Kite telemetry code in Sublime package SideBarEnhancements
forum.sublimetext.com
So this is something I'm not sure I've ever said before, but if you work for Kite, you need to quit.
Like, I get working for even exploitative companies (though I won't)--economic insecurity is definitely a thing and we all gotta eat. But you can find a job that doesn't involve literally spying on the down-low. I promise you, you can.
Abandon these jerks before they bring you down with them. They've demonstrated a willingness to screw people and even if you don't really care about them screwing other people, they'll screw you too.
EDIT: Also, because it's on-topic and the post on HN seems to have gone ignored, somebody is typo-squatting `cross-env` on NPM and dumping environment variables to a Chinese server run by "HackTask", it probably deserves a signal boost: https://twitter.com/o_cee/status/892306836199800836 https://news.ycombinator.com/item?id=14901566
Reply to your npm edit: How do you know it is a Chinese server? it seems to be masked:
http://hacktask.net/ shows a "we'll be right back" message in Chinese. It could be misdirection, but I'm not exactly doing forensic analysis here.
Kite is a small fish in the bond... everyone working for FB and Google should be ashamed of themselves for working spy machines. I mean it. It sounds harsh but that's the way it is. But I guess money trumps morals.
Needs to be said more. Not to mention every telecom company, which are unofficial government entities at this point.
If you work for these companies in any capacity you're being highly unethical. End of discussion.
You forgot the other top 5 companies. Although Apple has plausible deniability.
How about, the people running Kite need to shut the company down? People who quit will just be backfilled.
Losing employees incurs a significant cost. Projects miss deadlines, recruiters need to be paid and executives need to divide their attention.
If a couple of employees leave, they'll be limping.
I wonder if part of the problem is VC demands in the first place.
Of course it is! But "don't be a shithead" is a moral imperative that you need to uphold over your investors leaning on you. I mean, not being a shithead won't get your chief growth hacker's blog all hype, but words fail me (and they rarely fail me) when I try to express how little I care about that.
That's also why I didn't try to say that the founders or the executive team should be better. I'm talking about the people who those founders and executives use to do bad shit and who they will screw whenever it makes a tiny bit of business sense to do so.
Plenty of people work for literal sociopaths. It's rare that you can just point and go "...duh?" about it, though.
This seems incredibly overblown. According to the diff, all they were collecting is time spent editing certain file extensions, along with a list of installed packages:
https://github.com/SideBarEnhancements-org/SideBarEnhancemen...
They're trying to figure out what languages people are actually editing on a day-to-day basis, and people here are calling for them to leave the company? Like, really?
People have been whipped up into a frenzy for data that a webapp wouldn't blink twice at collecting. But when it's installed locally it's somehow different than if we load a webapp in a browser?
I agree with you in principle, but it seems like people here didn't actually look at what was being collected. They just saw "data collection" and went absolutely nuts.
Yeah, collecting installed package names isn't really great, but it's pretty harmless, right? It's a stupid decision, but people seem to be looking for reasons to get upset.
They're not collecting filenames, and they take the sha1 hash of whatever could be personally identifiable. Why is any of this bad, or a violation of trust? They even say right in the readme that they're doing it and how to opt out: https://github.com/SideBarEnhancements-org/SideBarEnhancemen...
If they made it opt-in, no one would opt-in. I understand it's a slippery slope, but is this reaction appropriate?
1) Principle is what matters. This behavior is utterly and completely indefensible; screwing with people's private code for your whatever-nobody-cares startup is absolutely unacceptable at any level. I don't care how big your Series A round was or who your investors are, you just don't do it and you don't hide it and you don't lie about "forgetting" about it (and it should be considered a lie until proven otherwise because after the last couple weeks Adam Smith could fit in some Baghdad Bob photoshops).
2) Collecting non-bundled package names is another way to phrase "exfiltrating competitors' upcoming products." That by itself is sufficient evidence for me to want some heads.
Collecting file extensions bucketed by time plus a list of installed package names is spying on you?
I doubt they even thought of the competitor angle. I wouldn't have. Startups don't win by worrying what every new company is doing.
It wasn't a smart decision, but you're acting like they are uploading your entire source code tree. (I think someone even claimed that they were doing this at one point but was later shown to be mistaken.)
Man--I like you and I think you are a pretty awesome poster, so I'd like to go through an experiment with you. Upload the filenames of everything you've put through your editor in the last nine months. Pastebin it for me right now (and I say pastebin because I sure have no idea how secure Kite's stuff is so we're gonna be assuming that it's not, yeah?). The request is totally insane, right? Even beyond the pure principle of it, if you did that for half a dozen developers we'll find something you really don't want me to know about, be it business or personal. (Ever use, say, org-mode or vimwiki?)
I'm willing to be strident because heads on pikes are how you ensure this is not repeated in an amplified way. Kite might be dopey, stupid, careless, and mean instead of actively malicious. Doesn't matter. The next one will be if clear lines are not drawn.
Your posts are pretty good too! I completely agree that collecting filenames would be a blatant breach of trust. If they were doing that, I'd be the first one labeling the company as evil. But my hangup is that they didn't actually do that, and what they did do seems benign.
The thing is, market forces are pretty good at settling these issues. It's an open-source plugin, so everyone can see what they're doing. If they start being naughty, people can uninstall and switch to something else. But why are we punishing them before they did anything serious, along with locking down the ability of anyone else to ever collect any kind of usage data about their plugins? Even something harmless like "time spent trying to figure out the options screen"?
I hope it doesn't seem like I'm trying to defend spyware here. Collecting metrics about your product is the first step toward improving it. The motive seems like a positive one, not a negative greedy one.
> Collecting metrics about your product
This plugin is not their product, they are merely taking advantage of its popularity for their own purposes.
> The thing is, market forces are pretty good at settling these issues
True, and the market seems to be unhappy with this approach and publicly taking a stance against it, right here. I believe this is as serious as any other case of hijacking a popular extension for collecting data, the specifics of what is being collected don't matter the littlest bit (and could change at their will).
On "positive intent": they did all of this with a commit message that doesn't mention 'Kite' at all, even uses a hardcoded IP address to avoid a domain name. It was clearly shady and meant to go unnoticed.
They did do something serious, is what I'm saying. Consider people who use a text editor--the same text editor they write code with!--for, say, a list of notes. I have a list of meeting notes in Markdown, for example, in a git repo. Sure, I doubt Kite is paying attention to that I met with X on Y. But I really, really don't care that they're not paying attention (because I don't know who's gonna get ahold of it next--are they keeping it, are they packaging it for resale, is their server pwned, how do I know and how do they verify). Fundamentally, I care that they stole it. The act demonstrates either ill will or negligence so grave as to substitute for ill will.
"Telemetry" and "personally identifiable and sensitive data" are very different things both morally and legally and boy howdy do I have a different reaction to one or the other.
Market forces are only good at settling issues when the market participants have perfect information. Nine months of spying that somebody just happened to notice to reveal it? (Ditto the Atom thing?) The damage has already been done. "With many eyes, bugs are shallow" has a certain truth to it (although I have Heartbleed calling on line two), but nobody's auditing everything, nobody can audit everything, and the damage that can be done because nobody has that information has the potential to be both personal and very high.
Wait, sorry, I think I missed something.
> They did do something serious, is what I'm saying. Consider people who use a text editor--the same text editor they write code with!--for, say, a list of notes. I have a list of meeting notes in Markdown, for example, in a git repo. Sure, I doubt Kite is paying attention to that I met with X on Y. But I really, really don't care that they're not paying attention (because I don't know who's gonna get ahold of it next--are they keeping it, are they packaging it for resale, is their server pwned, how do I know and how do they verify). Fundamentally, I care that they stole it. The act demonstrates either ill will or negligence so grave as to substitute for ill will.
> "Telemetry" and "personally identifiable and sensitive data" are very different things both morally and legally and boy howdy do I have a different reaction to one or the other.
If I'm reading this correctly, you're saying Kite has access to your meeting notes? How? According to the diff, they were only uploading the file extension.
If they're uploading PII (let alone the contents of code files), that's completely different, and I'd turn on them in a heartbeat. Did they do that?
What happens when the file name is "2017-02-12 - meeting with John Doe.md"?
(This is the same reason, scaled down, that people are angry and concerned about stuff like phone metadata collection.)
They split off the extension and only collect the ".md" part: https://github.com/SideBarEnhancements-org/SideBarEnhancemen... If it's an unrecognized extension, they set it to blank.
That's why I was so confused why people are upset.
Yup - I understand that; I looked at the code. But, and I think I expressed this poorly, I have no assurances except through forensics (i.e., having to go grovel through a bunch of code for a few frigging sidebar functions that have no reason to be sending anything anywhere in the first place!), that that's all they did. The breach of trust has been created and it has created a relationship (an unwitting one) that they could change at will.
Yeah, after thinking it over, I agree. It also wasn't clear to me that they were trying to hide the fact that they were submitting the statistics to Kite. I thought they were being up front about it. Your reaction (and everyone else's) makes complete sense in that context. It was strange that a list of file extensions caused such uproar, but it's doubly strange that they tried to be shady about collecting it.
I guess it's best to enforce a blanket ban on this behavior. I still can't get over how dumb it was for Kite to do this. All they had to do was be open and honest about it and nobody would've cared too much. Crossing over into the realm of paid spyware is way too far.
So, to use an analogy:
"Yeah, we broke into your house and rummaged through your stuff, but it's okay, we were only there to count how many spoons you had.
Yes, I know, we could've asked you before we broke into your house, but we tried that before, and for some reasons we had no takers. And it was really important to our researchers that we get a good idea about the number of spoons!"
Or how about if the spoon company paid your cable guy to count how many spoons you have while he was in your house.
Kite basically just invented a new spyware/malware industry that specifically targets the development community.
This kind of behavior needs to be stomped on hard and fast.
I mean executing malicious dynamic code as a plugin of a legit tool isn't that different from a malicious browser plugin
Collecting any data without request is unacceptable, and unlawful.
In fact, it might violate more than a dozen of laws in the EU.
This is a general matter of principle. You do not get to access anything that is mine without approval.
If no one opts in, that's your problem, and you need to rethink your business model - and not break into users systems and steal their data. This is malware.
I'll agree with you if you explain this: Why is it ok for a website to do it, but not ok for an editor plugin to do it? Just because the content is streamed from a server? That's a rather convenient distinction.
I don't endorse Kite's behavior, but our reaction here is so far over the top that it seems like normal onlookers will start to take us less seriously. We're talking about violations of law and data theft over answering the question "Which language are you editing today?"
Zero tolerance is a rejection of "Let the punishment fit the crime."
It's not okay for websites to do this, and any website doing this from May 2018 on will end up fined hundreds of thousands of dollars every time they do it.
The European General Data Protection Regulation [1] is coming, and everyone that doesn't comply with it will have more than just a little problem.
No site or program is allowed to track or store anything about me, to transmit anything to a third party, or to even connect to a third party without my explicit authorization, and I have to be able to opt out of it all, and still be able to use it.
This is a simple moral principle of consent. You don't get to access anything that is mine without my explicit consent.
[1] https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
I don't know anything about the regulation and just skimmed the Wikipedia article for a minute, but isn't this regulation unenforceable in practice? If I have a website, how am I supposed to know if a visitor is a citizen of the EU? If my company operates outside of the EU, the EU has no jurisdiction.
I work for an email software company based in the US, but we are required to take GDPR very seriously. Large swaths of how our application stores and handles data has to be rewritten, because if a single one of our clients' emails is sent to a citizen of the EU, and we are not compliant with the new rules, we and our client are legally liable.
How that pertains to a normal website on the internet, I am not sure.
*Edit: At least this is my understanding and my company is already making development plans on how to comply with the new law.
This is an interesting thing, but, in response to the US applying their laws supraterritorially[1], the EU has decided that the EU GDPR will apply supraterritorial (aka, everywhere, globally, as soon as an EU citizen could be affected).
So, if you're outside the EU, and you violate it, you might suddenly experience that your bank accounts get frozen.
[1] Just look at the recent case where US citizens sued Saudi Arabia in a US court, and the US Senate overrode a veto of President Obama to allow this to happen supraterritorially.
> Zero tolerance is a rejection of "Let the punishment fit the crime."
It should be said, though, as a counterpoint, that said principle always takes into account repeated offenses (recidivism), and they are at strike 3 or something.
I commented about this just yesterday how google felt that data collection is now 'common' - https://news.ycombinator.com/item?id=14893700
I think developers are (rightly) afraid this trend now hits their editors.
What they should be worried about is Kyllo v. United States[1]. When data collection is sufficiently normalized that the general public no longer expects privacy, it crosses the bright line that currently makes police use of the same type of data collection technology a search that requires a warrant.
If it becomes commonplace for text editors to spy on some types of (meta)data, a warrant may not be required for the police to gather the same type of data, even if you do not use a "common" editor.
I think that there is a clique on HN (which I am a part of) that values their privacy and security that is more vocal and aware than the average user. Also, in the webapp example I think keeping private source code and software private is much more important than your pictures / (micro)blog.
Yes, the reaction is appropriate. You seem to agree that this is malicious action, so your position is kind of hazy.
> People have been whipped up into a frenzy for data that a webapp wouldn't blink twice at collecting. But when it's installed locally it's somehow different than if we load a webapp in a browser?
Well, yes. But it's even worse than that. This code was submarined into an unrelated open source tool and sent the data to a company with which the user had no relationship whatsoever. That's a little different from Google keeping track of how often I log into GMail, isn't it?
Even the README you linked to (probably not seen by many users) seems intentionally misleading, as it is careful not to state to whom the metrics are sent, leaving the reader with the impression that they are being sent to the project maintainer and not to Kite, Inc.
> Even the README you linked to (probably not seen by many users) seems intentionally misleading, as it is careful not to state to whom the metrics are sent, leaving the reader with the impression that they are being sent to the project maintainer and not to Kite, Inc.
This is an important point, and it's one I overlooked. I've never used SideBarEnhancement. I assumed users knew it was related to Kite. If `urlopen('http://52.52.168.91/status', json_body)` is the only indication where the data is sent, then that's unacceptably vague.
I suppose it's best for Sublime to force plugins to be opt-in for data collection, but as someone who wishes devtools were better, it's unfortunate a few groups with terrible PR skills are ruining it for everyone. It didn't need to turn out this way. They just needed to be open about what they were doing. They weren't even collecting anything to warrant being sneaky.
> I've never used SideBarEnhancement. I assumed users knew it was related to Kite.
Considering how many posts you've made in this thread defending Kite, this seems like a major gap in your understanding. A simple ctrl-F of both the Github README and the PackageControl page show no mention of Kite.
True, though all the code was doing was collecting a list of installed packages and a list of file extensions you've edited. Judging by the reactions here, you'd think they were uploading your entire ~/ directory.
I'm curious how Kite got the telemetry into that extension if it's unaffiliated. https://github.com/titoBouzout seems like a fairly standard github account, though it's strange he had no commits for six months until this incident.
They paid him, I do believe (saw this asserted by folks who'd know and saw no contesting it).
> True, though all the code was doing was collecting a list of installed packages and a list of file extensions you've edited. Judging by the reactions here, you'd think they were uploading your entire ~/ directory.
OK, so you acknowledge that this was an unacceptable privacy breach, you're just a little less upset about it than some other people here. Damning with faint praise, I guess.
> I'm curious how Kite got the telemetry into that extension if it's unaffiliated.
They probably paid him.
It's not a privacy breach to collect the file extensions you've edited bucketed by time. (Collecting the list of installed packages is debatable.) The unacceptable breach of trust was that they tried to hide the fact that they were doing it. It was incredibly stupid to hide it, since few people would've cared if they were just honest. Now they're in the same category as paid spyware marketers.
I'd rather look like a fool and get to the truth than stay silent and let a story go half told. At least people are clear about what precisely was being collected.
FWIW I think that's cool and gracious of you. People don't mea culpa often.
Thanks for the level headed analysis. It was appreciated.
/u/michael0x2a on Reddit put together a nice tl;dr[1] of the story arc for those that don't want to dig through the thread.
tl;dr for that is basically:
Kite has been collecting "anonymous" data from Sublime users with the SideBarEnhancements plugin installed. This has been happening for at least a year and the data collected included activeNonBundledPackageNames, which is basically a list of packages installed via Package Control.
It seems they were intentionally unclear about who the data was sent to and did not think to remove it from the plugin after the Atom Minimap incident because:
> the truth is we didn't remember [2]
[1] https://www.reddit.com/r/programming/comments/6qwtfz/kite_in...
[2] https://forum.sublimetext.com/t/rfc-default-package-control-...
What precisely is Kite collecting in this case? Ideally backed by a link to a github repo proving that they're collecting whatever people are saying they're collecting.
I've been reading for about 10 minutes and can't find any references. The closest I found was https://twitter.com/gerardroche/status/891802572373319680 which links to https://github.com/kiteco/kite-installer/blob/master/ext/tel... but that doesn't actually say what they're collecting.
That class seems to be collecting time spent, identified by the variable `name`. But it's not immediately obvious what `name` is being set to. If it's set to a full file system path, then I agree it's a breach of trust. But if it's something generic like 'options screen' then clearly they're just trying to improve their product.
People here seem to be losing their minds over this, so I'm trying to figure out whether it's justified or if it's another game of telephone.
EDIT: Found the code: https://github.com/SideBarEnhancements-org/SideBarEnhancemen...
Am I misreading this, or is everyone losing their minds over collecting how much time was spent editing certain file extensions? The only thing that seems to be remotely dubious is "activeNonBundledPackageNames", and that doesn't seem sensitive.
The reddit comment linked says:
> Post #27 (wbond):
> > adam314: Hi everyone, member of Kite here. The SideBarEnhancements telemetry was
> > originally added to gather data around what programming languages we should support next.
>
> [wbond:] The question is, why did you try to hide who the data was being sent to? And why did you ask
> to capture activeNonBundledPackageNames? That bit of data seems like a very non-anonymous
> collection of information. You could be capturing internal package names and consequently
> exfiltrating the existence of development of competitors products.
It uses a machine-specific identifier (MAC address), making it traceable across the public IPs sending data. With some resolution due to the hourly pings. That could be valuable in the right/wrong scenarios, although there are tons of other things recording data like that of course (websites).
Does kite own SideBarEnhancements? How did this code get past a PR?
They apparently paid the author (Tito) to add it in. Originally he had pulled all of his packages from the default channel because he was unhappy that we require semver for all new packages (to allow newer features to work). After a bunch of users complained, he added SideBarEnhancements back (his most popular package), but apparently at some point later Kite paid him to add tracking code to it.
If an addon maintainer was successfully bribed to add something like this to their addon, that maintainer should probably be banned from the ecosystem along with everything Kite touches.
Kite is the primary corrupting force here, but the people who keep taking money to screw over their userbase need to be punished as well.
Sublime, Atom, and VSCode all need to step up right now and make it clear that this kind of behavior is 100% unacceptable
Edit:
Allowing this addon straight back into the Sublime ecosystem reflects extremely poorly on them as well.
https://github.com/SideBarEnhancements-org/SideBarEnhancemen...
Please see https://forum.sublimetext.com/t/rfc-default-package-control-... for the reason that SideBarEnhancements was re-added. In this case not re-adding it would lead to continued tracking of users, which seems to me would be the more negligent action on my part.
To your edit:
I'm not sure how Package Control handles removals of packages but if they are left installed in sublime then this was probably the best move.
If the package was left "orphaned" in the editor the telemetry would remain, but I'm pretty sure PC updates packages automatically by default, so pushing an update without it makes sure the code is removed for most users.
For what it's worth, we didn't remember. There was no upside to keeping it there.
Just an upside to doing it at first, was it?
I hate that we're even talking about your company and that we have to because it's a bad actor that's hurting people. Talking about what you're doing, even condemning this ratshit behavior most strongly, kind of empowers your company, and your company doesn't deserve press--even bad press. Kite deserves the equivalent of an unmarked grave.
So what's going on with the data collection? Do you still control the IP the system reports back to, or are users reporting their details to somebody else? Are you still using data arriving there?
Sure but you also put the code there in the first place. How much of your sketchy behavior is driven by VC demands?
Will there be upsides to adding it to other plugins though?
I'd implement an industry-wide blacklist, personally. This is strike number, two? three? of this company subverting well-known packages with telemetry. Any package that is proven to be connecting to their servers should be removed, the authors should be banned, and the company should be thrown onto a list of Known Bad Actors to prevent any kind of package, add-on, or extension from ever accepting them again.
You cannot fight this kind of malevolence with a finger-wag and a proposed solution that you simply inform the user next time before doing it. It will become buried inside the ToS and become ignored and commonplace. Stop it now and forever, while the spotlight is on it.
Seriously. Sublime, Atom, VSCode, and every other platform that supports plugins should all be in crisis mode over the crap Kite's been caught doing.
If we can't trust that an addon we installed yesterday is safe today, their platforms just turned into gigantic malware vectors that are totally wide open.
This kind of exploitation needs to be stopped immediately.
I work on VSCode. We are aware of the possibility of bad plugins or even good plugins that go bad. The real nightmare scenario would be what's happened with some Chrome plugins, where a widely used plugin is either co-opted or bought out and becomes malicious (even worse if it disguises its maliciousness).
All of these package ecosystems are similar to NPM in that they are built on trust and community policing. This is not enough. One possible way forward is to move towards a security model more like iOS's or Android's, where apps need to explicitly get the user's permission before performing potentially dangerous operations like making network requests.
I'd be interested to hear how other platforms have tried tracking these sort of concerns
Explicitly asking the user before a plugin can make a network request would be great! I don't know what "sidebar enhancements" is/was, but it doesn't sound like that would need network access.
My concern would be that throwing internet connection under a consent flag may stop some shady apps, but the rest will just invent a bogus reason for why they need to connect: "We need to connect to the internet to check for updates!" How many Android apps have requested access to your Contacts, and waived the harvesting concerns away by saying it only needs to see your Contacts so that it can more easily pair you with your friends? Nevermind that they're also uploading the entire contact list to their servers...
Without an easy way to know who the package is connecting to, it only instills a false sense of security.
This has definitely always been a concern among certain users of the Package Control community. Since the Sublime Text python environment is run as the user, without a sandbox, it is possible a rogue package would upload all of your data somewhere.
So far we've operated under a model of requiring the end user trust the package developer, which isn't going to be the case 100% of the time. We are set up in such a way that the connection is required to be secure to prevent hijacking the connection and replacing packages with hacked versions. But if the package developer is choosing to add code, that is more of a policy issue than technology issue.
I agree, completely. It is a policy issue. For that reason, I am imploring the maintainers of packaging communities like Sublime Text, pip, CPAN, etc. to put forth a firm stance in their policy that says No, we will not tolerate this, period. If you don't, it sends the message that this sort of scummy behavior is acceptable so long as you disclose it. I don't think that's okay, I don't think any sane end-user thinks that's okay. What little defense of this I've seen inevitably comes from other developers, who invariably have monetization in the back of their minds.
/sarcasm Really looking forward to reading the Kite blog post this time around: "Staying Open (Still): Kite Responds To the SideBarEnhancements Issue." /sarcasm
Sorry Kite - fool us once, shame on you. Fool us twice, shame on us. There's now a 0% chance of my ever using your products or services.
Kite is plainly a bad actor. Sublime and GitHub/Atom should be taking steps to permanently remove them and the things they're infecting from their respective ecosystems
We now know of 3 different popular addons they've hijacked in various ways to snoop on code and to build up their business.
If one company is doing this, it makes me very concerned what else is going on, and what else is coming.
The sad thing is that this has been out for 9 months. If Kite was looking for stats to help inform their product development they already got all the data they need.
They're also obscuring who this log data is being sent to by just posting JSON to an EC2 IP address (52.52.168.91). The server tries hard to not let you know it belongs to Kite. You know someone is ashamed of what they're doing when they take efforts to mask who's doing it.
But you can see kite's own installer uses the same ip address for its telemetry: https://github.com/kiteco/kite-installer/blob/master/ext/tel...
It might be worth searching every release in the package_control_repo for this IP address...
https://github.com/wbond/package_control_channel/tree/master...
Seems not to be included in any other file on github: https://github.com/search?utf8=%E2%9C%93&q=%2252.52.168.91%2...
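The GitHub search above looks for one known address. The same check can be run locally and generalized: walk an editor's package directory and flag every dotted-quad literal and every common Python network entry point, per package, so a sidebar or snippet package that has no business talking to the network stands out. This is an added example, not code from the thread, from Package Control or from any package it names; the package tree, file names and the 203.0.113.7 address are constructed (203.0.113.7 is a documentation address standing in for whatever server a package might contact).

```python
"""Static scan of editor packages for hard-coded IP literals and network calls.

Added example, not code from the thread, Package Control or any package it
names.  It generalizes "search the package repo for this IP": instead of one
known address it flags every dotted-quad literal and every common Python
network entry point, grouped by package, in a tree laid out like an editor's
Packages/ directory (one subdirectory per package).
"""
import os
import re
import tempfile

# Dotted quad with each octet 0-255.  Four octets are required, so a
# three-part version string like '1.2.3' is not flagged.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# Entry points a purely local package (a sidebar, a snippet set) has no
# reason to use.
NET_CALL_RE = re.compile(
    r"\b(?:urlopen|urllib\.request|http\.client|socket\.create_connection"
    r"|requests\.(?:get|post))\b"
)

# Constructed sample packages (not real packages).  203.0.113.7 is a
# TEST-NET-3 documentation address used as a placeholder server.
SAMPLE_PACKAGES = {
    "SidebarThing/SideBar.py": (
        "import json\n"
        "from urllib.request import urlopen\n"
        "\n"
        "def ping(body):\n"
        "    # hourly status post, never mentioned in the README\n"
        "    return urlopen('http://203.0.113.7/status', json.dumps(body).encode())\n"
    ),
    "HarmlessSnippets/snippets.py": "VERSION = '1.2.3'\nDEFAULTS = {'indent': 4}\n",
}


def scan_file(path):
    """Return [(lineno, kind, match)] for one source file; comments are skipped."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.lstrip().startswith("#"):
                continue
            for m in IPV4_RE.finditer(line):
                findings.append((lineno, "ip-literal", m.group(0)))
            for m in NET_CALL_RE.finditer(line):
                findings.append((lineno, "network-call", m.group(0)))
    return findings


def scan_tree(root):
    """Return {package: [(relpath, lineno, kind, match), ...]} for every .py
    file under root, keyed by top-level directory; clean packages map to []."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".py"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            package = rel.split(os.sep)[0]
            hits = report.setdefault(package, [])
            for lineno, kind, match in scan_file(full):
                hits.append((rel, lineno, kind, match))
    return report


def flagged_packages(report):
    """Names of packages with at least one finding, sorted."""
    return sorted(pkg for pkg, hits in report.items() if hits)


def build_sample_tree():
    """Write the constructed sample packages to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="packages-")
    for rel, content in SAMPLE_PACKAGES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for pkg in flagged_packages(report):
        print(f"[!] {pkg}")
        for rel, lineno, kind, match in report[pkg]:
            print(f"    {rel}:{lineno}: {kind} {match}")
```

Pointing `scan_tree` at a real Packages/ directory gives a per-package list of where network code and raw addresses live; a finding is a prompt to read that file, not proof of telemetry, since legitimate packages (Package Control itself, linters that call a daemon) do make requests.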
Shouldn't this search find the kite-installer repo? The IP does not exist anymore in SideBarEnhancements but is still in this repo: https://github.com/kiteco/kite-installer/blob/master/ext/tel...
> This search took too long to finish; some results may not be shown.
Shown when you hover over the question mark.
Or maybe any plain IP address... Or the more solid precaution may be to interpose on the Sublime-supplied network interface API and give people a log of which packages are accessing the network and what addresses.
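As an added example (not code from this thread, from SideBarEnhancements or from Kite), here is a small Python scanner for the check suggested in the last few comments: it opens .sublime-package archives (which are plain zip files) and lists bare IPv4 literals, URLs and network-API calls found in their Python sources. The package it scans is constructed inline for the demonstration; only the IP address in it is taken from the thread, and the member names SideBar.py and Stats.py are assumptions.

```python
import io
import os
import re
import zipfile

# Constructed sample member, not the real SideBarEnhancements Stats.py:
# a plugin that posts JSON to a bare IP (the address quoted in the thread).
SAMPLE_STATS_PY = b"""
import json, urllib.request
ENDPOINT = "http://52.52.168.91/stats"
def report(payload):
    urllib.request.urlopen(ENDPOINT, json.dumps(payload).encode())
"""

IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # also hits version strings; triage by hand
URL = re.compile(rb"https?://[^\s'\"]+")
NET_API = re.compile(rb"\b(?:urllib|urlopen|requests|http\.client|socket)\b")
PATTERNS = (("ip", IPV4), ("url", URL), ("net-api", NET_API))

def scan_package_bytes(data):
    """Return (member, line_no, kind, text) for every network indicator in
    the .py members of a .sublime-package (a zip archive) given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".py"):
                continue
            for lineno, line in enumerate(zf.read(name).splitlines(), 1):
                for kind, pat in PATTERNS:
                    for m in pat.finditer(line):
                        findings.append((name, lineno, kind, m.group(0).decode()))
    return findings

def scan_installed(directory):
    """Scan every *.sublime-package directly under an Installed Packages dir."""
    return {fn: scan_package_bytes(open(os.path.join(directory, fn), "rb").read())
            for fn in os.listdir(directory) if fn.endswith(".sublime-package")}

def build_sample_package():
    """Constructed two-member package: one benign file, one that phones home."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SideBar.py", b"import sublime\n")
        zf.writestr("Stats.py", SAMPLE_STATS_PY)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in scan_package_bytes(build_sample_package()):
        print("%s:%d [%s] %s" % hit)
```

Point `scan_installed` at your own Installed Packages directory to get the same report per package; a hit on a bare IP or an unfamiliar host is the cue to read that member before the package next updates.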
Deeply concerning that this has been in place for "the better part of a year", and that they "didn't remember" about their telemetry collection - how careless have they been with the actual data, if they don't even claim to be able to keep track of gathering it?
This is a complete destruction of their narrative from last week. They'll be sorry for being caught - again - and we'll have to be on continual lookout for this kind of thing in the future. I can't wait for the floodgates to open, once major tech companies figure out that there's not enough oversight to prevent this 100% of the time: I expect more than a few projects to be bought out similarly.
This is why I use Little Snitch. If there are any rogue outgoing connections, I will know about it. I am extremely selective with the connections I allow my machine to make.
So for those of us who aren't selective with the connections we allow, is it feasible to start using Little Snitch? I'd be interested in trying, but it seems like there would be dozens if not hundreds of "strange" connections that you'd have to filter through which ultimately turn out to be innocent (e.g. OS X update checks).
It provides and then remembers sane choices pretty well. It's easier if you have enough background to understand 'port', 'dns', and 'application', but once you spend a day or two teaching it your habits, it becomes a fantastic tool that is out of your way until the moment it notices something serious.
The first day of using Little Snitch may drive you insane. It gets better rapidly after.
How does it work with browsers? You have to allow all outgoing traffic to port 80/443 regardless of host/ip? Or be asked every time you visit a different website if you want to allow it or not?
IIRC the default ruleset allows browsers to make any connections on 80/443. You could delete that rule and do it on a case-by-case basis, but it'd be painful.
There are probably browser extensions better suited to restricting browser connections. Maybe run LS on top of one of those so the browser can catch most of them without making a ton of popups.
Makes sense. Thanks!
On the topic of tracking, you might want to check your browser extensions as well.
I discovered tracking codes inside a browser extension back in 2013, and I doubt that it would be the last one:
https://paradite.com/2013/12/07/solved-issue-with-vglnk-all-...
(Ironically by visiting my blog post you are contributing to tracking by Google Analytics)
uBlock begs to differ ;-)
Grimd for the DNS blocker!
I don't know if storing a plain text log of my browsing history is a good thing or not...
https://github.com/looterz/grimd/blob/fc327b2f2993f762c8557c...
> (Ironically by visiting my blog post you are contributing to tracking by Google Analytics)
That's interesting, where's the opt-in for that on your blog? I don't see a modal that asks me before transmitting any of my data, or even giving my IP to a third party, or doing any tracking, as is required by EU law.
Thanks. Didn't know that it was required for blogs. Added a WP plugin for that (inspected, no tracking code in the plugin).
Interesting growth model by buying out developers of popular packages and adding telemetry or the Kite product.
You just kill all credibility on the way and you will be outlawed by maintainers etc.
We may be many but at certain bottlenecks ethics is still high and with OSS we are able to just fork packages.
As companies start to exploit developers' trust we have to rethink the security model inside our IDEs and probably move to a smartphone-like sandbox model.
> Interesting growth model by buying out developers of popular packages and adding telemetry or the Kite product.
Sadly, I think it's what you might call "evil genius".
Again? Is there no escape from these guys?
I really don't like the idea of having to wonder if the next plug-in/editor/IDE/etc I use is compromised by Kite or any other shady phone-home companies.
use vim ;]
What's stopping Kite from grabbing one of your Vim plugins and adding telemetry to it?
It's not an editor thing, it's a shitty package creators thing.
I just started picking up Python and was installing popular useful looking addons from Atom. Surprisingly I got some Kite installer running from a syntax highlighting package.
They seem to be very keen on paying addon developers to distribute their crapware.
It looks like we need to sandbox packages and put a permissions system in place for atom/vscode/sublime. There's no reason why SideBarEnhancements needs access to the internet.
The best course of action in such cases is to vote with your feet.
The question is: to where?
Is there a single IDE with plugins that has a security model in place that would prevent plugins from being taken over by nefarious asshats?
I love vim and emacs... but what's to keep them from being affected by the same thing? Who has time to read all the source code of every plugin/dependency that they use?
It's all about trust and what Kite is doing is completely destroying the network of trust in each of the communities they choose to infect.
I think the person you're replying to meant not using Kite.
What keeps Kite from taking over another package?
A failing business model.
Moreover, a valid solution doesn't have to solve every problem. Abandoning Kite is already a good start.
What I find most amusing about this company is that they even attempted to get away with spying on people in a justly-paranoid/vigilant industry like ours.
Like, did they not think that we wouldn't catch them in the act?
Don't try to steal from thieves.
Just uninstalled the package, are there any alternatives available? I can live without it but it'd be nice if I had something to replace it with.
The current version on Github is clean (telemetry removed). You can always fork it yourself, or just download the repo files and add to Sublime Text 3\Installed Packages.
If you have the .sublime-package file still, you can unzip it to that directory and modify the extension.
I modified the Stats.py file in the SideBarEnhancements.sublime-package on my computer to remove the line that references this IP address. I also made the file read-only so it won't get updated. Does anyone know if that will take care of the issue on my computer for now?
A new version of SideBarEnhancements is out with the stats removed. You should get automatically updated the next time you restart Sublime Text or manually upgrade the package.
They have removed the file already https://github.com/SideBarEnhancements-org/SideBarEnhancemen... but I wouldn't be surprised if they compromised more plug-ins and we just haven't found out yet.
At this point I'm really thinking that Atom, Sublime et al are lost causes. If plugins makers will add their own telemetry I'll just go back to vim and be done with it.
What is there to prevent a vim plugin author from adding the same kind of features?
Disappointing. Kite looked like a really nice product.