Freaky Flash 6 Fishy Features
donpardo writes "I upgraded to Flash 6 last week (to patch a security hole). When I right clicked on a Flash ad at abcnews.com, and pulled down to Settings I got a tabbed dialogue box asking if I wanted to give them access to my cam and microphone. Clicking through on the tabs revealed that the microphone and the camera had already been detected and that the microphone was active. I doubt the camera or the microphone were sending information out but this still seems invasive. Here are Macromedia's statements about the mic and the camera. In addition there is a setting to ask how much information the site can store on your computer. The default value is 100K. According to the information statement "Data can be anything from your user name to your current score in an interactive game to a list of stocks in your portfolio ... The data is not public, but the privacy of this data depends on the policies of the web site where the movie is hosted."" I thought the first sentence of this submission was telling ...
Now I'm actually glad to have dial up
"The United States has no right, no desire, and no intention to impose our form of government on anyone else." - Bush 05
wow
Die, Macromedia, die!
C'mon, they are not going to listen to you ...
At work we have been blocking flash on and off for a while now and it now looks like that it will get blocked and stay that way. It's a shame too since Cisco has finally started using it for the only thing it was good for -- vector drawings.
Just be sure to cover your webcam with your shirt before you start making out with the supermodel. You should be okay.
Using IO and local storage; looks like they want to create a "web within the web" - except here they control the client and all the content. No more pesky 'open standards'. And, of course, if you want to create content, you'll have to pay the man...
I'm getting sick of this.
/Janne
Trust the Computer. The Computer is your friend.
Ok, I understand that the technology is here and that it is possible. I understand that some people want to know what you're working on in your computer or the sites you are visiting for advertising purposes and what not.
What I cannot fathom, is how could anyone purposely write a program to spy into my room, listening to me or watching what I am doing? Doesn't anyone have a conscience anymore? Come on. This is my house, my life, stay the f@#k out!
Oh, well. Good thing they never bothered making a Flash 6 for Linux.
- A.P. (is the sky still falling, slashdot?)
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
The first tab is set to 'deny' access to both your mic and your cam by default. The fact that the mic is turned on or off has to do with your PC's settings, not flash players.
Still, could be fun...
Think outside the... Hey, where'd the friggin' box go?
hmmmm, now i know what all those MS "hotfixes" are for!
How can I make money selling my amateur porn if they can see it all without my permission?
have with running a microphone and/or a camera?
You'd think M$ had something to do with this...
... to boycott Flash.
-jfedor
Okay, security's important, but come on people. The settings are configurable, the policy is easy to understand and what we're talking about in terms of the data being stored is essentially what amounts to Cookies for Flash. The camera and mic stuff can be turned off. If you don't like Flash this won't make you love it and if you love Flash this won't make you hate it. So people are posting about WHAT exactly?
"I have to turn my camera off for Flash! Invasion of privacy! Invasion of privacy! Cookies are evil! The sun is disappearing, the dragons are coming! The dragons are coming!"
Is it just me, or does this sound like domain-limited cookies?
It says: "This data may be accessed by the Flash movie that is running or by another Flash movie on the same web site."
My impression is that the data it collects is not data sitting on your hard drive, it is data that relates to the flash application you are using.
-Zordok
IIRC, access to cameras and mics (if present) was also a feature of Flash 5 certainly, and maybe Flash 4 as well -- the feature was just a little bit more buried then, and perhaps the detection built into the OS at the time wasn't as good.
I remember wondering what on earth a website would do with data from my microphone. Count the number of obscenities I muttered as I waited for the stupid flash-enabled splash screen to go away?
Ok, it's good to be concerned, but if you read the description, it's simply a method for a Flash movie to store information on your computer in a similar fashion as a web page stores information through a cookie.
This info is only available to other Flash movies from THE SAME SITE, similar to the protection provided for cookies.
It's simply a way to provide persistence from session to session at the same web site. I still wouldn't trust it with my credit card numbers, but Macromedia isn't Hitler reincarnated.
Calm down. This has only been a test.
q:]
MadCow.
I used to have a sig, but I set it free and it never came back.
Why is this a big deal? Shared objects are exactly the same as javascript cookies. What's the difference?
once again, Slashdot shows its lack of understanding of flash technology by posting this fud.
btw, this is all covered in the Flash mx security whitepaper:
http://www.macromedia.com/desdev/mx/flash/whitepapers/security.pdf
The porn banner industry will just LOVE this.
Sounds like yet another loophole unscrupulous crackers could exploit.
Video Game cheats, hints a
In 100Kb, you've said "Damn, it's another bl**dy flash site". No more room for video, unless they get lucky, and get a 1-frame shot of your appalled face to go with it.
Now don't get me wrong, this is an invasion of privacy, especially if they have full control of a machine (say, Windows). I could think of a few things I'd grab, though, if I was feeling malicious. And I'm a pretty honest guy.
Author, Shell Scripting : Expert Re
That's all.
Hmmm. Flash + Cookie = Charcoal?
If by default your options are turned off, then is there really any large amount of harm?
Storing information on your computer is an old practice (cookies), and contrary to popular belief, isn't all that bad.
How many of you stay logged in on slashdot when you come back to the site? That wouldn't be possible without "maintaining state" between visits.
Personally I commend Macromedia for giving developers access to such important features (stored variables) and trying to get others into the mainstream (integrating video and mic).
If you think this is an underhanded deed, then why don't you check your cookie files, you'll see quite a few, 90% are there solely to help you (10% could be tracking information, which in the end, just gives the user more relevant information).
you can read what the camera and microphone settings are for here:
http://radio.weblogs.com/0106797/2002/04/30.html#a24
they are going to be used in a forthcoming flash communications server that will allow you to stream audio and video.
What's the big deal?
