Freaky Flash 6 Fishy Features
donpardo writes "I upgraded to Flash 6 last week (to patch a security hole). When I right clicked on a Flash ad at abcnews.com, and pulled down to Settings I got a tabbed dialogue box asking if I wanted to give them access to my cam and microphone. Clicking through on the tabs revealed that the microphone and the camera had already been detected and that the microphone was active. I doubt the camera or the microphone were sending information out but this still seems invasive. Here are Macromedia's statements about the mic and the camera. In addition there is a setting to ask how much information the site can store on your computer. The default value is 100K. According to the information statement "Data can be anything from your user name to your current score in an interactive game to a list of stocks in your portfolio ... The data is not public, but the privacy of this data depends on the policies of the web site where the movie is hosted."" I thought the first sentence of this submission was telling ...
At work we have been blocking Flash on and off for a while now, and it now looks like it will get blocked and stay that way. It's a shame too, since Cisco has finally started using it for the only thing it was good for -- vector drawings.
If they can tap into it in the first place, what makes you think they can't enable the access remotely just as easily...
"The United States has no right, no desire, and no intention to impose our form of government on anyone else." - Bush 05
I was hacking some code to interface with one of the Logitech cams, and there was a bit in the "take picture" command that seemed to serve no purpose. I couldn't find out why it was there, since flipping it did nothing.
As the sun set, I began to notice what it was for. With the bit ON, it would notify the user that it took a picture with the blink of an LED. With it off, it wouldn't. The dark room made this much more evident.
Just think of the possible uses for this one. If the FBI knows your IP, they can try to infect you with a virus that snaps a mugshot of you for them. When you are registering software, the installer can get a picture of the user and compare it against the DB of previous installations with that serial number. Your boss can see what you're doing without even opening the door.
Scary, huh? It's made me always turn my cam towards the wall when I'm not using it.
qslack.com
What happens if I do nothing?
The Macromedia Flash Player automatically detects any default microphone or other audio recorder on your computer, and sets microphone sensitivity to a medium value.
....
What happens if I do nothing?
The Flash Player automatically detects any video cameras on your computer and displays the name of the default camera it will use. If you do not select another camera from the pop-up menu, the Flash Player uses the default camera. To see a live display of the image being detected by the default camera, click the video preview area.
Now this is scary.
But picture this-- a virus that takes your picture, records you for a minute, compresses into
I think Back Orifice already has this in as a plugin, but man, a viral version of this... What's the best way to disable a laptop mic?
W
-------------------
This is my SIG. There are many like it, but this one is mine.
Ever since they made it so that play, loop and other right-clickable consumer controls could be made unavailable, I made the program unavailable on my machine. Unlike IE past Win 98, it is still removable. The worst case I saw before I pulled the plug was a right click that put the dialog box on the other side of the screen and not where you were trying to stop an animation, and a right click that brought up only one option, "about Macromedia". I contacted the company concerning these trends in loss of control. I received no reply. I prefer Netscape over IE, because any page with Flash content brings up a dialog box in IE, "do you want to install......" There is no option in IE "do not ask me again". I got tired of telling it "NO NO NO NO NO!" I would suspect MS and Macromedia have the same agenda: to have your computer skip ads the same way your DVD player skips the FBI warning. Somebody is paying bucks to have the content delivered, like it or not.
Since most Flash is used for forced advertising and not for content, my main machine is Flash and IE disabled by choice. At the rare site with actual Flash content, my standby machine still has it, but it's rare I fire up that antique.
The truth shall set you free!
This tech is primarily focused on video conferencing and tech/customer support. Imagine going to an online store and being greeted by a 'live' salesperson who can answer your questions in person.
Obviously there is room to abuse as in any tech. As long as the features are turned off by default and always, always give you the choice of whether to use them or not, I don't see any problems.
In the meanwhile if you don't like flash, pick a browser and plugin set that you can live with.
IE isn't the only one out there. Mozilla works very well for me.
A fool throws a stone into a well and a thousand sages can not remove it.
You see, they had this wonderful insight:
Of course, protocols for network transparent graphics, sound et cetera already exist, but they have that nasty four letter word in them (open).
Sarcasm aside, I am sure the intent of this is to allow Flash 6 to provide video conferencing type applications - just click on the link and there you go.
I saw a most interesting article in InfoHurl about this - the funny thing was they showed apps being remoted to Windows, Mac-OS, and Linux. Yeah, I'll believe MacroMedia will be supporting Linux with a good Flash 6 player about the same time as BillG tongue-kisses RMS - the current Flash 5 player is MUCH slower than the Windows player on the same hardware (while strangely NOT taking all available CPU!), fails to sync video and audio, and generally is unstable (Heaven forfend somebody ELSE might want to access
www.eFax.com are spammers
There should be a configuration walk-through on install. If companies would do this, they could at least gain respect for the disclosure, and educate the user about the feature set of the product. And there is always the default / advanced installation for those who just blindly want to accept it or custom configure it.
Can we discuss this?
Reasons not to run Flash:
Flash presents unknown security risks. Sometimes Flash and other Macromedia products have been the point of entry of trojans and viruses, as mentioned in this documentation of a very serious bug, Macromedia Flash Activex Buffer overflow [eeye.com].
