If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog hell even opening a repo in vscode can cause code execution in multiple ways. It is basically impossible to use securely.
GitHub - emilyselwood/self_deleting_repo: A repo that deletes it self when it opens in an editor.
A repo that deletes it self when it opens in an editor. - emilyselwood/self_deleting_repo
GitHub (github.com)
-
Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.
@GossiTheDog I remember your earlier writings on this subject and I have been extremely paranoid about the VSCode extensions I've put on my work-owned machine.
I've also switched away from VSCode-based editors on my personal machines, partially because of this and also because of all the other happy horseshit MS has been pulling.
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog @tymwol Something macros something something word documents
-
Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.
@GossiTheDog And this is why my work PC is locked down so tight I can't even make and run my own batch files, let alone anything .exe. The organisation actually practices the Essential Eight.
-
Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.
@GossiTheDog Also check if they are running Cursor (the AI thing). It's VSCode in disguise, uses the same plugins, can import all the settings, etc.
-
Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.
@GossiTheDog this is exactly why we delivered this session last year at #PSConfEU
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog One day, I might figure out why I'd ever want to install VSCode, but this is not that day. May it rot in hell for completely destroying search results between it and the real VS, both ways.
-
Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.
@GossiTheDog@cyberplace.social
"but it's for developers it's allowed to be insecure they surely know what they're doing and think perfectly rationally at all times!"
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog And the editor itself makes extensions necessary. Like want to highlight trailing white space (something that should be built into a code editor)? Nope, you need to install a random 3rd party extension!
-
Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.
@GossiTheDog I installed VSCodium yesterday for a project and @Sempf was nice enough to suggest looking at the extensions with the warning that the extensions were a bit of a wild west.
It was shockingly terrible! You can't find or use ANYTHING safely in that tool.
I haven't installed anything in yet because frankly, I don't trust it yet. I'd rather walk slowly and safe.
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog I realize that this is tangential, but the network is named CORPNET? Really? Are we in a cheap 1980s techno-thriller?
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
VS Code started to be a thing people used when I was at MS. A lot of folks were using the remote extensions for working in Azure VMs. I saw that there was an open issue about FreeBSD support, so I reached out to some of the folks responsible internally. The things I learned about how that worked made me back away slowly and be very happy I used vim.
-
@GossiTheDog I realize that this is tangential, but the network is named CORPNET? Really? Are we in a cheap 1980s techno-thriller?
@maccruiskeen that's the main AD domain, yep. Keep in mind MS is an 80s company
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog One of the top 10 extensions, with 73 million downloads, looks like its owned by a single dev on his personal github account.
I wonder how many fishing attempts he gets per day.
-
@GossiTheDog And this is why my work PC is locked down so tight I can't even make and run my own batch files, let alone anything .exe. The organisation actually practices the Essential Eight.
@ingram you can probably install VSCode
-
@maccruiskeen that's the main AD domain, yep. Keep in mind MS is an 80s company
@GossiTheDog@cyberplace.social @maccruiskeen@social.linux.pizza also, this is the company that chose to call a flagship product family .NET
-
Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.
@GossiTheDog lol MS didn't even follow their own guidelines
-
@maccruiskeen that's the main AD domain, yep. Keep in mind MS is an 80s company
@GossiTheDog @maccruiskeen is it pronounced corEnet or corPnet?
-
Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.
@GossiTheDog "how can you be so mean! We added a dialog bump 'do you trust this developer XiJinPing'"
Same thing all over again, applications, consent dialogs, browser extensions, IDE plugins, ...
Trusting that your users have sane judgement, prepare to mop! -
They recently added a feature to control what publishers are allowed
Centrally manage VS Code settings with policies
Enterprise policies in Visual Studio Code enable organizations to centrally manage settings for their development teams. This reference details the available policies and how to implement them.
(code.visualstudio.com)
@ConanChiles @GossiTheDog And here I am just thinking "An open repository system where you add allowed sources would have allowed for better control from the start"
