Dear Kite,
I really love this idea, but <i>hell</i> no I'm not using it yet. Here's why... I'll cut to the point here, so please forgive the bluntness, as I mean no insult or accusation, just honest criticism, and I'm gonna try to cover a lot in as small a space as possible.

There's not even a mention on kite.com about how data is handled that I can find anywhere. What is the method of transport? What stands between skids and my code? The server my data goes to, is it shared VPS hardware waiting to get pwned by your neighbor, xtremecrackz.zyx, or is it on private servers guarded by a three-headed puppy named Κέρβερος, 13 ninja, and biometric security? Does the page even mention this <i>is</i> a cloud service somewhere? I see support for VS Code but not MSVS proper, Emacs but not specifically GNU/Linux yet; Mac support but not Linux, in spite of at least $4M USD in seed and 3 years of development (source: Crunchbase [1])? The Windows download page gives instructions for bypassing SmartScreen warnings, meaning your code signing certificate has no reputation with Microsoft yet, if I understand correctly. Frankly, I didn't think "Adam Smith" was even a real person until I checked it out. LOL, sorry bro, but it sounds kinda generic to someone skeptical, I guess. Maybe you assume trust since you travel in the circles you do, but we nutjobs like stuff in writing, and trust assumptions without verification are bad practice anyhow -.-

(on trust)

Your investor, who may or may not provide the same or similar "Kite" software discussed in GCHQ leaks as a "correlates-anything" solution, Palantir Technologies, has been standing in the suspiciously shadowy center of a maelstrom in some circles. I like them supporting our warfighting, but not working against the people of the United States, or anyone's civilians for that matter; however, that's an argument for the agencies they contracted with. I've watched my brothers bleed out defending the rights their software has helped undermine; I'm not sure how to feel about them at all right now. Do I want to give my code to their creepy software? No, not really, since I'd have to consider that if they got a contract they might, without even knowing the end use, build software to guide Terminators to hunt down and kill civilians who write bad code or wear plaid socks. Seriously though: eyebrow raised.

(advice)

I would add more clear information about how this all works. A link to security answers should come up before the footer IMO, given the nature of this product. Having to go out of my way to look for it, I guess it seems like security was an afterthought. I can appreciate your blog post about security [2] and the main security page which links to that article (merge these?), but they fail to answer almost all of my questions. They imply that the service isn't really ready for the spotlight, but do not explicitly say anywhere to safeguard sensitive stuff or not to trust everything just yet; it seems softly implied to me.

(bigFoilHat)

This might sound far out to some, feel free to ignore or laugh, but if I were an evil puppet master, I'd have my cybersecurity and intelligence contractor who provides access to mission-critical software or monetary capital for a startup attempt to leverage this relationship to gain information about code in the wild and specific targets' code using this service, perhaps to have software look for opportunities to steal parts of keys, suggest code changes to enable exploitation, or forward copies of code from persons of interest to investigators. I might ask them to approach them as patriots in the interest of the GWOT and all things decent, to tacitly and deniably or perhaps even expressly cooperate with legally and morally grey-area surveillance operations. Perhaps if there is no cooperation, or just to keep it quiet, I might suggest they infiltrate Kite.com and gain the ability to intercept data clandestinely by using their trust and rapport with company leadership. "Plz send all code to spies and disable security stuffz kthxbai." I can weaken my own PRNGs and send copies of my code for spooks to analyze by myself without assistance, thanks. Again, I'm attempting to honestly characterize how it makes me feel, just sayin'. I simply have no way to even fool myself into thinking I can know what goes on with my data after it leaves my PC. How do I even build rules for my firewalls? What are the parent processes which need communication, on which ports, using what protocols? Which servers will it upload to? Can we blacklist certain destinations by region or other attributes? I think you need a more robust explanation on the site before us crazy people are satisfied.

(bigFoilHat Q)

HN: what say you, am I just being paranoid here in thinking that users' analyzed code may end up being displayed on an alphabet soup agency wiki somewhere, along with download links for tools to suprisebuttsecks us being passed out to every malware-hoarding contractor who accidentally skated past the SF-86? Maybe I'm just having a bad bout of Stallman Syndrome. One might argue "99.99% of users' code will be useless fluff and bizcruft, who cares if they copy my der.py code?" but finding that 0.01% relevant signal in the noise is exactly what Palantir does for customers, isn't it? So how can I flippantly dismiss the notion?

(Q) Do you sell, gift, trade, share, or otherwise disclose or knowingly make available any information about users' personal data or source code, even if anonymized or generalized in reports and detached from identifying information, to other parties? Can/will/do these parties include your investors? Does Palantir Technologies store, use, or have access to, at any time, our source code or any information about it or ourselves?

That said, it sounds cool as phrack and I would love to see this in many languages and editors, but only if it can be trusted somehow. I'll be watching and investigating, thanks for sharing this on HN,

-Ax

[1] https://www.crunchbase.com/organization/kite-com/
[2] https://kite.com/blog/thoughts-on-security

Please correct anything I am mistaken about; I admit I could be completely off the mark here.