Slashdot Mirror

he was trying to open http://www.adobe.com/devnet/acrobat/pdfs/reader_overview.pdf

Looks like Adobe could have been one of the other said targets in the cyber attack. Adobe was just issued this press release today:

Adobe Investigates Corporate Network Security Issue
http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html
Posted by Pooja Prasad on January 12, 2010 3:16 PM

Adobe became aware on January 2, 2010 of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies. We are currently in contact with other companies and are investigating the incident. At this time, we have no evidence to indicate that any sensitive information--including customer, financial, employee or any other sensitive data--has been compromised. We anticipate the full investigation will take quite some time to complete. We have and will continue to use information gained from this attack to make infrastructure improvements to enhance security for Adobe, our customers and our partners.

``I didn't think you could run the flash player at all on ARM chips.''

Think again: Adobe and ARM Accelerate Flash and AIR for ARM Platforms

Here it is. Unfortunately, I think there is plenty of non compatible hardware out there that will be running 32-bit Linux for a while.

...we don't? So what is it that I'm using? The Adobe alpha 64bit Linux Flash release really is quite stable and works well for me. It's the only platform to actually have 64bit Flash, IIRC.

They're going to put Flash on the Nexus.
Unless Adobe/Google's programmers have done the impossible and magically
secured Flash, most of their security isn't going to be worth a damn.

You can use the Adobe Javascript Blacklist Framework to block the vulnerable function completely, so that no matter what the (non-admin) user does, they cannot execute the Javascript. They still get prompted about the Javascript, but it won't execute.

More information about mitigating the vulnerability using this method is
here:

http://kb2.adobe.com/cps/532/cpsid_53237.html

More general information about the framework is here:

http://kb2.adobe.com/cps/504/cpsid_50431.html

You can use the Adobe Javascript Blacklist Framework to block the vulnerable function completely, so that no matter what the (non-admin) user does, they cannot execute the Javascript. They still get prompted about the Javascript, but it won't execute.

More information about mitigating the vulnerability using this method is
here:

http://kb2.adobe.com/cps/532/cpsid_53237.html

More general information about the framework is here:

http://kb2.adobe.com/cps/504/cpsid_50431.html

PDF was developed as a document exchange format. It had absolutely nothing to do with prepress, that didn't come about until version 3.

http://www.adobe.com/pdf/about/history/

Why would that spur Adobe to make a 64-bit version?

Not really sure but you can ask them why after you download it from http://labs.adobe.com/technologies/flashplayer10/64bit.html

There is an early 64-bit version of Adobe's flash plugin: http://labs.adobe.com/technologies/flashplayer10/64bit.html (Linux only)

Just like in the past, Flash exploits will be something Windows users have to worry about while Linux and Mac users just sit back and shake heads that so many people put up with the problems of an overly large monoculture.

lolwut?

I've been running Sumatra PDF for the last year, and there's less drama.

The trouble with Adobe Reader is that Adobe keeps trying to make it into a proprietary web browser. It knows about links, it runs Javascript, and it has a DRM scheme. None of which are needed by 99.9+% of PDF documents. Forms are a bit more popular, but PDF forms are kind of lame anyway; you can fill them up, but they don't do anything.

Actually, it doesn't. LEGO is an adjective, there are no "legos" or "leggos", they're LEGO bricks:

Woosh.

There is no photoshopping either: http://www.adobe.com/misc/trade.html

leggos are any bricks that snap together. LEGO is a trademark for a subset of these connecting blocks that has lost true trademark status because people use the word in the generic. That the owner of the trademark asserts something different doesn't surprise me. Though they are still fighting it, which is why I used them and Adobe in my example.

so for example PDF text doesn't reflow well if you change the font size on a reader

Actually, for some time it's been possible to use the Adobe tools to create a PDF designed to be reflowed. (And I do mean some time.) Unfortunately, it doesn't happen automatically. Only the very shittiest PDFs won't reflow graciously in a recent Acrobat reader though (mostly crap eBook OCR)

Back when ECMAScript 4 was still alive there was a proposed Vector class that had the potential to provide O(1) access. This is very useful for many performance sensitive algorithms including coding, compression, encryption, imaging, signal processing and others. The proposal was bound up with Adobe's parameterized types (as in Vector<T>) and it all died together when ECMAScript 4 was tossed out. Parameterized types are NOT necessary to provide dense arrays with O(1) access. Today Javascript has no guaranteed O(1) mechanism, and version 5 fails to deal with this.

