Next Flash Version Will Support Private Browsing

An anonymous reader writes "The world rolled its eyes when the problem of Flash cookies came to light several months ago. Even if you're careful about cookies or even if you use your browser's private surfing feature, sites can still track you through cookies stored by Flash. However, soon enough the next version of Flash, 10.1, will support private browsing and will integrate with browsers to turn it on when the browser itself is in private browsing mode. Browsers still store data during a private browser session, but they will delete it all at the end of the session. The same will be true of Flash private browsing."

Remind me why

Remind me why Flash needs to be stateful, again?

Re:Remind me why

[fuzzyfuzzyfungus]

Because Advertisers are the customers that matter, and they love having something that survives a naive "clear cookies" attempt by the pitiful consumer?

Re:Remind me why

[NecroPuppy]

There are a number of flash based games which use the flash cookies to save info you might want around so you don't have to start from scratch each time.

Re:Remind me why

[broken_chaos]

Online games are a major user (as opposed to abuser) of storing data with Flash. There are some that actually are complex and long enough (and fun, too!) to warrant a save function. It can also be mildly-to-moderately helpful for some other Flash 'applications', like a video/audio player storing settings like volume levels.

Re:Remind me why

[Wingman+5]

I can give one good legitimate example, flash games. It allows you to save your game and allow a more complex game that that could need more than one sitting to beat.

Re:Remind me why

[chromas]

Using a browser cookie, generate the page calling the Flash applet and pass an identifier as a parameter.

Re:Remind me why

[Cryacin]

When spoken in the context of Flash, then yes, it makes perfect sense to not have those pesky 'shared objects' aka cookies on your machine.

However, with the advent of Flex (now Flashbuilder to confuse and confound more), there are many applications out there that legitimately store information on the client.
There has been a large mention of games already, but to that mix, I would add business software. There are many RIA's out there that manage data and distribution using Flex, and hence, pull a large amount of information from servers. Yes, sure, you could reload the data every time that you navigate away from a particular flash harness page, or you could store data within the shared object and not need to spend the vendor's bandwidth, nor stuff the client's pipe with information that was just sent a few minutes ago.

With the introduction of P2P channels in Flex 4, this opens up a whole range of possibilities to send data to a cluster of peers on a destination network, rather than clogging up outgoing pipes with information. There are a range of business cases for this technology.

That said, however, there is a need to curb the wild west attitude to data storage. There should be an option to default allow/deny/question whether Shared Objects should be allowed. Currently it is auto accept up to 100kb which falls outside of many legitimate applications anyway. Most importantly, there should be an option to always allow shared objects from a particular website.

We can't let the abuse of a technology proclude us from legitimate use when there are perfectly valid and reasonable strategies to manage and distinguish between positive and negative use cases.

Re:Remind me why

[DragonWriter]

There are a number of flash based games which use the flash cookies to save info you might want around so you don't have to start from scratch each time.

If its a flash-based game on an account-based site, you could just save the state to a resource on the server linked to the user account and restore it from that the next time the user opened the game.

This also doesn't rely on the user using the same browser to continue the game.

Re:Remind me why

[sopssa]

That really adds unnecessary complexity. There are tons of those flash games sites and they would all need to generate same kind of database scheme or make a standard on how you pass the data between the site and flash applet.

Instead more controls about it is the way to go. Personally I would also like an option to globally disallow all cookies, but let it ask me if I want to save data.

I noticed earlier today that theres beta of 10.1 out and interestingly it also supports hardware accelerated video with NVidia cards. Lowered dramatically CPU usage when playing video in full-screen. Seems that this private browsing thing isn't included yet tho.

Re:Remind me why

[DragonWriter]

However, with the advent of Flex (now Flashbuilder to confuse and confound more), there are many applications out there that legitimately store information on the client.
There has been a large mention of games already, but to that mix, I would add business software. There are many RIA's out there that manage data and distribution using Flex, and hence, pull a large amount of information from servers. Yes, sure, you could reload the data every time that you navigate away from a particular flash harness page, or you could store data within the shared object and not need to spend the vendor's bandwidth, nor stuff the client's pipe with information that was just sent a few minutes ago.