Hey, at least they aren't as bad as Real, and its software.
Sig (appended to the end of comments you post, 120 chars)
Cause if you is, us crackas can sa-bo-tage your sweet raaahd with a gastank full o' sugar!!! Yee haw!
All these scumwares that check for updates or send my browser history, bookmarks, cookies, registry keys, and directory trees to various sites keep freezing my ssh sessions. If they started to broadcast my mike, I'd be screwed. My dialup bandwidth isn't a resource any program can use at anytime, it's my precious property and I'm pissed off everyone is abusing it.
On the news recently, I vaguely recall something about how cameras were being used at stores (or going to be used) to observe people's reactions to certain displays, signs, products, specials, and whatnot. They were actually going to look at your face and try to determine your subconscious thoughts of what you're currently looking at to determine if they need to change the display.
Perhaps MM just wants to watch people and listen while they browse flash animations, so they can make notes like "gee he didn't like that one much."
Erik
First off if you are concerned about Flash security, read the whitepaper about it before spouting off about it:
http://www.macromedia.com/desdev/mx/flash/whitepapers/security.pdf
Everything is set to deny by default. The plugin can see your mic and camera because it's on your computer! It can't send that information unless you give it permission to. Again, read the security white paper.
The new camera and mic abilities of Flash allow you to do some really powerful things that you simply can't do any other way. In fact there was a story about someone trying to build custom web conferencing software last week and I told them to wait a couple months for the server that uses these features of the Flash plugin... I was modded up to 4!
This kind of thing is going to push the web to new places. Technology is driven by innovation which later turns into standards, not the other way around.
A|Q|U|A
I finally upgraded from Flash to No-Flash. I couldn't be happier! Now if I could just stop the animated GIFs I'd be ecstatic!
A feeling of having made the same mistake before: Deja Foobar
By further alienating the community they most need for the widestream distribution and prevalence of their product, they are dooming their own product to failure. Flash is always and will always be seen on flashy, useless websites if they continue with policies like that.
When I linked to the site to read the statements on the mic & camera settings, a pop up asking if I wanted to install Flash 6. Umm, no thanks...
"Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
There is no reason to use flash in _any_ website.
Educate all web designers not to use it.
Tomorrow's InBox:
From: xxxx
Subj: Come see My Hot WebCam!
From: xxxx
Subj: We're waiting for you!
From: xxxx
Subj: Flash Installed, See Bubba pick at his ass-crack
We should all be looking into SVG as an alternative to Flash. It's a completely open standard, based on XML. It is getting support in the newer versions of the major browsers (including mobile browsers). I would trust it more than I would trust some proprietary commercial product. The GIF patent issue got a lot of people to switch to the superior PNG format. Maybe this issue will also get people to switch to SVG. Ogg Vorbis is another example: The more they want to enforce royalties on MP3, the more people will use the superior, free format.
It's not even security as an application poking its head where it does not belong. Is there any good/common reason for flash to do anything with anyone's webcam/microphone? I think not.
Though I also think it's reasonable to at least muse the possibility that this was all just set up by the X10 camera people to set up a world wide voyeur web =]
What happens if I do nothing?
The Macromedia Flash Player automatically detects any default microphone or other audio recorder on your computer, and sets microphone sensitivity to a medium value.
....
What happens if I do nothing?
The Flash Player automatically detects any video cameras on your computer and displays the name of the default camera it will use. If you do not select another camera from the pop-up menu, the Flash Player uses the default camera. To see a live display of the image being detected by the default camera, click the video preview area.
Now this is scary.
But picture this-- a virus that takes your picture, records you for a minute, compresses into
I think Back Orifice already has this in as a plugin, but man, a viral version of this... What's the best way to disable a laptop mic?
W
-------------------
This is my SIG. There are many like it, but this one is mine.
Ever since they made it so that play, loop and other right clickable consumer controls could be made unavailable, I made the program unavailable on my machine. Unlike IE past Win 98, it is still removable. The worst case I saw before I pulled the plug was a right click put the dialog box on the other side of the screen and not where you were trying to stop an animation and where a right click brought up only one option "about Macromedia" I contacted the company concerning these trends in loss of control. I received no reply. I prefer Netscape over IE, because any page with flash content brings up a dialog box in IE, "do you want to install......" There is no option in IE "do not ask me again". I got tired of telling it "NO NO NO NO NO!" I would suspect MS and Macromedia have the same agenda to have your computer skip ads the same way your DVD player skips the FBI warning. Somebody is paying bucks to have the content delivered like it or not.
Since most flash is used for forced advertising and not for content, my main machine is flash and IE disabled by choice. At the rare site with actual flash content, my standby machine still has it, but it's rare I fire up that antique.
The truth shall set you free!
You can find information on how to uninstall Flash here: http://www.macromedia.com/support/flash/ts/documents/remove_player.htm
Prevent email address forgery. Publish SPF records for y
C'mon people! be rational here... i know not many people here are fans of flash at all, but it's not flash that's doing anything here...it's the people that would program an exploit... .... geez.. paranoid old fashion's.
If you all are as paranoid as your comments suggest, then just stay back in the world of the C64, or II/e
On the same note, this could be used for a variety of things useful.. interactive games, voice recognition, voice commands, etc... c'mon.. use your imagination... nothing can progress if we don't take a chance on new tech!
There is an open source alternative to flash. It is called Ming. Why not try it. Maybe help with it. And stop using Flash.
Let me tell you this. No one wants to look into your webcam unless you are only slightly over 18, female and have an aversion to wearing clothing.
A camera and a Microphone are two very useful items for online communication. If you don't want to be seen or heard, don't freaking buy them.
Flash has to evolve like anything else to stay alive. Integrating more multimedia functionality into its program can't be a bad thing. It isn't being invasive, it's off by default. Go cry wolf where it's important.