Folks involved with this need to consult with people that do more than manipulate the DOM. Formalizing JSON is great and all but I hadn't noticed any hesitation to use it without a standard... ActionScript has dense arrays for a reason and javascript should as well.

How stupid are these people?! Adobe even has a feature to redact (not draw black boxes) text from documents

By what measure of success? Effectiveness, sure. But what is the market share of all the Linux distros put together? What is the ratio of Windows to Linux boxes globally or in the US?

How do you define success? Apparently for you, at least in this context, it's market share. That's a bit spurious considering the fact that Linux is Free. What is the market share of Linux anyway? Probably a lot higher than you realize. Oh, you thought only desktop computers ran operating systems? Ever heard of Tivo? Android? Routers? Embedded systems? Servers? I'll bet if you put every device that runs Linux vs. every device that runs Windows you might be surprised about the "ratio of Windows to Linux boxes globally". Besides, Ferrari has low market share. They're a success right?

Says you. You're omitting how many devices don't work on Linux due to a lack of drivers or simple inoperability with Linux. It's improving, but there's a long way to go.

Linux supports more peripherals than OSX; I don't see you bringing that up? You wouldn't happen to have an agenda would you? Besides, I've installed quite a few Linux boxes in my day. It's the very rare exception that I find a device that doesn't just work out of the box. Contrast this with literally every other operating system ever made. And everytime that has happened, I waited a few months for the next kernel update and it did work. A lot of hardware actually works better in Linux. For example, my Verizon USB aircard. In Windows, you have to wait over 30 seconds for it to do its thing and connect and it disconnects requiring pulling it out and reinserting it about once an hour. On Linux, it connects in about 5 seconds and works perfectly for as long as you want. Funny story, I was at my brother's house a couple of weeks back and his Windows 7 box bluescreened so many times, I lost count. Finally, I was like, dude, what does the error say when it crashes? Come to find out the problem was the USB network adapter he had was crashing his box. Plugged it into my netbook running Ubuntu 9.10 and it worked perfectly.

The main flaw i find in Linux is the opposite. It's small because it's small. Developers don't want to double their efforts to sell to a handful of neck beards.

I don't see Linux's smallness as a flaw. Actually, that tends to increase the signal to noise ratio quite a bit. There are quite a few quality software projects that only develop for Linux and/or OSX and refuse to port to Windows because of the inevitable flood of clueless users that would pull in thus swamping the project in handholding. This is a good example. Very high quality software.

As for the "handful of neck beards" comment, didn't you say something about the supposed childish and condescending tone of the GP? Besides, there are quite a few commercial projects that develop for Linux. But, if you stop and think about it, why would there be large amounts of commercial Linux development in any case? One of the possible reasons developing commercial software is such a niche for Linux is that practically anything you need is in the repositories anyway. And quite a bit of Free sofware spanks the commercial alternatives. K3B smokes Nero. Pidgin smokes YIM, AIM, and MSN Messenger. Firefox and Chrome smoke IE, Opera, Safari, what-have-you. And for the stuff where the Free stuff isn't as good as the proprietary bits, it's still pretty good. OpenOffice is pretty good, GIMP is pretty good, Eclipse is pretty good. Why pay for proprietary software when my needs are already met for free?

Wine isn't there either. i use as much FOSS as i can.

That

You're not the only one that's noticed Linux sound has sucked for a while... ever had Flash player just up and decide that it either a.) now owns your sound card and nothing else will play or b.) just stops outputting sound altogether. It's really sad to say this, but Flash support is a basic thing I look for before I want to play with other alternate OSes like OpenSoliaris. For the forseeable future, much of the web depends on flash.

