Kite telemetry code in Sublime package SideBarEnhancements (opens in new tab)

http://hacktask.net/ shows a "we'll be right back" message in Chinese. It could be misdirection, but I'm not exactly doing forensic analysis here.

Needs to be said more. Not to mention every telecom company, which are unofficial government entities at this point.

If you work for these companies in any capacity you're being highly unethical. End of discussion.

You forgot the other top 5 companies. Although Apple has plausible deniability.

Losing employees incurs a significant cost. Projects miss deadlines, recruiters need to be paid and executives need to divide their attention.

If a couple of employees leave, they'll be limping.

Of course it is! But "don't be a shithead" is a moral imperative that you need to uphold over your investors leaning on you. I mean, not being a shithead won't get your chief growth hacker's blog all hype, but words fail me (and they rarely fail me) when I try to express how little I care about that.

That's also why I didn't try to say that the founders or the executive team should be better. I'm talking about the people who those founders and executives use to do bad shit and who they will screw whenever it makes a tiny bit of business sense to do so.

Plenty of people work for literal sociopaths. It's rare that you can just point and go "...duh?" about it, though.

1) Principle is what matters. This behavior is utterly and completely indefensible; screwing with people's private code for your whatever-nobody-cares startup is absolutely unacceptable at any level. I don't care how big your Series A round was or who your investors are, you just don't do it and you don't hide it and you don't lie about "forgetting" about it (and it should be considered a lie until proven otherwise because after the last couple weeks Adam Smith could fit in some Baghdad Bob photoshops).

2) Collecting non-bundled package names is another way to phrase "exfiltrating competitors' upcoming products." That by itself is sufficient evidence for me to want some heads.

So, to use an analogy:

"Yeah, we broke into your house and rummaged through your stuff, but it's okay, we were only there to count how many spoons you had.

Yes, I know, we could've asked you before we broke into your house, but we tried that before, and for some reasons we had no takers. And it was really important to our researchers that we get a good idea about the number of spoons!"

Kite basically just invented a new spyware/malware industry that specifically targets the development community.

This kind of behavior needs to be stomped on hard and fast.

Collecting any data without request is unacceptable, and unlawful.

In fact, it might violate more than a dozen of laws in the EU.

This is a general matter of principle. You do not get to access anything that is mine without approval.

If no one opts in, that's your problem, and you need to rethink your business model - and not break into users systems and steal their data. This is malware.

I commented about this just yesterday how google felt that data collection is now 'common' - https://news.ycombinator.com/item?id=14893700

I think developers are (rightly) afraid this trend now hits their editors.

I think that there is a clique on HN (which I am a part of) that values their privacy and security that is more vocal and aware than the average user. Also, in the webapp example I think keeping private source code and software private is much more important than your pictures / (micro)blog.

Yes, the reaction is appropriate. You seem to agree that this is malicious action, so your position is kind of hazy.

> People have been whipped up into a frenzy for data that a webapp wouldn't blink twice at collecting. But when it's installed locally it's somehow different than if we load a webapp in a browser?

Well, yes. But it's even worse than that. This code was submarined into an unrelated open source tool and sent the data to a company with which the user had no relationship whatsoever. That's a little different from Google keeping track of how often I log into GMail, isn't it?

Even the README you linked to (probably not seen by many users) seems intentionally misleading, as it is careful not to state to whom the metrics are sent, leaving the reader with the impression that they are being sent to the project maintainer and not to Kite, Inc.

The reddit comment linked says:

> Post #27 (wbond):

> > adam314: Hi everyone, member of Kite here. The SideBarEnhancements telemetry was

> > originally added to gather data around what programming languages we should support next.

>

> [wbond:] The question is, why did you try to hide who the data was being sent to? And why did you ask

> to capture activeNonBundledPackageNames? That bit of data seems like a very non-anonymous

> collection of information. You could be capturing internal package names and consequently

> exfiltrating the existence of development of competitors products.

It uses a machine-specific identifier (MAC address), making it traceable across the public IPs sending data. With some resolution due to the hourly pings. That could be valuable in the right/wrong scenarios, although there are tons of other things recording data like that of course (websites).

They apparently paid the author (Tito) to add it in. Originally he had pulled all of his packages from the default channel because he was unhappy that we require semver for all new packages (to allow newer features to work). After a bunch of users complained, he added SideBarEnhancements back (his most popular package), but apparently at some point later Kite paid him to add tracking code to it.

Just an upside to doing it at first, was it?

I hate that we're even talking about your company and that we have to because it's a bad actor that's hurting people. Talking about what you're doing, even condemning this ratshit behavior most strongly, kind of empowers your company, and your company doesn't deserve press--even bad press. Kite deserves the equivalent of an unmarked grave.

So what's going on with the data collection? Do you still control the IP the system reports back to, or are users reporting their details to somebody else? Are you still using data arriving there?

Sure but you also put the code there in the first place. How much of your sketchy behavior is driven by VC demands?

Will there be upsides to adding it to other plugins though?

It provides and then remembers sane choices pretty well. It's easier if you have enough background to understand 'port', 'dns', and 'application', but once you spend a day or two teaching it your habits, it becomes a fantastic tool that is out of your way until the moment it notices something serious.

The first day of using Little Snitch may drive you insane. It gets better rapidly after.

Perhaps Glasswire?

http://glasswire.com

Grimd for the DNS blocker!

Thanks. Didn't know that it was required for blogs. Added a WP plugin for that (inspected, no tracking code in the plugin).

I work on VSCode. We are aware of the possibility of bad plugins or even good plugins that go bad. The real nightmare scenario would be what's happened with some Chrome plugins, where a widely used plugin is either co-opted or bought out and becomes malicious (even worse if it disguises its maliciousness).

All of these package ecosystems are similar to NPM in that they are built on trust and community policing. This is not enough. One possible way forward is to move towards an security model more like iOS's or Androids where apps need to explicitly get the user's permission before performing potentially dangerous operations like making network requests.

I'd be interested to hear how other platforms have tried tracking these sort of concerns

This has definitely always been a concern among certain users of the Package Control community. Since the Sublime Text python environment is run as the user, without a sandbox, it is possible a rogue package would upload all of your data somewhere.

So far we've operated under a model of requiring the end user trust the package developer, which isn't going to be the case 100% of the time. We are set up in such a way that the connection is required to be secure to prevent hijacking the connection and replacing packages with hacked versions. But if the package developer is choosing to add code, that is more of a policy issue than technology issue.

Seems not to be included in any other file on github: https://github.com/search?utf8=%E2%9C%93&q=%2252.52.168.91%2...

or maybe any plain ip address... Or the more solid precaution may be to interpose on the sublime supplied network interface api and give people a log of which packages are accessing the network and what addresses.

use vim ;]

I think the person you're replying to meant not using Kite.