(/local/home/curiosity)-#who -u|grep thecat|cut -c 44-49|xargs kill -9
Soylent Green is PEOPLE!!!
This is not exactly about flash exploiting the data from your webcam or mic.
I am thinking about any general applet / activex control (or even a messenger client) that an average Joe downloads. What if it starts sending streams (for whatever reasons it maybe)?
Time for webcam designers to put a switch that really turns the darn thing off. Most of the popular ones (including the logitechs) don't have it! (Some of them have a stupid lens cover that is more irritating than useful)
Then, at long last, the TV is watching YOU!
The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
....register with us by giving us your life history along with your request for privacy.
We need your life history to make sure it's you.
I just visited the site looking for any information regarding end user player controls. There is zero information in this department. The site is a sales pitch to site developers bragging the fact 98% + browsers have the player installed. Their consumer is web developers, not end users. The only support is to the content developers. This one sided view is going to get them into trouble when it is abused. They are following in Microsoft's PR footsteps.
Let me get this straight. You are afraid of spyware running on an insecure OS and trust another app running on the same insecure platform to be able to detect it? Firewalls running on Windows are nothing but a joke. I'm just waiting for a well publicized exploit that ignores the major Windows 'Firewall' products to cause the clue by four to hit people.
Democrat delenda est
The new camera and mic abilities of Flash allow you to do some really powerful things that you simply can't do any other way.
I can't think of one. Can you?
At work we have been blocking flash on and off for a while now and it now looks like that it will get blocked and stay that way.
Yes, it certainly is easier to mindlessly block harmless, useful technologies, rather than actually applying some thought. We certainly couldn't expect you to think and realize that this is a total non-story.
Go back to sleep, slashbot, go back to sleep. Just collect your paycheck, and push buttons you don't understand.
Here is some more information on the features mentioned in the article.
Notice that Camera and Microphone access defaults to off. Anytime that a Flash movie tries to access the camera or microphone the user will be asked to allow or deny the access. The access is domain based.
The Shared Objects are very similar to cookies, the main difference being that you can store entire ActionScript objects, and they can be used with Flash projectors (they don't require a web browser).
If anyone does find a way to exploit any of these features, we would be very interested in hearing about it. (my email is included below).
Macromedia Flash MX Security Whitepaper
http://www.macromedia.com/desdev/mx/flash/whitepapers/security.pdf
Macromedia Flash MX Top 5 topics
http://www.macromedia.com/support/flash/ts/documents/mxtopics.htm
Microphone Settings
http://www.macromedia.com/support/flashplayer/hel p / icrophone/
Camera Settings
http://www.macromedia.com/support/flashplayer/hel p / amera/
LocalStorage Settings
http://www.macromedia.com/support/flashplayer/hel p / ocalinfo/
TechNote : What is a Shared Object
http://www.macromedia.com/support/flash/ts/documents/local_so.htm
Using Shared Objects in Macromedia Flash MX
http://www.macromedia.com/support/flash/action_scripts/local_shared_object/
Interview with Jeremy Allaire (Macromedia CTO) where he discusses a "new communications server".
http://radio.weblogs.com/0106797/2002/04/30.html#a24
TechNote : using the local video object in Flash MX
http://www.macromedia.com/support/flash/ts/documents/local_imbedded_video.htm
mike chambers
mesh@macromedia.com
Edit -> Preference -> Privacy & Security -> Images -> Animated images should loop: NEVER
unless you're not using Mozilla...
Thanks on the information to stop MS browser from begging me to install Macromedia flash. I almost stopped using the IE browser completely because of that persistent nagging.
The truth shall set you free!
I think it's like the firewall/network card relationship. You go buy a network card to browse the web, but there's no way to tell what software is using the card unless you get a firewall too.
Same goes with the camera - you buy it because you wanted to take some silly photos but now users are finding out that they have no idea how much software has control over it.
It doesn't matter if the default's off, because now it's just another point of entry for hackers to gain access of your hardware, and it's a point of access you probably didn't even know about.
There really needs to be a set of access controls for hardware, settable at the driver level.
+5 informative!
It does vector and is even a bit more open....
First of all, It's Linux you moron. Second, you spelled "faggots" wrong, so calling these people skullfucks is really innapropriate. Third, there are firewalls for Linux, moron.
See the post above.
Mine has a hard power switch and a real honest to god power indicator led. Wouldn't have considered anything else.
Anything else is asking for trouble someday. If not today's spyware, who knows what somebody will come up with next year. But if you have to reach up and flip the camera on you are in control.
Democrat delenda est
Yes, I have thought about some great ways of using this technology and I'll be speaking about them with another developer at SIGGRAPH this year. :-) (No, I'm not kidding)
A|Q|U|A
No problem. A simple firewall filter will suffice to block out shockwave. They can't be pulling shit like that.
It's too bad this headline didn't happen to the previous version.. ba-dum ching!!
All the functionality of Back Orifice, now with animations!
If you're going to mod this down, please at least use the "-1 Stupid" tag :(
You guys are being really paranoid about all this.
... elegant.
Why don't you research the capabilities before totally writing off this new feature ? I think its pretty safe. Try to find an exploit ! Turn my camera on without my permission !
While I respect the Slashdot crowd, I can't stand how backwards some of you are with Flash. Yes, I know, you can't use your text editor, but if you researched the new MX capabilities and programming enhancements, you might find it
But until then go ahead and roil what you don't understand.
At the risk of stating the obvious, if you value your privacy, you should probably have your web cam covered and your microphone unplugged whenever you aren't using them. It wouldn't be hard to write a virus/trojan/etc that activates them and eavesdrops without your being aware of it -- flash or no flash. The only way to be sure that doesn't happen is to physically disable the sensors.
I don't care if it's 90,000 hectares. That lake was not my doing.
