1. 11

    It’s egregious judgement errors like this that make me wonder if the appropriate course of action is not to apply a patch, change settings, etc. but instead just uninstall and stop using it entirely. Who knows what else might be lurking in there?

    1. 17

      This seems a bit harsh.

      This feature allows iTerm to check whether links are clickable, which is a really cool feature IMO.

      Also, we should give the iTerm team props for releasing a patch so quickly.

      EDIT: It’s also nice to see someone owning up to their mistake: https://gitlab.com/gnachman/iterm2/wikis/dnslookupissue

      1. 7

        This feature allows iTerm to check whether links are clickable, which is a really cool feature IMO.

        It’s a nice feature, but it’d work just as well if it only checked a regex. Web browsers don’t even disable invalid links, so it’s a stretch to expect a terminal to do so.

        I do agree it’s a bit harsh to completely uninstall just over this issue, though.

        1. 10

          This seems a bit harsh.

I don’t think so: if you need a bug to grasp why leaking DNS queries is bad, what other insane privacy gaps did you build into your software?

          This feature allows iTerm to check whether links are clickable, which is a really cool feature IMO.

          • build a list of clickable URIs in code
          • let the user specify URI prefixes
          • … or a regex!
          • … or even better push it to my plumber daemon!

          There are plenty of ways to make clickable links without adding a massive privacy vulnerability.
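An added example (an editor's illustration, not iTerm2's code and not part of the comment above) of the regex-plus-prefix approach the list describes, shown beside the resolver-based pattern the thread criticises. The `DEFAULT_PREFIXES` allowlist, the sample `SCREEN` lines and the `NoDNSGuard` harness are all constructed for this example; the guard exists so you can check, offline, that a detector never turns on-screen text into a DNS query.

```python
import re
import socket

# Assumed user setting: only text starting with one of these is ever clickable.
DEFAULT_PREFIXES = ("https://", "http://", "ssh://", "mailto:")

# scheme ":" followed by a run of non-space, non-quote characters. This is a
# display heuristic only: a false positive costs nothing, a network lookup does.
_URL_RE = re.compile(r"""[A-Za-z][A-Za-z0-9+.-]*:[^\s<>"'`]+""")
_TRAILING_PUNCT = ".,;:)]}"


def find_clickable(text, prefixes=DEFAULT_PREFIXES):
    """Return (start, end, url) spans for link-looking text.

    Purely lexical: no socket is opened and no hostname is resolved. Anything
    not on the prefix allowlist is simply not a link, resolvable or not.
    """
    allowed = tuple(p.lower() for p in prefixes)
    spans = []
    for m in _URL_RE.finditer(text):
        url = m.group(0).rstrip(_TRAILING_PUNCT)  # trailing punctuation is prose
        if url.lower().startswith(allowed):
            spans.append((m.start(), m.start() + len(url), url))
    return spans


class DNSLeak(RuntimeError):
    """Raised by NoDNSGuard when code under test tries to resolve a name."""


class NoDNSGuard:
    """Test harness (not something a terminal ships): replace the resolver
    entry points so any lookup fails loudly instead of leaving the machine."""

    _targets = ("getaddrinfo", "gethostbyname", "gethostbyname_ex")

    def __enter__(self):
        self._saved = {n: getattr(socket, n) for n in self._targets}
        for n in self._targets:
            setattr(socket, n, self._trap)
        return self

    def __exit__(self, *exc):
        for n, fn in self._saved.items():
            setattr(socket, n, fn)
        return False

    @staticmethod
    def _trap(name, *args, **kwargs):
        raise DNSLeak(f"attempted to resolve {name!r}")


def leaks_dns(detector, text):
    """True if detector(text) tried to resolve any hostname."""
    try:
        with NoDNSGuard():
            detector(text)
    except DNSLeak:
        return True
    return False


def leaky_find_clickable(text):
    """The pattern criticised in the thread, for contrast: decide whether a
    token is a link by resolving it. Every hostname-like string that scrolls
    past (internal hosts, parts of secrets) becomes a DNS query.
    Only call this under NoDNSGuard."""
    found = []
    for m in re.finditer(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+", text):
        try:
            socket.gethostbyname(m.group(0))  # outbound query per token
            found.append(m.group(0))
        except socket.gaierror:
            pass
    return found


# Constructed sample of what a terminal might have on screen.
SCREEN = [
    "$ cat ~/.pgpass",
    "db-prod.internal.example:5432:app:deploy:hunter2",
    "See https://gitlab.com/gnachman/iterm2/wikis/dnslookupissue for details.",
    "export API_TOKEN=sk_live_0123456789abcdef",
]


def scan_screen(lines, prefixes=DEFAULT_PREFIXES):
    """Map line index -> clickable spans, with the guard proving no lookup."""
    out = {}
    with NoDNSGuard():
        for i, line in enumerate(lines):
            spans = find_clickable(line, prefixes)
            if spans:
                out[i] = spans
    return out


if __name__ == "__main__":
    for i, spans in scan_screen(SCREEN).items():
        for start, end, url in spans:
            print(f"line {i} cols {start}-{end}: {url}")
    for line in SCREEN:
        print(f"{line[:28]!r:32} lexical leaks: {leaks_dns(find_clickable, line)}"
              f"  resolver-based leaks: {leaks_dns(leaky_find_clickable, line)}")
```

The point of the second detector is not that it is what iTerm2 did line for line, but that any design which decides clickability by asking the network will send whatever is on screen to the resolver; the lexical version makes the same UI decision from the text alone, and the guard is a cheap regression check that it stays that way.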

          1. 9

            Sure! And @gnachman owned up to the fact that he didn’t think this through.

            My concern is with the people attacking iTerm and threatening to uninstall because the guy made a mistake. I have no doubt he works hard on iTerm and his response was both fast and transparent. I’m sure he’s learned a good lesson and this won’t happen again. If anything, I have more respect for him than I did before.

            1. 25

              It’s kind of gross that @gnachman has a long history of steadily improving iTerm and there are cries of “uninstall!” when he makes a single mistake that he fesses up to and fixes quickly. Seriously, why make free/OSS stuff if people are going to be that uncharitable about it?

              1. 2

Totally gross, indeed. Only took at least 3 bug reports (the other two are directly referenced by the OP of the new one), each detailing the very same security issue from a different angle (but each one is, in fact, security-related), over a period of 2 years (each report came roughly 1 year apart from the other).

                But, of course, the alternative facts is that once the word spread out to Hacker News / Lobsters / whatnot, the issue was “fixed” very quickly, so, to even entertain the idea that such software should be uninstalled due to this, is entirely unjustified and gross!

                P.S. Did you know he has a Patreon, too, as per HN? If you do appreciate his work all that much, maybe instead of arguing against the solid security concerns that people with knowledge of the matter do have, you should instead be setting up your recurring donation?

                1. 1

                  I’m not quite sure where to start with this response. I suspect we are talking past each other, or not talking about the same thing. I’m advocating for a little grace here. The implementation was bad, period. He should’ve fixed it earlier. But even with both concerns I can’t get too worked up about it. It’s funny because I work in infosec and I despise software bloat because it usually produces stupid bugs like this.

                  Anyway, thanks for the thoughts.

              2. 8

                I quite like iTerm2, will continue to use iTerm2, and I’m grateful for the continued innovation and effort in iTerm2.

                A concern I have is the issue has been reported twice over the past few years, both raising concerns around privacy and security:

                only after the high level of attention paid to the bug on HN and Lobsters was the severity of the issue considered.

                1. 2

                  I agree that this is a problem, but uninstalling isn’t the solution.

                  A better approach would be a post-mortem. Any reasonable engineering company would do this after finding a security issue in their software has been reported multiple times. Why not do the same in OSS?

                  I’ve opened this issue to try to get this started: https://gitlab.com/gnachman/iterm2/issues/6068

            2. 1

              Good looks owning up to it. I’ve been happy with iTerm2 for some time now, and this issue won’t change that, now that they have responded quickly and appropriately (in my mind).

            3. 1

              I uninstalled it after this. Apple has been improving terminal a lot in recent years. It now supports many of the features I sought in iTerm, like ligature rendering.

              I appreciate iTerm a lot, but really obvious security mistakes (correctly) lower people’s confidence in the security of the product in other respects.

            1. 4

              A patch has been released as v3.1.1. It’s available here (the home page has not been updated at the time of posting) and through the iTerm “Check for Updates” feature.

              1. 1

                If you already know about this vulnerability, a patch is kinda pointless — presumably, you can already disable the setting as-is.

But a better option seems to be uninstalling such a PoS of a liability altogether — who knows what other great security decisions were taken? The fact that folks have pointed this out twice before, including in a security setting (Issue 5303 from 2016-11-02 — 10 months ago), and no one paid any attention to the big-picture implications, leaves little confidence in the project being capable of making sound architecture decisions.

                1. 2

                  I’m torn, primarily because:

A) I wouldn’t personally be affected - never put sensitive material onscreen to be seen by passers-by (it stays in files or occasionally is on the clipboard for a second before getting cleared)

                  B) it’s a vastly better terminal emulator than the others I’ve tried. They really nailed the ‘useful’ bit.

                  On the other hand I agree that this implies a pretty serious lack of thought on the developer’s part, and I don’t think I want to risk it.

              1. 5

                I also know that some startups offer below average salary, because of options you get as an employee when joining a startup.

                1. 8

                  This is kind of the same thing though, isn’t it? Options are worthless until there is a liquidation event. By not calling this out, the employer is hoping you’ll add the potential value of the options to your salary to get total comp, but they’re still underpaying you.

                  1. 0

Yes, exactly. It’s “virtual” money. It’s one of those things; I don’t get why founders try to do such things to their employees.

                  2. 8

                    As I once said elsewhere:

                    Stock options are for when you want to tightly couple your career and investing decisions at a moment when you’re excited and biased and trying to please someone who can offer or deny you a job.

                    Before taking options, maybe ask yourself if you’d invest in this company if you weren’t going to work there.

                    Personally, I consider stock options to be basically worthless, because:

                    • Most companies fail.
                    • Success or failure depends more on business decisions than on my individual code contributions.
                    • Stock options can be complicated and sometimes employees get the short end of the stick vs outside investors
                    • Having options would complicate my decision about when to leave a job for other reasons

                    Getting paid in options makes me an investor in the business, and investing in individual stocks is always risky. Getting paid in cash means I have zero risk, and can invest in mutual funds or whatever seems prudent to me.

                    1. 3

                      True, the salary is lower but the expected value of the compensation isn’t usually different. Here’s how it works.

Let’s say you have a job that pays you $100k a year, no bonuses, and no option to buy into the company. How much do you expect to have been paid after four years, barring any promotions or raises? That’s $100k/yr * 4yr = $400k.

                      Now suppose you have a different job. It only pays $90k a year, but you get to buy a .001 ownership stake in the company at negligible cost on a four year vest. There’s an 80% chance that the company will fail and go bust when it runs out of money after year four, but a 20% chance that the company could get sold outright for $200M. What do you expect to have been paid after four years?

                      There are two possibilities. If the company goes bust, you get $90k/yr * 4yr = $360k. If the company is successfully sold, you get your $360k salary plus an additional $200k from the sale of your share of the company, for a total of $560k.

Since you have probabilities for the two outcomes, you can calculate the expected value. You have a 20% chance of earning $560k, and an 80% chance of earning $360k. (20% * $560k) + (80% * $360k) = $400k.

                      So the salary in the second job is 10% lower, but the expected pay after four years is exactly the same.

What makes optioned offers so difficult to evaluate is the uncertainty in assigning the odds and payouts of success. Are the odds of liquidity really as high as 20%, and will the company really sell for $200M? Or is it more like a 10% chance at a $500M sale? And is that better or worse? Expected value lets you weigh those options.

                      1. 3

What makes optioned offers so difficult to evaluate is the uncertainty in assigning the odds and payouts of success. Are the odds of liquidity really as high as 20%, and will the company really sell for $200M? Or is it more like a 10% chance at a $500M sale?

                        That’s my problem: either of those numbers could be anything.

                        Also, imagine the stock and job being decoupled: you don’t work at this company, but you have the chance to invest $10k, with 80% odds of losing it entirely. Would you? I wouldn’t.

                        you get to buy a .001 ownership stake in the company at negligible cost on a four year vest.

                        Complication: what happens if you want to leave the job after 2 years? So far I haven’t had a 4-year job in tech.

                        1. 1

                          That’s my problem: either of those numbers could be anything.

                          Like a lot of things, it takes explanation and practice to get a feel for how it works, but the numbers really can’t be anything.

It’s fairly common knowledge that nine out of ten startups fail outright. So a ten percent success rate is a pretty reasonable probability to assign if you know absolutely nothing else. The valuation range at liquidity is pretty limited too. A valuation higher than $500M would be outstanding, but $100M to $200M is a lot more common and a safer bet, again if you know nothing else. One way to get a better estimate than that is simply to ask what the founders think. They have to answer that question for investors all the time. Yes, it might be wildly optimistic, but at least you can use it as an upper limit.

                          Also, imagine the stock and job being decoupled: you don’t work at this company, but you have the chance to invest $10k, with 80% odds of losing it entirely. Would you? I wouldn’t.

Obviously if you can’t afford to be without the $10k for the investment period, or forever, you can’t take that bet. But if we’re still talking about a payout on success of $200k with a confident 80% failure estimate, then the expected value math says it’s a good deal, and I’d certainly take it if I could afford to be without the $10k.

                          However, those kind of deals (small, lucrative) are usually only made available to employees, as one of the benefits for doing work with the startup. If you evaluated the company and wanted in on the deal, but for some reason didn’t want to work there, you’d have to come up with a much bigger ‘put’ than $10k to buy into it. Think ten times that amount, if they wanted funding partners at all.

                          Complication: what happens if you want to leave the job after 2 years? So far I haven’t had a 4-year job in tech.

Most companies that aren’t on an imminent failure course will simply exercise their “right of first buyback” on your shares. You’ll get back whatever money you paid for them, and you’ll walk away from the job having made whatever your salary was for those two years.

                    1. 7

                      Not a bad observation, I guess, but not all that interesting or new either.

                      1. 31

It definitely is one worth repeating. I regularly meet junior developers earning less than minimum wage when calculating their hours. And they aren’t even aware. Repeat it until they all know.

                        1. 8

                          I think this is why companies have robust grad-to-hire pipelines but don’t really have good solutions for devs with 2 years experience looking for a new job. Fresh faces are the best buy.

                          1. 4

                            One problem I’ve noticed is that many junior developers seem to be OK with this. In my experience, they justify it as “paying their dues”.

                            I did the same early on in my career. Now I work 40 hours and go do something else. I wonder if this is just one of those lessons you have to learn the hard way. That would explain why job postings like these are still around: they work.

                            1. 4

                              As long as the culture continues to lionize it, as long as companies that demand it face no consequences, then, yes, “the hard way” is the only reliable way to learn it.

                              But those of us who have already learned it can work to change the culture, and the companies. Blog posts like this are one way of contributing to that work.

                            2. 4

                              I’m 23 and started working when I was 22. At a startup. An early stage startup. I’ve never worked more than 8 hours and never would - even if I love software programming. I will never understand the mindset of 22-26 year olds who do this, pressured or not. Am I just lucky that no one has asked me to do work long hours?

                              1. 4

I’ve sometimes agreed to put in exceptional extra hours because everything was exploding - on the condition that we’d fix the root cause once found. Otherwise, same thing. I mostly refuse to work more for the same amount for two reasons: I have a family that I care about more than I care about work, and also, if you want me to work more and not actually incentivize that by actually paying me for the extra work, I’m not doing it. Usually, the conversation goes “We’ll need you guys to put in overtime.” and then I’ll reply “Oh, nice, I’m fine with it, as long as it’s paid.” “Never mind.”

                              2. 3

                                If you are not even aware of what your hourly rate is when you probably have a degree in computer science, then you have only yourself to blame.

                                Getting young people drunk on an image so they will work for you for free or at a great discount is a proven technique in the charity industry.

                                1. 2

                                  Sure, it is. But these people are also my competition and peers, so I’ve got double interest in educating them.

                                  1. 2

                                    I mean, my “hourly rate” is highly variable. I’m on a salary and have no fixed hours.

                                    1. 1

                                      Hourly rate is calculated on top of your average work hours.

                                      1. 1

                                        Could use that to get my average hourly rate, I suppose.

                                        Though, how should I count hours when I’m on-call but not working but might need to be working at any moment? There’s a reason salary is just easier :)

                                        1. 1

If you have no separate, explicit arrangement for on-call as a freelancer, you should renegotiate your contract. Different services, different arrangements.

                                          If you are on-call for free and get paid only when a call happens, you negotiated badly. Carrying a pager is a service worth something: you are selling off the right to be called to work at any time. You are not allowed to freely use that time; for example, you are not allowed to drink or get too far away from your computer. It’s not unusual that this is worth 50% of the hourly wage!

                                          If your client thinks these fees are too high, maybe the systems you are on-call for aren’t as mission-critical as they are communicated.

                                          I’m working for a major local enterprise company that - because they thought through that line of thinking in full - has almost no systems in 24 hour support, only 6 to 20.

                                          1. 2

                                            I’m an employee, not a freelancer, and I get paid the same oncall or not, called or not, working or not. That’s how salary works – I work enough to make the bosses happy in exchange for a single (very large) number.

                                            1. 1

                                              Similarly in that case, I hope your contract has clear phrasing about how much of your workload is on-call, how much not and what your compensation around that is. It is very usual that on-call on weekends is paid higher, so your salary is not necessarily fixed.

                                              (I know how salary works, I have employees with on-call regulations)

                                              1. 1

                                                Sorry, didn’t mean to imply that you personally don’t know how salary works – poor wording on my part.

                                                1. 1

                                                  No problem, I guess we misunderstood each other quite a bit in that thread. Happy about the discussion, thanks :).

                                          2. 1

                                            At a job I had, on-call had specific procedures and expectations, and we’d get a bonus on the paycheck when we’d have to carry the torch, as a compensation that would be paid even if nothing happened. This incentivized us to take care of our shit in such a way that we would only get disturbed during office hours. They also provided a cheap company smartphone that would rotate along with the duty, preconfigured so that you could use it to connect anywhere at any time if it was required.

                                1. 3

                                  I noticed this a while back while using my 15” Macbook Pro at a coffee shop. I forgot to bring my charger and my battery was dropping like crazy. Looked at who was using all the energy and it was Slack. I don’t usually bring my charger to the coffee shop, so now I just don’t use Slack while I’m there.

                                  1. 2

                                    Superforecasting: The Art and Science of Prediction

                                    The theme of the book is that, with a little training and the right approach, it’s possible to increase the accuracy of your predictions. I’m about 50 pages in, but it’s a good book and a fun read so far.