back to article Microsoft defends intrusive dialog in Visual Studio Code that asks if you really trust the code you've been working on

Visual Studio Code program manager Chris Dias has defended an intrusive new "Workspace Trust" dialog, saying it is to "raise awareness that there are many attack opportunities when you download code from the internet." The feature, introduced last month in version 1.57, was initially described as "extra security against code …

  1. MajorDoubt
    Facepalm

    It seems like a good idea

    but to many people have "that would never happen to me" mindset

    1. Arthur 1

      Re: It seems like a good idea

      This is 100% a good feature, I avoid opening code I'm unsure about in IDEs so being able to put code in safe mode will be really handy.

      The popup could be less annoying though.

    2. Warm Braw

      Re: It seems like a good idea

      The fundamental problem, of course, is that random code should simply not be capable of causing havoc - though it's been a "feature" of the traditional "security" model for so long that hardly anyone even acknowledges it isn't inevitable.

      And that problem is so entrenched that "trust" is no real defence - in fact it's just another route to undermine such shoddy protection as there is.

      A better way to approach this - especially in a development environment - would be to run all the code in a sandbox of some kind unless otherwise directed. It might help catch unintended wayward code as well as deliberately malicious code.

      1. Adrian 4

        Re: It seems like a good idea

        No, the fundamental problem is that the bloody editor wants to run arbitrary bits of code when you didn't ask it to.

        Fix that entirely unnecessary misfeature by deleting it and you don't have to run rings around yourself trying to stop it in all the cases where that's a bad idea.

        1. teknopaul

          Re: It seems like a good idea

          Microsoft protection from word docs containing executable code all over again.

          Text files are safe (if you are not using Microsoft tools) .

        2. adamXpeter

          Re: It seems like a good idea

          The single biggest problem that a modern open source project will contain and refresh hundreds of dependencies.

          And no, not a single "cool kid" has ever reviewed those before updating.

        3. daniel-wu

          Re: It seems like a good idea

          This. My codes should only run if want to. Either by compiling it, or running it in my browser. Why VS Code imply that are planning to run it right away, implied by the annoying dialog box?

    3. JBowler

      Re: It seems like a good idea

      Well, indeed, but that mindset is a product of simple arrogance. Keep on asking whether that code that they downloaded from the internet does what they think it does and, maybe, they will start to think. If they don't, at least you tried. That's the way I approach all these problems; I ask if you are really serious and it you are then that is your judgement. When I let go of my end of the ladder and you fall off the building; you said you could hold it. I've had too many people telling me they know what they are doing not to trust them, many of them were right.

  2. elsergiovolador Silver badge

    Professional stareless box clicker

    They just want to train people into clicking boxes without reading, as fast as possible.

    Next version will show "Do you relinquish your soul to Microsoft?" or something more sinister like "Do you give us irrevocable license to do whatever we want with anything you write?"

    Thanks to GDPR and Cookie Law I am well trained in clicking any popup windows to go away, I don't even notice them.

    1. Plest Silver badge
      Facepalm

      Re: Professional stareless box clicker

      I'm putting my money into Bacofoil shares today!

    2. Anonymous Coward
      Anonymous Coward

      Re: Professional stareless box clicker

      We run a Python application at my workplace which we maintain internally. Whenever we are asked to 'put this validation in' or 'ensure the user knows this' it ends up being done by adding a box to click through. I don't think there's a meaningful action which can be performed at this point without 6 box-clicks afterwards. Nobody is interested in the end result being 'user awareness' when building this but are instead interested in 'closed out jira'. The end result is always the same... users learn either how to click fast or which combination of tab + space will get them to the end. Nobody knows what the boxes say, not even those who made them.

  3. b0llchit Silver badge
    Boffin

    Trusting trust, again

    Is this what you get when you trust VS Code or is there more? Is there any guarantee that VS Code is not inserting bad code in your projects when you make a build? Are your sure? Have you checked the entire chain of software to make sure? From bios to OS, from compiler to editor and more?

    If not, you should read Ken Thompson's Reflections on Trusting Trust. All these dialogs are treating symptoms. The problem is elsewhere and the complexity does not help. Maybe we should start at reducing the self-inflicted complexity and move forward from there.

    1. 42656e4d203239 Silver badge

      Re: Trusting trust, again

      dunno why you are getting downvoted, especial;y in light of the tool chain attack on Solarwinds recently.