This tech is primarily focused on Video conferencing and tech/customer support. Imagine going to an online store and being greeted by a 'live' salesperson who can answer your questions in person.
Obviously there is room to abuse as in any tech. As long as the features are turned off by default and always, always give you the choice of whether to use them or not, I don't see any problems.
In the meanwhile if you don't like flash, pick a browser and plugin set that you can live with.
IE isn't the only one out there. Mozilla works very well for me.
A fool throws a stone into a well and a thousand sages can not remove it.
How can Flash be removed from 1) Windows, and 2) Linux?
Reasons not to run Flash:
Flash presents unknown security risks. Sometimes Flash and other Macromedia products have been the point of entry of trojans and viruses, as mentioned in this documentation of a very serious bug, Macromedia Flash Activex Buffer overflow.
Flash on a website advertises Flash. There must always be some notice that says "Download Flash if you don't have it", and a link to Macromedia, so that web site viewers can get the latest version. This forced added content distracts from the intended content.
Flash is nearly always used to provide images that are irrelevant to the content. Except for those who care about bright, shiny things more than content, Flash gets in the way. Flash authors are seldom qualified to provide moving picture content, and, even if they were, Flash is a very limited cinematic tool.
Flash often causes long load times. Long load times communicate that the website viewer's time is less important than the website creator's love of movement. Flash often causes Website viewers to wait for "Loading..." messages.
For website viewers who do not want to run Flash and other Macromedia software, or cannot, web sites using it are broken.
By using Flash, authors of Flash content may cause the URL of their customers to be transmitted to Macromedia. If some disloyal Macromedia employee, or Macromedia itself, thought of some profitable reason to approach those customers directly, Flash content authors could lose business.
Flash content is proprietary content. It is the money-making scheme of one company. This tends to undermine web standards like HTML. The Internet is a public utility for all of us to use. Proprietary methods go against that spirit.
Why the fsck would I want to use FLASH for video conferencing? there's plenty of other software out there to do the job, WITHOUT the unnecessary extra FLASH layer. Besides which, I purged Flash from my system once it started being used for intrusive ads, ala shoskeles, and it's NOT getting back on.
Just as bad are the "all flash" web sites. Excuse me, HTML is just fine, thank you.
I don't want ANY software tool that is used by advertisers to have as much control over my system as Flash has. Whitepaper or no whitepaper, one of those ad-mongers will hack it to ignore the user settings and do what he wants.
So far I've found a number of sites that have flash links that try to make use of well known exploits. They typically start as web sites that Google thinks have useful info and when you go to the main site you get popups much like a typical pr0n site and some of the other pages will load flash programs that may have exploits. We alternate between a white list and black list of sites we allow. With this new "feature", it looks like I'll be going back to the white list option.
I didn't ask for help.. I don't want help.. I certainly don't want people to store tracking information about me..
That bastard paperclip thing on MSOffice is there to help you too... doesn't mean it's a good thing.
I advocate tough love. If this behavior continues, one of the following three things will happen.
All of these are acceptable in my opinion, so I'm not going to sweat it.
Karma: Good (despite my invention of the Karma: sig)
You would think that even though the Slashdot community is very anti flash, people would respond AFTER they had some idea of what they were talking about.
1. Any site that wants to access your mic or camera has to ask you first. They can never have access without your approval. Half of the responses to this story are complaining about something (sites accessing your camera or mic) that does not exist.
2. As a few people pointed out the information is just like cookies, a 100K cookie.
Flash started off as a very interesting technology about 6 years ago, and gained popularity amongst users because it was small (142k download or so), relatively innocuous (Only two exploits so far AFAIK) and it brought those things to the web that java applets had promised but failed to do. There was a huge demand for Flash coders in the middle of the Dotcom boom, especially when Flash 4 hit the scene with scripting abilities, allowing developers to make fancy interactive sites, and even more so when Flash 5 came around which improved the scripting and performance yet still remained small and relatively safe.
What happened?
Thousands of dotcommers made enormous flash intro animations to their sites (about half of them forgetting to make a "skip intro" link), which rapidly irritated many many visitors to said sites (a study on the irritation factor of flash intros and banners would be *very* interesting). At the same time as the dotcom scene started crashing around everyone's ears, desperate internet marketing whizzes decided that flash would be a brilliant vehicle for advertising, pushed along by an equally desperate Macromedia, whose products were no longer selling like hot cakes. The results of those ideas can be seen on almost every portal on the web (ZDNet is my favourite with slashdot also not doing too badly), and visitors' reactions are known to everybody it seems except for the mindless marketing people who push it. In this way it is very similar to spam.
Macromedia spent a fortune on making Flash a tool that would liven up the web and make colourful, interactive, animated, dynamic sites possible especially in conjunction with macromedia's backend flash application server, generator. Apart from a host of sites early on this trend has died out almost completely, because what macromedia didn't realise is that just like web designers/coders have to cope with different browsers, they also have to cope with users who haven't and won't use the plugin, and therefore go for the lowest common denominator in websites:html with one or two pics etc. Flash didn't save a single dotbomb from going under.
Now, just like any other large company (ahem), they need to add "features" in order to carry on making money with their product. Flash 6(MX) now has built in video, microphone and cookies. I very much doubt this is suddenly going to improve the content of all the Flash we've been getting, although it may kill one or two other companies' media players(Quicktime, WMP, Real) but, in moving out of the traditional small player that they've had, it will fast become larger, and someone is sooner or later going to find some hole in their player (actionscript getting access to the drive while ostensibly looking for cookies? Exploiting a hardware driver(keylogger)?). For all my irritation with Sun's Applet saga and java on windows, Sun worked very hard to make the language and VM design secure (and the fact that of the few exploits with browser JVM's being mostly in MS' JVM does show this). Macromedia doesn't AFAIK have that much experience in security wrt clientside technologies and time will tell what will happen with this player.
