If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
And if you like me don’t use VS Code, don’t feel smug: our editors ($VIM, Emacs, etc.) don’t even have any marketplace and pull executable code from completely random places on the Internet (mostly GitHub, which we know how secure it is).
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog
Nothing surprising here.Microsoft traditionally has the MSDOS & Windows 3.11 security mindset, which only is replaced surgically with something better. But the default is no security.
Prove me wrong.
-
@GossiTheDog in their favour: MSFT are showing how they've successfully implemented a cross-platform vulnerability ecosystem. ActiveX was windows only
@stevel
Do you know my CEO colleague, he insists on positive formulations even if you just report the end of world. "And finally I've got an incredible deal at the end of the world sales for cloud resources for the period after the big rock will hit earth and exterminate all life more advanced than bacteria. Our year-end bonuses are safe!"But yes active-x was unfairly windows only, we non windows users were discriminated against.
@GossiTheDog -
@ingram you can probably install VSCode
@GossiTheDog
Not really, VSC let extensions bring their own binaries too, doesn't it?
@ingram -
@stevel
Do you know my CEO colleague, he insists on positive formulations even if you just report the end of world. "And finally I've got an incredible deal at the end of the world sales for cloud resources for the period after the big rock will hit earth and exterminate all life more advanced than bacteria. Our year-end bonuses are safe!"But yes active-x was unfairly windows only, we non windows users were discriminated against.
@GossiTheDog@yacc143 @GossiTheDog did get an IE3 patch out to fix an ActiveX control vulnerability back in the late 90s, it was such an easy target.
Has anything that bad shipped between then and vs.code plugins? Doubtful. Flash and java applets were trying to run in sandboxes...
#cybersecurity -
@emily_s @GossiTheDog I’m just saying that if you open a freshly cloned repo and vscode says “yo dude, can this repo run some code?” and you say “hell yeah sounds like a great time, I trust that repo, run some code” then you shouldn’t be surprised when the repo runs some code.
@binford2k
Yeah the point is that it's an utterly bad design:So you have to blindly trust the workspace directory to "auto run" in undefined (because extensions can add/modify behaviour).
Or you have to accept that a certain part of the functionality (again undefined) will be not working or working suboptimal.
And there is literally no way to safely review: give me an overview what commands does this repo configure to run.
The point is @emily_s @GossiTheDog
-
@binford2k
Yeah the point is that it's an utterly bad design:So you have to blindly trust the workspace directory to "auto run" in undefined (because extensions can add/modify behaviour).
Or you have to accept that a certain part of the functionality (again undefined) will be not working or working suboptimal.
And there is literally no way to safely review: give me an overview what commands does this repo configure to run.
The point is @emily_s @GossiTheDog
some of these configuration is totally benign and makes sense, like LSP support etc (although just blindly configuring it, risks configuring tools that are not installed on the system, but that's another story).
@emily_s @GossiTheDog @binford2k -
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog Politicians do not understand complexity really, they are specialists in tapping into the vibes of public sentiment and then crafting rhetoric to get those vibes resonating in their preferred direction.
Security is like this fractal mandelbrot surface of complexity where the more surface you generate or explore, the more vectors of attack there are. It's way too much for most people, and way too much for politicians who are only interested in what most people think.
-
@GossiTheDog Politicians do not understand complexity really, they are specialists in tapping into the vibes of public sentiment and then crafting rhetoric to get those vibes resonating in their preferred direction.
Security is like this fractal mandelbrot surface of complexity where the more surface you generate or explore, the more vectors of attack there are. It's way too much for most people, and way too much for politicians who are only interested in what most people think.
@GossiTheDog Google is probably thinking how this will simplify their own job - no more worrying about malware or unsafe sites or anything. Users just poke the stochastic text machine and text is generated for them. No more spidering or security monitoring of websites needed. They are no doubt fantasizing about all the layoffs they can do
-
@GossiTheDog Google is probably thinking how this will simplify their own job - no more worrying about malware or unsafe sites or anything. Users just poke the stochastic text machine and text is generated for them. No more spidering or security monitoring of websites needed. They are no doubt fantasizing about all the layoffs they can do
@GossiTheDog My guess is if this is true, we might see them try to exit the browser space entirely... that might take a while though
-
@ingram you can probably install VSCode
@GossiTheDog I'm not going to try, but from experience anything that isn't on the allow-list is blocked. Staff can request the thing to be added to the list, but default is "computer says no". VSCode isn't one of the supported tools. On of the tools I use brings in libraries and some have DLLs, and these get blocked by default too.
Companies can protect themselves, but staff will gnash teeth and wail.
-
R relay@relay.infosec.exchange shared this topic
