[wvh]

I've been telling less computer literate folks not to install random stuff since the nineties, and I can't understand how many devs are doing just that these days.

I used to work in security auditing, and it makes me feel pretty jaded to think of the gigabytes upon gigabytes of random stuff that just gets pulled in from everywhere in IDEs, package managers, build pipelines and container images.

At least back then there was still a chance to read a significant part of the code and find problems before they found you.

[Sweepi]

Answer: Because the "random stuff" (plugins for VS Code and other IDEs) solves real problems and nothing bad happens most of the time.

Almost no manager will sign-off spending time on building stuff in-house if its available "for free".

This is also in no way a new thing. How much code was written in notepad++ in the '00ies? Did anyone bother to check if the plugins did sth. malicious? We also used some weird closed-src "addon" for the Nullsoft installer to get a product out of the door, dont remember what the problem was exactly....

[cess11]

"solves real problems and nothing bad happens most of the time."

Like Wordpress plugins previously that'll work for now but we're now on the trajectory of relearning that same lesson, because people are automating discovery and exploitation of these extensions and plugins and whatnot around text editors and MCP and so on.

Though I suspect we'll first see a torrent of exploitation similar to what was done to Wordpress instances, and then a change of behaviour, because as you allude to, the people with influence didn't learn from previous experiences with similar technologies.

[dividedbyzero]

I suppose people did learn that it isn't that bad or costly after all and the risk and the bandaids are still better than the cost of being the first to try and fix software supply chains for good. As things stand, I don't know how that might even be done if it's supposed to not be a better bandaid and someone has to do the legwork and it can't be so costly or impractical to overworked IT teams that everyone is just going to ignore it.

[zitterbewegung]

At least in my experience depending on how serious the company was about security plugin downloading would be prohibited.

[ferguess_k]

Can relate. A lot of the times it is the process that is slowing people down, and it is unrealistic for any corporation to do security audition for everything developers need on time, so unfortunately rules have to be bent.

Some big corps resort to a different tactics: they ONLY allow in-house tools. IDEs, communication tools, everything you need on a daily basis, they make in-house tools for that. It costs a lot of money but they care about security.

[tracker1]

Worse, is when the "team" doing the auditing is one guy, and that guy leaves with no replacement... and you need to explain to mgt that their new product release hasn't gone out for 3 months because you can't get the new versions of modules cleared and into the internal repo for production apps.

Actually happened at one of the largest banks in the world when I was contracting there. And that was mostly just a license/legal audit, not even a full source/security audit.

[rTX5CMRXIfFG]

> solves real problems and nothing bad happens most of the time

Aaand this is why AI is taking our jobs and we all rightfully deserve to be laid off. This utter lack of risk awareness and care for quality is what created the need for autonomous agents to dig through and build upon man-made slop.

Honestly, I find it rich that we’re the ones who think that AI is the one that’s producing slop. Give any agent clear harnesses and it’ll produce better code than a human would close to 100% of the time. That’s still as indeterministic as the way you used “most of the time”, but the deviation tends to be smaller and the quality and rigor is much higher.

[TheFlyingFish]

Are you suggesting that AI-written code tends to be more secure than human-written code? Because there are many examples to the contrary, starting with MoltBook.

[rTX5CMRXIfFG]

Not really, no. That's not even the point. Say for example they're just the same level of security. Then what value does a human even offer to a company if AI can do the same quality of work faster? It's not as if the company benefits from something like "human discernment", because as predicated in this thread, developers exactly have none of that, since they don't care about the security aspect of the VSCode extensions that they use. Might as well lay off the human developers and just use AI for as long as the latter is cheaper. How many people does a company really need to update its VSCode to the version that blocks the malicious extension? Do you need more than one and does that person have to be full-time?

[stalfosknight]

This is how you end up with the total dumpster fire known as npm.

[axegon_]

The vast majority of devs in the last few years have either been raised as sloppers or transitioned from developers to sloppers. Programming has evolved into a blackbox where fewer than ever people know how a program works, despite the numbers of "programmers" has skyrocketed. Just a few months ago a friend had a job interview(fake one obviously) where he was asked to clone a repo and do some stuff on it. The repo contained some vs code hooks which did a ton of stuff in the background installing backdoors and whatnot. In my friend's case, that was a non-issue since he was running it in a VM but I recon thousands of others have fallen victim of such attacks and have no clue still.

