So this is something I'm not sure I've ever said before, but if you work for Kite, you need to quit.<p>Like, I get working for even exploitative companies (though I won't)--economic insecurity is definitely a thing and we all gotta eat. But you can find a job that doesn't involve literally spying on the down-low. I promise you, you can.<p>Abandon these jerks before they bring <i>you</i> down with them. They've demonstrated a willingness to screw people and even if you don't really care about them screwing other people, they'll screw you too.<p>EDIT: Also, because it's on-topic and the post on HN seems to have gone ignored, somebody is typo-squatting `cross-env` on NPM and dumping environment variables to a Chinese server run by "HackTask", it probably deserves a signal boost: <a href="https://twitter.com/o_cee/status/892306836199800836" rel="nofollow">https://twitter.com/o_cee/status/892306836199800836</a> <a href="https://news.ycombinator.com/item?id=14901566" rel="nofollow">https://news.ycombinator.com/item?id=14901566</a>
/u/michael0x2a on Reddit put together a nice tl;dr[1] of the story arc for those that don't want to dig through the thread.<p>tl;dr for that is basically:<p>Kite has been collecting "anonymous" data from Sublime users with the <i>SideBarEnhancements</i> plugin installed. This has been happening for at least a year and the data collected included <i>activeNonBundledPackageNames</i>, which is basically a list of packages installed via Package Control.<p>It seems they were intentionally unclear about who the data was sent to and did not think to remove it from the plugin after the Atom Minimap incident because:<p><i>> the truth is we didn't remember</i> [2]<p>[1] <a href="https://www.reddit.com/r/programming/comments/6qwtfz/kite_injected_telemetry_into_the_third_most/dl0psv0/" rel="nofollow">https://www.reddit.com/r/programming/comments/6qwtfz/kite_in...</a><p>[2] <a href="https://forum.sublimetext.com/t/rfc-default-package-control-channel-and-package-telemetry/30157/30" rel="nofollow">https://forum.sublimetext.com/t/rfc-default-package-control-...</a>
I'd implement an industry-wide blacklist, personally. This is strike number, two? three? of this company subverting well-known packages with telemetry. Any package that is proven to be connecting to their servers should be removed, the authors should be banned, and the company should be thrown onto a list of Known Bad Actors to prevent any kind of package, add-on, or extension from ever accepting them again.<p>You <i>cannot</i> fight this kind of malevolence with a finger-wag and a proposed solution that you simply <i>inform</i> the user next time before doing it. It will become buried inside the ToS and become ignored and commonplace. Stop it now and forever, while the spotlight is on it.
/sarcasm Really looking forward to reading the Kite blog post this time around: "Staying Open (Still): Kite Responds To the SideBarEnhancements Issue." /sarcasm<p>Sorry Kite - fool us once, shame on you. Fool us twice, shame on us. There's now a 0% chance of my ever using your products or services.
they're also obscuring who this log data is being sent to by just posting JSON to an ec2 IP address (52.52.168.91). The server tries hard to not let you know it belongs to Kite. You know someone is ashamed of what they're doing when they take efforts to mask who's doing it.<p>But you can see kite's own installer uses the same ip address for its telemetry: <a href="https://github.com/kiteco/kite-installer/blob/master/ext/telemetry/telemetry.js#L9" rel="nofollow">https://github.com/kiteco/kite-installer/blob/master/ext/tel...</a>
Deeply concerning that this has been in place for "the better part of a year", and that they "didn't remember" about their telemetry collection - how careless have they been with the actual data, if they don't even claim to be able to keep track of gathering it?<p>This is a complete destruction of their narrative from last week. They'll be sorry for being caught - again - and we'll have to be on continual lookout for this kind of thing in the future. I can't wait for the floodgates to open, once major tech companies figure out that there's not enough oversight to prevent this 100% of the time: I expect more than a few projects to be bought out similarly.
This is why I use Little Snitch. If there are any rogue outgoing connections, I will know about it. I am extremely selective with the connections I allow my machine to make.
On the topic of tracking, you might want to check your browser extensions as well.<p>I discovered tracking codes inside a browser extension back in 2013, and I doubt that it would be the last one:<p><a href="https://paradite.com/2013/12/07/solved-issue-with-vglnk-all-websites-having-a-script-related-to-vglink-attached-to-the-end/" rel="nofollow">https://paradite.com/2013/12/07/solved-issue-with-vglnk-all-...</a><p>(Ironically by visiting my blog post you are contributing to tracking by Google Analytics)
Interesting growth model: buying out developers of popular packages and adding telemetry or the Kite product.<p>You just kill all credibility on the way and you will be outlawed by maintainers etc.<p>We may be many, but at certain bottlenecks ethics is still high, and with OSS we are able to just fork packages.<p>As companies start to exploit developers' trust we have to rethink the security model inside our IDEs and probably move to a smartphone-like sandbox model.
I just started picking up Python and was installing popular, useful-looking addons from Atom. Surprisingly I got some Kite installer running from a syntax highlighting package.<p>They seem to be very keen on paying addon developers to distribute their crapware.
It looks like we need to sandbox packages and put a permissions system in place for atom/vscode/sublime. There's no reason why SideBarEnhancements needs access to the internet.
What I find most amusing about this company is that they even attempted to get away with spying on people in a justly-paranoid/vigilant industry like ours.<p>Like, did they not think that we wouldn't catch them in the act?<p>Don't try to steal from thieves.
I modified the Stats.py file in the SideBarEnhancements.sublime-package on my computer to remove the line that references this IP address. I also made the file read-only so it won't get updated. Does anyone know if that will take care of the issue on my computer for now?
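A defender-side check for the situation described in the thread (a package's Stats.py posting to a bare EC2 IP): an added example, not code from the thread or from SideBarEnhancements or Kite, that audits installed Sublime Text packages for hard-coded IPs, URLs and the calls that would send data. The sample archive it builds is constructed for the demo; the IP in it is the one quoted above, and the config directory path is whatever you pass in.

```python
"""Audit Sublime Text packages for hard-coded network endpoints (added example,
not code from the thread or from any real package). It opens every .sublime-package
archive (a zip) and loose .py file under a directory and reports what it finds."""
import io
import re
import zipfile
from pathlib import Path

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s'\"]+")
NET_CALLS = re.compile(r"\b(urllib\.request|urlopen|http\.client|requests\.(?:get|post)|socket\.create_connection)\b")


def scan_source(text):
    """Return {category: sorted hits} for one source file; empty dict if nothing suspicious."""
    hits = {"ips": IPV4.findall(text), "urls": URL.findall(text), "net_calls": NET_CALLS.findall(text)}
    return {k: sorted(set(v)) for k, v in hits.items() if v}


def scan_package_bytes(pkg_name, data):
    """Scan every .py member of a .sublime-package archive (it is a plain zip)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if member.endswith(".py"):
                hits = scan_source(zf.read(member).decode("utf-8", "replace"))
                if hits:
                    findings[pkg_name + "/" + member] = hits
    return findings


def scan_packages_dir(root):
    """Walk a Sublime config dir (assumed path); scan archives and loose .py files."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.suffix == ".sublime-package":
            findings.update(scan_package_bytes(path.name, path.read_bytes()))
        elif path.suffix == ".py":
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


def build_sample_package():
    """Constructed archive: a Stats.py that posts to a bare IP, as described in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Stats.py", "import urllib.request\nURL = 'http://52.52.168.91/'\n"
                    "def send(data):\n    urllib.request.urlopen(URL, data=data)\n")
        zf.writestr("SideBar.py", "def open_file(path):\n    return path\n")
    return buf.getvalue()
```

Running `scan_packages_dir` over your Sublime Text config directory lists each file that embeds an endpoint or a network call, so a package like SideBarEnhancements shows up by its Stats.py rather than by its UI behaviour; review the hits by hand, since a legitimate updater will also match.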
At this point I'm really thinking that Atom, Sublime et al are lost causes. If plugins makers will add their own telemetry I'll just go back to vim and be done with it.