On Windows and on OS X sound er, just works.... I wish Linux would get there. It's bad enough that an Adobe dev posted a plog post entitled "Welcome to the Jungle" in reference to developing for Linux... guess what annoying part of Linux he was writing about? I especially like the chart...

I think Adobe just Photoshopped their own text into the same boilerplate:

The Photoshop trademark must never be used as a common verb or as a noun. The Photoshop trademark should always be capitalized and should never be used in possessive form or as a slang term. It should be used as an adjective to describe the product and should never be used in abbreviated form.

Ideally, you wouldn't invest time in algorithmic layouts. Some big institutions would invest in smart people with advanced degrees and a broad understanding of physics, mathematics and aesthetics to construct a Domain Specific Language for UI layout. Which has been done once in HTML, and adobe is doing it again with Adam and Eve. In a presentation given at Google, Sean Parent argues that this process dramatically reduces the code, and in doing so prevents some bugs and makes debugging others easier.

If nobody has time to implement it, it's because management is too timid to make the case for investing in the business they happen to run.

If uploadafile.com has a crossdomain.xml file then it can be blocked. The only way around that would be to get the user to execute javascript to inject an object tag into the page, which like the GP said, is a pretty big problem with or without Flash.

Adobe does have a fix for this behavoir, and it's Flash Meta Policies.
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_03.html

Of course, they're only available to flash 9 and 10, but the people running Flash 8 still have worse security problems to worry about.

I'm glad that 64-bit Firefox doesn't have a flash plugin.

Really? http://labs.adobe.com/technologies/flashplayer10/faq.html

It's in Alpha but works fine with Fedora 10 and 11. Also works well in CentOS/RHEL 5, rpmforge even has it in the repo:

http://packages.sw.be/flash-plugin/flash-plugin-10.0.32.18-0.1.el5.rf.x86_64.rpm

Oh, your must be using "The OS" (TM) or "The Other OS" (TM)(C), then yeah, your right it doesn't exist and you have my sympathy.

Sorry for the sarcastic tone, I'm just feeling like it right now.

I've been worried about Flash security for a long time now. I'd like to point out three features of Flash that bother me.

First, Flash allows a web application to paste data to the clipboard even if the browser itself forbids this. Of the major browsers, only IE allows applications to directly set the clipboard content.

Second, Flash has an XMLHttpRequest equivalent with a lax security policy. Cross-domain retrieval is controlled by an XML control file listing permissible origins.

Finally, Flash has its own cookie system. These Flash cookies are hidden from the user, and require special tools to remove.

These features are secure in themselves, but are enablers: they give attackers the means to exploit other vulnerabilities.

Unfortunately, this cavalier attitude fits Adobe's business model. Lax security is as much a feature of Flash as its vector graphics. Flash allows web developers "get shit done" with no regard for the security of the web ecosystem as a whole. Web developers then come to rely on Flash, which increases the adoption of Flash Player among users, which in turn increases the value of Adobe's authoring tools. Being insecure is lucrative, up to the point that the vulnerabilities become so egregious that users disable Flash.

On the other hand, browser vendors seem to take a mostly-conservative approach to security (don't laugh yet): consider XMLHttpRequest: sure, its same-origin restriction on the target URL is inconvenient, and the restriction might have been loosened while remaining secure. But this same prudent restriction has also prevented many attacks. Browser vendors have the right incentives because users have a realistic choice of browsers. Flash is an all-or-nothing affair.

I wish I had an answer. Hopefully, HTML 5 will become widely supported enough that websites won't feel compelled to use Flash for graphics and storage, and eventually Flash's market penetration will sink below the point that web developers can consider it a viable way to circumvent browser security.

Adobe 64 bit flash plugin pre-release. Came out like a year ago.

If you want something that "works for everyone" then Flash isn't it.

I'm familiar with the laughable Flash performance on linux.

That said, it's statistically irrelevant.

http://www.adobe.com/products/player_census/flashplayer/PC.html

For 1 billion of the 1 billion PCs* on the internet, they have modern Flash that works.

*Rounding intentional.

Flash was introduced here because it just works.

Come up with something that works for everyone.