      Ken Thompson nailed it all those years ago, and everyone else has swept it (the trust problem) under the carpet ever since.

    2. werdsmith Silver badge

      Re: Trusting trust, again

      VS code is not the toolchain it just runs the toolchain, depending on how you set it up.

      You can run the toolchain independently of VS code and see if you get the same output.

      The trust onus is on the toolchain.

      1. Anonymous Coward
        Anonymous Coward

        Re: Trusting trust, again

        "The trust onus is on the toolchain."

        Trust starts there? VS Code is an executable, which BTW, is governing every toolchain.

        Also, I like the humor behind the article calling VS Code "lightweight", which also opens the question on just WTF is VS Code really doing behind the scenes with all that bloat? Seriously, the bigger the field, the more places to hide eggs.

    3. Anonymous Coward
      Anonymous Coward

      Re: Trusting trust, again

      Ken Thompson is smart. Microsoft developers these days are impossibly incompetent.

      We have nothing to worry about.

    4. Steve Davies 3 Silver badge

      Re: Is there any guarantee that VS Code is not inserting bad code

      or more likely a whole bunch of telemetry that phones home to MS every time the user does something.

      Nanny MS is really pushing things here.

  4. Detective Emil

    Not that macOS is in any sense perfect …

    … but for years it's supported a quarantine flag that gets attached to downloaded stuff, and to files generated from that stuff (unzipped archives, mounted disk images etc.). If you try to do something that could allow a quarantined item to do damage, you're asked if you want to allow the action. If you do, the flag is cleared, and you're not asked again for that item. It can be a pita, but I find it a lot less rebarbative than Clippy.

    "Redmond, start your photocopiers."

    1. Bill Mercer

      Re: Not that macOS is in any sense perfect …

      Actually, Windows has been doing this just as long as Mac OS if not longer.

      Files are tagged with an alternate data stream that identifies whether the file came from the local system, trusted network, internet, etc. When you try to open an executable that is flagged as coming from the internet, you're warned that the file is blocked and you have to unblock it or change security settings to allow it to run.

      1. The Indomitable Gall

        Re: Not that macOS is in any sense perfect …

        Except that when you download and save as, the file reports as being from the local storage, doesn't it...?

    2. katrinab Silver badge

      Re: Not that macOS is in any sense perfect …

      Windows does that too.

      Download an Excel spreadsheet, or receive one as an email attachement. Excel will open it in restricted mode until you unblock it.

      1. Dave K

        Re: Not that macOS is in any sense perfect …

        The problem with restricted mode in Excel is that it is essentially useless. You can't even apply an existing filter or expand a field in a pivot table. So even performing the bare minimum of manipulation with a sheet you've been sent is impossible. Unfortunately, what this means is that most people I've seen just hit the "open in normal mode" routinely for all sheets they open without even thinking.

        It's a bit like the Vista "UAC" issue again. I understand why MS implemented it, but it was so intrusive and popped up so frequently that people either turned UAC off altogether, or just got into the habit of hitting "allow" without even thinking. Either way, the security and safety gains were nullified.

        That's the problem here. Make security too intrusive and people will get used to bypassing it by default. Either way, all you've achieved is to make your product seem more annoying. What MS need to do is to find the right balance so that people actually stop and think when they get such a notification.

    3. Tim 11

      Re: Not that macOS is in any sense perfect …

      It all depends what you mean by "downloaded" - npm install? git fetch? visual studio template? Almost all the code I write work on is "downloaded" from a git repo even if I wrote it myself

  5. Dvon of Edzore

    Running lint causes the code to be executed?

    Of course it does! This is the same company that happily extended email to be executable code instead of a simple messaging platform so spammers could pwn your computer, added "features" to the web browser so anonymous adverts on "trusted" websites could pwn your computer, and made it much easier to run everything as administrator (root) rather than encouraging least-privilege software to limit the damage their new standards caused.

    The real question is, "Do you trust the authors of Visual Studio?"

    1. Arthur 1

      Re: Running lint causes the code to be executed?