I used to be a Director programmer and with Director you could pretty much do anything on the client machine with no checks and shockwave, director's browser plugin went in the same direction as flash is going: first a straight player and then with later versions you could download all sorts of xtras onto the client machine. I once, as a security test, wrote a screensaver with shockwave, that everybody in the company loved (it even won an award for design). What no one realised until we told them, was that the screensaver had been merrily scanning people's drives in the background and uploading filelists to us.
You see, they had this wonderful insight:
Of course, protocols for network transparent graphics, sound et cetera already exist, but they have that nasty four letter word in them (open).
Sarcasm aside, I am sure the intent of this is to allow Flash 6 to provide Video conferencing type applications - just click on the link and there you go.
I saw a most interesting article in InfoHurl about this - the funny thing was they showed apps being remoted to Windows, Mac-OS, and Linux. Yeah, I'll believe MacroMedia will be supporting Linux with a good Flash 6 player about the same time as BillG tongue-kisses RMS - the current Flash 5 player is MUCH slower than the Windows player on the same hardware (while strangely NOT taking all available CPU!), fails to sync video and audio, and generally is unstable (Heaven forfend somebody ELSE might want to access
www.eFax.com are spammers
http://www.zombo.com/
How's that for a nice flash intro?
OK, some people seem to have found info about what the camera and mic objects are for on the web but I'll post the link again for the people who skipped that posting before moving on: http://radio.weblogs.com/0106797/2002/04/30.html#a24
1. The default for the camera and mic is to DISALLOW a site to access them.
2. The camera and mic objects are there for something MM has coming down the tubes for a communication server via the Flash player, and the player will PROMPT users before ever granting a site access to their mics and cameras...I've got the beta of the server for testing purposes and it asks me every time (since I never check the little box asking me if I want the player to remember my setting)
3. As many people have pointed out, the Local Storage settings are essentially cookies for Flash. They work in pretty much the same fashion (can only be accessed by the domain that created them, etc.) as cookies, but are only consumable by Flash.
Personally, I wish some of the folks here would give the "Flash is evil" stuff a rest and see more people looking at the GOOD things that can be done with Flash rather than just the worthless drivel that a lot of people have produced, but that's the opinion of someone who works for MM, so I don't have much of a prayer there.
Cookies are "ok" but does anyone else remember all of those security holes that we had to live through with the cookie implementation in the browsers? At the end of the day, you have to ask, why do I want to be able to send video through flash animation and is it worth the hassle of the potential security holes. To which I answer no and no but I said no to flash web sites a looooong time ago so it's a moot point.
I am not a number! I am a man! And don't you
Jaysus! Could you make your white / black lists available to others who don't have the research ability, technical grasp, whatever it takes to protect themselves?
The mic and audio features will enable even more interesting learning applications.
A. It's set to off by default ( it shows the mic level just to show that it is receiving a signal, not that it's giving the movie access ) .
B. You can set the filesize to 0 ( Try doing that with IE? ) or to unlimited or just about anywhere between ( well, almost )
C. The secure settings are set to default.
I understand some people hate Macromedia Flash but you got to consider that back when Cookies were still a majorly unknown thing for the Average user e.g. Clue = 0 and browsers had all kinds of nice little Frame issues that Flash had security for what a movie could send. E.g. it would only allow data to be posted/get to the domain the movie was from.
for anyone using voice recognition, or any other application where keeping your mike at the CORRECT
level is important. What right do they have to change my settings?!
According to 'the boys from Brazil'
even Hitler reincarnated isn't Hitler reincarnated
___
It's the end of my comment as I know it and I feel fine.
I have never been a big fan of Flash. Not that it is a bad technology, but just like anything else that is remotely cool people use, abuse, and misuse it to the point where the cons outweigh the pros.
I guess my biggest beef with Flash is that people make IT the content as opposed to using it to accent the content. Ever been to a site where you can't bookmark shit and none of the browser navigation does shit because hitting back only restarts the whole thing? That is the kind of stuff that drives me nuts...
Just my $.02...
--Jon
Can we discuss this?
Reasons not to run Flash:
Flash presents unknown security risks. Sometimes Flash and other Macromedia products have been the point of entry of trojans and viruses, as mentioned in this documentation of a very serious bug, Macromedia Flash Activex Buffer overflow [eeye.com].
So, ok, _ONE_ security notice. No known exploits of this hole. Company acknowledgement and fix in less than a day.
What other risks? What other holes or past vulnerabilities? Any known exploits? Name them. I think the case can be made that Macromedia is more diligent with security than many in this business, and more worthy of trust.
Maybe the problem is with using a browser that requires Activex?
Flash on a website advertises Flash. There must always be some notice that says "Download Flash if you don't have it", and a link to Macromedia, so that web site viewers can get the latest version. This forced added content distracts from the intended content.
The Flash plug-in is just about default on most browser installs, so few see that download message. The plug-in's truly free, and not nagware like QuickTime or Real. And most people aren't developers, so not a very targeted campaign, is it? The real ad value is that the plugin works well for the majority of users.
Flash is nearly always used to provide images that are irrelevant to the content. Except for those who care about bright, shiny things more than content, Flash gets in the way. Flash authors are seldom qualified to provide moving picture content, and, even if they were, Flash is a very limited cinematic tool.
Those comments are more often applied to television.
So should Flash have a taste filter to prohibit the creation of tacky content?
Flash is just a tool, not an artistic movement.
Flash often causes long load times. Long load times communicate that the website viewer's time is less important than the website creator's love of movement. Flash often causes Website viewers to wait for "Loading..." messages.
