Nothing dependent on an honor system lasts long (in the US at least). Some bonehead always ruins the nice thing! Life with the inevitable bad actor is worse for everyone… but we manage.
> Please don't be a dev with access to things my security depends on.
Devs just want “Do Anything Now mode”, who doesn't? :)
I doubt at most shops VSCode extension security is considered differently from any extensions or libraries used throughout the codebase.
Almost nobody reads every line of their includes. (Sadly, but obviously.)
If all your includes can come only from an artifact depot or mirror because your build system can't reach the Internet, and those only get there with a PR and code review, you're on a good start. Operationalizing that to stay current with zero day fixes and the like, starts to be "a thing", which is why there's so much energy in software-supply chain security, through industry efforts like SLSA and GUAC and firms like https://www.kusari.dev/.
Read a decent checkpoint and overview on this emerging ecosystem here (from 2022):
Confusing marketing and description about it are unfortunate - DevKit provides Visual Studio style solution and text explorers, and maybe additional features since last time I verified this.
In order to write C#, however, you do not need that - base C# extension that has no licensing strings attached is the actual language server you need. And solution explorer, should you want that, can be restored with Ionide which doubles as a language server for F#.
And, hey, at least it's not like with Oracle where SDK distribution itself that has a trap :)
I kinda get the impression, the author of the original articles has little understanding of what they are actually talking about. The numbers of concerning extensions they found is rather low, and their claims of concern are very questionable, especially when they bring s** like a "reverse shell" to a local IP as a security-problem. My impression is, they heard about problems, poked around and found things they do not understand and then claim problems. This is just poor rage bait for the alarmist mindset than real meat.
14 comments
[ 2.7 ms ] story [ 48.4 ms ] threadhttps://en.m.wikipedia.org/wiki/Web_of_trust
Not expecting that many.
I sometimes randomly try interesting extensions out. Will not do this again. Should only install extensions recommended by Microsoft I guess.
Maybe the same applies for browser extensions?
Devs just want “Do Anything Now mode”, who doesn't? :)
I doubt at most shops VSCode extension security is considered differently from any extensions or libraries used throughout the codebase.
Almost nobody reads every line of their includes. (Sadly, but obviously.)
If all your includes can come only from an artifact depot or mirror because your build system can't reach the Internet, and those only get there with a PR and code review, you're on a good start. Operationalizing that to stay current with zero day fixes and the like, starts to be "a thing", which is why there's so much energy in software-supply chain security, through industry efforts like SLSA and GUAC and firms like https://www.kusari.dev/.
Read a decent checkpoint and overview on this emerging ecosystem here (from 2022):
https://security.googleblog.com/2022/10/announcing-guac-grea...
It still has a serious license footgun built-in, Oracle-style.
In order to write C#, however, you do not need that - base C# extension that has no licensing strings attached is the actual language server you need. And solution explorer, should you want that, can be restored with Ionide which doubles as a language server for F#.
And, hey, at least it's not like with Oracle where SDK distribution itself that has a trap :)
We Hacked Multi-Billion $ Companies in 30 Minutes with a VSCode Extension
https://medium.com/@amitassaraf/the-story-of-extensiontotal-...
(https://news.ycombinator.com/item?id=40624000)
I kinda get the impression, the author of the original articles has little understanding of what they are actually talking about. The numbers of concerning extensions they found is rather low, and their claims of concern are very questionable, especially when they bring s** like a "reverse shell" to a local IP as a security-problem. My impression is, they heard about problems, poked around and found things they do not understand and then claim problems. This is just poor rage bait for the alarmist mindset than real meat.