      Couple things:

      1) ESlint is an open source project that has nothing to do with Microsoft, people commonly call it from their node build scripts which can be kicked off from inside code, so if you want to know why a static analyzer runs code talk to them (I'll disappoint you by adding that there's probably a good reason)

      2) Jupyter Notebooks also has nothing to do with MS, but with the right plugin to integrate them you can run arbitrary code from inside the notebook (by design)

      3) I'm pretty certain that before you add plugins vscode can't execute any code at all, it's a text editor that becomes an IDE as you customize it

      4) vscode and pretty much all of its plugins are open source so there's no issue of trust, feel free to audit it yourself

      (edit love that the MS hater brigade is already out to downvote a post that consists of four easily verifiable facts lol)

      1. The Indomitable Gall

        Re: Running lint causes the code to be executed?

        11 hours on and there's still only one downvote. Not quite a "brigade" then...

        1. Anonymous Coward
          Anonymous Coward

          Re: Running lint causes the code to be executed?

          Found one of the downvoters... :)

  6. Ken Moorhouse Silver badge

    Put a checksum checker...

    ...in your code with a result checksum for each library file being called. (As well as checksumming its own footprint). If checksum's match then you've made some effort to verify your external sources. However, if your external sources in turn call libraries outside of their domain (which is a risk being discussed a lot these days), then you can't guarantee trust. Many coders are oblivious of the fact that this could happen

    If all libraries were to have checksum checking built into them in this way, then you could have some protection against root of heirarchy change. If this were a coding "standard" whereby you called a library only if it met the structural checksum standard, and that each library it called committed to doing the same, then security problems would start to decrease.

    1. Anonymous Coward
      Coat

      Re: Put a checksum checker...

      Sorry Ken,

      Your comment cannot be trusted, it did not include a checksum.

      1. katrinab Silver badge
        Paris Hilton

        Re: Put a checksum checker...

        Do you trust my response?

        b91acf84a18ae9356265f16bff5e4e2c

    2. Arthur 1

      Re: Put a checksum checker...

      The type of trust you're talking about here is different, where you want to check that a library you're calling into isn't altered at runtime. The type of trust the article is talking about is during development where a dev has obtained code and wants to open it locally, since there are many ways for code to execute out of your IDE you want to distinguish between code you trust and code you're looking at but don't trust to execute on your dev machine.

      If you're curious though, checksums aren't robust enough to be the basis of your library trust system. The usually proposed and sometimes implemented solution to the problem you're discussing is to sign code cryptographically where you use a private key and the code/executable itself to make a digest which is appended to the package, then people can verify that the code is unchanged by using your public key and their copy of the package at any time. Googlable keyword is code signing.

    3. doublelayer Silver badge

      Re: Put a checksum checker...

      This isn't useful in this or most cases. The problem this is intended to solve is the use of untrusted libraries by a developer who doesn't audit the library for security or is dealing with a library of such complexity that it's infeasible to do so. If the dev inserts the checksum of an insecure library, your system won't catch it.

      If you're really afraid that something will modify a library which your main application imports, you're going to have to do more. If all you've done is insert checksums into your main module, the person substituting libraries can just edit those checksums so they match again. You can do this better, namely by signing your code and not running code from unsigned random files.

  7. Dan 55 Silver badge

    File metadata

    If you were to download code from the internet, it would have the URL in the file's metadata, wouldn't it... why not check that instead of if a filename exists...?

    1. doublelayer Silver badge

      Re: File metadata

      No, it probably wouldn't. Some filesystems keep track of that, but not all do. What if something other than a browser downloads the file? What if it was in an archive that was downloaded? What if it was copied from a drive using something that doesn't have such a metadata field? What if it's currently on something without such a field? If you're doing this at all, you can't treat a file not known to have been downloaded recently as safe.

      1. Dan 55 Silver badge

        Re: File metadata

        So finding something called readme.txt is a better test? Anyone up to no good will just look through the source and avoid the filenames which pop up this dialog.

        A poster above who expressed the idea better than I had the same idea. It's slowly getting more comprehensive on Windows.

  8. nintendoeats

    I'm going to be a horrible person and say that this sounds reasonable. The motives make sense, the implementation is mildly annoying but it's basically SUPPOSED to be, or it wouldn't work (as they demonstrated). I will complain about many Microsoft-related things, but this is not one of them.

  9. beep54
    Devil

    I used to loathe MS

    Now is fully hate it.

    1. Plest Silver badge
      Facepalm

      Re: I used to loathe MS

      OK, thanks for sharing that but it's tired refrain from like moaning about why gas lamps in the streets aren't bright enough.

