Hacker News | gnachman's comments

So you’re saying there’s a chance that Oracle will die? Sign me up.

iTerm2 author here. This could be used as a link in an exploit chain but by itself the claim in the title is massively overblown. I’m on a family vacation but I’ll release a fix when I get back.


Disclosure: I didn't discover the vulnerability. I wrote the blog post.

Thanks for releasing a fix!

It was surprising that there wasn't an official release, even though the bug impacts otherwise routine, harmless workflows. The patch itself [1] framed the issue as "hypothetical," so the goal of the blog post was to demonstrate that it is not. I'm glad that you've agreed to release a fix.

[1] https://github.com/gnachman/iTerm2/commit/a9e745993c2e2cbb30...


Thank you for iTerm2, I appreciate your response here, enjoy your vacation!


I love iTerm2, thank you!


Here’s mine

https://apps.apple.com/us/app/snortfolio/id6755617457

30kloc client and server combined. I built this as an experiment in building an app without reading any of the code. Even ops is done by claude code. It has some minor bugs but I’ve been using it for months and it gets the job done. It would not have existed at all if I had to write it by hand.


I moved across the country to work for Palm on a secret project which was revealed to be the Foleo only after I started. I spent a year trying to make the web browser with a totally broken engine they had licensed from Access. Having blown their budget of 100k on the engine they were determined to stick with it. I was amused when it was announced and then canceled after I quit.


I was a developer at a third party developer writing Foleo software and I always wondered what was going on on the other side of the wall. The rumour I was told for the cause of all the delays was that some executive had decided the screen was too low resolution way too late in the project and everything had to be redesigned. Released a year or two earlier they might have been decent devices, IMHO.


That wouldn't work very well because Date.now() isn't monotonic.


There is a monotonic time source available in JavaScript, though: https://developer.mozilla.org/en-US/docs/Web/API/Performance...

As I understand it, the precision of such timers has been limited a bit in browsers to mitigate some Spectre attacks (and maybe others), but I imagine it would still be fine for this purpose.


Hi! I’m the author. I wrote my thoughts on the AI furor here (in two unlinked parts because I’m apparently bad at computers):

https://techhub.social/@gnachman/112481098349565431

https://techhub.social/@gnachman/112481098800427110

I’m happy to discuss the tradeoffs.

There’s a change coming in the next dot release so managed environments can disable all generative ai features. I’ll keep an eye out for what others do in this regard to support enterprise users.


I worked on this as an intern in 1997 and led it for a while. AMA


Hey George! We should catch up! (to readers: I was the guy who hired George as an intern and he was awesome. so AMA too!)

AOLServer was so, so, so far ahead of its time. It had a WYSIWYG HTML editor years before Dreamweaver that could post content to the server. The integrated (Illustra!) Database and TCL interpreter meant you could build basically anything with it. Props to Jimbo and Doug...

We built what I think might have been the world's first massively multi-homed, self-provisioning hosting service (called, creatively, "Navi-Service") with it. Think Linode but in 1997.


What issues did you run into using Tcl? (If any)


Did you make the CDs?


iTerm2 has code to detect when the current host changes and then disables paste bracketing. An ssh session suddenly ending is a common cause of it being left on with annoying consequences.

After sending a bracketed paste, iTerm2 watches for half a second for `00~` to be echoed back and then offers to turn paste bracketing off for you.

Every modal reporting feature has similar problems: mouse reporting and focus reporting, in particular.


> An ssh session suddenly ending is a common cause of it being left on with annoying consequences. ... Every modal reporting feature has similar problems: mouse reporting and focus reporting, in particular.

I've hit that with mouse reporting. Now that you mention it, seems like one way to address this would be the ssh client sending the ANSI escape sequences to turn off these features on exit. I wonder if the openssh developers would be open to doing so. It also seems possible to wrap ssh in a tiny shell/whatever script that calls ssh, saves the exit status, prints these disable codes, and returns the original exit status.


...then again, as the same problem could happen with any program crashing, one could argue it should be the shell's responsibility to reset terminal state after each program invocation. It could do so blindly (always send the disable codes) or set up ptys for children + pipe program output through itself and watch for state changes that need to be reset. I wonder if any shells do this, or if any common rc scripts set post-command execution wrappers to do so.
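
A sketch of the wrapper idea from the two comments above, added here as an example and not code posted by anyone in the thread: run a command, save its exit status, emit the xterm "reset mode" sequences for bracketed paste, focus reporting and mouse reporting, and return the original status. The names `reset_sequences`, `run_and_reset`, `ssh_reset` and the `SSH_BIN` override are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). All function and variable names
# here are hypothetical.

# DEC private modes a crashed or disconnected program can leave enabled:
#   2004 = bracketed paste      1004 = focus reporting
#   1000/1002/1003 = mouse tracking variants
#   1006/1015 = extended mouse coordinate encodings
TERM_MODES="2004 1004 1000 1002 1003 1006 1015"

# Print "CSI ? <mode> l" (reset mode) for every mode listed above.
reset_sequences() {
    for mode in $TERM_MODES; do
        printf '\033[?%sl' "$mode"
    done
}

# Run "$@", remember its exit status, reset the terminal modes, and
# return the saved status so callers and scripts see no difference.
run_and_reset() {
    rc=0
    "$@" || rc=$?
    # Only write escape sequences when stdout is a terminal, so that
    # output piped or redirected to a file is never polluted.
    if [ -t 1 ]; then
        reset_sequences
    fi
    return "$rc"
}

# ssh-specific entry point. SSH_BIN is an assumed override that lets the
# wrapper be pointed at another binary, for example when testing.
ssh_reset() {
    run_and_reset "${SSH_BIN:-ssh}" "$@"
}
```

The blind variant from the second comment would call `reset_sequences` from the shell's prompt hook (for example bash's `PROMPT_COMMAND`) instead of wrapping one program.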


All but one of my monitors are or were sold by Apple. So they were tested and are usb c and need no dongles. The other is a low dpi monitor with no special features besides hdr.

The three apple approved monitors generally work well, requiring a reboot sometimes only if I unplug them.

The other one I constantly have to fix the settings for.

It sucks. I wish apple employees had multiple displays.


I have five monitors. When it works, it's great. The other 5% of the time it's a giant pain in the butt. I don't know why this part of macOS is so incredibly buggy. It often forgets the arrangement, the HDR setting, and the refresh rate.

I wrote a little program to detect when it breaks and set it back, but they don't have APIs for refresh rate and HDR so it's only a partial fix.

I've half a mind to take a job there, fix it, and quit.


Try using displayplacer. It supports hz and I added color_depth to it a while back. I don't remember HDR being in the APIs used either but that may address it.

https://github.com/jakehilborn/displayplacer


I'm running 3 external monitors off of a laptop and for me macOS is much more consistent about putting the windows in the right place, I don't even have to plug them in the same order. When I try to do the same on my desktop with nvidia surround, all of the monitors need to be plugged in on boot in order for it to "remember" the configuration.