Flash is currently one of the most efficient and reliable formats for delivering dynamic interactive content. Its success comes from the fact that there's not really any other interactive animated format that competes with it yet.
Download time is a contract between author and viewer; if the content is good, they'll accept the delay. With broadband, the majority of Flash pieces download in a few seconds.
For website viewers who do not want to run Flash and other Macromedia software, or cannot, web sites using it are broken.
Sites are broken because the author didn't care enough to put in detection for the plug-in, and didn't include alternate non-Flash content. By the way, the Flash plugin (presence and version) is VERY easy to detect via javascript or other means (unlike Quicktime)
By using Flash, authors of Flash content may cause the URL of their customers to be transmitted to Macromedia. If some disloyal Macromedia employee, or Macromedia itself, thought of some profitable reason to approach those customers directly, Flash content authors could lose business.
Uh huh.... right. Big software company secretly wants to run tiny boutique webshop in converted factory loft making way kewl Flash pieces.
Flash content is proprietary content.
No more or less than ANY content.
It is the money-making scheme of one company. This tends to undermine web standards like HTML. The Internet is a public utility for all of us to use. Proprietary methods go against that spirit.
The Flash movie format SWF is an open format. Write your own authoring tool. Others have.
It must be Slushdot instead.
News for Luddites. FUD that matters.
To everyone worried about security holes that have never been exploited, the added bandwidth of streaming images and (god forbid) sound, and the thought that your microphone will be used to spy on you, here's a hint.
INSTALL LYNX YOU LUDDITES!
Thank you.
No Zen is good zen
"So, ok, _ONE_ security notice. No known exploits of this hole. Company acknowledgement and fix in less than a day."
Flash has caused several very serious security breaches, and the company acknowledges this. A computer under my supervision was totally owned by someone exploiting a bug in a Macromedia product.
"The Flash plug-in is just about default on most browser installs, so few see that download message."
You forgot something very important. Sometimes there has been more than one upgrade to Flash within a month. If a web site uses a later version of Flash than is installed, you see the message.
"Sites are broken because the author didn't care enough to put in detection for the plug-in, and didn't include alternate non-Flash content. By the way, the Flash plugin (presence and version) is VERY easy to detect via javascript or other means (unlike Quicktime)"
Your answer to this extremely serious problem can be shortened to "Sites are broken..." It is VERY bad advertising if a user gets an error message instead of a web page. That happens a lot with Flash sites, for many reasons. For example, the user may have Javascript disabled, or it may be an imperfect implementation of Javascript, such as with version 5 of Opera.
"Uh huh.... right. Big software company secretly wants to run tiny boutique webshop in converted factory loft making way kewl Flash pieces."
Your answer is an attempt to influence by innuendo, not logic. Several years ago I was getting about 40 pieces of spam a day. Many seemed to have a connection with AOL. It just happened that someone from AOL called, trying to sell me something. I complained about the spam. Immediately it stopped. Was AOL doing the spamming? Maybe not; maybe it was someone who worked for the company who was making some money on the side. Would someone wanting to make money try to breach your computer security? Here is a small list of attempts to do so: The Spyware Infested Software List
The fact remains, when you use Flash, you are giving your customer list to Macromedia, and to whomever has access to Macromedia computers.
"Download time is a contract between author and viewer; if the content is good, they'll accept the delay. With broadband, the majority of Flash pieces download in a few seconds."
The viewer is not aware of any contract. The viewer is aware that he or she must wait. Again, this is extremely bad advertising.
This Slashdot story continues an impression of Macromedia. The company is like Microsoft in that they tend to push the limits of what people will accept so that they can make more money. Would you have a friend who continued to test your limits? No? Then don't have a business association that tests people's limits.
Thanks.
I've been following Macromedia since they started. This Slashdot story was the last straw for me. If something goes wrong with my customer's computers, it will be me who is blamed. Deleting Flash is a sensible precaution on a business network.
Anybody else astounded by the parallels?
Pretty soon computers will not have off buttons either.
is bring up www.goatse.cx and point your camera at your monitor.
*** Unsuspecantly flash strangers with Flash 6! ***
Pull down your pants and give Flash the Flash.
what security breaches?
"You forgot something very important. Sometimes there has been more than one upgrade to Flash within a month. If a web site uses a later version of Flash than is installed, you see the message."
afaik, there are flash versions 3 thru 6, with about 2 years between the version steps. there is no flash 5.2.
"The fact remains, when you use Flash, you are giving your customer list to Macromedia, and to whomever has access to Macromedia computers."
you are providing them with the urls of companies that have an swf on their site. this could have been any authoring tool that generates swf. but you're right, they probably do this so they don't have to search the web for swfs.
"The viewer is not aware of any contract. The viewer is aware that he or she must wait. Again, this is extremely bad advertising."
the viewer doesn't have to do anything. either he or she waits, or decides that it wouldn't be worth it. swfs are small. you can make big swfs, and you can make swfs that really suck. you also can make pretty shitty html sites. if you have that sort of talent.
"The company is like Microsoft in that they tend to push the limits of what people will accept so that they can make more money."
they opened up the standard. i don't know what you mean by pushing the limits of what people will accept. but as a company, macromedia wants to make money. just like any other company.
--
making up good sigs is a hard thing to do.
Thanks for your reply.
"i don't know what you mean by pushing the limits of what people will accept."
I consider this Slashdot story an example of pushing the limits. They are taking more control of the user's computer without making it clear in advance what they are doing. That's abusive, in my opinion. Your computer is your property. You wouldn't feel good about someone using your car without permission. You shouldn't feel comfortable having someone use your computer without permission.
but i have been to a site that uses the microphone and the camera (for a chat) and the player asked me for my permission. it defaults to no and is very prominent.
the feature of being able to use the camera and the microphone is a good thing, in my opinion. if i would have to implement it, i would default it to no, and ask for the user's permission if a site tries to use the mic/cam, the exact same thing macromedia has done.
and until i see any proof i have no reason to believe otherwise. an outgoing video/audio stream would be fairly easy to detect. and it would severely damage the company, a risk for no possible benefit i can see. you couldn't just explain such a 'feature' in the manuals.
adding the aud/vid streaming capability by itself is not evil. if they (or the site owners) could access the cam/mic without the user's prior permission i would, as i said, agree with you. but that is simply not the case.