      MS are a big nasty corp, they're not going change and one person moaning about it won't change that. However there's plenty of alternatives out that don't involve MS, you can avoid them if try hard enough. So stop wasting time moaning and start a movement to help others who feel the same, maybe invent your own O/S, it's been done before and I believe is used quite a bit now. I think there's even some orgs out that promote openess in software and software development, now what's it called? Hmm....

  10. JDX Gold badge

    To be fair

    Asking me if I trust the author of code I've written seems quite reasonable.Especially when I work on code I wrote 10 years ago and wonder "what cretin wrote this garbage?"

    1. bombastic bob Silver badge
      Trollface

      Re: To be fair

      I always try to make the code maintainable. After all, *I* might be the one who has to maintain it [years from now when I, too, ask similar questions about the author's intelligence and ability to code - whoops, it was me!]

      Seriously, though, if I can't maintain my own code years later, something's wrong with the author.

      as for a popup dialog asking me to trust the author of the code, pluma and a bash or csh shell are looking MUCH BETTER these days in lieu of any kind of "helpful" IDE...

      1. Lusty

        Re: To be fair

        These days I think it's generally easier to write a paragraph describing in detail what the code does at the top. Saves a lot of time looking at the code because you can probably then just write a new function to replace it rather than maintaining your own crappy old code! Also means you can skip the commenting throughout because during the month you originally write it you'll know everything about it. 10 years later you won't care because the blurb at the top should be sufficient to start from scratch and produce something better in less time

        1. Brewster's Angle Grinder Silver badge

          Over the hill

          What you say used to be true. But I've reached the point in my life where the code I write now is not as good as the stuff I wrote ten years ago.

          1. DJO Silver badge

            Re: Over the hill

            I look at old code and it's either "Gosh! How the hell did I do that?" or "Why?, oh gods why?".

            This is the problem with being self taught, while my teacher had unlimited patience, was charming and an absolute delight, he knew fuck all.

            1. Brewster's Angle Grinder Silver badge

              Re: Over the hill

              Sooner or later you run out of people to teach you and have to figure it out yourself. Being taught is nothing more than a leg up. And people who are taught don't always understand why it should be done like that. If you've tried it, you know, and know when you can cheat. And I certainly don't think people who are taught produce better code. These days they often produce worse code because they haven't grown up with the machines and don't understand that a CPU is actually going to have to execute what's been written.

              I can sympathetic with finding old code brilliant and atrocious, or an amalgam of both; the impossible made possible before your eyes. Lets face it, for most of us, the code is a prototype that should be thrown away and rewritten (and then thrown away and rewritten again because you succumbed to second system syndrome). But that's just not possible. And the rest of the time the code is a quick bodge on a prototype that should have been discarded.

              Within those limits, it's often pretty good. The bad habits acquired on 8 bit micros are rarely visible. It's well factorised. It's almost like looking at a codebase written by adults. And there are inspired flashes I think I'd struggle to match. No wait, I've just had an idea...

        2. Anonymous Coward
          Anonymous Coward

          Re: Description and Comments

          have saved my bacon more than once.

          Sadly, in many places, these are now frowned upon. On the last Agile project I worked on, I was hauled over the coals for commenting on almost every line of my code. I was told that there was no time in this or any sprint for commenting.

          I walked as soon as I could. The project foundered badly with unmaintainable code that didn't work.

          A total waste of money.

  11. Fruit and Nutcase Silver badge
    Alert

    "In user studies, we watched people spend all their time thinking they had broken something."

    That's a lot of fine grained telemetry

  12. IGotOut Silver badge

    Cookie consent

    Was a EU Privacy Directive requirement. GDPR just happens to cover it as well.

  13. Plest Silver badge
    Coffee/keyboard

    Nice idea but won't last long

    Well intentioned but ultimately will, as others have said, lead to "button blindness", people will see it for the 27th time and just click "OK". I use VSCode and it's come up 4-5 times when I opened from JSON files off a network share, after the 3rd or 4th time I simply clicked "OK" with an annoying sensation that I should really be paying more attention but I'm too busy.

    Nice idea, it will work the first couple of times but then it'll simply be annoying and people will find a way to disable it.

    1. bombastic bob Silver badge
      Alert

      Re: Nice idea but won't last long

      it's like the day I realized that SHUTTING OFF ANTI-VIRUS for the directories that contain all of the code I'm working on (and all of the output binaries) made EVERYTHING GO FASTER, in particular the compile-link-debug cycle.

