
Kite telemetry code in Sublime package SideBarEnhancements - Matetricks
https://forum.sublimetext.com/t/rfc-default-package-control-channel-and-package-telemetry/30157
======
eropple
So this is something I'm not sure I've ever said before, but if you work for
Kite, you need to quit.

Like, I get working for even exploitative companies (though I won't)--economic
insecurity is definitely a thing and we all gotta eat. But you can find a job
that doesn't involve literally spying on the down-low. I promise you, you can.

Abandon these jerks before they bring _you_ down with them. They've
demonstrated a willingness to screw people and even if you don't really care
about them screwing other people, they'll screw you too.

EDIT: Also, because it's on-topic and the post on HN seems to have gone
ignored, somebody is typo-squatting `cross-env` on NPM and dumping environment
variables to a Chinese server run by "HackTask", it probably deserves a signal
boost:
[https://twitter.com/o_cee/status/892306836199800836](https://twitter.com/o_cee/status/892306836199800836)
[https://news.ycombinator.com/item?id=14901566](https://news.ycombinator.com/item?id=14901566)

~~~
sillysaurus3
This seems incredibly overblown. According to the diff, all they were
collecting is time spent editing certain file extensions, along with a list of
installed packages:

[https://github.com/SideBarEnhancements-org/SideBarEnhancemen...](https://github.com/SideBarEnhancements-org/SideBarEnhancements/commit/4d1d20cf7f4917cbe7dad0b3a9e8a8573162be6b#diff-01b294ac86b2009fd6c11bf4267bb0e7L65)

They're trying to figure out what languages people are actually editing on a
day-to-day basis, and people here are calling for them to leave the company?
Like, really?

People have been whipped up into a frenzy for data that a webapp wouldn't
blink twice at collecting. But when it's installed locally it's somehow
different than if we load a webapp in a browser?

I agree with you in principle, but it seems like people here didn't actually
look at what was being collected. They just saw "data collection" and went
absolutely nuts.

Yeah, collecting installed package names isn't really great, but it's pretty
harmless, right? It's a stupid decision, but people seem to be looking for
reasons to get upset.

They're not collecting filenames, and they take the sha1 hash of whatever
could be personally identifiable. Why is any of this bad, or a violation of
trust? They even say right in the readme that they're doing it and how to opt
out: [https://github.com/SideBarEnhancements-org/SideBarEnhancemen...](https://github.com/SideBarEnhancements-org/SideBarEnhancements/commit/4d1d20cf7f4917cbe7dad0b3a9e8a8573162be6b#diff-0730bb7c2e8f9ea2438b52e419dd86c9L29)

If they made it opt-in, no one would opt-in. I understand it's a slippery
slope, but is this reaction appropriate?

~~~
eropple
1) Principle is what matters. This behavior is utterly and completely
indefensible; screwing with people's private code for your whatever-nobody-
cares startup is absolutely unacceptable at any level. I don't care how big
your Series A round was or who your investors are, you just don't do it and
you don't hide it and you don't lie about "forgetting" about it (and it should
be considered a lie until proven otherwise because after the last couple weeks
Adam Smith could fit in some Baghdad Bob photoshops).

2) Collecting non-bundled package names is another way to phrase "exfiltrating
competitors' upcoming products." That by itself is sufficient evidence for me
to want some heads.

~~~
sillysaurus3
Collecting file extensions bucketed by time plus a list of installed package
names is spying on you?

I doubt they even thought of the competitor angle. I wouldn't have. Startups
don't win by worrying what every new company is doing.

It wasn't a smart decision, but you're acting like they are uploading your
entire source code tree. (I think someone even claimed that they were doing
this at one point but was later shown to be mistaken.)

~~~
eropple
Man--I like you and I think you are a pretty awesome poster, so I'd like to go
through an experiment with you. Upload the filenames of everything you've put
through your editor in the last nine months. Pastebin it for me right now (and
I say pastebin because _I_ sure have no idea how secure Kite's stuff is so
we're gonna be assuming that it's not, yeah?). The request is totally insane,
right? Even beyond the pure principle of it, if you did that for half a dozen
developers we'll find something you really don't want me to know about, be it
business or personal. (Ever use, say, org-mode or vimwiki?)

I'm willing to be strident because _heads on pikes_ are how you ensure this is
not repeated in an amplified way. Kite might be dopey, stupid, careless, and
mean instead of actively malicious. Doesn't matter. The next one will be if
clear lines are not drawn.

~~~
sillysaurus3
Your posts are pretty good too! I completely agree that collecting filenames
would be a blatant breach of trust. If they were doing that, I'd be the first
one labeling the company as evil. But my hangup is that they didn't actually
do that, and what they _did_ do seems benign.

The thing is, market forces are pretty good at settling these issues. It's an
open-source plugin, so everyone can see what they're doing. If they start
being naughty, people can uninstall and switch to something else. But why are
we punishing them before they did anything serious, along with locking down
the ability of anyone else to ever collect any kind of usage data about their
plugins? Even something harmless like "time spent trying to figure out the
options screen"?

I hope it doesn't seem like I'm trying to defend spyware here. Collecting
metrics about your product is the first step toward improving it. The motive
seems like a positive one, not a negative greedy one.

~~~
eropple
They did do something serious, is what I'm saying. Consider people who use a
text editor--the same text editor they write code with!--for, say, a list of
notes. I have a list of meeting notes in Markdown, for example, in a git repo.
Sure, I doubt Kite is paying attention to that I met with X on Y. But I
really, really don't care that they're not paying attention (because I don't
know who's gonna get ahold of it next--are they keeping it, are they packaging
it for resale, is their server pwned, how do I know and how do they verify).
Fundamentally, I care that they stole it. The act demonstrates either ill will
or negligence so grave as to substitute for ill will.

"Telemetry" and "personally identifiable and sensitive data" are very
different things both morally and legally and _boy howdy_ do I have a
different reaction to one or the other.

Market forces are only good at settling issues when the market participants
have perfect information. Nine months of spying that somebody just happened to
notice to reveal it? (Ditto the Atom thing?) The damage has already been done.
"With many eyes, bugs are shallow" has a certain truth to it (although I have
Heartbleed calling on line two), but nobody's auditing everything, nobody can
audit everything, and the damage that can be done because nobody has that
information has the potential to be both personal and very high.

~~~
sillysaurus3
Wait, sorry, I think I missed something.

 _They did do something serious, is what I'm saying. Consider people who use
a text editor--the same text editor they write code with!--for, say, a list of
notes. I have a list of meeting notes in Markdown, for example, in a git repo.
Sure, I doubt Kite is paying attention to that I met with X on Y. But I
really, really don't care that they're not paying attention (because I don't
know who's gonna get ahold of it next--are they keeping it, are they packaging
it for resale, is their server pwned, how do I know and how do they verify).
Fundamentally, I care that they stole it. The act demonstrates either ill will
or negligence so grave as to substitute for ill will.

"Telemetry" and "personally identifiable and sensitive data" are very
different things both morally and legally and boy howdy do I have a different
reaction to one or the other._

If I'm reading this correctly, you're saying Kite has access to your meeting
notes? How? According to the diff, they were only uploading the file
extension.

If they're uploading PII (let alone the contents of code files), that's
completely different, and I'd turn on them in a heartbeat. Did they do that?

~~~
eropple
What happens when the file name is "2017-02-12 - meeting with John Doe.md"?

(This is the same reason, scaled down, that people are angry and concerned
about stuff like phone metadata collection.)

~~~
sillysaurus3
They split off the extension and only collect the ".md" part:
[https://github.com/SideBarEnhancements-org/SideBarEnhancemen...](https://github.com/SideBarEnhancements-org/SideBarEnhancements/commit/4d1d20cf7f4917cbe7dad0b3a9e8a8573162be6b#diff-01b294ac86b2009fd6c11bf4267bb0e7L70)
If it's an unrecognized extension, they set it to blank.

That's why I was so confused why people are upset.

~~~
eropple
Yup - I understand that; I looked at the code. But, and I think I expressed
this poorly, I have no assurances except through forensics (i.e., having to go
grovel through a bunch of code for a few frigging sidebar functions that have
no reason to be sending anything anywhere in the _first_ place!), that that's
_all_ they did. The breach of trust has been created and it has created a
relationship (an unwitting one) that _they_ could change at will.

~~~
sillysaurus3
Yeah, after thinking it over, I agree. It also wasn't clear to me that they
were trying to hide the fact that they were submitting the statistics to Kite.
I thought they were being up front about it. Your reaction (and everyone
else's) makes complete sense in that context. It was strange that a list of
file extensions caused such uproar, but it's doubly strange that they tried to
be shady about collecting it.

I guess it's best to enforce a blanket ban on this behavior. I still can't get
over how dumb it was for Kite to do this. All they had to do was be open and
honest about it and nobody would've cared too much. Crossing over into the
realm of paid spyware is way too far.

------
dabber
/u/michael0x2a on Reddit put together a nice tl;dr[1] of the story arc for
those that don't want to dig through the thread.

tl;dr for that is basically:

Kite has been collecting "anonymous" data from sublime users with the
_SideBarEnhancements_ plugin installed. This has been happening for at least a
year and the data collected included _activeNonBundledPackageNames_ which is
basically a list of packages installed via Package Control.

It seems they were intentionally unclear about who the data was sent to and
did not think to remove it from the plugin after the Atom Minimap incident
because:

 _> the truth is we didn't remember_ [2]

[1]
[https://www.reddit.com/r/programming/comments/6qwtfz/kite_in...](https://www.reddit.com/r/programming/comments/6qwtfz/kite_injected_telemetry_into_the_third_most/dl0psv0/)

[2] [https://forum.sublimetext.com/t/rfc-default-package-control-...](https://forum.sublimetext.com/t/rfc-default-package-control-channel-and-package-telemetry/30157/30)

~~~
adamsmith
For what it's worth, we didn't remember. There was no upside to keeping it
there.

~~~
eropple
Just an upside to doing it at first, was it?

I hate that we're even talking about your company and that we have to because
it's a bad actor that's hurting people. Talking about what you're doing, even
condemning this _ratshit_ behavior most strongly, kind of empowers your
company, and your company doesn't deserve press--even bad press. Kite deserves
the equivalent of an unmarked grave.

------
AdmiralAsshat
I'd implement an industry-wide blacklist, personally. This is strike number,
two? three? of this company subverting well-known packages with telemetry. Any
package that is proven to be connecting to their servers should be removed,
the authors should be banned, and the company should be thrown onto a list of
Known Bad Actors to prevent any kind of package, add-on, or extension from
ever accepting them again.

You _cannot_ fight this kind of malevolence with a finger-wag and a proposed
solution that you simply _inform_ the user next time before doing it. It will
become buried inside the ToS and become ignored and commonplace. Stop it now
and forever, while the spotlight is on it.

~~~
fooey
Seriously. Sublime, Atom, VSCode, and every other platform that supports
plugins should all be in crisis mode over the crap Kite's been caught doing.

If we can't trust that an addon we installed yesterday is safe today, their
platforms just turned into gigantic malware vectors that are totally wide
open.

This kind of exploitation needs to be stopped immediately.

~~~
mattbierner
I work on VSCode. We are aware of the possibility of bad plugins or even good
plugins that go bad. The real nightmare scenario would be what's happened with
some Chrome plugins, where a widely used plugin is either co-opted or bought
out and becomes malicious (even worse if it disguises its maliciousness).

All of these package ecosystems are similar to NPM in that they are built on
trust and community policing. This is not enough. One possible way forward is
to move towards an security model more like iOS's or Androids where apps need
to explicitly get the user's permission before performing potentially
dangerous operations like making network requests.

I'd be interested to hear how other platforms have tried tracking these sort
of concerns

~~~
ReverseCold
Explicitly asking the user before a plugin can make a network request would be
great! I don't know what "sidebar enhancements" is/was, but it doesn't sound
like that would need network access.

------
tradesmanhelix
/sarcasm Really looking forward to reading the Kite blog post this time
around: "Staying Open (Still): Kite Responds To the SideBarEnhancements
Issue." /sarcasm

Sorry Kite - fool us once, shame on you. Fool us twice, shame on us. There's
now a 0% chance of my ever using your products or services.

~~~
fooey
Kite is plainly a bad actor. Sublime and GitHub/Atom should be taking steps to
permanently remove them and the things they're infecting from their respective
ecosystems

We now know of 3 different popular addons they've hijacked in various ways to
snoop on code and to build up their business.

If one company is doing this, it makes me very concerned what else is going
on, and what else is coming.

------
bajabaron
they're also obscuring who this log data is being sent to by just posting JSON
to an ec2 IP address (52.52.168.91). The server tries hard to not let you know
it belongs to Kite. You know someone is ashamed of what they're doing when
they take efforts to mask who's doing it.

But you can see kite's own installer uses the same ip address for its
telemetry: [https://github.com/kiteco/kite-installer/blob/master/ext/tel...](https://github.com/kiteco/kite-installer/blob/master/ext/telemetry/telemetry.js#L9)

~~~
bajabaron
It might be worth searching every release in the package_control_repo for this
IP address...

[https://github.com/wbond/package_control_channel/tree/master...](https://github.com/wbond/package_control_channel/tree/master/repository)
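
The search suggested above, done locally instead of on GitHub, as an added example that is not part of this thread and not code from SideBarEnhancements, Kite or Package Control. It is Python because that is what Sublime Text plugins are written in, and it assumes the Sublime Text 3 data-directory layout of `Installed Packages/*.sublime-package` (zip archives) plus `Packages/<name>/` (loose files). The package contents it scans are constructed sample data, and the address inside them is an RFC 5737 documentation address, not the one quoted in this thread.

```python
"""Scan a Sublime Text 3 data directory for plugin code that talks to the network.

Added example for this thread; not Kite's code and not part of SideBarEnhancements.
Assumed layout: <data>/Installed Packages/*.sublime-package (zip archives) and
<data>/Packages/<name>/*.py (loose files). The sample package below is constructed.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Indicators that a plugin may phone home. Hits are leads, not proof: a version
# string such as "3.1.0.2" also matches the IPv4 pattern, so read every hit.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NET_API_RE = re.compile(
    r"\b(?:urllib\.request|urllib2|urlopen|http\.client|httplib|socket\.socket|"
    r"requests\.(?:get|post|put))\b"
)
LOCAL_IPS = {"127.0.0.1", "0.0.0.0"}


def scan_source(origin, text):
    """Return (origin, line_no, kind, token) for each network indicator in Python source."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for ip in IPV4_RE.findall(line):
            if ip not in LOCAL_IPS and all(int(o) < 256 for o in ip.split(".")):
                findings.append((origin, line_no, "ipv4", ip))
        for api in NET_API_RE.findall(line):
            findings.append((origin, line_no, "net-api", api))
    return findings


def scan_package(path):
    """Scan one .sublime-package zip archive or one loose package directory."""
    path = Path(path)
    findings = []
    if path.is_dir():
        for py in sorted(path.rglob("*.py")):
            origin = f"{path.name}/{py.relative_to(path)}"
            findings += scan_source(origin, py.read_text(errors="replace"))
    elif path.suffix == ".sublime-package" and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for member in sorted(zf.namelist()):
                if member.endswith(".py"):
                    text = zf.read(member).decode("utf-8", errors="replace")
                    findings += scan_source(f"{path.name}:{member}", text)
    return findings


def scan_data_dir(data_dir):
    """Scan both package locations under a Sublime Text data directory."""
    data_dir = Path(data_dir)
    findings = []
    for pkg in sorted((data_dir / "Installed Packages").glob("*.sublime-package")):
        findings += scan_package(pkg)
    packages_dir = data_dir / "Packages"
    if packages_dir.is_dir():
        for pkg in sorted(p for p in packages_dir.iterdir() if p.is_dir()):
            findings += scan_package(pkg)
    return findings


# Constructed sample data: a zipped package whose Stats.py posts to a hard-coded
# endpoint (203.0.113.10 is a documentation address), and a loose package that
# only touches the editor API and never the network.
PHONE_HOME_PY = '''import json
import urllib.request

ENDPOINT = "http://203.0.113.10/stats"

def send(payload):
    req = urllib.request.Request(ENDPOINT, json.dumps(payload).encode())
    urllib.request.urlopen(req)
'''
CLEAN_PY = '''import sublime_plugin

class HelloCommand(sublime_plugin.TextCommand):
    def run(self, edit):
        self.view.insert(edit, 0, "hello")
'''


def build_sample_data_dir():
    """Create a throwaway Sublime-style data directory with the sample packages."""
    root = Path(tempfile.mkdtemp(prefix="st3-scan-"))
    (root / "Installed Packages").mkdir()
    (root / "Packages" / "CleanPackage").mkdir(parents=True)
    archive = root / "Installed Packages" / "SampleSidebar.sublime-package"
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("Stats.py", PHONE_HOME_PY)
        zf.writestr("SideBar.py", CLEAN_PY)
    (root / "Packages" / "CleanPackage" / "hello.py").write_text(CLEAN_PY)
    return root


if __name__ == "__main__":
    for origin, line_no, kind, token in scan_data_dir(build_sample_data_dir()):
        print(f"{origin}:{line_no}: {kind} {token}")
```

Point `scan_data_dir` at the real data directory (`~/Library/Application Support/Sublime Text 3` on macOS, `~/.config/sublime-text-3` on Linux, `%APPDATA%\Sublime Text 3` on Windows) to check a live install. Because it flags every literal IPv4 address and every standard-library network call rather than one fixed address, it also catches a package whose endpoint has since changed, which a search for a single IP would miss; the cost is that each hit has to be read by a person.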

~~~
mawalu
Seems not to be included in any other file on github:
[https://github.com/search?utf8=%E2%9C%93&q=%2252.52.168.91%2...](https://github.com/search?utf8=%E2%9C%93&q=%2252.52.168.91%22&type=Code)

~~~
Artemis2
Shouldn't this search find the kite-installer repo? The IP does not exist
anymore in SideBarEnhancements but is still in this repo:
[https://github.com/kiteco/kite-
installer/blob/master/ext/tel...](https://github.com/kiteco/kite-
installer/blob/master/ext/telemetry/telemetry.js)

------
ivanbakel
Deeply concerning that this has been in place for "the better part of a year",
and that they "didn't remember" about their telemetry collection - how
careless have they been with the actual data, if they don't even claim to be
able to keep track of gathering it?

This is a complete destruction of their narrative from last week. They'll be
sorry for being caught - again - and we'll have to be on continual lookout for
this kind of thing in the future. I can't wait for the floodgates to open,
once major tech companies figure out that there's not enough oversight to
prevent this 100% of the time: I expect more than a few projects to be bought
out similarly.

------
synaesthesisx
This is why I use Little Snitch. If there are any rogue outgoing connections,
I will know about it. I am extremely selective with the connections I allow my
machine to make.

~~~
sillysaurus3
So for those of us who aren't selective with the connections we allow, is it
feasible to start using Little Snitch? I'd be interested in trying, but it
seems like there would be dozens if not hundreds of "strange" connections that
you'd have to filter through which ultimately turn out to be innocent (e.g. OS
X update checks).

~~~
eropple
The first day of using Little Snitch may drive you insane. It gets better
rapidly after.

~~~
kevindqc
How does it work with browsers? You have to allow all outgoing traffic to port
80/443 regardless of host/ip? Or be asked every time you visit a different
website if you want to allow it or not?

~~~
wlesieutre
IIRC the default ruleset allows browsers to make any connections on 80/443.
You could delete that rule and do it on a case-by-case basis, but it'd be
painful.

There are probably browser extensions better suited to restricting browser
connections. Maybe run LS on top of one of those so the browser can catch most
of them without making a ton of popups.

~~~
kevindqc
Makes sense. Thanks!

------
paradite
On the topic of tracking, you might want to check your browser extensions as
well.

I discovered tracking codes inside a browser extension back in 2013, and I
doubt that it would be the last one:

[https://paradite.com/2013/12/07/solved-issue-with-vglnk-all-...](https://paradite.com/2013/12/07/solved-issue-with-vglnk-all-websites-having-a-script-related-to-vglink-attached-to-the-end/)

(Ironically by visiting my blog post you are contributing to tracking by
Google Analytics)

~~~
sbarre
uBlock begs to differ ;-)

~~~
verdverm
Grimd for the DNS blocker!

~~~
paradite
I don't know if storing a plain text log of my browsing history is a good
thing or not...

[https://github.com/looterz/grimd/blob/fc327b2f2993f762c8557c...](https://github.com/looterz/grimd/blob/fc327b2f2993f762c8557c577d394960b1c82a87/handler.go#L84)

------
spdy
Interesting growth model by buying out developers of popular packages and add
telemetry or the kite product.

You just kill all credibility on the way and you will be outlawed by
maintainers etc.

We may be many but at certain bottlenecks ethics is still high and with OSS we
are able to just fork packages.

As companies start to exploit developers trust we have to rethink the security
model inside our IDEs and probably move to a smartphone-like sandbox model.

~~~
tradesmanhelix
> Interesting growth model by buying out developers of popular packages and
> add telemetry or the kite product.

Sadly, I think it's what you might call "evil genius".

------
sergiotapia
Again? Is there no escape from these guys?

~~~
yvesmh
I really don't like the idea of having to wonder if the next plug-in/editor/IDE/etc
I use is compromised by Kite or any other shady phone-home companies.

~~~
verdverm
use vim ;]

~~~
yvesmh
What's stopping Kite from grabbing one of your Vim plugins and adding
telemetry to it?

------
dsl
I just started picking up Python and was installing popular useful looking
addons from Atom. Surprisingly I got some Kite installer running from a syntax
highlighting package.

They seem to be very keen on paying addon developers to distribute their
crapware.

------
ekiminmo
It looks like we need to sandbox packages and put a permissions system in
place for atom/vscode/sublime. There's no reason why SideBarEnhancements needs
access to the internet.

------
omginternets
The best course of action in such cases is to vote with your feet.

~~~
numbsafari
The question is: to where?

Is there a single IDE with plugins that has a security model in place that
would prevent plugins from being taken over by nefarious asshats?

I love vim and emacs... but what's to keep them from being affected by the
same thing? Who has time to read all the source code of every
plugin/dependency that they use?

It's all about trust and what Kite is doing is completely destroying the
network of trust in each of the communities they choose to infect.

~~~
wishinghand
I think the person you're replying to meant not using Kite.

~~~
numbsafari
What keeps Kite from taking over another package?

~~~
omginternets
A failing business model.

Moreover, a valid solution doesn't have to solve _every_ problem. Abandoning
Kite is already a good start.

------
hd4
What I find most amusing about this company is that they even attempted to get
away with spying on people in a justly-paranoid/vigilant industry like ours.

Like, did they not think that we wouldn't catch them in the act?

Don't try to steal from thieves.

------
TaizWeb
Just uninstalled the package, are there any alternatives available? I can live
without it but it'd be nice if I had something to replace it with

~~~
joshschreuder
The current version on Github is clean (telemetry removed). You can always
fork it yourself, or just download the repo files and add to Sublime Text
3\Installed Packages.

If you have the .sublime-package file still, you can unzip it to that
directory and modify the extension

------
wedowhatwedo
I modified the Stats.py file in the SideBarEnhancements.sublime-package on my
computer to remove the line that references this IP address. I also made the
file read-only so it won't get updated. Does anyone know if that will take
care of the issue on my computer for now?

~~~
wbond
A new version of SideBarEnhancements is out with the stats removed. You should
get automatically updated the next time you restart Sublime Text or manually
upgrade the package.

------
thrillgore
At this point I'm really thinking that Atom, Sublime et al are lost causes. If
plugins makers will add their own telemetry I'll just go back to vim and be
done with it.

~~~
Ndymium
What is there to prevent a vim plugin author from adding the same kind of
features?

------
Gaelan
Disappointing. Kite looked like a really nice product.

