Money quote:
Excel requires some skill to use (to the point where high-level Excel is a competitive sport), and AI is mostly an exercise in deskilling its users and humanity at large.
Money quote:
Excel requires some skill to use (to the point where high-level Excel is a competitive sport), and AI is mostly an exercise in deskilling its users and humanity at large.
Integrated python scripts in excel sounds like a malware developers dream.
I mean… Yeah, but the same can be said for VB?
Especially since VBA can make calls to the Windows API directly and through that avenue do all kinds of funky things to your system.
Yeah, but lots more tooling and libraries for Python. Its just one more attack surface 🤷
And a nightmare for an application developer told to make some app with a spreadsheet for a database scale
Could result in some very cursed codebases.
“We dont use git, we just update the excel spreadsheet”
I’ve worked at places where they did that anyway lol
That’s just called Access
Is that creepy thing still alive?
It can’t be … but I wouldn’t be surprised if it was. I remember making fun of Access on StackOverflow circa 2008 and running afoul of some dude there who was like the last living Access consultant on Earth. I’ve never encountered defensive rage like that before or since.
Fun Access fact, the Diebold-manufactured voting machines that featured prominently in the 2000 presidential election cycle used an Access database as their underlying data storage mechanism. Access DBs did incorporate an audit table - which was manually-editable.
That explains why they didn’t want anyone investigating the machines. Did proper authorities finally get access (no pun intended lol) to investigate? Or was that already known?
No, this came out after the election was settled. There was a woman that maintained a website covering all these details called BlackBoxVoting or something like that (long gone now).
I did not want to read this, today … or ever.
Surely there’s some sort of sandboxing that could be done? Like start by disallowing sys calls entirely
Definitely, but sandboxes can be escaped, and you can’t protect everything via sandbox. Apparently its all cloud anyway, but if it were local and sandboxed, there are still exploits like rowhammer and spectre that may cause further risks.
Its taken years to get browser sandboxes to where they are, and even they get broken every so often.
Fair point. Of course that’s already a problem with Excel. It would probably have to be disabled by default just like VBA macros.
They foresaw that. That’s because python on Excel doesn’t run locally, but in the cloud and then returns the result to you: https://support.microsoft.com/en-us/office/introduction-to-python-in-excel-55643c2e-ff56-4168-b1ce-9428c8308545
That’s even worse!
That’s the worst possible solution to that problem. Why can’t they just develop their own script that’s Turing complete but doesn’t have any system calls?
Or just use Lua compiled without the system calls. This is done by many video games. İt’s 2025, there is no need to create new domain specific languages.
Or use embedded Lisp, like all the cool kids.
Still sounds like you’d be shipping your data to the cloud, where it can be exfilled from there.
Would potentially be a great phishing tool, just need to trick someone into putting sensitive data into a precooked excel file, and it gets exfilled.
Currently only for business customers which probably use OneDrive or SharePoint anyways, so it’s not that they need that to exfiltrate data. But for a phishing/hacking attempt? There are probably some nice possibilities.
Yeah, no doubt.
Having access to visual basic is dangerous enough, let alone Python