
there is a rather large amount of traffic generated from my machine for things like Sonos and Dropbox and the like, but eventually I tracked down what was being sent. Sure enough I could see all the text being sent, unencrypted, over HTTP

Another consequence of the "cloud everything" trend. I feel like it's almost a deliberate plan to make everyone's machines constantly send and receive data over dozens of active connections, so the odd one occasionally sending out something that shouldn't be will easily "get lost in the noise"... You could even say that at least this time they were nice enough to tell you and send data in cleartext so you can easily see what's going on. Imagine if it used HTTPS, added another layer of encryption/obfuscation on top of that, and the notice was buried deep in a long license agreement, how long would it take someone to discover it?

What astounds me is that 20K(!) Visual Studio users --- so presumably NOT the "average barely-computer-literate" user we often like to think of as being the ones to get fooled by schemes like this --- probably saw the notice, but didn't give a second thought to installing something like this? These are developers, the people writing today's and tomorrow's software. That makes me sad and scared for the future of privacy/security.

Then again, Microsoft's official Visual Studio privacy policy isn't all that much more reassuring:

https://www.visualstudio.com/en-us/dn948229

For pre-release and free versions of the software, users cannot opt out of usage data collection.

Bluntly stated, "You're the product."



What if I want to be the product? I could pay for Visual Studio Enterprise/Ultimate or whatever, or just accept that my usage is being tracked by MS. As long as they aren't being so egregious as to send the contents of my files, or sending over an unencrypted connection, I don't see why the makers of the product, offering it for free, can't track basic data.


They're not offering it for free then, they're offering it in exchange for your data, and that should be made clear when you make that transaction. You can't have a fair economic exchange when one party is deceived about what the costs are to them.


Who's being deceived? As GP points out, it's in the privacy policy: "For pre-release and free versions of the software, users cannot opt out of usage data collection."


There isn't enough time in the day to read all the privacy policies and terms of service for all the things that we use. Just because something is written in the small print does not magically make it OK.


I agree mostly, but come on, whenever a big company like MS, Google etc. puts this in a privacy policy, anyone on HN learns about it pretty quickly, and tbh I don't think anyone will upgrade to the paid version to prevent basic usage data collection.


Your data is a form of currency. Spend it however you wish.


It's probably worth pointing out that this is Visual Studio Code, rather than Visual Studio - the audience for the former is fairly small by comparison!


I've never used wireshark, but fwiw it's trivial to filter by destination with, for example, tcpdump.


The problem isn't filtering but determining what to look for - a lot of these are hosted on things like AWS or some CDN, which means machines with very generic hostnames, and you'd have to catch a meaningful DNS lookup to get started. If the traffic is encrypted, you still have no great idea what's actually being sent (is it fragments of the file you're working on, which keys you've pressed in the last 10 seconds, or an automatic update check? They could all be similar sizes), and if the application is doing security "correctly" it will be very hard to MITM.


It's actually pretty easy to mitm your own https with tools like mitmproxy: https://mitmproxy.org/

But in this case getting the application to use the proxy may have been tricky.


Wireshark's display filters are much nicer than tcpdump's BPF; a much simpler language definition.


Known as "capture filters" in Wireshark and as easy as: "host www.afterthedeadline.com".
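Once a capture is narrowed to one host, the remaining question is what the payload actually contains. The following is an added example (not code from the thread or from any project named here) that inspects cleartext HTTP POST bodies on port 80 and reports the form fields they carry; the request path and field names are constructed sample data, only the hostname comes from the thread.

```python
"""Report cleartext HTTP POSTs that carry form fields in a list of captured TCP payloads."""
from urllib.parse import parse_qs

# Constructed sample standing in for what a 'host www.afterthedeadline.com'
# capture filter would leave behind: (destination host, destination port, payload).
# The path "/check" and the field names are made up for this example.
SAMPLE_FLOWS = [
    ("www.afterthedeadline.com", 80,
     b"POST /check HTTP/1.1\r\nHost: www.afterthedeadline.com\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"key=abc123&data=the+secret+draft+i+was+typing"),
    ("api.example-cdn.net", 443, b"\x16\x03\x01\x02\x00"),  # TLS record, opaque
    ("update.example.com", 80,
     b"GET /check?v=1.0 HTTP/1.1\r\nHost: update.example.com\r\n\r\n"),
]


def parse_http_request(payload):
    """Split a raw HTTP/1.x request into (method, path, headers, body); None if not HTTP."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("ascii", "replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def find_cleartext_submissions(flows):
    """Return [(host, path, fields)] for unencrypted form POSTs; TLS flows are skipped."""
    findings = []
    for host, port, payload in flows:
        if port != 80:  # only cleartext HTTP can be read without a MITM proxy
            continue
        req = parse_http_request(payload)
        if req is None:
            continue
        method, path, headers, body = req
        if method != "POST" or "form-urlencoded" not in headers.get("content-type", ""):
            continue
        fields = {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}
        findings.append((host, path, fields))
    return findings


if __name__ == "__main__":
    for host, path, fields in find_cleartext_submissions(SAMPLE_FLOWS):
        print(f"{host}{path} received in the clear: {fields}")
```

To use it on a real capture, feed it the reassembled TCP payloads from tcpdump or Wireshark's "Follow TCP Stream" output instead of SAMPLE_FLOWS.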


yep cloud everything... noticed a while ago (after installing little snitch) that anything typed (and pasted?) into OSX ⌘-space search also calls out to the cloud to get suggestions. not cool.


This is explicitly called out when you start using Spotlight in OS X, and it links to an option which allows you to turn the feature off. This is a complaint about nothing.


I have never seen that dialogue. I started to use Spotlight before there was an internet feature to third parties, and have upgraded machines since then.


I guarantee you that you did see the dialog the first time you pressed ⌘-Space after upgrading to a version of OS X that includes Siri Search. You probably just skipped past it without thinking and then forgot.


Yep, it's still there in that case.


You also get told before you are mugged; telling you about it has absolutely no bearing on whether the action that follows is acceptable.

Even if they tell you about it, it's still a bad idea. There's plenty of legalese that people don't read because life is too short. It would be better if this wasn't the default.


Okay but in this case the mugger (spotlight suggestions) can also be told that no, actually, I don't want to be mugged, and it won't mug you.


I know, no analogy is perfect. I am saying that getting mugged or having your keystrokes sent somewhere is inherently bad as default and should be opt-in, not opt-out.



