
Being open source means very little when they won't merge PRs, like this one to support disabling streaming one's network behavior to `log.tailscale.com`: https://github.com/tailscale/tailscale-android/pull/695

Heh, that's my PR. Initially I thought it would be a trivial change, but then I realized I hadn't considered how it should interact with MDM / device posture functionality - these aren't features I'm personally using with the Android client, but are understandably important to enterprises.

I still hope to get back to that and try to get it to a state where it can be merged, but I need to figure out how to test the MDM parts of it properly, and ideally get a bit of guidance from the tailscale team on how it should work/is my implementation on the right track (think I had some open questions around the UI as well)


Let's stop moving the goalposts. Open source has a specific definition, and "they merge whatever code I want them to" isn't part of it. Just fork the client, compile it, and run it yourself.

An option to disable telemetry is important.

It's not "whatever code".


You're welcome to fork it



Open source = I should be able to fork it, change it, and use it

Open source = The maintainers should build exactly what I hysterically scream at them

If I had to choose one definition of open source from these two options, it's going to option 1 I'm afraid.


Once again confusing Open Source with Free Software.

Neither "open source" nor "free software" has ever meant that the developers must accept contributions from third parties.

Literally nothing to do with that distinction.

It seems to have a BSD license, what more are you looking for?

You control what software you install

> How does Tailscale make money?

They spy on your network behavior by default, so free users are still paying with their behavioral data. See https://tailscale.com/docs/features/logging

“Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.com). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”

They know what you're doing, when, from where, to where, on your supposedly “private” network. It's possible to opt out on Windows, on *nix systems, and when using the non-GUI client on macOS by enabling the FUD-named “TS_NO_LOGS_NO_SUPPORT” option: https://tailscale.com/docs/features/logging#opt-out-of-clien...

It is not currently possible to opt out on iOS/Android clients: https://github.com/tailscale/tailscale/issues/13174

For an example of how invasive this is for the average user, this person discovered Tailscale trying to collect ~18000 data points per week about their network usage based on the number of blocked DNS requests for `log.tailscale.com`: https://github.com/tailscale/tailscale/issues/15326


I'd love to have someone else chime in on this because I did some spelunking and am not sure if this comment is true.

I checked my DNS logs and saw zero attempts to resolve `log.tailscale.com` having run tailscale for many years (I added it to a blocklist anyway). From their admin panel, it appears "networking logging" requires paying for Premium[0], so it's not being used for free users (or Personal Pro).

Also, from looking at some source code (because the docs don't include this), I discovered you can disable logging for the macOS App Store client by doing:

     echo "TS_NO_LOGS_NO_SUPPORT=true" > ~/Library/Containers/io.tailscale.ipn.macos.network-extension/Data/tailscaled-env.txt
[0]: https://login.tailscale.com/admin/logs/network
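Putting the opt-out described in the two comments above into a repeatable form: the following is an added example, not Tailscale's own tooling. It writes `TS_NO_LOGS_NO_SUPPORT=true` into the environment file tailscaled reads, replacing an existing assignment instead of clobbering the whole file the way `echo ... > file` does. The Linux path `/etc/default/tailscaled` is the EnvironmentFile of the packaged systemd unit (assumption: you run that unit); the macOS App Store path is the one quoted in the comment above.

```python
"""Opt a tailscaled install out of log streaming, idempotently.

Added example, not Tailscale's own tooling. Paths are assumptions:
/etc/default/tailscaled is the EnvironmentFile of the packaged systemd unit on
Linux; the macOS App Store path is the one quoted in the thread.
"""
from pathlib import Path

KEY = "TS_NO_LOGS_NO_SUPPORT"


def default_env_file(platform):
    """Where tailscaled reads KEY=VALUE lines on each platform (see docstring)."""
    if platform == "linux":
        return Path("/etc/default/tailscaled")
    if platform == "macos-appstore":
        return (Path.home() / "Library/Containers"
                / "io.tailscale.ipn.macos.network-extension/Data/tailscaled-env.txt")
    raise ValueError(f"no known env file for {platform!r}")


def _key_of(line):
    """Name on the left of '=' for an assignment line, else None (comments, blanks)."""
    s = line.strip()
    if not s or s.startswith("#") or "=" not in s:
        return None
    return s.split("=", 1)[0].strip()


def upsert_env(path, key=KEY, value="true"):
    """Set key=value, replacing an existing assignment (and dropping duplicates)
    or appending one; other lines are preserved. Returns True if the file changed."""
    path = Path(path)
    old = path.read_text() if path.exists() else None
    out, found = [], False
    for line in (old or "").splitlines():
        if _key_of(line) == key:
            if not found:
                out.append(f"{key}={value}")
                found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    new = "\n".join(out) + "\n"
    if new == old:
        return False
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(new)
    return True


def is_opted_out(path, key=KEY):
    """True if the last assignment of key in the file is a truthy value."""
    path = Path(path)
    if not path.exists():
        return False
    val = None
    for line in path.read_text().splitlines():
        if _key_of(line) == key:
            val = line.strip().split("=", 1)[1].strip().strip("\"'")
    return val is not None and val.lower() in ("true", "1", "yes")


if __name__ == "__main__":
    import sys
    target = default_env_file(sys.argv[1] if len(sys.argv) > 1 else "linux")
    changed = upsert_env(target)
    print(f"{target}: {'updated' if changed else 'already set'}; "
          f"opted out: {is_opted_out(target)}")
```

The daemon only reads the file at start, so restart it afterwards (`sudo systemctl restart tailscaled` on Linux, quit and relaunch the App Store client on macOS). Verify by watching your resolver or firewall logs for `log.tailscale.com`: a correctly opted-out node stops querying it.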

That’s misleading; you have to pay extra to get access to that feature.

Pretty much this. DNS, SNI, and otherwise plaintext traffic sniffing. That together with user/device 'fingerprinting' (a much more amorphous concept), and that's why such-and-such thing you were just talking about with so-and-so pops up on your screen/feed/whatever, sometimes only minutes later.

I highly doubt any of this can actually be opted-out of. How else would they stay in business?


The `TS_NO_LOGS_NO_SUPPORT` option opts out of all log collection, and says in the name why it is collected in the first place. Tailscale has support for all users, including free, and having access to logs has to be how they can provide free support. Having quick access to logs reduces the time it takes to handle tickets, so they can help more people quickly and don't need to limit support to only paying users.

The core client code is open source, feel free to inspect it yourself.


The client may be open source. But the service is obviously not.

Don't let that deter you from trusting whomever you choose, though.


They specifically avoid sending traffic through tailscale servers whenever possible. That’s how the free tier stays free. Most connections are direct, P2P.

The traffic that does go through their servers is encrypted, and bandwidth limited on the free plan. Any snooping on client behavior would have to be done client side, and the clients are all open source. To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.

I think they do have some “service detection” which can basically port-scan your devices to make services visible in the web UI. But that is easy to disable. And premium/enterprise tiers can intentionally log traffic statistics.


> To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.

Metadata is as good as data for deducing your behavior. Think what conclusions can be drawn about a person's behavior from a log of their network connections, from each connection's timestamp, source, destination, and port. Think about the way each additional thing-which-makes-network-requests increases the surveillance value of all the others.

Straight away, many people's NTP client tells the network what OS they use: `time.windows.com`? Probably a Windows user. `time.apple.com`? Probably Mac or iOS. `time.google.com`? You get the idea. Yeah, anyone can configure an NTP client to use any of those hosts, but the vast vast majority of people are taking the default and probably don't even know what NTP is.

Add a metadata point: somebody makes a connection to one of the well-known Wi-Fi captive portal detection hosts around 4PM on a weekday? Maybe somebody just got home from school. Captive portal detection at 6PM on a weekday? Maybe somebody just got home from work. Your machines are all doing this any time they reconnect to a saved Wi-Fi network: https://en.wikipedia.org/wiki/Captive_portal#Detection

Add a metadata point: somebody makes a network connection to their OS's default weather-widget API right after the captive-portal test, and then another weather-API connection exactly ${DEFAULT_INTERVAL} minutes later? That person who got home is probably still home.

Required reading: https://kieranhealy.org/blog/archives/2013/06/09/using-metad...
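The inference chain in the comment above, run over a connection log that contains nothing but timestamp, source, destination, port and protocol. This is an added example, not code from the thread or from Tailscale; the log lines are constructed, the NTP and captive-portal hosts are well-known OS defaults, and `weather.example` with a 30-minute polling interval is an assumption standing in for an OS weather widget.

```python
"""Behavioural inference from connection metadata alone.

Added example, not code from the thread or from Tailscale. The sample log is
constructed; weather.example and the 30-minute interval are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NTP_HOST_OS = {                      # default NTP servers -> OS guess
    "time.windows.com": "Windows",
    "time.apple.com": "macOS/iOS",
    "time.google.com": "Google NTP default",
}
CAPTIVE_PORTAL_HOSTS = {             # probed on every (re)join of a Wi-Fi network
    "captive.apple.com",
    "www.msftconnecttest.com",
    "connectivitycheck.gstatic.com",
    "detectportal.firefox.com",
}
WEATHER_HOSTS = {"weather.example"}        # hypothetical widget API (assumption)
WEATHER_INTERVAL = timedelta(minutes=30)   # assumed default poll interval
TOLERANCE = timedelta(minutes=2)           # jitter allowed between polls

# Constructed sample: one Monday evening on a small tailnet. No payloads.
SAMPLE_LOG = """\
2025-03-03T16:02:11 100.64.0.7 time.windows.com 123 udp
2025-03-03T16:02:12 100.64.0.7 www.msftconnecttest.com 80 tcp
2025-03-03T16:02:40 100.64.0.7 weather.example 443 tcp
2025-03-03T16:32:41 100.64.0.7 weather.example 443 tcp
2025-03-03T17:02:39 100.64.0.7 weather.example 443 tcp
2025-03-03T18:07:03 100.64.0.9 captive.apple.com 80 tcp
2025-03-03T18:07:05 100.64.0.9 time.apple.com 123 udp
2025-03-03T18:07:30 100.64.0.9 weather.example 443 tcp
"""


def parse_flows(text):
    """Parse 'ts src dst port proto' lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "proto": proto})
    return flows


def infer_os(flows):
    """First NTP destination seen per source machine -> OS guess."""
    guesses = {}
    for f in flows:
        if f["port"] == 123 and f["dst"] in NTP_HOST_OS:
            guesses.setdefault(f["src"], NTP_HOST_OS[f["dst"]])
    return guesses


def arrival_events(flows):
    """A captive-portal probe marks a (re)join of a saved Wi-Fi network;
    the weekday time of day suggests why the person is arriving."""
    events = []
    for f in flows:
        if f["dst"] not in CAPTIVE_PORTAL_HOSTS:
            continue
        t, label = f["ts"], "reconnected"
        if t.weekday() < 5 and 15 <= t.hour < 17:
            label = "weekday ~4PM: home from school?"
        elif t.weekday() < 5 and 17 <= t.hour < 19:
            label = "weekday ~6PM: home from work?"
        events.append((f["src"], t, label))
    return events


def presence_windows(flows, interval=WEATHER_INTERVAL, tol=TOLERANCE):
    """Chain weather polls spaced at the widget's interval into windows during
    which the machine (and probably its owner) stayed put."""
    polls = defaultdict(list)
    for f in flows:
        if f["dst"] in WEATHER_HOSTS:
            polls[f["src"]].append(f["ts"])
    windows = {}
    for src, times in polls.items():
        times.sort()
        spans, start, last = [], times[0], times[0]
        for t in times[1:]:
            if abs((t - last) - interval) <= tol:
                last = t                 # another periodic poll: still home
            else:
                spans.append((start, last))
                start = last = t
        spans.append((start, last))
        windows[src] = spans
    return windows


def profile(text):
    """Everything the three heuristics conclude from the bare connection log."""
    flows = parse_flows(text)
    return {"os": infer_os(flows),
            "arrivals": arrival_events(flows),
            "presence": presence_windows(flows)}


if __name__ == "__main__":
    for key, value in profile(SAMPLE_LOG).items():
        print(key, value)
```

Each heuristic is weak on its own; the point is that they compound, and that none of them needed a single byte of payload, only the per-connection open/close records the docs say are streamed.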


True, but none of that metadata goes to Tailscale.

This is pure misinformation. 'Most connections are direct, P2P' makes no sense to anyone versed in basic networking.

I don’t mean P2P in the same sense that BitTorrent or something is P2P. (Splitting one connection into many distributed ones) But more like how a game that does P2P multiplayer has the clients connect directly instead of through a centralized service.

What do you mean? P2P is commonplace, for example, in IP telephony, and obviously in many other cases.

Ironically I like Blades a lot more on OG XBOX (the JX720 theme for XBMC). Its 360 iteration got really crowded when MS added the Live blade and all the ad units. The NXE (what this site emulates) was Peak 360 IMO :)

White NXE burning our eyes for the first time, I remember it like yesterday.

I stayed on the original green NXE (2.0.7371.0) to keep my SMC exploit and ran FreeStyleDash instead of the eye-searing later MSDashes when XBrebooting into a newer kernel https://github.com/Free60Project/wiki/blob/master/docs/Hacks...


This uBlock Origin rule will do it for you:

  ||unicornjelly.com/images/unianil.gif

My favorite part of NT is the Local Procedure Call (now obsoleted by ALPC): https://computernewb.com/~lily/files/Documents/NTDesignWorkb...

Very cool to be able to read the original design instead of just reverse-engineered ones. Thanks for posting!


> arguably

Sick of this weasel word. Either argue it or don't.


Also used incorrectly most of the time. They meant to use “debatably”.

Arguably:

- used to say that a statement is very possibly true even if it is not certain (merriam-webster)

- in a way that can be shown to be true (cambridge)

i.e. you can prove it through argument, not “you can make the argument”


Even worse, "I would argue that..."

It's not hypothetical if you are here, in the current tense, arguing that. I've mostly cured myself of the habit, but it's tough.


“I would argue that…” is a weaker statement, because it ends with an implied “…but since I don’t care that much, I’m not ‘seriously’ arguing that.” It’s not at all equivalent to the strong statement “I argue that…”, which has no such qualifier.

Why cure yourself of useful conversational nuance?


> Open source is a licensing and delivery mechanism, period. It means you get the source for software and the right to use and modify it.

Once again confusing the two and proving that “Open Source” was the worst thing to ever happen to “Free Software”


And now Palantir sells exactly this product, literally named Gotham https://www.palantir.com/platforms/gotham/

If people didn't buy new cars there would never be used cars.

Tell that to Cuba.

Not entirely true; there are at least the lease, rental, and commercial fleet markets supplying predictable inventory of used cars to the public market.