--
making up good sigs is a hard thing to do.
> A camera and a Microphone are two very useful items for online communication.
> If you don't want to be seen or heard, don't freaking buy them.
People want to be seen and heard *ON THEIR TERMS*, not when some spyware decides to do it.
> Flash has to evolve like anything else to stay alive.
In that case DIE FUCKWAVE SLASH, DIE ! And take PDF with you. HTML is good enough, thank you.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
What you are saying strikes me as sensible. However, if Macromedia can make this change without warning users, it can make other changes.
I corresponded with someone at Macromedia about problems of this nature. It is possible that the company just appears to be sneaky, and in fact they are only ignorant of proper marketing.
This Slashdot story, "Freaky Flash 6 Fishy Features", has certainly done the company a huge amount of damage. The story was motivated by the surprise at what Macromedia has done. That is terrible marketing. For a full realization of the depth of the damage, reflect upon the fact that Slashdot readers are a significant percentage of all the people who make technical policy about computer use at their companies. That is terrible marketing; it's so bad that it makes me wonder about the ability of the company managers to make any decision.
Also, look at this quote (2nd paragraph), from the Macromedia web site: "The data is not public, but the privacy of this data depends on the policies of the web site where the movie is hosted."
Translation: "We have arranged a situation in which the privacy of your computer is out of your control and is dependent on someone else." That is becoming very close to the exact purpose of spyware and malware.
Translation 2: "We are moving toward a way of making money in which we make it possible for web sites to control a user's computer, without the user's understanding or knowledgeable permission."
What is also VERY scary about this is that Macromedia has made programming mistakes in the past, and will no doubt make mistakes again. When you use Flash, you are allowing non-standard ways of communicating which have not been reviewed by a standards committee (such as with the upgrade and install process). As this shows, and the Slashdot story implies, Macromedia is willing to make your computer less secure as a result of their money-making schemes. This gives the strong impression that the user's security is not their priority.
I agree with the OpenBSD team: Security is a primary concern. I don't like the direction Macromedia wants to take us, and I don't like their ideas of what is acceptable behavior. But Macromedia is worse than sneaky, the company has bad judgement, and that is even more frightening.
My comment below your comment should have been posted as a reply to your comment.
The Slashdot software has been a bit buggy lately. It has also been eliminating recent comments from the list of old comments, and keeping old ones.
The Slashdot software is failing. Please read the entire thread to see my answer to your most recent comment.
Now, could someone please tell me there is a way to set up IE 6 so that it won't pop up a message window every time I load a page up that uses Flash 6?
The Security option that seems to deal with it is "Download signed ActiveX controls". It has 3 settings: Enable (I won't), Disable (pops up a message that the page can't be displayed properly), and Prompt (prompts me to install it).
Well, if you help me I'll reward you with removing Flash 6 from my most hated software list.
That is entirely up to the programmer. If he does it right load times can be as small as 30 seconds for a really rich flash document, as Flash MX now supports streaming audio and images that can be loaded from the server directly. MX also has new support for video (Sorenson) and is now at a very exciting stage. Btw a basic (text) flash document will actually be smaller in size than a similar HTML document, and security for the content is also better than basic HTML.
nt
This paranoid ranting is, well, ridiculous.
1. Flash, as a vector format, is far more efficient than sending a straight image. This doesn't mean it isn't used when it shouldn't be.
2. It's not as often upgrades as you seem to think.
3. A fair amount of the time, it's actually used to provide interactive content, in a way that's far more efficient and lightweight than Java.
Note that Java has most of the problems you list with Flash, -including- huge download times (often) and plugin issues! Mostly, it would be very nice to have web DPS instead of flash to work with (but don't hold your breath), and it would be very good to have an open source flash (or other animated, interactive vector graphics format) available, but there isn't one at the moment.
The article seems very badly informed in any case -- what it seems to talk about regarding "storing information on your computer" is no more than flash's version of cookies!
Or maybe you should be unplugging your webcam when you visit pr0n sites with flash applets :)
Living better through chemicals
Why not make it interesting? Modify that virus so that it detects when the user is surfing lots of pr0n sites, waits 5 minutes, then captures a short video clip from the user's webcam and emails that snippet to everyone in the user's address book...
Because on average, 5 minutes is more than enough for majority geeks.
The setting to disallow stored data defaults to 100k per website. Even if you check the "never" box that only applies to the current website! It's still 100k for the next site you visit. #@$$@%#@!
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
I've read a lot of replies that flame flash. Well, I totally agree that flash isn't a great way to design a website, and all the reasons provided by everyone here are perfectly valid. HOWEVER, I consider flash a very good form of internet art. Sure, it isn't productive and etc, but it's great entertainment. I spend at least half an hour a day browsing www.newgrounds.com and I get some good laughs now and then (although there is crap submitted in great quantities). I think flash gives creative people a way to express themselves in the internet community (as do ASCII art, animated gifs and etc, but flash does it in much greater quantities).
Join the elite! Post at score:2! Ghostwheel is online.
Cookies are not a problem in themselves, but when they are used by determined organizations to cross-reference computer use, can be used to discover information far more extensive than any one cookie stores.
Most people are honest, and have difficulty thinking like the crooks, and don't have the technical knowledge to understand the issues. So, they have difficulty imagining the way that cookies are actually used sometimes.
