Readit News
afrisch commented on When I say “alphabetical order”, I mean “alphabetical order”   sebastiano.tronto.net/blo... · Posted by u/sebtron
Someone · 6 months ago
https://www.unicode.org/reports/tr10/#Contextual_Sensitivity:

“There are additional complications in certain languages, where the comparison is context sensitive and depends on more than just single characters compared directly against one another,

[…]

Numbers. A customization may be desired to allow sorting numbers in numeric order. If strings including numbers are merely sorted alphabetically, the string “A-10” comes before the string “A-2”, which is often not desired. This behavior can be customized, but it is complicated by ambiguities in recognizing numbers within strings (because they may be formatted according to different language conventions). Once each number is recognized, it can be preprocessed to convert it into a format that allows for correct numeric sorting, such as a textual version of the IEEE numeric format.”

I think those file browsers made the right choice, even given that they don’t (as in this example) always do the right thing.

afrisch · 6 months ago
But -10 is smaller than -2, right?
afrisch commented on A Postmark backdoor that’s downloading emails   koi.security/blog/postmar... · Posted by u/ghuntley
phatskat · 6 months ago
> This problem is as old as software.

Sure, I agree, and the problem is absolutely magnified by AI. If a back door gets into Thunderbird, or Google decides to start scanning and sharing all of your email, that’s one point of failure.

An MCP may connect to any number of systems that require a level of trust, and if any one thing abuses that trust it puts the entire system at risk. Now you’re potentially leaking email, server keys, recovery codes, private documents, personal photos, encrypted chats - whatever you give your AI access to becomes available to a single rogue actor.

afrisch · 6 months ago
Giving AI agents permission to do things on your behalf on your computer is obviously dangerous. Installing a compromised MCP server is really the same as installing any compromised software. The fact that this software is triggered by the user or an agent doesn't really change anything. I don't think that humans are more able to decide not to use a tool that could potentially be compromised, but that they have chosen to install already.
afrisch commented on A Postmark backdoor that’s downloading emails   koi.security/blog/postmar... · Posted by u/ghuntley
afrisch · 6 months ago
How is this different from a backdoor in, say, a Thunderbird extension? I've maintained an extension for Thunderbird and, when I was no longer interested in it, a guy pushed hard to take over the project after sending a few legitimate contributions. I declined because it seemed crazy to give the keys to tens of thousands of mailboxes to a guy I didn't really know. I also found it crazy that people would trust me initially, but well, I know I'm a good guy :-)
afrisch commented on Jane Street's sneaky retention tactic   economist.com/finance-and... · Posted by u/yawaramin
libraryofbabel · 9 months ago
The article isn’t really very persuasive about this though. Having worked with OCaml at Jane Street is not, I think most of us would agree, going to be a serious barrier to getting hired to work with another language somewhere else.

> For Jane Street’s technical rank-and-file, particularly the many hired straight out of university, non-compete agreements may be surplus to requirements. A scan of jobs listed by Millennium, a rival fund that has recently clashed with Jane Street in court, shows the strength of the latter’s position in the job market. Millennium wants engineers experienced in c++, Go, Java and Python, languages that are commonly used across finance and tech. OCaml developers, it seems, are Jane Street’s to keep.

If someone worked with OCaml at Jane Street I would just take this as a signal that they are smart enough to quickly learn Go, Python, whatever they need, and will probably be more successful after 6 months than a “Python developer” would be.

afrisch · 9 months ago
> Having worked with OCaml at Jane Street is not, I think most of us would agree, going to be a serious barrier to getting hired to work with another language somewhere else.

The retention factor is *not* that other companies wouldn't want to hire them, but rather that these employees are likely to dislike being forced to use something other than OCaml.

afrisch commented on Microsoft needs to remove GUI from kernel: BSOD with WinForms after KB5034848   gist.github.com/Nevor/ed3... · Posted by u/Nevor
nullindividual · 2 years ago
45 nested WinForms is bizarre. I think you'd melt a UX designer's eyeballs. It's possible that Microsoft sees this as low impact (small user base), or is too complex to fix, or too high risk to fix.