Presumably you use Windows. Flash is a clusterfuck on Linux. If you want something that "works for everyone" then Flash isn't it.

If you make it better than Flash (how?) websites will switch. And Flashs security issues and crashes in Linux will not bother them.

As for the how, I would describe "better" as something that won't crash on Linux while still working on Windows. That would be better. Of course, Adobe won't just take that sitting down. If something better does come out, they will probably pay YouTube/Google/Vimeo/what-have-you to continue using Flash.

Finally, I would argue that <video> and HTML5 are much better than Flash because:
1) It's an open standard; anyone can make an HTML5 renderer, but only Adobe can make a decent Flash viewer (yes other viewers exist, no they're not any good compared to Adobe Flash)
2) Flash has such stupidity that it disables 3d acceleration if your client glx vendor string has "SGI" in it, because Adobe is too stupid to check for whether the card actually supports acceleration (supposedly they experienced crashes when doing a more reasonable test, but that just shows they don't care enough about whether the Linux drivers work well to actually fix or work around bugs). Binary blobs tend to have stupidity like this.

What's the difference between Shockwave and Flash?

Or are they the same thing? If so, why two names for it?

You're welcome.

Flash is included in every Netscape download

Ahh, that clears it up!

No, it's two different plugins.

1. Shockwave Flash 10.0 r32
2. Shockwave for Director 11.5

You can have 1 without 2, latest versions.
Looks some crazed half-forgotten branding initiative.

Interestingly, the player test page http://www.adobe.com/shockwave/welcome/ tries to install an old version if you have only Flash:

Macromedia Shockwave Player 10.1

That's the old branding and an old version. But anyway it fails to install. Maybe Adobe is confused by my nightly version of Firefox.

What's the difference between Shockwave and Flash?

Or are they the same thing? If so, why two names for it?

You're welcome.

The PDF reference is here, in case anyone was wondering.

Maybe you haven't seen this: http://www.adobe.com/devnet/swf/

This is 278 pages of very straightforward and in-depth documentation on the SWF file format.

"Everybody uses it" is not the same as open. PDF is like VHS or CD. All are closed standards, requiring a license from their respective owners.

You're moderated flamebait for being wrong and, as you usually do, aggressively defending your incorrect position when ten seconds of fact checking would indicate that you are wrong.

You can, as I said in the original post, download the PDF specification and implement it without paying a royalty and you've been able to do this for every version of the PDF specification since version 1.0. That page is linked to from the top link that you get if you Google for 'PDF specification' and it has been for some years. No license is required for downloading or implementing them.

The ISO 32000 specification, which is now the official PDF specification, costs money to buy from ISO (as all ISO specs do, including the C language specification), but the format it describes is identical to the one described by the PDF 1.7 format, with various sub-formats (e.g. PDF/A) requiring only a subset of the features described in this document. Although it costs money to get the spec from ISO, there are no royalty requirements for implementors. Adobe now publish their versions as extensions to the ISO-controlled format, rather than as complete new specifications and any organisation wanting interoperability should mandate the ISO specification rather than the Adobe extensions.

Of course, you'd have known all of that if you'd spent a minute actually doing basic research on the topic at hand before posting. Fortunately, the fact that you still haven't learned how to use quote tags means that it's usually easy to spot your posts from a distance and ignore your ill-informed ramblings.

http://www.adobe.com/accessibility/products/flashplayer/overview.html "With integrated support for Microsoft Active Accessibility (MSAA), Flash Player 10 makes content available via screen access technologies such as Window-Eyes from GW Micro and JAWS from Freedom Scientific."

But it is very bad that Adobe doesn't consider accessibility support to be a "must have" feature for the desktop version of their Flash Player.

npviewer is part of "nspluginwrapper", and IMHO should be avoided like the plague. It causes nothing but problems, especially the infamous "I've crashed your firefox but will continue to run flash in a wrapper while consuming CPU" issue.

Adobe has had flash10 in "alpha" for linux/64-bit for awhile now. I'd heartily recommend it over the 32-bit wrapped version.

