If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 20:39:11 GMT

ingram@mastodon.social — Thu, 21 May 2026 20:39:11 GMT

@GossiTheDog I'm not going to try, but from experience anything that isn't on the allow-list is blocked. Staff can request the thing to be added to the list, but default is "computer says no". VSCode isn't one of the supported tools. On of the tools I use brings in libraries and some have DLLs, and these get blocked by default too.

Companies can protect themselves, but staff will gnash teeth and wail.

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 15:33:01 GMT

slashdottir@mastodon.online — Thu, 21 May 2026 15:33:01 GMT

@GossiTheDog My guess is if this is true, we might see them try to exit the browser space entirely... that might take a while though

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 14:11:10 GMT

slashdottir@mastodon.online — Thu, 21 May 2026 14:11:10 GMT

@GossiTheDog Google is probably thinking how this will simplify their own job - no more worrying about malware or unsafe sites or anything. Users just poke the stochastic text machine and text is generated for them. No more spidering or security monitoring of websites needed. They are no doubt fantasizing about all the layoffs they can do

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 14:10:37 GMT

slashdottir@mastodon.online — Thu, 21 May 2026 14:10:37 GMT

@GossiTheDog Politicians do not understand complexity really, they are specialists in tapping into the vibes of public sentiment and then crafting rhetoric to get those vibes resonating in their preferred direction.

Security is like this fractal mandelbrot surface of complexity where the more surface you generate or explore, the more vectors of attack there are. It's way too much for most people, and way too much for politicians who are only interested in what most people think.

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 13:34:41 GMT

yacc143@mastodon.social — Thu, 21 May 2026 13:34:41 GMT

some of these configuration is totally benign and makes sense, like LSP support etc (although just blindly configuring it, risks configuring tools that are not installed on the system, but that's another story).
@emily_s @GossiTheDog @binford2k

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 13:34:40 GMT

yacc143@mastodon.social — Thu, 21 May 2026 13:34:40 GMT

@binford2k
Yeah the point is that it's an utterly bad design:

So you have to blindly trust the workspace directory to "auto run" in undefined (because extensions can add/modify behaviour).

Or you have to accept that a certain part of the functionality (again undefined) will be not working or working suboptimal.

And there is literally no way to safely review: give me an overview what commands does this repo configure to run.

The point is @emily_s @GossiTheDog

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 11:44:53 GMT

stevel@hachyderm.io — Thu, 21 May 2026 11:44:53 GMT

@yacc143 @GossiTheDog did get an IE3 patch out to fix an ActiveX control vulnerability back in the late 90s, it was such an easy target.

Has anything that bad shipped between then and vs.code plugins? Doubtful. Flash and java applets were trying to run in sandboxes...
#cybersecurity

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 11:32:21 GMT

yacc143@mastodon.social — Thu, 21 May 2026 11:32:21 GMT

@GossiTheDog
Not really, VSC let extensions bring their own binaries too, doesn't it?
@ingram

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 09:55:50 GMT

yacc143@mastodon.social — Thu, 21 May 2026 09:55:50 GMT

@stevel
Do you know my CEO colleague, he insists on positive formulations even if you just report the end of world. "And finally I've got an incredible deal at the end of the world sales for cloud resources for the period after the big rock will hit earth and exterminate all life more advanced than bacteria. Our year-end bonuses are safe!"

But yes active-x was unfairly windows only, we non windows users were discriminated against.
@GossiTheDog

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 09:48:06 GMT

yacc143@mastodon.social — Thu, 21 May 2026 09:48:06 GMT

@GossiTheDog
Nothing surprising here.

Microsoft traditionally has the MSDOS & Windows 3.11 security mindset, which only is replaced surgically with something better. But the default is no security.

Prove me wrong.

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 07:24:00 GMT

mcepl@en.osm.town — Thu, 21 May 2026 07:24:00 GMT

@GossiTheDog

And if you like me don’t use VS Code, don’t feel smug: our editors ($VIM, Emacs, etc.) don’t even have any marketplace and pull executable code from completely random places on the Internet (mostly GitHub, which we know how secure it is).

#Fail #NoSecurity

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 07:00:31 GMT

binford2k@hachyderm.io — Thu, 21 May 2026 07:00:31 GMT

@emily_s @GossiTheDog I’m just saying that if you open a freshly cloned repo and vscode says “yo dude, can this repo run some code?” and you say “hell yeah sounds like a great time, I trust that repo, run some code” then you shouldn’t be surprised when the repo runs some code.

