info on the github breach appears to only be available on xitter, I fished it out for you.
-
@david_chisnall@infosec.exchange @0xabad1dea@infosec.exchange
While yes, I think it's more about the perception of extensions being secure. Emacs has the same security model, but you don't see Big News
about it.
Granted part of this is that Emacs itself requires a certain level of understanding to use so it filters out users who Just Install Things
but still.

I’ve thought about this for a while and I think the difference is the marketplace. I use a bunch of vim extensions but vim and emacs don’t have a built-in thing that advertises extensions to me. There’s no “click here to install…” button with flashy marketing. There’s no built-in concept of “recommended extensions”.
When I install an extension in vim, it’s almost always because someone looks over my shoulder and says “wow, I forgot how bad vim was without [my favourite extension]” and I try it and decide it actually does make life nicer. When people install extensions in VS Code it’s because they’ve been trained that there’s always an extension in the store and it’s the top result for their search. And that gives people a big incentive to put malicious extensions in the store.
-
@0xabad1dea Or the extension was legitimate and got compromised (their use of the term "poisoned" makes me think that).
Supply chain attacks are on the rise; the best course of action is to admit when they happen, learn from them, and use those learnings to prevent it in the future.
@soviut @0xabad1dea Checkmarx (appsec company!) recently couldn't kick out the attackers for a month, so one of their recommended actions to clients was to disable auto update of the Checkmarx extension in VSCode (which was poisoned)
-
@0xabad1dea Huh. It’s almost as if an editor with a marketplace for extensions and zero thought to the security model (beyond “extensions have complete access to your computer”) might not have been the best idea after all.
@david_chisnall @0xabad1dea I could not ever have thought that to be a problem! Who has ever heard of it being problematic to download random code from the Internet and run it with full privileges on your computer? This realization is a breakthrough in infosec. Someone deserves a Nobel prize for this. And a Turing award.
(#sarcasm just in case)
-
gonna gently push back that there's no reason (according to github's version of the story) to associate this with AI or with spectacular incompetence on the part of the employee; the issue is that industry standard, extremely widely used text editor Visual Studio Code has a big button that says "click here to add useful functionality to do your job" that has a 1% chance of installing ransomware
@0xabad1dea I'm honestly not sure if you're joking or if this is literally true.
-
@Nephrite @0xabad1dea 1% is maybe a bit exaggerated but VS Code marketplace is kinda notorious for malware
-
@ratsnakegames @0xabad1dea That sounds pretty bad. Don't they do reviews or anything?
-
@Nephrite @0xabad1dea which package registry does these days?
-
@ratsnakegames @0xabad1dea Maybe I shouldn't learn coding. Sounds more and more like a well of cursed knowledge these days.
-
@endrift 3800 properly distinct repos doesn’t strike me as an unlikely number if it includes every employee’s minor side project over the last 18 years