I think the post is an overreaction. The plug-in author clearly stated the consequences of using his plug-in. The blogger clearly wants to make this a scandalous "exposé", but it just isn't, because there is no effort to deceive anyone of anything.
I also decided not to use the plug-in a few weeks ago, but was impressed that the author was open and transparent about its shortcomings. Labeling his efforts as "shocking" or "insane" is a tad over-dramatic, isn't it?
Besides, all this is on GitHub. Fork, pull and push your alternative, then post it on HN. Done!
It's not at all obvious to 95% or more of the plugin users that this is just an API for a web service. I wouldn't say it's intentionally deceptive or anything, but it's not an appropriate amount of notice.
I guess when one is considering using a package, they're supposed to read its README file. If they can't be bothered, well, that's their problem; even pages of notices won't help.
Some concepts have upsides and downsides such that notice may be required in order that the individual can make an informed decision and if they choose poorly it's on them.
Some ideas, like this one, are so bad that they shouldn't exist at all, on the premise that the idea of spell checking requiring sending all your documents over HTTP is so bad that anyone who runs it must perforce either not know or not understand, because understanding would lead any reasonable party not to install it.
Therefore the add-on exists only as a trap for the unwary or the stupid, makes the plugin ecosystem worse by existing, and thus ought to be deleted.
It's a clear and concise notice that both explains the issue, and warns about the implications, in less than three sentences. To me, it's perfectly appropriate. If you're in the 5%, then you're done grokking the notice, and you can move on however you choose. If you're in the 95%, then you have all of the keywords with which to do your due diligence before proceeding.
A lot of people sign NDAs when they work as programmers. Installing a spell-checker and accidentally breaking one's NDA seems like a valid surprise. That, and passwords in wp-config and similar files being commented out occasionally, make me actively avoid cloud solutions for spell checking.
> Installing a spell-checker and accidentally breaking one's NDA seems like a valid surprise.
No, that is a shocking lack of due diligence IMO.
Seriously, if we as developers can't be trusted not to install random junk without checking the consequences, how do we expect the user on the street to stop installing malware because they just have to take that "what Disney character's left testicle are you most likely to find in your coffee tomorrow" quiz?!
I've done projects under NDA for the Android platform, where using Android Studio today is almost mandatory.
After reading this post I remembered that Android Studio already has some kind of spell checking active by default, and to be honest I didn't read the complete source code of Android Studio and all the packages that are shipped with it by default. Who does that?
Maybe you do, but who is going to pay you for completing that task (as a programmer) and for reviewing every single update in the future?
There is a wide gulf of difference between installing an IDE from a trusted corporate entity, who would be sued if they did this kind of thing by default without warning, and installing a third-party open source plugin from a developer you've never heard of without reading the description.
>a trusted corporate entity who would be sued if they did this kind of thing by default without warning
Microsoft does key-logging by default in Windows 10. They don't hide the fact that they do key logging, but they don't advertise it to users either. And yes, it's key-logging even if they claim it's for "telemetry purposes only guys, for realsy".
There is a difference but it doesn't change anything for me as a contractor. I'd imagine suing Google or Apple would be no fun when I'm sued by some bank for a breach of NDA.
As a software dev we ideally should keep in mind for what kind of target audience we are developing our tools, and in this case it is obvious that this tool would be a problem for many if not most companies for security reasons.
Is there even a reason why anyone would want to have all his source code sent to some unknown third party? Or why this would be necessary for something like spell checking?
I doubt that the dev has bad intentions with this plugin, but imho this tool is badly designed and unusable. Doesn't matter how visible this information is, there are no justifications I can think of why I should allow my source code to be sent to a third party.
That is a lot of trust in a corporate entity who, in all honesty, tries to profit from you wherever possible, and they would not be sued if such items were spelled out in the TOS. In this plug-in, the plug-in author placed a notice where it could be found by anyone, not hidden away. Here, just as dspillett said, do your own due diligence and select products accordingly.
At the same time, even large trusted corporations can impose interesting license agreements (runtime or otherwise) that you had better be well versed in before you start creating releases of your product.
> but who is going to pay you for completing that task (as a programmer) and reviewing every single update in the future
If you can't factor it into your costs of doing business (that you pass on to the client) then you either have to factor it into your costs of doing business (that you have to eat) or decide to take the risk of not bothering.
The risk is yours to take should you choose, of course (or, if you don't work alone, the risk is your company's to take), and depending on the third party involved that risk might not be particularly high (as others have pointed out, the risk profile of relying upon Google is vastly different from that of a small add-in developer hardly anyone has heard of), but if the worst happens and you end up in court you won't be able to just dismiss it as "well, how was I to know?".
If you leak NDA covered client information through your use of a tool or service and the client finds out, "but you'd have never paid me enough that I could afford to be more careful" is not going to be a defence that will get you very far, unless of course you have paperwork that states they were aware (perhaps you included the time in your quote but they asked for that bit of work not to be done due to the expense).
> If you can't factor it into your costs of doing business (that you pass on to the client) then you either have to factor it into your costs of doing business (that you have to eat) or decide to take the risk of not bothering.
Thanks, I know this myself. But there is a reality in which no one will accept you factoring in the costs of analysing every tool used.
You try to do this -> someone else gets the contract
You try to change the contract to cover for this -> someone else gets the contract
So you have no choice but to take the risk. Fine. But that doesn't make it a "valid surprise".
In an ideal world it wouldn't matter: we'd have time to properly analyse everything we use, and clients wouldn't mind paying to have things done properly. We don't live in an ideal world, so someone somewhere needs to decide if the risk is worth taking. If you don't push that decision on to the client (because your competitors don't and you fear it will reduce your edge too much), then you have to make the choice and take responsibility for it.
My point is that this software is badly designed since almost no company would ever accept that the source code of their products will be sent to unknown third parties.
I mean the person that developed this plugin will probably also develop for some company and should know that.
So I can't see for which target audience this plugin is because almost everyone doing software development for a company would be excluded.
It's as if you designed a gun that will explode in your hands once you pull the trigger. What is the target audience here?
> You don't need to read the whole source code, but you should read the description
Would you dare to test this in a court? I wouldn't.
If the plugin author was really honest, he'd mention the fact that this spell checker is web based in the title or at the top of the description, where people actually read it.
Nobody would complain if this was called the "Web Based Spell Checker" or "After The Deadline Spell Checker".
I think that's a fairly prominent place, and the only explanation for installing this extension could be either that it's acceptable (for example if one's using MSVSC to edit Wikipedia articles or something like that) or negligence to read anything but the title (which can't be helped).
(Well, author could've put "[INSECURE!!!! WILL STEAL YOUR CODEZ!!!!1one]" in the title... but should he?)
Thank you for writing this! By reading the article I had exactly the same feeling.
The author of the extension was open and clear; the author of the post needs to keep this anger for secret but explicit surveillance programs, not optional online spellcheckers...
Yeah really, it just means now maybe people will have more options.
You can choose an easy simple not-private way of doing things, or you can do things in a private way.
Being up front about it is 100% the only way to manage this properly so what else can be done?
It's not like we should suddenly not make useful tools because they don't use end-to-end encryption on everything; not every action needs that level of protection, but some do.
I don't think it's an overreaction at all. Simply building the extension with those shortcomings, regardless of the documentation, was a terrible, irresponsible idea.
Because it's more time and effort to make a service that checks spelling (are you accounting for stems? Possessives? Other uses of the single quote such as contractions?) and suggests corrections than to wrap an already-existing service that does the same. I find it highly plausible that the author of the plug-in wrote it to solve their needs and just made it available because hey, it doesn't cost them anything.
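As an added example (not code from the extension or from anyone in this thread), here is a small offline checker in Python that handles exactly the cases the comment above lists as extra effort: possessives, contractions and crude suffix stemming. The dictionary, the contraction table and the sample sentence are constructed for the demo; a real checker would load a system word list such as /usr/share/dict/words. Nothing in it touches the network, which is the whole point of the thread.

```python
import re

# Constructed toy dictionary for the demo; a real checker loads a system word list.
DICTIONARY = {
    "the", "developer", "install", "plugin", "send", "document", "server", "to",
    "check", "spell", "word", "do", "not", "it", "is", "are", "can", "code",
    "review", "company", "policy", "we", "ship", "feature", "quick", "run", "but",
}

# Suffixes stripped when a word is not found as written (crude stemming).
SUFFIXES = ("ing", "ed", "es", "s", "ly", "er")

# Constructed contraction table: the token is checked as its expansion.
CONTRACTIONS = {
    "it's": ["it", "is"],
    "don't": ["do", "not"],
    "isn't": ["is", "not"],
    "we're": ["we", "are"],
    "can't": ["can", "not"],
}

# A word, optionally followed by apostrophe groups; a trailing bare apostrophe
# is kept so plural possessives such as "developers'" stay one token.
WORD_RE = re.compile(r"[A-Za-z]+(?:'[A-Za-z]*)*")


def candidates(word):
    """Yield the word itself, then suffix-stripped base forms to look up."""
    yield word
    if word.endswith("ies"):
        yield word[:-3] + "y"              # companies -> company
    for suf in SUFFIXES:
        if word.endswith(suf) and len(word) - len(suf) >= 2:
            base = word[: -len(suf)]
            yield base                     # documents -> document
            if len(base) >= 2 and base[-1] == base[-2]:
                yield base[:-1]            # shipped -> shipp -> ship
            if suf in ("ing", "ed", "er"):
                yield base + "e"           # coded -> cod -> code


def known(word):
    return any(c in DICTIONARY for c in candidates(word))


def check_token(token):
    """Return the sub-words of one token that the dictionary does not know."""
    w = token.lower()
    if w in CONTRACTIONS:
        return [part for part in CONTRACTIONS[w] if not known(part)]
    if w.endswith("'s"):                   # developer's
        w = w[:-2]
    elif w.endswith("'"):                  # developers'
        w = w[:-1]
    return [] if known(w) else [w]


def check_text(text):
    """Return (offset, token) for every unrecognised token in text.

    The typographic apostrophe is folded to ASCII first; both are one
    character, so offsets into the original text stay correct.
    """
    text = text.replace("\u2019", "'")
    return [(m.start(), m.group()) for m in WORD_RE.finditer(text)
            if check_token(m.group())]


# Constructed sample: one real misspelling ("reviw") among possessives,
# contractions and inflected forms that a naive lookup would flag.
SAMPLE = ("The developer's plugin sends documents to the server. It's quick, "
          "but we don't reviw the companies' policies. Shipped!")

if __name__ == "__main__":
    for offset, token in check_text(SAMPLE):
        print(f"{offset}: {token}")
```

Run it on the sample and only "reviw" is reported; everything else resolves through the possessive, contraction or stemming paths. The stemmer is deliberately crude (it accepts a few non-words), which is the trade-off the comment above is pointing at: doing this properly offline is real work, but the document never leaves the process.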
I've found local spellcheckers really unreliable. They never catch obscure or niche words, or grammar. Chrome has an option to ask google for spelling suggestions and it makes it much more reliable.
I agree, also considering that virtually every spell checker these days uses an online API rather than offline dictionary + semantic grammar rule checks you shouldn't use any of those for sensitive documents regardless of them using HTTPS or not.