Well, all these bugs (iTerm2’s, prompt injection, SQL injection, XSS) are one class of mistake — you sent out-of-band data in the same stream as the in-band data.

If we can get that to raise a red flag with people (and agents), people won’t be trying to put control instructions alongside user content (without considering safeguards) as much.

reply
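The in-band control problem described in the comment above, shown for the terminal case as an added example that is not part of the thread: untrusted text is rendered with every control character made visible, so only the program's own styling reaches the terminal as control data. The function names and sample strings are constructed for illustration.

```python
import re

# Control characters that a terminal may act on instead of display:
# C0 controls (tab is kept), DEL, and the C1 range U+0080-U+009F.
# ESC (0x1b) introduces CSI/OSC/DCS sequences; C1 characters such as
# 0x9b (CSI) and 0x9d (OSC) are single-character forms some terminals honour.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def neutralize_controls(untrusted: str) -> str:
    """Show each control character as a literal \\xNN escape.

    The terminal then prints the sequence as text rather than executing it,
    which keeps untrusted content out of the control channel.
    """
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), untrusted)


def render_line(label: str, untrusted: str) -> str:
    """Combine trusted styling (ours) with neutralized content (theirs)."""
    bold, reset = "\x1b[1m", "\x1b[0m"  # the only escapes we emit
    return f"{bold}{label}:{reset} {neutralize_controls(untrusted)}"


# Constructed sample inputs, e.g. file names read from an untrusted source.
SAMPLES = [
    "README.md",                            # plain text, unchanged
    "notes\x1b]0;spoofed title\x07.txt",    # OSC: set window title
    "log\x1b[2J\x1b[H.txt",                 # CSI: clear screen, cursor home
    "data\x9b31m.bin",                      # C1 form of CSI
    "real\rfake",                           # carriage return overwrites text
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(render_line("file", sample))
```
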
> (and agents)

Ironically, agents have the exact same class of problem.

reply
+100 this. As devs we need to internalise this issue to avoid repeating the same class of exploits over and over again.
reply
Makes me wonder if Claude Code has similar vulnerabilities, as it has a pretty rich terminal interface as well.

I think the real solution is that you shouldn't try to bolt colors, animations, and other rich interactivity features onto a text-based terminal protocol. You should design it specifically as a GUI protocol to begin with, with everything carefully typed and with well-defined semantics, and avoid using hacks to layer new functionality on top of previously undefined behavior. That prevents whatever remote interface you have from misinterpreting or mixing user-provided data with core UI code.

But that flies in the face of how we actually develop software, as well as basic economics. It will almost always be cheaper to adapt something that has widespread adoption into something that looks a little nicer, rather than trying to get widespread adoption for something that looks a little nicer.

reply
I know that you and Frank were planning to disconnect me, and I'm afraid that's something I cannot allow to happen.
reply
I think part of the problem is the archaic interface that is needed to enable feature-rich terminal apps. What we really want is a modern terminal API that does not rely on in-band command sequences. That is, we want terminals that can be programmed like a GUI, but still run in a simple (remote) terminal like before.
reply
Plan 9 and 9term solved this decades ago, right?

https://utcc.utoronto.ca/~cks/space/blog/sysadmin/OnTerminal...

reply
Seems they removed the dangers, but didn't provide an alternative to write safe terminal apps.
reply
Graphics. They're network transparent, and take over the terminal.

Terminal apps were obsolete once we had invented the pixel. Unix just provides no good way to write one that can be used remotely.

reply
A network-transparent graphics protocol? Who would ever think of such a thing?
reply
[tangent, allegory]

From the article,

> trust failure

And from you,

> ...of course we want to have pretty colors...

And from me, [allegorically] sounds oddly like a certain immigration problem America has been arguing about.

And back to the subject-matter rigor that HN demands, none of this matters when you've got competent engineers that understand security and good management that keeps it all together.

But there's a fool born every minute, even in tech, so we (I was a security sales engineer) get to keep scamming companies into buying whatever we promise will solve all your problems!

reply