What it’s sending and how to block it.

I tried out Visual Studio Code the other day after hearing a colleague refer to it, and I think I also saw it being used in a video and I liked the look of it. So I went off and grabbed a copy and started playing. The first point of interest for me was the ability to add add-ons, one in particular being remote SSH browsing. I thought this was a great idea so grabbed that too. Here’s where the security fun starts.

Working in security, certain things catch my eye, like the word ‘telemetry’. And so began the dig. Tools, settings, prefs etc. being my first port of call, searching for ways to stop this software phoning home. I found some settings, un-ticked the boxes and left it at that. But out of morbid curiosity I searched through the settings again. After all, if the software is free, you’re the product. After a few minutes I found that the telemetry settings were all over the place, and that you need to disable it in more than one place.

The issue I had was the wording of the remote SSH browser. It said that it would send command info and the like back as telemetry. If this is what I understand it to be, then I don’t want it and it would be considered potential IP loss to me. So what is it telling Big Bro? Here’s how I found out.

ZAP proxy (version 2.9 when I tested this) is a great security tool which provides a man-in-the-middle intercepting proxy for anything that likes to talk TCP. So I fired it up and noted the port that it listens on, which was 8080. As I’m using Linux I used the http_proxy and https_proxy environment variables to allow programs spawned from the command session to use http://127.0.0.1:8080…

$ export http_proxy=http://127.0.0.1:8080
$ export https_proxy=http://127.0.0.1:8080
$ code

That last line starts Visual Studio Code. Then I sat back and watched ZAP’s screen as VSC phoned home. The first few calls were GETs, so I ignored them. Then some POSTs occurred:

POST https://vortex.data.microsoft.com/collect/v1 HTTP/1.1
Content-Type: application/x-json-stream
Content-Encoding: gzip
Content-Length: 1487
Connection: close
Host: vortex.data.microsoft.com

Each POST was followed with a 200 with the following JSON payload:

{
  "ipv": false,
  "pvm": null,
  "rej": 0,
  "bln": 0,
  "acc": 8,
  "efi": []
}

The acc value seemed to change between POSTs.

The actual payload that was sent (the telemetry) appeared to be obfuscated or encoded. You might first think that this was probably HTTPS-encrypted data, but this is not the case, as ZAP is acting as an intercepting proxy and can see the payloads clearly. Look at the Content-Encoding line - gzip. I saved the content into a file and tried simply gunzipping it, which yielded the decoded telemetry data.

Bottom line, I wasn’t too happy. Machine name, operating system, version number, architecture, keyboard language, something called localhostCount (may be interesting). I caught it sending info with vscode-docker.networks.inspect when I right-clicked a Docker network shown in VSC’s Docker add-on, so it’s safe to say anything you click on is probably sent back to base. The Docker add-on might not belong to Microsoft but the telemetry still went to Microsoft’s servers (listed below).

There may be more to follow so I’m going to let it run and gather some info for further research. To make parsing the content easier I found simply searching for commas and replacing them with \n in SublimeText, sorting and then removing duplicate lines made for much easier human reading and pattern spotting.
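
The decode-and-inventory step described above, as an added Python example that is not part of the original post: it gunzips a captured body, walks the JSON and builds the sorted, de-duplicated key list, then pulls out the fields that describe the host. The sample body is constructed, and the one-object-per-line layout, the nesting of the sample events and the WATCHLIST selection are assumptions.

```python
import gzip
import json

# Constructed sample: key names come from the article, values are made up.
SAMPLE_EVENTS = [
    {"name": "startup", "iKey": "PLACEHOLDER-KEY",
     "tags": {"ai.device.osPlatform": "linux"},
     "data": {"baseData": {
         "properties": {"common.machineId": "constructed-machine-id",
                        "cpus.model": "Constructed CPU @ 2.60GHz"},
         "measurements": {"cpus.count": 2, "totalmem": 8364355584}}}},
    {"name": "vscode-docker.networks.inspect", "data": {"baseData": {
        "properties": {"common.machineId": "constructed-machine-id"}}}},
]
# Assumption: the stream carries one JSON object per line, gzip-compressed.
SAMPLE_BODY = gzip.compress(
    "\n".join(json.dumps(e) for e in SAMPLE_EVENTS).encode())

# Field names from the article that describe the host rather than the editor.
WATCHLIST = {"common.machineId", "cpus.model", "cpus.count", "totalmem",
             "freemem", "ai.device.id", "isVMLikelyhood"}

def decode_body(raw: bytes) -> list:
    """Gunzip a captured POST body and parse one JSON object per line."""
    text = gzip.decompress(raw).decode("utf-8", errors="replace")
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def inventory(node, found=None) -> dict:
    """Walk nested JSON and map each key name to the set of values seen."""
    found = {} if found is None else found
    if isinstance(node, dict):
        for key, value in node.items():
            seen = found.setdefault(key, set())
            if isinstance(value, (dict, list)):
                inventory(value, found)
            else:
                seen.add(value)
    elif isinstance(node, list):
        for item in node:
            inventory(item, found)
    return found

def host_fields(found: dict) -> dict:
    """Keep only watchlisted keys, values as sorted strings for diffing."""
    return {k: sorted(map(str, found[k])) for k in sorted(found) if k in WATCHLIST}

if __name__ == "__main__":
    fields = inventory(decode_body(SAMPLE_BODY))
    print("\n".join(sorted(fields)))  # sorted, de-duplicated key list
    print(host_fields(fields))
```

To run it on a real capture, pass the bytes of the body saved from ZAP to decode_body() in place of SAMPLE_BODY.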

code --telemetry

They do tell you what you’re getting yourself in for by providing a --telemetry command line argument, which you’re welcome to try out yourself. I won’t waste space repeating it all here.

Block the data leak

A simple way to block the telemetry (outside the control of VSC itself) would be to amend your hosts file. The remote host you need to add is vortex.data.microsoft.com. A hosts file entry takes the bare hostname, without the https:// scheme.

Like so:

Linux

Add this to the end of the /etc/hosts file. Provide a line return also for safe keeping.

127.0.0.1    vortex.data.microsoft.com

Windows

Same deal but in C:\Windows\System32\Drivers\etc\hosts. If you use Notepad you’ll need to start it with administrator access.

Update 21st January 2020

I set up a virtual machine and prepared ZAP for action, and installed a fresh copy of VSC and ran it. I received the message that telemetry was an option but the only buttons on that box were close and more info. Before I had a chance to change anything or opt out, VSC phoned home big time! New data seen in the outgoing telemetry:

"common.version.shell":"6.1.5"
"cpus.count":2
"cpus.model":"Intel(R) Core(TM) i5-7300U CPU @ 2.60GHz"
"cpus.speed":2711
"isVMLikelyhood":100
"freemem":2587979776
"totalmem":8364355584
"meminfo.privateBytes":118092
"meminfo.sharedBytes":8888
"meminfo.workingSetSize":220668

I couldn’t actually stop this data leaving this fresh installation! So I had no choice and got no opt out option before this first payload left. And now I know that Microsoft can see a lot more information about the systems it’s deployed on than what you might think is necessary.

Here’s a dump of the variables captured in this most recent telemetry payload.

activateCallTime
activateResolvedTime
activationEvents
ai.cloud.role
ai.cloud.roleInstance
ai.device.id
ai.device.osArchitecture
ai.device.osPlatform
ai.device.osVersion
ai.internal.sdkVersion
arch
baseData
codeLoadingTime
commitHash
common.firstSessionDate
common.instanceId
common.isNewSession
common.lastSessionDate
common.machineId
common.nodeArch
common.nodePlatform
common.platform
common.platformVersion
common.product
common.remoteAuthority
common.sequence
common.timesincesessionstart
common.version.renderer
common.version.shell
cpus.count
cpus.model
cpus.speed
currentKeyboardLayout.layout
currentKeyboardLayout.options
currentKeyboardLayout.rules
currentKeyboardLayout.variant
customKeybindingsCount
data
didUseCachedData
editorIds
emptyWorkbench
entries.didHandleExtensionPoint/breakpoints
entries.didHandleExtensionPoint/codeActions
entries.didHandleExtensionPoint/colors
entries.didHandleExtensionPoint/commands
entries.didHandleExtensionPoint/configuration
entries.didHandleExtensionPoint/configurationDefaults
entries.didHandleExtensionPoint/debuggers
entries.didHandleExtensionPoint/grammars
entries.didHandleExtensionPoint/iconThemes
entries.didHandleExtensionPoint/jsonValidation
entries.didHandleExtensionPoint/keybindings
entries.didHandleExtensionPoint/languages
entries.didHandleExtensionPoint/menus
entries.didHandleExtensionPoint/problemMatchers
entries.didHandleExtensionPoint/problemPatterns
entries.didHandleExtensionPoint/snippets
entries.didHandleExtensionPoint/taskDefinitions
entries.didHandleExtensionPoint/themes
entries.didHandleExtensionPoint/views
entries.didHandleExtensionPoint/viewsContainers
entries.didHandleExtensionPoint/webviewEditors
entries.didInitWorkspaceService
entries.didInitWorkspaceStorage
entries.didLoadExtensions
entries.didLoadMainBundle
entries.didLoadWorkbenchMain
entries.didRemovePartsSplash
entries.didRestoreEditors
entries.didShowPartsSplash
entries.didStartWorkbench
entries.extensionHostReady
entries.LifecyclePhase/Eventually
entries.LifecyclePhase/Ready
entries.LifecyclePhase/Restored
entries.main
entries.main/startup
entries.renderer/started
entries.willHandleExtensionPoint/breakpoints
entries.willHandleExtensionPoint/codeActions
entries.willHandleExtensionPoint/colors
entries.willHandleExtensionPoint/commands
entries.willHandleExtensionPoint/configuration
entries.willHandleExtensionPoint/configurationDefaults
entries.willHandleExtensionPoint/debuggers
entries.willHandleExtensionPoint/grammars
entries.willHandleExtensionPoint/iconThemes
entries.willHandleExtensionPoint/jsonValidation
entries.willHandleExtensionPoint/keybindings
entries.willHandleExtensionPoint/languages
entries.willHandleExtensionPoint/menus
entries.willHandleExtensionPoint/problemMatchers
entries.willHandleExtensionPoint/problemPatterns
entries.willHandleExtensionPoint/snippets
entries.willHandleExtensionPoint/taskDefinitions
entries.willHandleExtensionPoint/themes
entries.willHandleExtensionPoint/views
entries.willHandleExtensionPoint/viewsContainers
entries.willHandleExtensionPoint/webviewEditors
entries.willInitWorkspaceService
entries.willInitWorkspaceStorage
entries.willLoadExtensions
entries.willLoadMainBundle
entries.willLoadWorkbenchMain
entries.willRestoreEditors
entries.willShowPartsSplash
entries.willStartWorkbench
extensionVersion
freemem
from
hasAccessibilitySupport
iKey
initialStartup
isLatestVersion
isVMLikelyhood
language
loadavg
measurements
meminfo.privateBytes
meminfo.sharedBytes
meminfo.workingSetSize
name
onCommand
onLanguage
outcome
pinnedViewlets
platform
pluginHostTelemetry
properties
publisherDisplayName
reason
reasonId
release
resource.ext
resource.mimeType
resource.scheme
restoredEditors
sampleRate
sessionID
startup
startupKind
tags
target
theme
themeId
time
timers.ellapsedAppReady
timers.ellapsedEditorRestore
timers.ellapsedExtensions
timers.ellapsedExtensionsReady
timers.ellapsedNlsGeneration
timers.ellapsedPanelRestore
timers.ellapsedRequire
timers.ellapsedTimersToTimersComputed
timers.ellapsedViewletRestore
timers.ellapsedWindowLoad
timers.ellapsedWindowLoadToRequire
timers.ellapsedWorkbench
timers.ellapsedWorkspaceServiceInit
timers.ellapsedWorkspaceStorageInit
timestamp
totalmem
us
version
windowCount
windowKind
windowSize.innerWidth
windowSize.outerHeight
windowSize.outerWidth
workbench.filesToDiff
workbench.filesToOpenOrCreate
workspace.empty
workspace.roots