Doesn't HTTP define a whole slew of metadata headers and specified caching behavior to specifically address this kind of thing? Why build "rich" web apps that don't leverage HTTP features that specifically address the need you are dealing with?

Re:Remind me why

[Rejemy]

Flash cookies are shared by all browsers.

Re:Remind me why

[Rejemy]

It's very useful for games. Let's say you've made an online game, and you want settings for things like volume, key controls, etc. Sure, you could have the server remember those things and send them up to the flash player each time. But what if you have a different keyboard at home and want a different key layout? What if you want the volume off at work, but on at home? These are perfect applications for client-side flash variables.

Re:Remind me why

[DragonWriter]

Flash cookies are shared by all browsers.

On the same computer, sure; I was somewhat imprecise in my language. When I referred to a different browser, I really meant a browser on a different computer. Transparency to the use of which is, I would think, one of the main reasons to want to use an internet-based application (game or otherwise) rather than something locally-installed.

Re:Remind me why

[BoppreH]

You talk like if it's the game developer fault that browsers treat Flash cookies differently. It's not the Flash player that controls what will be erased when the user clears his navigation history.

Re:Remind me why

It's very useful for games. Let's say you've made an online game, and you want settings for things like volume, key controls, etc.

I can give another good and equally redundant example, flash games. Online games are a major user (as opposed to abuser) of storing data with Flash. There are some that actually are complex and long enough (and fun, too!) to warrant a save function.

Re:Remind me why

[davester666]

> Because Advertisers are the customers, and they....

Fixed that for you. People with the flash player aren't customers of Adobe's, because they aren't paying Adobe anything.

Just like, up until very recently, cell phones were designed for the needs of the manufacturers customers, namely wireless carriers, and as such, were designed [and/or redesigned] to meet the desires of the wireless carriers. If actual end-users liked the design and/or specific features, those features had to be removed :-)

Re:Remind me why

Sorry for comment hijacking.

Adobe provides Flash Settings Manager to allay your privacy concerns. Of course, it is not very user-friendly for average Joe but average Joe probably can't be bothered about privacy anyway. And there is "Delete All" button as well, for paranoids.

Re:Remind me why

[abulafia]

Doesn't HTTP define a whole slew of metadata headers and specified caching behavior to specifically address this kind of thing? Why build "rich" web apps that don't leverage HTTP features that specifically address the need you are dealing with?

HTTP page caching doesn't have semantics for things not of 'document' granularity. Think database records. People want to use these things as front ends to corporate directories and whatnot, be able to futz around with them on a plane, and have them sync when they're back in touch with the mothership. HTTP doesn't try to provide anything at all close to record level caching.

Re:Remind me why

The "added complexity" is a small Javascript which sets a browser cookie when the Flash object needs to store information and reads a browser cookie when the Flash object wants to read back its stored information. That script could very well be part of the standard "create a Flash object" cross-browser script that Adobe publishes on their website for Flash developers, thereby reducing the overhead for developers to zero.

Browsers should really be the only arbiter of state and information about the local system. If Flash wants to store/load some state or get a list of installed fonts, it should ask the browser, not the OS. Flash is supposed to be a plug-in, not a standalone application. A plug-in should obey the restrictions imposed by the host program. IMHO the plug-in interface needs to be changed to include a sandbox to prevent plug-ins from accessing storage and other information leaking system APIs.

BTW, I don't give a rats ass about private browsing modes. I configure my browser like that by default. My browser of choice doesn't even have a private browsing mode. If that means that Flash will happily store Flash cookies, then that's a complete privacy failure. Well, it would be if I allowed Flash in my primary browser or had not prevented it from creating persistent state in the other browser. Flash will not be back in my main browser before it stops giving advertisers more information about my system than the browser alone would.

Re:Remind me why

Flash cookies are beyond the control of the browser. For example, they're shared between all browsers that use the Flash plug-in, so no single browser can simple delete them: The user most likely will not understand that "delete all cookies" means that his highscores in the other browser which he uses for games are also going to be deleted.