100 Kilobytes is a lot just to "save the state of the user's computer". There is indeed something fishy in the story Slashdot calls "Freaky Flash 6 Fishy Features". If you are a programmer, it is easy to guess that something is being planned that is not being discussed on the Macromedia web site.
"Your answer to this extremely serious problem can be shortened to "Sites are broken..." It is VERY bad advertising if a user gets an error message instead of a web page. That happens a lot with Flash sites, for many reasons. For example, the user may have Javascript disabled, or it may be an imperfect implementation of Javascript, such as with version 5 of Opera."
You are so right Futurepower, and to the reasons Flash detections fail you can add misidentifying the browser and/or OS.
(I had a juicy example to post, but the slashcode treats it as code--even though I've chosen to post "Plain Old Text.") Anyway if you use one of the less popular browsers and have Flash installed you know this is true. Look at the source code for sites that fail to detect Flash. Most often they assume the only two browsers are MSIE and Netscape, and the only OS's are Mac and MSWindows. Oh, and they put all this crap in the head of the document! Way to slow up those load times, guys. The Macromedia fanclub will counter with "That's not Flash's problem; that's bad web design." That's an unrealistic response, and in all likelihood disingenuous. That's the way Flash actually is, the way people are experiencing it. Flash slows up load times and breaks many sites.
You aren't taking a view different than yours sufficiently seriously, in my opinion.
You said, "I would give you a list of names, many of whom you would know if you had a life - but I won't, because I don't think you're even qualified to make judgement on them."
I make the statements I make because I have been following the issues, not because I haven't. If I had not been following the issues, I would not know enough to care.
I have, for example, followed the careers of Roger Black (DaniloBlack.com) and Hillman Curtis (HillmanCurtis.com). Both of them have used Flash in ways that I think were poor marketing.
One of the biggest problems with Flash is not Flash itself, but the poor abilities of people who try to author motion pictures for the first time.
Here is an example of some fairly good work in Flash by Hillman Curtis: HP Ad. The biggest problem with Flash is that people use it for unnecessary motion. In this case Hillman Curtis made a fairly good movie. But it still looks amateur compared to the images we see on television every day. That's a huge problem: Customers unconsciously compare Flash moving pictures with regular moving pictures, and Flash often looks, comparatively, dorky.
You said, "That makes complete business sense, doesn't it. Good thinking sherlock ! Macromedia really wants to piss off its development communities - the communities that use and are passionate about their products. You really do have so little understanding of the web."
You are missing the point. Macromedia is collecting your customer's web site addresses for some reason. What is the reason? What would the company do if it fell in financial hard times, and the survival of the company depended on selling the web addresses? The sale could be hidden. AOL had disloyal employees who sold AOL customer information and company proprietary information. This could happen at Macromedia. The fact that they collect this information suggests that they can conceive of using it.
I agree. One problem with Flash is that web designers are rarely good cinematographers.
Another is that web designers rarely take the time to consider all the programming issues of making Flash actually work in the real world.
A third problem is that, even if a web designer is an extremely knowledgeable programmer, and a great cinematographer, there are browsers that deliberately mis-identify themselves. Opera can be one of them. There is a menu option to identify Opera as anything you like. And Opera is arguably the world's most convenient browser.
The excellent free ad removal tool, The Proxomitron (or here, The Proxomitron), identifies whatever browser you use as "Space Bison". It is a woolly world out there, and we should not pretend that we are ready for a particular technology when we aren't.
This is the issue: Do you want some of your customers to get error messages, or bad displays? If you don't want to make this sacrifice, then Flash technology is not quite there yet.
Yep, they tell you, we will be very careful about turning your camera on and won't let anyone else do it, honest!
Give me one good reason I should ever let Macromedia look through my camera.
Microsoft has been very careful with your privacy for years. I doubt these advert pushing clowns will do any better than this: Ha-Ha
That's why I won't run anything but free software. Macromedia, fuck off!
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Just remember to make a copy of the REBUS tape so that you have evidence that the ZikZak BlipVerts are lethal.
Thoughts on tech, Software Engineering, and stuff
Is Macromedia on the wrong track here, "The data is not public, but the privacy of this data depends on the policies of the web site where the movie is hosted" are they stupid? Invading users of their products privacy is a major blunder, that will piss off a lot of people...can you say SPAM!. What I'd like to know is how flash determines that it's ok for it to take your data. Does the website "inform" flash, I doubt it, They'll take your data by default and apologize later. Gee, I wonder if you could use flash as a TROJAN now like BO and grab screenshots and sound bites from users PC's? Stupid Stupid Stupid too bad Flash was a cool thing, someone should drop kick the asshole in marketing who came up with this one.
"the privacy of this data depends on the policies of the web site where the movie is hosted."
What does that mean?
Does it mean that anyone can make any kind of policy on their web site and use the data on your hard disk as they wish? What kind of data can they put on your harddisk, could this be audio or video from your microphone and webcam?
Does the data on your harddisk belong to you or to the website?
Who's gonna read all the policies of every web site just to watch a "Flash Movie"?
The bad thing about this seems to be that you can not make your own policy about what's on your harddisk but you have to agree or disagree every time again on the policy of a web site and then you have to trust this web site ( not only Macromedia ) for not breaking their policy.
I think it's not a technical issue but a legal issue. What does it mean when I click OK on a request for using my dataspace, agreeing with whatever policy the website uses?
Does anybody know?
Time to install Flash 6 on my girlfriend's computer!
Too bad I don't live in the dorms anymore, man, that could be fun...
This has even more potential than those folks at X10 ever dreamed of w/ their 'spy on [insert hot chick here]' ads!
is competition good, or is duplication of effort bad?
Right away I found one possibility in Flash MX:
What happens if you crack a router and spoof Macromedia?