info on the github breach appears to only be available on xitter 🙄 , I fished it out for you.

#github

gonna gently push back that there's no reason (according to github's version of the story) to associate this with AI or with spectacular incompetence on the part of the employee; the issue is that industry standard, extremely widely used text editor Visual Studio Code has a big button that says "click here to add useful functionality to do your job" that has a 1% chance of installing ransomware
@0xabad1dea I'm honestly not sure if you're joking or if this is literally true.
@Nephrite @0xabad1dea 1% is maybe a bit exaggerated but VS Code marketplace is kinda notorious for malware
@ratsnakegames @0xabad1dea That sounds pretty bad. Don't they do reviews or anything?
@Nephrite @0xabad1dea which package registry does these days?
@ratsnakegames @0xabad1dea Maybe I shouldn't learn coding. Sounds more and more like a well of cursed knowledge these days.

@Nephrite you just have to be aware that things you download from the internet can be bad. It's always been that way.

And avoiding anything that has to do with JavaScript helps.

@Nephrite @ratsnakegames @0xabad1dea The problem IMO is a complete lack of sandboxing. You can have a completely legitimate extension one day, then the next day it gets updated with a compromised version (perhaps via a dependency).
@radex @Nephrite @0xabad1dea you cannot meaningfully sandbox an extension whose functionality includes compiling and running code from the user's workspace

@radex sandboxing the web browser was reasonably easy at the start because web pages had extremely limited functionality. But every time that allowable functionality gets extended, there is another multi-year process of defining and standardizing new interfaces including new permissions.

You cannot do that in an IDE without severely compromising the usefulness of the IDE's plugin model.

@ratsnakegames @Nephrite @0xabad1dea Sure. I'd rather say that _not every_ extension can be meaningfully sandboxed.

Required permissions could be clearly displayed and those that require full unsandboxed access could be additionally flagged.

IMO this would go a long way towards reducing risk of pwnage via extensions. Long process, sure, but worth it.
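The "legitimate extension today, compromised update tomorrow" scenario raised earlier in the thread is the one a team can actually detect today without waiting for a permissions model. Below is an added example, not code from any of the participants: a small auditor that parses the output of `code --list-extensions --show-versions` (which prints one `publisher.name@version` line per installed extension) and compares it against a reviewed, pinned allowlist, flagging extensions that are not on the list and extensions whose version has drifted from the pinned one. The allowlist entries and the sample listing are constructed for illustration; the `live_listing` helper and `Report` type are this example's own names.

```python
"""Audit installed VS Code extensions against a pinned allowlist.

Added example for the thread above; not code from any participant.
Real input comes from `code --list-extensions --show-versions`, which
prints one `publisher.name@version` line per installed extension.
All extension ids and versions below are constructed for illustration.
"""
from dataclasses import dataclass, field
import subprocess

# Constructed allowlist: extension id -> version the team reviewed and pinned.
PINNED = {
    "ms-python.python": "2024.4.1",
    "esbenp.prettier-vscode": "10.4.0",
}

# Constructed sample of what the CLI prints on a developer machine.
SAMPLE_OUTPUT = """\
ms-python.python@2024.4.1
esbenp.prettier-vscode@10.5.0
totally-real.helpful-snippets@0.0.3
"""


@dataclass
class Report:
    ok: list = field(default_factory=list)          # pinned and matching
    drifted: dict = field(default_factory=dict)     # id -> (pinned, installed)
    unknown: dict = field(default_factory=dict)     # id -> installed version


def parse_listing(text):
    """Parse `publisher.name@version` lines into {id: version}.

    Extension ids are case-insensitive in VS Code, so they are lowercased;
    blank lines and lines without '@' (e.g. CLI chatter) are skipped.
    """
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        installed[ext_id.lower()] = version
    return installed


def audit(installed, pinned=PINNED):
    """Classify each installed extension as ok, drifted, or unknown."""
    report = Report()
    for ext_id, version in installed.items():
        if ext_id not in pinned:
            report.unknown[ext_id] = version
        elif pinned[ext_id] != version:
            report.drifted[ext_id] = (pinned[ext_id], version)
        else:
            report.ok.append(ext_id)
    return report


def live_listing():
    """Run the real CLI; return '' if `code` is missing or fails."""
    try:
        return subprocess.run(
            ["code", "--list-extensions", "--show-versions"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    # Use the real listing when available, otherwise the constructed sample.
    listing = live_listing() or SAMPLE_OUTPUT
    report = audit(parse_listing(listing))
    for ext_id, (want, have) in report.drifted.items():
        print(f"DRIFT   {ext_id}: pinned {want}, installed {have}")
    for ext_id, have in report.unknown.items():
        print(f"UNKNOWN {ext_id}@{have}: not on the reviewed allowlist")
    print(f"{len(report.ok)} extension(s) match the allowlist")
```

Drift only means something if updates are not silently applied; pairing this check with `"extensions.autoUpdate": false` in VS Code's settings turns every version change into a deliberate, reviewable step rather than something that happens overnight.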