it was related to Kite.

Considering how many posts you've made in this thread defending Kite, this seems like a major gap in your understanding. A simple ctrl-F of both the Github README and the PackageControl page show no mention of Kite.

True, though all the code was doing was collecting a list of installed packages and a list of file extensions you've edited. Judging by the reactions here, you'd think they were uploading your entire ~/ directory.

I'm curious how Kite got the telemetry into that extension if it's unaffiliated. https://github.com/titoBouzout seems like a fairly standard github account, though it's strange he had no commits for six months until this incident.

They paid him, I do believe (saw this asserted by folks who'd know and saw no contesting it).
> True, though all the code was doing was collecting a list of installed packages and a list of file extensions you've edited. Judging by the reactions here, you'd think they were uploading your entire ~/ directory.

OK, so you acknowledge that this was an unacceptable privacy breach, you're just a little less upset about it than some other people here. Damning with faint praise, I guess.

> I'm curious how Kite got the telemetry into that extension if it's unaffiliated.

They probably paid him.