[anthk]

Ask for yourself; I'm keeping my sanity back with stuff from https://t3x.org and the like. Scheme with logic/DIscrete Math, the MInikanren and the Mini Prolog it's incredibily powerful.

[pseudocomposer]

What are “vs code hooks” exactly? A search for that or “VSCode Hooks” isn’t turning up anything for me in Kagi or Google…

[axegon_]

I assume they are called hooks, .vscode/settings.json - you can put some linters/tests which run automatically (from my understanding, something similar to git hooks, hence the reason I called them hooks). I generally hate the concept and I generally dislike vscode so... yeah.

[AshamedBadger56]

I assumed they are meaning VSCode plugins that "hook" into the system.

[thewebguyd]

> I can't understand how many devs are doing just that these days.

Convenience, and as someone who has been on the other side of the fence his whole career (sysadmin + security), dev != tech savvy. Even during my days in the help desk, the devs were some of the most difficult users to support. Being good at developing software doesn't always equate to being good at operating computer systems, especially in an enterprise environment.

It used to be, dev workstations and environments were fully IT controlled and curated. Then everyone moaned and complained about not having local admin access to their machine (I get it, it sucks and is annoying, but there is a reason), and then devtools started dumping themselves in %APPDATA& and user directories to bypass the admin requirement for installs. And now extensions are in everything, and IT has no tools to control it.

[isityettime]

> It used to be, dev workstations and environments were fully IT controlled and curated. Then everyone moaned and complained about not having local admin access to their machine (I get it, it sucks and is annoying, but there is a reason), and then devtools started dumping themselves in %APPDATA& and user directories to bypass the admin requirement for installs.

It's about more than lack of admin access. One uncomfortable truth I've realized over the course of my career is that the more IT "manages", the worse my computer becomes by basically any metric you can think of: stability, performance, predictability, inspectability. I've lost count of the number of times IT have broken things for me. Often, the security software they require itself has unacceptable, careless security flaws (e.g., hardcoded passwords, completely incorrect permissions checks).

Uptime of systems, even laptops, that I own can be measured in months. IT and security departments mandate the installation of so much downright shoddy software that they often end up requiring (sometimes formally!) weekly reboots just to keep the system "stable".

Frankly, I've yet to work at a company where IT or security has done what I would consider to be adequate testing of their own policies and tools. I have sadly learned down to my bones that each time I'm informed (if I'm ever informed!) that some new thing on my system will henceforth be "controlled" by some department that sees policies and standards as their mandate, no matter whether they have a "test group" that trials the stuff ahead of me or not, my system is about to permanently degrade. And more often than not, literally no one will be able to answer basic questions about the behavior of the system anymore, because the kind of people who buy and implement turnkey corporate IT solutions don't really know much about what that software does. (After all, not having to really know what it does is the whole selling point of such solutions.)

[keyle]

Never underestimate the power of procastination disguised as productivity!

[emsign]

It's stupid but understandable. Be it browsers or IDEs they lack much needed functionality but instead of completing their products so they can be used productively out of the box, they outsource this to the community and call it a feature. Doesn't matter how good your bug fixing and security policies are if you allow basically everyone to circumvent it. In a nutshell Microsoft is lazy. Don't use their products and beware of the extension/module creep elsewhere.

[locallost]

Because you need to install things to get things done. In the world of perfect security and order it's impossible to get anything done, much the same as it's impossible to do in complete chaos.

I am telling people to wear helmets when they drive a car, this would save hundreds of thousands of lives every year in the world, but somehow I cannot convince them.

[ofjcihen]

Did work for a company last week that get popped pretty badly during a round of Shai even though they were aware of the packages.

Turns out no amount of communication to the team matters when you set Copilot to autopilot and it’s not aware of the compromised packages.

I suspect that’s going to be a trend.

[pojzon]

In AI era the way to install software is to pass a random script from internet to shell with sudo privileges.

Thats enough to see how much AI crowd cares about security.

[casey2]

So you've been telling companies to stop using CI/CD too right?