See here:
http://labs.adobe.com/downloads/flashplayer10.html
http://labs.adobe.com/technologies/flashplayer10/64bit.html

npviewer is part of "nspluginwrapper", and IMHO should be avoided like the plague. It causes nothing but problems, especially the infamous "I've crashed your firefox but will continue to run flash in a wrapper while consuming CPU" issue.

Adobe has had flash10 in "alpha" for linux/64-bit for awhile now. I'd heartily recommend it over the 32-bit wrapped version.

See here:
http://labs.adobe.com/downloads/flashplayer10.html
http://labs.adobe.com/technologies/flashplayer10/64bit.html

Quite frankly, I don't see a need for yet another document format. PDFs work everywhere, and have been around for a while. It can render anything you can hope to find in a book anyway, so what more do you need?

What more you need is a little thing called reflow Your PDF does not work "everywhere." It is formatted for a specific size of paper. Chances are, an electronic reading device (including a computer screen) is not that exact size or aspect ratio. the eBook formats (ePub, eReader, Mobipocket, etc.) all permit reflow of the document to the screen size and dimensions of the reader, allow adjustments in font size, and all kinds of goodies that PDF will not accommodate.

An interesting side note on audio APIs: http://blogs.adobe.com/penguin.swf/linuxaudio.png

Man, not that bullshit again...

Let's break this down.
First you have platform independence layers - things like ClanLib, SDL, libao, PortAudio, Allegro, and Open AL. These would be present on any platform. That's the point of them. The diagram seems to go out of its way to mix these in with lower-level technologies, as if to make it less obvious that they're just included to pad out the diagram.

Then there's the trio of obsolete network audio servers: NAS, ESD, and aRts... I suppose if I were to fire up a quick game of xpilot then I might want NAS, but otherwise one can usually assume these days that these three servers aren't installed and don't need to be.

There's FFADO - which is relevant if you're using a firewire audio device... How many people do this? I guess it could be popular among musicians and sound techs - have audio hardware outside the computer's case, accessed via a bus that isn't USB... But this is a driver layer, not an API layer - and these days it seems FFADO provides an ALSA interface, so I think the complaint here is obsolete.

That leaves three modern sound servers (Jack, Pulse, and GStreamer) and two low-level APIs (Alsa and OSS). This is still a bit of an unfortunate mess IMO but nowhere near the rat's nest implied by the diagram.

Right before all the distributions started switching to PulseAudio, I remember thinking about how alsa was becoming stable (and "the" audio standard), and I wasn't seeing anyone with sound issues anymore.

Granted, alsa alone isn't as versatile as pulseaudio, but there is value in sticking to a 'pretty good' solution, even if it might not be the best.

An interesting side note on audio APIs: http://blogs.adobe.com/penguin.swf/linuxaudio.png

First off, if you install Java even if you wanted to install it just for IE, or just to run a local program that runs java, it installs the Java Plugin for FireFox as well as ask you for the toolbar of the day. The same goes for Adobe Acrobat Reader if you just wanted to view a PDF, and is actually worse since the earlier installers would install Adobe AIR Without permission. Flash doesn't install to both by default, but the problem with Flash for FireFox is that it does not automatically update. (don't know why. The ActiveX Flash has an updater.)

Second. Again, I'm all for the blacklisting, Especially the 1.0 version since uninstall was not possible until 1.1. What I'm saying is that this needs to happen with other plugins with similar security issues and not just with Microsoft's because a few zealots are butthurt because they see a MS product in their Microsoft free FireFox.

In February, .NET 3.5 framework comes out and it has 2 verified exploits (See Here). In that period of time, Adobe flash has had 4 exploits and Acrobat Reader had 8 (See Here). Java had 15 (not too sure of this number See Here) Now considering that none of the affected Adobe or Sun Plugins were blocked (as they should have been) Is this more of a political move because it's Microsoft or is it because Firefox cares about the security of their browser? (which they should.)

if Apple lets Adobe get away with it, no small feat given how protective Apple has been about its app market.

There are already application made in Flash in the app store(list)

Any decient game engine should be using the GPU by default, but it seems that Flash for iPhone has some sort of problem with that:

http://labs.adobe.com/wiki/index.php/Applications_for_iPhone#Can_applications_take_advantage_of_hardware_acceleration.3F

"Can applications take advantage of hardware acceleration?

