
Want to spell check? Read the fine print - exolymph
http://samnewman.io/blog/2016/05/30/want-to-spell-check-read-the-fine-print/
======
userbinator
_there is a rather large amount of traffic generated from my machine for
things like Sonos and Dropbox and the like, but eventually I tracked down what
was being sent. Sure enough I could see all the text being sent, unencrypted,
over HTTP_

Another consequence of the "cloud everything" trend. I feel like it's almost a
deliberate plan to make everyone's machines constantly send and receive data
over dozens of active connections, so the odd one occasionally sending out
something that shouldn't be will easily "get lost in the noise"... You could
even say that at least this time they were nice enough to tell you and send
data in cleartext so you can easily see what's going on. Imagine if it used
HTTPS, added another layer of encryption/obfuscation on top of that, and the
notice was buried deep in a long license agreement, how long would it take
someone to discover it?

What astounds me is that 20K(!) _Visual Studio_ users --- so presumably NOT
the "average barely-computer-literate" user we often like to think of as being
the ones to get fooled by schemes like this --- probably saw the notice, but
didn't give a second thought to installing something like this? These are
developers, the people writing today's and tomorrow's software. That makes me
sad and scared for the future of privacy/security.

Then again, Microsoft's official Visual Studio privacy policy isn't all that
much more reassuring:

[https://www.visualstudio.com/en-us/dn948229](https://www.visualstudio.com/en-us/dn948229)

 _For pre-release and free versions of the software, users cannot opt out of
usage data collection._

Bluntly stated, "You're the product."

~~~
startling
I've never used wireshark, but fwiw it's trivial to filter by destination
with, for example, tcpdump.

~~~
userbinator
The problem isn't filtering but determining what to look for - a lot of these
are hosted on things like AWS or some CDN, which means machines with very
generic hostnames, and you'd have to catch a meaningful DNS lookup to get
started. If the traffic is encrypted, you still have no great idea what's
actually being sent (is it fragments of the file you're working on, which keys
you've pressed in the last 10 seconds, or an automatic update check? They could
all be similar sizes), and if the application is doing security "correctly" it
will be very hard to MITM.

~~~
startling
It's actually pretty easy to mitm your own https with tools like mitmproxy:
[https://mitmproxy.org/](https://mitmproxy.org/)

But in this case getting the application to use the proxy may have been
tricky.

------
demarq
I think the post is an overreaction. The plug in author clearly stated the
consequences of using his plug in. The blogger clearly wants to make this a
scandalous "exposé" but it just isn't because there is no effort to deceive
anyone of anything.

I also decided not to use the plug in a few weeks ago but was impressed that
the author was open and transparent of its shortcomings. Labeling his efforts
as "shocking" or "insane" is a tad over dramatic isn't it?

Besides all this is on github. Fork pull and push your alternative then post
it on HN. Done!

~~~
iopq
Why a plug-in has to send everything through the web instead of just having a
dictionary is beyond me.

~~~
andreareina
Because it's more time and effort to make a service that checks spelling (are
you accounting for stems? Possessives? Other uses of the single quote such as
contractions?) and suggests corrections than to wrap an already-existing
service that does the same. I find it highly plausible that the author of the
plug-in wrote it to solve their needs and just made it available because hey,
it doesn't cost them anything.

~~~
yAnonymous
I want to believe, but
[https://news.ycombinator.com/item?id=11805189](https://news.ycombinator.com/item?id=11805189)

Instant uninstall. This is exactly the kind of crap I expected when MS
announced they'd invest in open source.

------
zerocrates
> This peaked my interest - who were the people behind this service?

I just had to check, and am sad to report After the Deadline wouldn't have
caught this error ("peaked" for "piqued") even if the author had still been
using it.

More relevantly, am I wrong in thinking that After the Deadline _does_
actually support HTTPS? An HTTPS request [1] seems to work fine. The article
muses on this point a little, but maybe it is just the "teacher" module at
fault after all?

[1]
[https://service.afterthedeadline.com/checkDocument?key=test-...](https://service.afterthedeadline.com/checkDocument?key=test-hn&data=sneak%20peak)

~~~
samnewman
I'll update the post, thanks!

~~~
CarolineW
Since you're here:

    
    
      > ... any text opened in Visual Studio Code
      > with this extension loaded would be send ...
                                            ^^^^
    

I suspect that should be "sent".

~~~
samnewman
Thanks - fixed!

------
c_hackett
So I spotted the same problem on 6th May 2016 and sent a PR (which was merged)
to update the description shown in VS Code to "Detect mistakes as you type and
suggest fixes using a web service"

PR [https://github.com/Microsoft/vscode-spell-check/pull/30](https://github.com/Microsoft/vscode-spell-check/pull/30)

But it seems this was reverted in a more recent commit.

#letTheConspiracyTheoriesBegin

~~~
seanmcb
This was an oversight by me in a recent update - however - I've resolved it and
with any luck made the statement even more visible for the users/anyone who
does an update.

------
jcoffland
This cloud thing has gotten really ridiculous lately. I was at the Maker Faire
recently and this guy at one of the booths was pontificating on the virtues of
their 3D printing platform which ran in the cloud. Finally he finished with,
"I'd love to give you a demo but we've been having trouble with the wifi all
day." If I was drinking milk it would have shot out my nose.

~~~
JustSomeNobody
At least you weren't drinking the Kool-Aid.

------
itajaja
The plugin author should definitely be blamed for this. But I think that the
root problem is with the `teacher` npm package. An issue[0] was also opened
just 6 days ago raising doubts about using http.

[0]
[https://github.com/vesln/teacher/issues/4](https://github.com/vesln/teacher/issues/4)

~~~
gruez
No, the root problem is using an online service for spellchecking when every
other decent editor does it locally.

~~~
greggman
Online spell checkers are better along many axes. For example they can spell
check names in the news and slang that's likely not in an offline dictionary.

~~~
icebraining
Why can't you just add those names and slang to the dictionary?

~~~
dingo_bat
Because an online service can dedicate 10TB of disk space to spell checking,
while your laptop with a 512GB SSD won't like to store >100MB for the
spellchecker.

~~~
tamana
Look up "bloom filter" and the computer science of spellcheck.

You are off by a factor of 1000 or more for cost of spellcheck
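
The size argument in the two comments above (a dictionary needs nowhere near 100 MB, and a Bloom filter is the classic way to keep it small and local) worked through as an added example; this is not code from the thread or from any spell-checking project, and the word list is a constructed stand-in for a real dictionary file.

```python
import hashlib
import math


def bits_needed(n_words: int, false_positive_rate: float) -> int:
    """Bloom filter size m (bits) for n words at a target false-positive rate p."""
    return math.ceil(-n_words * math.log(false_positive_rate) / (math.log(2) ** 2))


def hashes_needed(n_bits: int, n_words: int) -> int:
    """Optimal number of hash functions, k = (m / n) * ln 2."""
    return max(1, round((n_bits / n_words) * math.log(2)))


class BloomFilter:
    """Compact set membership: an added word is never reported missing; a word
    that was not added is reported present only with probability ~p. That is
    all a spell checker needs from its word list, and nothing leaves the machine."""

    def __init__(self, n_words: int, false_positive_rate: float = 0.01):
        self.m = bits_needed(n_words, false_positive_rate)
        self.k = hashes_needed(self.m, n_words)
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, word: str):
        # Kirsch-Mitzenmacher double hashing: two 64-bit halves of one SHA-256
        # digest stand in for k independent hash functions.
        d = hashlib.sha256(word.lower().encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, word: str) -> None:
        for p in self._positions(word):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, word: str) -> bool:
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(word))


# Constructed sample word list; a real checker would load a dictionary file here.
SAMPLE_WORDS = ["this", "my", "check", "spell", "piqued", "peaked",
                "interest", "service", "dictionary", "offline"]


def build_checker(words, false_positive_rate: float = 0.01) -> BloomFilter:
    bf = BloomFilter(len(words), false_positive_rate)
    for w in words:
        bf.add(w)
    return bf


def misspelled(text: str, checker: BloomFilter) -> list:
    """Words of `text` not found in the local word list (punctuation stripped)."""
    tokens = (w.strip(".,;:!?\"'") for w in text.split())
    return [t for t in tokens if t and t.lower() not in checker]
```

`bits_needed(500_000, 0.01)` comes out just under 4.8 million bits, i.e. under 600 KB for a half-million-word list at a 1% false-positive rate, with every lookup done locally.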

~~~
AlexandrB
I think "the cloud" is making people forget how _simple_ some common features
actually are. The default assumption seems to be that it needs to be in the
cloud because it's too hard to do locally.

------
timhaines
There's a PM at Microsoft called Sean McBreen who works with Visual Studio.
Probably the same guy. He's posted his email address publicly before -
smcbreen@microsoft.com (i.e. here
[https://github.com/Armitxes/VSCode_SQF/issues/2](https://github.com/Armitxes/VSCode_SQF/issues/2)
)

~~~
samnewman
Thanks Tim - I had just started trying to track Sean down, so this will help!
Will update the post if I hear anything back from him.

------
kogus
What does it take to get listed in the Visual Studio extensions dialog? If
there is a review process, it should probably include a requirement that
"transmitting your code across the wire" requires explicit consent each time,
or something similar.

------
jmspring
If you are on OS X, buy and run Little Snitch. The connections for outbound
requests are quite amazing.

~~~
wingerlang
It gets really annoying really fast though.

~~~
fishanz
I agree. Run Charles Proxy on their free trial for 15 minutes with the OS X
proxy turned on and find out what your Mac is really sending out and taking
in. Then buy it because it's an incredible tool that proves extremely useful
when debugging your own work!

~~~
wingerlang
Technically I think they are different beasts. Charles proxy is for, as you
say, inspecting and debugging. Little snitch is for making a white/blacklist
of connections.

That being said I 100% agree that Charles is a fantastic application.

~~~
voltagex_
Getting offtopic here - if I wanted egress filtering at the router level, what
could I add to my network that wouldn't force LAN traffic through the same
port? OpenWRT isn't an option on my router because the 802.11AC radios aren't
(and probably will never be) supported.

Happy to add another {mips32,armv7} box to my network, though.

~~~
wingerlang
I'd love to help you but this is not my area of expertise. (Just responding as
you replied to me, hopefully someone else can chime in).

------
cwilkes
I'll give a reason why I would have chosen this route by way of example. A
Hololens hackathon I went to had us using Unity and C sharp. Not knowing C
sharp I still wanted to participate so I learned enough of it to be able to
post to a python script in AWS where I could actually do some work.

Could I have done that locally? Sure but I didn't know the language. I just
wanted to get something done and it did the job pretty well.

Maybe that applies in this situation? I don't know. Course what I was doing
was for a throwaway project that I wasn't planning on releasing to the world.

------
btrask
We could really use a decentralized spell checking service. I'm thinking a
blockchain, maybe Ethereum.

Edit: Poe's law.

~~~
GuiA
Please make a compelling case as to why a distributed solution is warranted
for spell checking?

~~~
pkaye
Doesn't Google use a large corpus of documents along with machine
learning/statistical analysis to do spelling and grammar checking? The same
way they do language translation.

~~~
tamana
You are confusing index building with index lookup.

------
labmice
Well.... Don't know if you already know about it... but After the Deadline was
written by Raphael Mudge, the creator of Armitage and Cobalt Strike. See the
1st video on this site
[http://www.hick.org/~raffi/afterthedeadline.html](http://www.hick.org/~raffi/afterthedeadline.html)
Also if you go to 02:40 he says that Hacker News is his favorite site.
Inception...

------
tombert
I kind of wonder why no one just forks the (Libre/Open)Office spell-checker
and designs a plugin around that. Doesn't that work totally fine offline?

------
nanis
I guess a spell checker once again is a major feat of software engineering:
[http://prog21.dadgum.com/29.html](http://prog21.dadgum.com/29.html)

------
SZJX
Well this seems to be an exaggeration. Does this plugin also send anything for
non-text based files at all?

------
trtr
tremendous

------
yAnonymous
The plugin is managed by a Microsoft employee, but unlike other MS plugins, it
has the author name instead of "Microsoft", which makes it even more
suspicious.

The description was changed to reflect that it uses a web service at one
point, but the change was reverted.

[https://github.com/Microsoft/vscode-spell-check/pull/30](https://github.com/Microsoft/vscode-spell-check/pull/30)

So no, the post is not overdramatic at all.

~~~
MOARDONGZPLZ
I work for a large organization and make and manage personal programs all the
time with absolutely no relationship to or input from my parent organization.
Occasionally I am allowed to put them on the Org's Github if they're useful and
relevant to the mission. It's a cool little perk because it can give personal
projects more visibility.

I'm not saying it's _not_ suspicious (I don't think it is though), but I don't
think that a Microsoft employee creating their own plugin, even under
Microsoft's Github, makes it suspicious.

~~~
yAnonymous
And what about the secretly reverted plugin description? Must have been a
weird accident.

------
DominikR
I have finished a few projects as an external contractor for companies in the
financial sector and many would be surprised how paranoid these companies are
about the source code.

Aside from the (sometimes insane) checks they have in place I've also had to
sign an NDA.

I doubt that the creator of this plugin had bad intentions, but using this
plugin could cause some programmers to be dragged in front of a court.

I believe the warning should be more visible.

------
dragandj
Wait a minute. Microsoft did something to deceive the users of its "free"
Visual Studio? Why does this not surprise me...

I can understand why people used Visual Studio 20 years ago - decent free
alternatives were lacking. But in 2016? And no less than for markdown!

~~~
Hondor
What alternatives are there? Just recently there was a HN story about a great
add-on for Emacs that would find the definition of a symbol. That's been in VS
for a decade or two but open source editors apparently don't have it. Same
goes for renaming things and having them automatically renamed everywhere
else. Background compiler that underlines and even corrects your errors as you
type - what else does that?

~~~
wtbob
> Just recently there was a HN story about a great add-on for Emacs that would
> find the definition of a symbol. That's been in VS for a decade or two but
> open source editors apparently don't have it.

ctags has existed since 1979, which is almost 40 years ago. The thing you read
about implements a different way to find definitions.