So, ok, _ONE_ security notice. No known exploits of this hole. Company acknowledgement and fix in less than a day.
What other risks? What other holes or past vulnerabilities? Any known exploits? Name them. I think the case can be made that Macromedia is more diligent with security than many in this business, and more worthy of trust.
Maybe the problem is with using a browser that requires ActiveX?
Flash on a website advertises Flash. There must always be some notice that says "Download Flash if you don't have it", and a link to Macromedia, so that web site viewers can get the latest version. This forced added content distracts from the intended content.
The Flash plug-in is just about default on most browser installs, so few see that download message. The plug-in's truly free, and not nagware like QuickTime or Real. And most people aren't developers, so not a very targeted campaign, is it? The real ad value is that the plugin works well for the majority of users.
Flash is nearly always used to provide images that are irrelevant to the content. Except for those who care about bright, shiny things more than content, Flash gets in the way. Flash authors are seldom qualified to provide moving picture content, and, even if they were, Flash is a very limited cinematic tool.
Those comments are more often applied to television.
So should Flash have a taste filter to prohibit the creation of tacky content?
Flash is just a tool, not an artistic movement.
Flash often causes long load times. Long load times communicate that the website viewer's time is less important than the website creator's love of movement. Flash often causes website viewers to wait for "Loading..." messages.
Flash is currently one of the most efficient and reliable formats for delivering dynamic interactive content. Its success comes from the fact that there's not really any other interactive animated format that competes with it yet.
Download time is a contract between author and viewer; if the content is good, they'll accept the delay. With broadband, the majority of Flash pieces download in a few seconds.
For website viewers who do not want to run Flash and other Macromedia software, or cannot, web sites using it are broken.
Sites are broken because the author didn't care enough to put in detection for the plug-in, and didn't include alternate non-Flash content. By the way, the Flash plugin (presence and version) is VERY easy to detect via JavaScript or other means (unlike QuickTime).
By using Flash, authors of Flash content may cause the URL of their customers to be transmitted to Macromedia. If some disloyal Macromedia employee, or Macromedia itself, thought of some profitable reason to approach those customers directly, Flash content authors could lose business.
Uh huh.... right. Big software company secretly wants to run tiny boutique webshop in converted factory loft making way kewl Flash pieces.
Flash content is proprietary content.
No more or less than ANY content.
It is the money-making scheme of one company. This tends to undermine web standards like HTML. The Internet is a public utility for all of us to use. Proprietary methods go against that spirit.
The Flash movie format SWF is an open format. Write your own authoring tool. Others have.
"So, ok, _ONE_ security notice. No known exploits of this hole. Company acknowledgement and fix in less than a day."
Flash has caused several very serious security breaches, and the company acknowledges this. A computer under my supervision was totally owned by someone exploiting a bug in a Macromedia product.
"The Flash plug-in is just about default on most browser installs, so few see that download message."
You forgot something very important. Sometimes there has been more than one upgrade to Flash within a month. If a web site uses a later version of Flash than is installed, you see the message.
"Sites are broken because the author didn't care enough to put in detection for the plug-in, and didn't include alternate non-Flash content. By the way, the Flash plugin (presence and version) is VERY easy to detect via javascript or other means (unlike Quicktime)"
Your answer to this extremely serious problem can be shortened to "Sites are broken..." It is VERY bad advertising if a user gets an error message instead of a web page. That happens a lot with Flash sites, for many reasons. For example, the user may have JavaScript disabled, or it may be an imperfect implementation of JavaScript, such as with version 5 of Opera.
"Uh huh.... right. Big software company secretly wants to run tiny boutique webshop in converted factory loft making way kewl Flash pieces."
Your answer is an attempt to influence by innuendo, not logic. Several years ago I was getting about 40 pieces of spam a day. Many seemed to have a connection with AOL. It just happened that someone from AOL called, trying to sell me something. I complained about the spam. Immediately it stopped. Was AOL doing the spamming? Maybe not; maybe it was someone who worked for the company who was making some money on the side. Would someone wanting to make money try to breach your computer security? Here is a small list of attempts to do so: The Spyware Infested Software List
The fact remains, when you use Flash, you are giving your customer list to Macromedia, and to whomever has access to Macromedia computers.
"Download time is a contract between author and viewer; if the content is good, they'll accept the delay. With broadband, the majority of Flash pieces download in a few seconds."
The viewer is not aware of any contract. The viewer is aware that he or she must wait. Again, this is extremely bad advertising.
This Slashdot story continues an impression of Macromedia. The company is like Microsoft in that they tend to push the limits of what people will accept so that they can make more money. Would you have a friend who continued to test your limits? No? Then don't have a business association that tests people's limits.
That is entirely up to the programmer. If he does it right, load times can be as small as 30 seconds for a really rich Flash document, as Flash MX now supports streaming audio and images that can be loaded from the server directly. MX also has new support for video (Sorenson) and is now at a very exciting stage. Btw, a basic (text) Flash document will actually be smaller in size than a similar HTML document, and security for the content is also better than basic HTML.