Yes. In some cases, the rendering of Flash content will be hardware accelerated.
We will publish more information on this when we release the public beta. "

"In some cases"?
There shouldn't even be any discusion about whether something is hardware accelerated or not. If you have a GPU, then you use it.

Adobe shipped "Adobe Media Player" on Air platform and they recently converted it to "Adobe TV" which gives free videos/TV shows to Developers, designers and so on. I just checked and it has some Actionscript stuff.

As Adobe Air is available for all OS, better check it out http://www.adobe.com/products/mediaplayer/

Really? Here's an Android phone running Flash... now. http://www.adobe.com/devnet/devices/articles/htchero.html

"What operating systems are supported for authoring iPhone content using Flash?"
iPhone application development will be supported on operating systems supported by Adobe Flash Professional CS5. This includes both Mac and Windows based operating systems.

Also note this Tweet from Ryan Stewert, saying:

"One of the biggest things about the Flash/iPhone news is that you no longer need a Mac to build iPhone apps."

So yeah, unless Apple does something radical, Flash CS5 will be able to export to iPhone from Windows.

HanClinto was among a number of readers to send word that Adobe has worked around the inability to run Flash on iPhones and iPod Touch devices. Adobe has been trying to work with Apple for more than a year to get its Flash Player software running on Apple's products, but has said it needs more cooperation from Apple to get it done. Now Adobe has come up with a work-around.

This does NOT let Flash content, as we know it, run on iPhone! For once in your miserable lives, editors, (and maybe submitters, too), READ THE DAMN ARTICLE! Last line of the first paragraph, IN BOLD: These aren't Flash SWF files, they're native iPhone apps.

Getting these into the app store might be tricky, though.

And I HATE this whiny editorializing BULLSHIT! Again from TFA, THIRD FUCKING PARAGRAPH, first sentence: As of today, participants in the Adobe pre-release program have submitted 8 applications and all of them have been accepted into the App Store.
 
Slashdot eds, this is the worst submission I've seen in a while. kdawson, do you know how to read, or click on a link?
 
For anyone who actually cares to know details, there's more info here.

HanClinto was among a number of readers to send word that Adobe has worked around the inability to run Flash on iPhones and iPod Touch devices. Adobe has been trying to work with Apple for more than a year to get its Flash Player software running on Apple's products, but has said it needs more cooperation from Apple to get it done. Now Adobe has come up with a work-around.

This does NOT let Flash content, as we know it, run on iPhone! For once in your miserable lives, editors, (and maybe submitters, too), READ THE DAMN ARTICLE! Last line of the first paragraph, IN BOLD: These aren't Flash SWF files, they're native iPhone apps.

Getting these into the app store might be tricky, though.

And I HATE this whiny editorializing BULLSHIT! Again from TFA, THIRD FUCKING PARAGRAPH, first sentence: As of today, participants in the Adobe pre-release program have submitted 8 applications and all of them have been accepted into the App Store.
 
Slashdot eds, this is the worst submission I've seen in a while. kdawson, do you know how to read, or click on a link?
 
For anyone who actually cares to know details, there's more info here.

As pointed out by a previous poster, there are already apps using this on the store http://labs.adobe.com/technologies/flashcs5/appsfor_iphone/

The same note is present in Adobe's case - see here (scroll to bottom): "Delivery through the App Store requires participation in the iPhone Developer Program and approval of the application by Apple."

It's worth noting that there are already a few apps made with Flash on Adobe store.
Also not mentioned in the summary is that this is actually native code being generated:
"We created a new compiler front end that allowed LLVM to understand ActionScript 3 and used its existing ARM back end to output native ARM assembly code. We call this Ahead of Time (AOT) compilationâ"in contrast to the way Adobe Flash Player and Adobe AIR function on the desktop using Just in Time (JIT) compilation. Since we are able to compile ActionScript to ARM ahead of time, the application gets all the performance benefits that the JIT would offer and the license compliance of not requiring a runtime in the final application."