Freaky Flash 6 Fishy Features
donpardo writes "I upgraded to Flash 6 last week (to patch a security hole). When I right clicked on a Flash ad at abcnews.com, and pulled down to Settings I got a tabbed dialogue box asking if I wanted to give them access to my cam and microphone. Clicking through on the tabs revealed that the microphone and the camera had already been detected and that the microphone was active. I doubt the camera or the microphone were sending information out but this still seems invasive. Here are Macromedia's statements about the mic and the camera. In addition there is a setting to ask how much information the site can store on your computer. The default value is 100K. According to the information statement "Data can be anything from your user name to your current score in an interactive game to a list of stocks in your portfolio ... The data is not public, but the privacy of this data depends on the policies of the web site where the movie is hosted."" I thought the first sentence of this submission was telling ...
The first tab is set to 'deny' access to both your mic and your cam by default. The fact that the mic is turned on or off has to do with your PC's settings, not Flash Player's.
Still, could be fun...
Think outside the... Hey, where'd the friggin' box go?
you can read what the camera and microphone settings are for here:
http://radio.weblogs.com/0106797/2002/04/30.html#a24
they are going to be used in a forthcoming flash communications server that will allow you to stream audio and video.
what's the big deal?
They are turned off by default, and every time a new domain tries to access them, the user is prompted to give permission.
mike chambers
mesh@macromedia.com
It's basically like cookies.
And you have the option to disable it on a per-site basis. Seems pretty aboveboard to me...
First off if you are concerned about Flash security, read the whitepaper about it before spouting off about it:
http://www.macromedia.com/desdev/mx/flash/whitepapers/security.pdf
Everything is set to deny by default. The plugin can see your mic and camera because it's on your computer! It can't send that information unless you give it permission to. Again, read the security white paper.
The new camera and mic abilities of Flash allow you to do some really powerful things that you simply can't do any other way. In fact there was a story about someone trying to build custom web conferencing software last week and I told them to wait a couple months for the server that uses these features of the Flash plugin... I was modded up to 4!
This kind of thing is going to push the web to new places. Technology is driven by innovation which later turns into standards, not the other way around.
A|Q|U|A
No, these features are new to the Flash 6 plugin.
They got a custom video codec built by Sorenson to do this. That's what Apple is suing Sorenson over.
The thing is that it's a full video codec and weighs in around 75k. Pretty impressive really. Audio is MP3 encoded.
A|Q|U|A
It does vector and is even a bit more open....
Yes, I have thought about some great ways of using this technology and I'll be speaking about them with another developer at SIGGRAPH this year. :-) (No, I'm not kidding)
A|Q|U|A
The problem is, it can't be proven. That's why things like open standards and open source exist.
Plus, might I add, Mac OS X does it the better way: FTP, HTTP and SSH services are turned off by default. Nothing that can potentially allow someone into your computer should be turned on by default. Nothing. And that's exactly what Flash 6 is doing: allowing access by default to your system. Netscape, while having access to cookies on by default at least also warns you by default (at least on Solaris, which is the default install I see every week - I have had them severely limited on my other machines for so long, I don't remember, because newer versions of Netscape also preserve preferences). This doesn't seem to even come with a small disclaimer. Perhaps buried in the EULA somewhere. But to me, this should be prominently displayed every time it is run, unless you tell it otherwise, or simply off by default.
Want it done right? Use a Mac. Or spend your life fixing holes in Windows. Or get savvy enough to use one of the less user friendly *n?xes.
Oh, and check all the preferences on everything you install all the time now, as well, it seems (although I don't remember AppleWorks calling the mothership when I install it). Bastard marketroids.
Do not touch -Willie
OK, some people seem to have found info about what the camera and mic objects are for on the web but I'll post the link again for the people who skipped that posting before moving on: http://radio.weblogs.com/0106797/2002/04/30.html#a24
1. The default for the camera and mic is to DISALLOW a site to access them.
2. The camera and mic objects are there for something MM has coming down the tubes for a communication server via the Flash player, and the player will PROMPT users before ever granting a site access to their mics and cameras...I've got the beta of the server for testing purposes and it asks me every time (since I never check the little box asking me if I want the player to remember my setting)
3. As many people have pointed out, the Local Storage settings are essentially cookies for Flash. They work in pretty much the same fashion (can only be accessed by the domain that created them, etc.) as cookies, but are only consumable by Flash.
Personally, I wish some of the folks here would give the "Flash is evil" stuff a rest and see more people looking at the GOOD things that can be done with Flash rather than just the worthless drivel that a lot of people have produced, but that's the opinion of someone who works for MM, so I don't have much of a prayer there.
These instructions are known to work with Internet Explorer 6.0 on Windows 2000. They may require modifications on other versions of IE or Windows.
If you stop now, Flash ads will not appear, but IE will pop up a dialog box every time you view a page containing a Flash ad. You can prevent this from happening 99% of the time by continuing to the next step.
notepad %systemroot%\system32\drivers\etc\hosts
A Notepad window should appear with a file in which most of the lines begin with "#".
0.0.0.0 download.macromedia.com activex.microsoft.com active.macromedia.com
This last step will prevent your computer from ever accessing the Internet addresses where the Flash plugin is normally found. If you later find that you need to access one of those addresses, just remove it from the hosts file.
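An added example, not part of the original comment: a Python check that the hosts line above is actually in effect, run against a constructed sample file. The function names are illustrative assumptions; the check also shows that hosts entries match exact names only, so a commented-out or unlisted name is not covered.

```python
import ipaddress

# Hostnames taken from the hosts line in the comment above.
FLASH_INSTALL_HOSTS = (
    "download.macromedia.com",
    "activex.microsoft.com",
    "active.macromedia.com",
)

def parse_hosts(text):
    """Return {hostname: address} for every usable entry in hosts-file text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                         # blank line, or address with no names
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                         # malformed address: skip the line
        for name in fields[1:]:
            # Hostnames are case-insensitive; keep the first mapping seen.
            entries.setdefault(name.lower().rstrip("."), addr)
    return entries

def is_sinkholed(addr):
    """True for addresses that never leave the machine (0.0.0.0, ::, loopback)."""
    return addr.is_unspecified or addr.is_loopback

def blocked_status(text, wanted=FLASH_INSTALL_HOSTS):
    """Map each wanted hostname to True if the hosts text sinkholes it."""
    entries = parse_hosts(text)
    return {h: (h in entries and is_sinkholed(entries[h])) for h in wanted}

# Constructed sample hosts file, not taken from a real machine.
# The third Flash hostname is commented out, so it is not blocked.
SAMPLE = """\
# sample hosts file
127.0.0.1       localhost
0.0.0.0 download.macromedia.com activex.microsoft.com   # Flash installer
#0.0.0.0 active.macromedia.com
"""

if __name__ == "__main__":
    for host, blocked in blocked_status(SAMPLE).items():
        print(f"{host:28} {'blocked' if blocked else 'NOT blocked'}")
```

To check a real machine, pass the contents of the hosts file opened in the Notepad step to `blocked_status` instead of `SAMPLE`.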