  14. Binraider Silver badge

    Drop table *?

    Insert other potentially damaging commands available to a programming language here.

  15. Tony W

    Crying "Wolf"

    It would be OK if they didn't raise an obviously false alarm so often. Windows requires me to click to confirm it's OK every time I copy a jpg from my local NAS to my PC (although I can use a browser to copy a jpg from the real internet without any warning.) Etc., etc. It's a bit like car and burglar alarms, everyone knows that it's highly unikely to be an actual thief and takes no notice.

  16. arthoss

    what a non issue, really, an article about it? I expected an opinion supporting it. With attacks with multiple vectors, which already happened in the IDE in the past (! see Xcode Chinese attack), I'd expect that the programmers will pay attention as hell to what they're running. This popup should not be ignored people. Those saying "I'll automatically click ok" should be fired.

    1. Dan 55 Silver badge

      It's just yet more training people to click Yes, like UAC or the Office apps.

  17. RichardBarrell

    It's not very annoying: I only see it once per project.

  18. Mike 137 Silver badge

    Suddenly everyting is explained

    "raise awareness that there are many attack opportunities when you download code from the internet."

    If MS work on the basis that you won't examine and verify code you download before using it, the gross bug-ridden state of their products is perfectly explained.

  19. Flywheel
    Coat

    I don't have this problem

    With vim

    1. werdsmith Silver badge

      Re: I don't have this problem

      That's true. But you have a whole world of other ones.

      1. Anonymous Coward
        Anonymous Coward

        Re: But you have a whole world of other ones.

        And, I hope, at least some zeros, if only to provide a wider range of possible binary numbers... :-)

  20. Ken Hagan Gold badge

    Pointless

    The real problem here is that this question is pointless. It has no useful answer.

    If the user trusts the code, it doesn't mean it is trustworthy. (Even well-intentioned code might have bugs.) It just means the user doesn't want to be pestered by an algorithm that is (inevitably) too dumb to answer the question by itself.

    If the user doesn't trust the code, they presumably still want to read it, so they will click on the annoying popup to make it go away.

    Either way, the user has been annoyed and Microsoft have learned nothing that they can act on. (I *assume* that MS don't do dangerous things on random pieces of code just because the end-user happens to be reading it. That would be like ActiveX on steroids.) On the other hand, the end-user has learned that they are using an IDE created by people who think this a security feature. Oh dear.

  21. Anonymous Coward
    Anonymous Coward

    Ah, so that's where the code has gone..

    .. I had been wondering what happend to the code in Windows Vista.

    Has it asked if you intended to move the mouse yet, or is that destined for the next update?

  22. NicX

    I don't see why this is an issue? An annoyance, maybe, but a welcome one if it means more secure code.

    1. Anonymous Coward
      Anonymous Coward

      re: An annoyance

      because Mummy MS knows best. You will obey. People who disobey their mummies get sent to the naughty step until they learn their lesson.

  23. Ozzard
    FAIL

    "No, I absolutely don't trust all the code in this workspace, as there are eleventy-thousand build scripts and bits of Typescript compiler and packer downloaded from FSM-knows-where. But there is no model anywhere that would allow me to determine what I *could* trust. So what do I do?"

    1. Steve Davies 3 Silver badge

      re: So what do I do?

      Find another job perhaps?

      All those frameworks are a disaster waiting to happen unless they have been forensically examined line by line. Who knows what shit has been included in them for nefarious reasons?

      1. Nick Ryan Silver badge

        Re: re: So what do I do?

        Shhhh... Just compile it and deploy it if it compiles. Testing, and in particularly usability testing is the end user's responsibility. If it compiles, it gets delivered...

  24. skalamanga

    Microsoft also think its a good idea to open an intrusive dialog box asking if I'm sure I want to save the file I just clicked on, then open another intrusive dialog box asking if I really want to run the file I literally just downloaded!

  25. Nick Ryan Silver badge

    VS Code "is capable of running code from the workspace on your behalf to provide a richer development experience,"

    Compiling and building code is one risk with external sources, but automatically running shite that it happens to be in a directory is just typically negligent and stupid.

    By the same organisation that created auto-infect/auto-run, executables in emails and ActiveX in browsers (hell, ActiveX has just always been awful)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like