Freaky Flash 6 Fishy Features
donpardo writes "I upgraded to Flash 6 last week (to patch a security hole). When I right clicked on a Flash ad at abcnews.com, and pulled down to Settings I got a tabbed dialogue box asking if I wanted to give them access to my cam and microphone. Clicking through on the tabs revealed that the microphone and the camera had already been detected and that the microphone was active. I doubt the camera or the microphone were sending information out but this still seems invasive. Here are Macromedia's statements about the mic and the camera. In addition there is a setting to ask how much information the site can store on your computer. The default value is 100K. According to the information statement "Data can be anything from your user name to your current score in an interactive game to a list of stocks in your portfolio ... The data is not public, but the privacy of this data depends on the policies of the web site where the movie is hosted."" I thought the first sentence of this submission was telling ...
At work we have been blocking Flash on and off for a while now and it now looks like it will get blocked and stay that way. It's a shame too, since Cisco has finally started using it for the only thing it was good for -- vector drawings.
Just be sure to cover your webcam with your shirt before you start making out with the supermodel. You should be okay.
Ok, I understand that the technology is here and that it is possible. I understand that some people want to know what you're working on in your computer or the sites you are visiting for advertising purposes and what not.
What I cannot fathom is how anyone could purposely write a program to spy into my room, listening to me or watching what I am doing. Doesn't anyone have a conscience anymore? Come on. This is my house, my life, stay the f@#k out!
The first tab is set to 'deny' access to both your mic and your cam by default. The fact that the mic is turned on or off has to do with your PC's settings, not the Flash Player's.
Still, could be fun...
Think outside the... Hey, where'd the friggin' box go?
How can I make money selling my amateur porn if they can see it all without my permission?
Okay, security's important, but come on people. The settings are configurable, the policy is easy to understand and what we're talking about in terms of the data being stored is essentially what amounts to Cookies for Flash. The camera and mic stuff can be turned off. If you don't like Flash this won't make you love it and if you love Flash this won't make you hate it. So people are posting about WHAT exactly?
"I have to turn my camera off for Flash! Invasion of privacy! Invasion of privacy! Cookies are evil! The sun is disappearing, the dragons are coming! The dragons are coming!"
Well someone might want to write a flash program that allows you to upload pictures of yourself, or sound clips.
Honestly, if you're this paranoid you should be more concerned that your OS has control of your camera and microphone, since your OS was written by Microsoft!
graspee
If by default your options are turned off, then is there really any large amount of harm?
Storing information on your computer is an old practice (cookies), and contrary to popular belief, isn't all that bad.
How many of you stay logged in on Slashdot when you come back to the site? That wouldn't be possible without "maintaining state" between visits.
Personally I commend Macromedia for giving developers access to such important features (stored variables) and trying to get others into the mainstream (integrating video and mic).
If you think this is an underhanded deed, then why don't you check your cookie files, you'll see quite a few, 90% are there solely to help you (10% could be tracking information, which in the end, just gives the user more relevant information).
You can read what the camera and microphone settings are for here:
http://radio.weblogs.com/0106797/2002/04/30.html#a24
they are going to be used in a forthcoming flash communications server that will allow you to stream audio and video.
What's the big deal?
Oh, well. Good thing they never bothered making a Flash 6 for Linux.
Yeah, I'll say! I do most of my surfing in the nude!
I wouldn't wanna get hit with lawsuits from inadvertently traumatizing people!
(ahem!)
The more advanced the technology, the more open it is to primitive attack
No, these features are new to the Flash 6 plugin.
They got a custom video codec built by Sorenson to do this. That's what Apple is suing Sorenson over.
The thing is that it's a full video codec and weighs in around 75k. Pretty impressive really. Audio is MP3 encoded.
A|Q|U|A
Tomorrow's InBox:
From: xxxx
Subj: Come see My Hot WebCam!
From: xxxx
Subj: We're waiting for you!
From: xxxx
Subj: Flash Installed, See Bubba pick at his ass-crack
I was hacking some code to interface with one of the Logitech cams, and there was a bit in the "take picture" command that seemed to serve no purpose. I couldn't find out why it was there, since flipping it did nothing.
As the sun set, I began to notice what it was for. With the bit ON, it would notify the user that it took a picture with the blink of an LED. With it off, it wouldn't. The dark room made this much more evident.
Just think of the possible uses for this one. If the FBI knows your IP, they can try to infect you with a virus that snaps a mugshot of you for them. When you are registering software, the installer can get a picture of the user and compare it against the DB of previous installations with that serial number. Your boss can see what you're doing without even opening the door.
Scary, huh? It's made me always turn my cam towards the wall when I'm not using it.
qslack.com
What happens if I do nothing?
The Macromedia Flash Player automatically detects any default microphone or other audio recorder on your computer, and sets microphone sensitivity to a medium value.
....
What happens if I do nothing?
The Flash Player automatically detects any video cameras on your computer and displays the name of the default camera it will use. If you do not select another camera from the pop-up menu, the Flash Player uses the default camera. To see a live display of the image being detected by the default camera, click the video preview area.
Now this is scary.
But picture this-- a virus that takes your picture, records you for a minute, compresses into
I think Back Orifice already has this in as a plugin, but man, a viral version of this... What's the best way to disable a laptop mic?
W
-------------------
This is my SIG. There are many like it, but this one is mine.
Ever since they made it so that play, loop and other right-clickable consumer controls could be made unavailable, I made the program unavailable on my machine. Unlike IE past Win 98, it is still removable. The worst case I saw before I pulled the plug was a right click that put the dialog box on the other side of the screen and not where you were trying to stop an animation, and where a right click brought up only one option, "about Macromedia". I contacted the company concerning these trends in loss of control. I received no reply. I prefer Netscape over IE, because any page with Flash content brings up a dialog box in IE, "do you want to install......" There is no option in IE "do not ask me again". I got tired of telling it "NO NO NO NO NO!" I would suspect MS and Macromedia have the same agenda to have your computer skip ads the same way your DVD player skips the FBI warning. Somebody is paying bucks to have the content delivered like it or not.
Since most flash is used for forced advertising and not for content, my main machine is flash and IE disabled by choice. At the rare site with actual flash content, my standby machine still has it, but it's rare I fire up that antique.
The truth shall set you free!
You can find information on how to uninstall Flash here: http://www.macromedia.com/support/flash/ts/documents/remove_player.htm
....register with us by giving us your life history along with your request for privacy.
We need your life history to make sure it's you.
It does vector and is even a bit more open....
How can Flash be removed from 1) Windows, and 2) Linux?
Reasons not to run Flash:
Flash presents unknown security risks. Sometimes Flash and other Macromedia products have been the point of entry of trojans and viruses, as mentioned in this documentation of a very serious bug, Macromedia Flash ActiveX Buffer overflow.
Flash on a website advertises Flash. There must always be some notice that says "Download Flash if you don't have it", and a link to Macromedia, so that web site viewers can get the latest version. This forced added content distracts from the intended content.
Flash is nearly always used to provide images that are irrelevant to the content. Except for those who care about bright, shiny things more than content, Flash gets in the way. Flash authors are seldom qualified to provide moving picture content, and, even if they were, Flash is a very limited cinematic tool.
Flash often causes long load times. Long load times communicate that the website viewer's time is less important than the website creator's love of movement. Flash often causes Website viewers to wait for "Loading..." messages.
For website viewers who do not want to run Flash and other Macromedia software, or cannot, web sites using it are broken.
By using Flash, authors of Flash content may cause the URL of their customers to be transmitted to Macromedia. If some disloyal Macromedia employee, or Macromedia itself, thought of some profitable reason to approach those customers directly, Flash content authors could lose business.
Flash content is proprietary content. It is the money-making scheme of one company. This tends to undermine web standards like HTML. The Internet is a public utility for all of us to use. Proprietary methods go against that spirit.
MOTHER OF GOD that is so SINISTER of them. Surely, the bit is there to serve SATAN!
I mean, how could it serve a legitimate purpose if you were using your webcam for, say, security purposes - to watch your empty office or house while you were away, or you just didn't want the LED to blink when it took a picture for say - your robot vision app? Won't someone PLEASE get these hardware engineers to stop including useful features in their devices?
The intel webcams have always had this nice little shutter on the front that you can close. A very nice feature.
Flash started off as a very interesting technology about 6 years ago, and gained popularity amongst users because it was small (142k download or so), relatively innocuous (Only two exploits so far AFAIK) and it brought those things to the web that java applets had promised but failed to do. There was a huge demand for Flash coders in the middle of the Dotcom boom, especially when Flash 4 hit the scene with scripting abilities, allowing developers to make fancy interactive sites, and even more so when Flash 5 came around which improved the scripting and performance yet still remained small and relatively safe.
What happened?
Thousands of dotcommers made enormous Flash intro animations for their sites (about half of them forgetting to make a "skip intro" link), which rapidly irritated many, many visitors to said sites (a study on the irritation factor of Flash intros and banners would be *very* interesting). At the same time as the dotcom scene started crashing around everyone's ears, desperate internet marketing whizzes decided that Flash would be a brilliant vehicle for advertising, pushed along by an equally desperate Macromedia, whose products were no longer selling like hot cakes. The results of those ideas can be seen on almost every portal on the web (ZDNet is my favourite, with Slashdot also not doing too badly), and visitors' reactions are known to everybody, it seems, except for the mindless marketing people who push it. In this way it is very similar to spam.
Macromedia spent a fortune on making Flash a tool that would liven up the web and make colourful, interactive, animated, dynamic sites possible, especially in conjunction with Macromedia's backend Flash application server, Generator. Apart from a host of sites early on, this trend has died out almost completely, because what Macromedia didn't realise is that just like web designers/coders have to cope with different browsers, they also have to cope with users who haven't and won't use the plugin, and therefore go for the lowest common denominator in websites: HTML with one or two pics etc. Flash didn't save a single dotbomb from going under.
Now, just like any other large company (ahem), they need to add "features" in order to carry on making money with their product. Flash 6 (MX) now has built-in video, microphone and cookies. I very much doubt this is suddenly going to improve the content of all the Flash we've been getting, although it may kill one or two other companies' media players (QuickTime, WMP, Real), but, in moving out of the traditional small player that they've had, it will fast become larger, and someone is sooner or later going to find some hole in their player (ActionScript getting access to the drive while ostensibly looking for cookies? Exploiting a hardware driver (keylogger)?). For all my irritation with Sun's Applet saga and Java on Windows, Sun worked very hard to make the language and VM design secure (and the fact that the few exploits with browser JVMs have been mostly in MS's JVM does show this). Macromedia doesn't AFAIK have that much experience in security wrt client-side technologies, and time will tell what will happen with this player.
I used to be a Director programmer, and with Director you could pretty much do anything on the client machine with no checks, and Shockwave, Director's browser plugin, went in the same direction as Flash is going: first a straight player and then with later versions you could download all sorts of xtras onto the client machine. I once, as a security test, wrote a screensaver with Shockwave that everybody in the company loved (it even won an award for design). What no one realised until we told them was that the screensaver had been merrily scanning people's drives in the background and uploading file lists to us.
You see, they had this wonderful insight:
Of course, protocols for network transparent graphics, sound et cetera already exist, but they have that nasty four letter word in them (open).
Sarcasm aside, I am sure the intent of this is to allow Flash 6 to provide Video conferencing type applications - just click on the link and there you go.
I saw a most interesting article in InfoHurl about this - the funny thing was they showed apps being remoted to Windows, Mac-OS, and Linux. Yeah, I'll believe MacroMedia will be supporting Linux with a good Flash 6 player about the same time as BillG tongue-kisses RMS - the current Flash 5 player is MUCH slower than the Windows player on the same hardware (while strangely NOT taking all available CPU!), fails to sync video and audio, and generally is unstable (Heaven forfend somebody ELSE might want to access
www.eFax.com are spammers
http://www.zombo.com/
How's that for a nice flash intro?
OK, some people seem to have found info about what the camera and mic objects are for on the web, but I'll post the link again for the people who skipped that posting before moving on: http://radio.weblogs.com/0106797/2002/04/30.html#a24
1. The default for the camera and mic is to DISALLOW a site to access them.
2. The camera and mic objects are there for something MM has coming down the tubes for a communication server via the Flash player, and the player will PROMPT users before ever granting a site access to their mics and cameras...I've got the beta of the server for testing purposes and it asks me every time (since I never check the little box asking me if I want the player to remember my setting)
3. As many people have pointed out, the Local Storage settings are essentially cookies for Flash. They work in pretty much the same fashion (can only be accessed by the domain that created them, etc.) as cookies, but are only consumable by Flash.
Personally, I wish some of the folks here would give the "Flash is evil" stuff a rest and see more people looking at the GOOD things that can be done with Flash rather than just the worthless drivel that a lot of people have produced, but that's the opinion of someone who works for MM, so I don't have much of a prayer there.
For anyone using voice recognition, or any other application where keeping your mike at the CORRECT level is important: what right do they have to change my settings?!
Can we discuss this?
Reasons not to run Flash:
Flash presents unknown security risks. Sometimes Flash and other Macromedia products have been the point of entry of trojans and viruses, as mentioned in this documentation of a very serious bug, Macromedia Flash ActiveX Buffer overflow [eeye.com].
So, ok, _ONE_ security notice. No known exploits of this hole. Company acknowledgement and fix in less than a day.
What other risks? What other holes or past vulnerabilities? Any known exploits? Name them. I think the case can be made that Macromedia is more diligent with security than many in this business, and more worthy of trust.
Maybe the problem is with using a browser that requires ActiveX?
Flash on a website advertises Flash. There must always be some notice that says "Download Flash if you don't have it", and a link to Macromedia, so that web site viewers can get the latest version. This forced added content distracts from the intended content.
The Flash plug-in is just about default on most browser installs, so few see that download message. The plug-in's truly free, and not nagware like QuickTime or Real. And most people aren't developers, so not a very targeted campaign, is it? The real ad value is that the plugin works well for the majority of users.
Flash is nearly always used to provide images that are irrelevant to the content. Except for those who care about bright, shiny things more than content, Flash gets in the way. Flash authors are seldom qualified to provide moving picture content, and, even if they were, Flash is a very limited cinematic tool.
Those comments are more often applied to television.
So should Flash have a taste filter to prohibit the creation of tacky content?
Flash is just a tool, not an artistic movement.
Flash often causes long load times. Long load times communicate that the website viewer's time is less important than the website creator's love of movement. Flash often causes Website viewers to wait for "Loading..." messages.
Flash is currently one of the most efficient and reliable formats for delivering dynamic interactive content. Its success comes from the fact that there's not really any other interactive animated format that competes with it yet.
Download time is a contract between author and viewer; if the content is good, they'll accept the delay. With broadband, the majority of Flash pieces download in a few seconds.
For website viewers who do not want to run Flash and other Macromedia software, or cannot, web sites using it are broken.
Sites are broken because the author didn't care enough to put in detection for the plug-in, and didn't include alternate non-Flash content. By the way, the Flash plugin (presence and version) is VERY easy to detect via javascript or other means (unlike Quicktime)
By using Flash, authors of Flash content may cause the URL of their customers to be transmitted to Macromedia. If some disloyal Macromedia employee, or Macromedia itself, thought of some profitable reason to approach those customers directly, Flash content authors could lose business.
Uh huh.... right. Big software company secretly wants to run tiny boutique webshop in converted factory loft making way kewl Flash pieces.
Flash content is proprietary content.
No more or less than ANY content.
It is the money-making scheme of one company. This tends to undermine web standards like HTML. The Internet is a public utility for all of us to use. Proprietary methods go against that spirit.
The Flash movie format SWF is an open format. Write your own authoring tool. Others have.
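The plugin detection the reply above says is "VERY easy" via JavaScript, as an added example that is not from the thread or from Macromedia: the page ships its plain HTML content by default and only switches to the Flash movie when a plugin of the required version is actually reported, so a visitor without the plugin (or with scripting off) never sees an error. The navigator-like object is passed in as a parameter (an assumption made so the logic runs outside a browser); the sample navigator objects are constructed, not captured from real browsers.

```javascript
// Real browsers expose the plugin under navigator.plugins by name and under
// navigator.mimeTypes by MIME type; the description string has the form
// "Shockwave Flash 6.0 r79" (major.minor and an optional build "rNN").
const FLASH_MIME = "application/x-shockwave-flash";
const FLASH_NAME = "Shockwave Flash";

// Parse a plugin description into {major, minor, build}; null if it does not match.
function parseFlashVersion(description) {
  if (typeof description !== "string") return null;
  const m = /Shockwave Flash\s+(\d+)\.(\d+)(?:\s+r(\d+))?/.exec(description);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), build: m[3] ? Number(m[3]) : 0 };
}

// Look the plugin up both ways; return its version or null when it is absent
// or disabled. (An ActiveX-only install on IE is not visible through these
// objects, so a missing entry is treated as "no Flash", never as an error.)
function detectFlash(nav) {
  if (!nav) return null;
  const plugins = nav.plugins || [];
  for (let i = 0; i < plugins.length; i++) {
    const p = plugins[i];
    if (p && p.name === FLASH_NAME) return parseFlashVersion(p.description);
  }
  const mt = nav.mimeTypes && nav.mimeTypes[FLASH_MIME];
  if (mt && mt.enabledPlugin) return parseFlashVersion(mt.enabledPlugin.description);
  return null;
}

// Is the installed version at least the required major.minor?
function meetsVersion(installed, required) {
  if (!installed) return false;
  if (installed.major !== required.major) return installed.major > required.major;
  return installed.minor >= required.minor;
}

// The decision itself: "flash" only when the required version is present,
// otherwise "html", i.e. the alternate content the page already contains.
function chooseContent(nav, requiredMajor) {
  const v = detectFlash(nav);
  const mode = meetsVersion(v, { major: requiredMajor, minor: 0 }) ? "flash" : "html";
  return { mode, version: v };
}

// Constructed sample navigators (hypothetical, for demonstration only).
const navWithFlash6 = {
  plugins: [{ name: FLASH_NAME, description: "Shockwave Flash 6.0 r79" }],
  mimeTypes: {},
};
const navWithFlash5 = {
  plugins: [],
  mimeTypes: { [FLASH_MIME]: { enabledPlugin: { description: "Shockwave Flash 5.0 r30" } } },
};
const navNoFlash = { plugins: [], mimeTypes: {} };

console.log(chooseContent(navWithFlash6, 6).mode); // flash
console.log(chooseContent(navWithFlash5, 6).mode); // html (too old for a Flash 6 movie)
console.log(chooseContent(navNoFlash, 6).mode);    // html (no plugin at all)
```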
"So, ok, _ONE_ security notice. No known exploits of this hole. Company acknowledgement and fix in less than a day."
Flash has caused several very serious security breaches, and the company acknowledges this. A computer under my supervision was totally owned by someone exploiting a bug in a Macromedia product.
"The Flash plug-in is just about default on most browser installs, so few see that download message."
You forgot something very important. Sometimes there has been more than one upgrade to Flash within a month. If a web site uses a later version of Flash than is installed, you see the message.
"Sites are broken because the author didn't care enough to put in detection for the plug-in, and didn't include alternate non-Flash content. By the way, the Flash plugin (presence and version) is VERY easy to detect via javascript or other means (unlike Quicktime)"
Your answer to this extremely serious problem can be shortened to "Sites are broken..." It is VERY bad advertising if a user gets an error message instead of a web page. That happens a lot with Flash sites, for many reasons. For example, the user may have Javascript disabled, or it may be an imperfect implementation of Javascript, such as with version 5 of Opera.
"Uh huh.... right. Big software company secretly wants to run tiny boutique webshop in converted factory loft making way kewl Flash pieces."
Your answer is an attempt to influence by innuendo, not logic. Several years ago I was getting about 40 pieces of spam a day. Many seemed to have a connection with AOL. It just happened that someone from AOL called, trying to sell me something. I complained about the spam. Immediately it stopped. Was AOL doing the spamming? Maybe not; maybe it was someone who worked for the company who was making some money on the side. Would someone wanting to make money try to breach your computer security? Here is a small list of attempts to do so: The Spyware Infested Software List
The fact remains, when you use Flash, you are giving your customer list to Macromedia, and to whomever has access to Macromedia computers.
"Download time is a contract between author and viewer; if the content is good, they'll accept the delay. With broadband, the majority of Flash pieces download in a few seconds."
The viewer is not aware of any contract. The viewer is aware that he or she must wait. Again, this is extremely bad advertising.
This Slashdot story continues an impression of Macromedia. The company is like Microsoft in that they tend to push the limits of what people will accept so that they can make more money. Would you have a friend who continued to test your limits? No? Then don't have a business association that tests people's limits.
You're a bit naive.
So you're saying that no one would want to see a CEO's webcam that has confidential papers in view of the picture? Papers that could give a competitor an advantage? (or anyone--such information could make a person very rich in the stock market) ...or how about a credit card in view of the cam. Maybe those items would be hard to read, but someone could get lucky, and the mic wouldn't even have this sort of problem if any of this info is spoken aloud. In fact the mic could probably catch information that is even more sensitive...
Maybe they don't really want to look at your webcam pics, but use them to embarrass you. Ever use your computer in your underwear? Ever change in front of your webcam? Ever pick your nose? Those events could be posted all over the internet.
So it is off by default. That doesn't guarantee that the plugin doesn't have a bug somewhere that'll allow a webmaster to get access to the webcam or mic anyway. It's another possible way some wacko can access your system. Granted that the most used browsers have known security holes that are much worse, so to some degree you have a point, but it is still a concern.