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 05:52:33 GMT

emily_s@mastodon.me.uk — Thu, 21 May 2026 05:52:33 GMT

@binford2k @GossiTheDog yes... Do you know every single thing you need to check before clicking that button on a repo? Do you check all changes to all repos you've clicked that button on before you open your editor? Do you keep track of all changes to all of your plug-ins to check if they've added yet another way to trip this class of thing? (plugin's that silently update by default)

That button is entirely so lawyers can say "Well we warned you" and not actually provide any security.

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Thu, 21 May 2026 05:11:09 GMT

binford2k@hachyderm.io — Thu, 21 May 2026 05:11:09 GMT

@emily_s @GossiTheDog sounds like this only happens when you trust the folder when it asks for permission. https://www.devclass.com/development/2026/01/22/vs-code-tasks-config-file-abused-to-run-malicious-code/4079547

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Wed, 20 May 2026 23:37:25 GMT

h0ru2@cyberplace.social — Wed, 20 May 2026 23:37:25 GMT

@GossiTheDog Was a bit shocked, when I discovered it's just installed into the user's home directory.

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Wed, 20 May 2026 21:41:30 GMT

paco@infosec.exchange — Wed, 20 May 2026 21:41:30 GMT

@brnrd Seems like they pioneered this model back with ActiveX plugins:
(A) trust this plugin to do anything it wants, even if it’s malicious,
(B) don’t let this plugin do anything, no matter how useful
(C) Maybe later (the 2020s enhanced version of this choice)

@GossiTheDog

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Wed, 20 May 2026 19:09:01 GMT

larthallor@mastodon.social — Wed, 20 May 2026 19:09:01 GMT

@GossiTheDog Just got notified by regular old Visual Studio that there is an update 18.6.1 except there are no release notes for 18.6.1.

So now I'm left wondering if this is a fix for a security flaw I should install right now or the result of a supply side attack facilitated by a security flaw I should definitely not install.

Whichever is the truth, I'm sure the correct approach is to ask CoPilot what to do, right Microsoft?

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Wed, 20 May 2026 18:54:50 GMT

steppl@mastodon.social — Wed, 20 May 2026 18:54:50 GMT

@GossiTheDog

Tried VScode, it was not really bad - except for my taste ate too much RAM, which becomes precious with all that AI and Browser-engine Apps.

Still looking for something better than Notepad++ having:
- low mem footprint
- (relatively) fast
- plugin/built-in support for couple languages I need

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Wed, 20 May 2026 18:32:17 GMT

ingmarvandijk@mastodon.social — Wed, 20 May 2026 18:32:17 GMT

@neffo @GossiTheDog @maccruiskeen coreP0WNED

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Wed, 20 May 2026 15:23:56 GMT

stevel@hachyderm.io — Wed, 20 May 2026 15:23:56 GMT

@GossiTheDog in their favour: MSFT are showing how they've successfully implemented a cross-platform vulnerability ecosystem. ActiveX was windows only

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Wed, 20 May 2026 14:13:03 GMT

stonebear2@hachyderm.io — Wed, 20 May 2026 14:13:03 GMT

@GossiTheDog ....

.......

and here I thought npm was bad. Sweet moldy cheezus on stale wonderbread with a radiator moonshine chaser and a frop stash full of ergot.

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Wed, 20 May 2026 14:06:15 GMT

epic_null@infosec.exchange — Wed, 20 May 2026 14:06:15 GMT

@ConanChiles @GossiTheDog And here I am just thinking "An open repository system where you add allowed sources would have allowed for better control from the start"

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Wed, 20 May 2026 13:57:55 GMT

brnrd@bsd.network — Wed, 20 May 2026 13:57:55 GMT

@GossiTheDog "how can you be so mean! We added a dialog bump 'do you trust this developer XiJinPing'"

Same thing all over again, applications, consent dialogs, browser extensions, IDE plugins, ...
Trusting that your users have sane judgement, prepare to mop!

Reply to If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension. on Wed, 20 May 2026 13:29:26 GMT

neffo@mas.to — Wed, 20 May 2026 13:29:26 GMT

@GossiTheDog @maccruiskeen is it pronounced corEnet or corPnet?