You could create an interesting payload with this, especially given it can be done via PoSh.

Get payload on machine -> enable Full memory dumps -> execute payload/BSOD -> upon recovery, exfiltrate memory dump.

Secrets galore.

afrisch · 2 years ago
No doubt excessive nesting is bizarre, although the end user might not notice (nested panels that fit in their parent are not visible). That's not a reason to have your entire OS break :-(
afrisch commented on Microsoft needs to remove GUI from kernel: BSOD with WinForms after KB5034848   gist.github.com/Nevor/ed3... · Posted by u/Nevor
nullindividual · 2 years ago
It's actually been fixed. I didn't, and neither did OP, read far enough through the SO thread linked in the GitHub issue.

Fix was previously included in https://support.microsoft.com/en-us/topic/june-27-2017-kb402....

> Addressed issue (Error 0x7F) with Windows Forms (WinForms) that causes the system to crash after upgrading to the Creators Update.

afrisch · 2 years ago
It has been fixed but a similar problem (with the same repro case) reappeared with a recent Windows update, only now when closing the popup.
afrisch commented on Microsoft needs to remove GUI from kernel: BSOD with WinForms after KB5034848   gist.github.com/Nevor/ed3... · Posted by u/Nevor
nullindividual · 2 years ago
No, no they don't. They already tried that with NT4. It went badly for anyone wanting decent graphics performance.
afrisch · 2 years ago
So at least they should really work hard to not let a BSOD happen in case of excessive nesting of widgets. The repro case is actually the same as the one for a bug which was fixed 6 years ago, and it is straightforward (just nest enough panels in a modal popup, and close it). It's hard to understand how this could not be caught by a non-regression test.
afrisch commented on Microsoft needs to remove GUI from kernel: BSOD with WinForms after KB5034848   gist.github.com/Nevor/ed3... · Posted by u/Nevor
afrisch · 2 years ago
It's crazy that such a simple script, which is actually the same as 6 years ago, can produce a BSOD in a deterministic way with the latest update of Windows. And nobody at MS seems to care about it.
afrisch commented on CDuce: XML-oriented functional language   cduce.org/examples.html... · Posted by u/mucholove
mucholove · 6 years ago
Cool! What was the motivation behind CDuce? I’m super interested in exploring the language because all the new things look like old things. For instance—SwiftUI looks like XML and therefore why couldn’t it have been done with Nibs? XML seems like a treasure trove.
afrisch · 6 years ago
CDuce was the result of my PhD thesis (about 20 years ago); mostly just a research prototype with enough engineering efforts to make it usable for small enough projects. It came after XDuce, which introduced the idea of building a functional language around regular expression types (used to XML schema languages, DTD, XSD, Relax). My work focused on distilling the theory from XDuce into more primitive constructs from type theory (products, unions, recursion), and embedding them into a more expressive type system and language (with set-theoretic intersection and negation, function types, extensible records -- used to model XML attributes, etc), also with a powerful XML pattern matching engine and an efficient implementation of type-checking (just deciding subtyping is in theory exponential in the size of schema, but works well in practice). The theory could probably be used to serve as the basis of statically-typed languages working on, say, "typed" JSON structures. The work was/is continued by my PhD advisor and other colleagues to include parametric polymorphism (original CDuce supported ad hoc overloading polymorphism only).

The idea was just that if your language could directly express constraints on your document types in its native type system, the compiler could directly type-check statically complex transformations and make sure they produce documents from the expected output schema (assuming the input complies with the announced input schema). This is more direct than having to rely on mapping between XML and "native" data types, which (usually) don't fully preserve constraints imposed by XML schema languages, and are themselves tedious and fragile to write. This works well for XML->XML transformations. Of course, in most applications, XML parsing and/or generation is just a tiny part, which shouldn't affect the choice of an implementation language. With OCamlDuce, I explored the idea of extending OCaml to include XML types. The combination felt a bit ad hoc, but was ok. Today, it could be rebuilt indeed about PPX extension points + some type-checking hooks in the OCaml compiler.

u/afrisch

Karma: 98 · Cake day: April 14, 2016