A Flash game developer could use browser cookies to store state, but of course they won't, because it's easier to use Flash cookies and they're more likely to survive, because most users don't know they're there, let alone how to delete them. This is very clearly Adobe's fault. The introduction of a form of persistence separate from browser cookies was unnecessary and the privacy user interface is an abomination. An improvement of the user interface is hardly enough. Flash cookies need to go, period.

Re:Remind me why

[digitalunity]

Your example of cell phones is apt in this case. Innovation in the cell phone industry has been limited to what carriers will allow. I hope Google starts a trend to buck the subsidized phone business.

Cell phones have been capable of so much more for a long time, but in this case the true customers are the carriers - not the end users.

Flash is in an almost identical situation. Allowing even savvy end users to manage their privacy would hamper advertisers efforts to track us. Flash is a dominant force because everyone uses it. If there is fragmentation, Adobe will lose it's power, mindshare and eventually its revenue.

Re:Remind me why

[NicknamesAreStupid]

Maintaining state has been the holy grail and tar baby of AI and advertising. You can't think about much without it, and you can't respond well with much of it. Advertisers need just enough of 'state' to justify their existence, e.g., "Our reader, John, saw our ad and bought your product!" But if they get too much, they can find their revenue source compromised, e.g., "80 million other viewers did not."

Re:Remind me why

And what about Flash projector mode? Are you going to require that running a Flash projector has to load up a browser so that it can get a cookie despite the Flash projector not actually being embedded in a page and thus would be using a localhost cookie anyway...the way Flash exists, as an embedded but standalone type, it makes sense for it to manage its own data (just like PDF viewers can keep track of the last page read, you wouldn't expect the PDF viewer to store this in a cookie, would you?)...the only thing that never made sense was the extreme persistence of this data, even when the browser is supposed to be cleaning up after itself. Your 'solution' is both naive from a webapp standpoint as well as naive of Flash in general.

Re:Remind me why

[chromas]

Actually, that was just a hack I thought up that doesn't require change on the part of Adobe. As others have pointed out, Flash should behave differently when working as a plug-in. Perhaps the Persistant Objects could just be an abstraction for browser cookies or at least use the cache directory while being plugged.

Re:Remind me why

[Rossman]

"There should be an option to default allow/deny/question whether Shared Objects should be allowed."

There is: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html

You can also whitelist and blacklist sites in that same Flash Global Settings Manager :)

Re:Remind me why

[izomiac]

I have to wonder why they don't use normal browser cookies... Is having 100k of storage so important as to reinvent the wheel?

Re:Remind me why

[gmack]

Funny.. I just went through there and I don't see any whitelist or blacklist entries. I do see one for trusting files at certain locations but that has nothing to do with what sites can store info on the computer.

In addition, disabling "allow third party sites to access information on your computer" Does not actually prevent flash for creating files on my drive for each flash site I visit. It only prevents the few useful sites where I had saved settings from doing so.

Re:Remind me why

[ytpete]

Sorry, but that's really disingenuous. Flash is stateful for the same reason that Google Gears and HTML5 add stronger persistence functionality to browsers – web developers are demanding it as they write increasingly complex apps and more user data moves into the cloud. Flash is increasingly being positioned as a serious development platform, so web developers are the true customers here.

Re:Remind me why

Flash cookies are beyond the control of the browser.

Actually, from what I've heard, Adobe (and Macromedia before them) have wanted to hook into the browser's "clear cookies" UI for a long time. But the browsers control the plugin API, UI hooks, etc., and if they're uninterested in playing ball then the two sets of data are stuck in separate silos.

The introduction of a form of persistence separate from browser cookies was unnecessary and the privacy user interface is an abomination.

You make it sound like Flash 'cookies' were added solely because they're harder to clear than browser cookies. Adobe just loves evil, yeah! Actually, Flash shared objects provide additional capabilities that browser cookies don't, such as the option to request additional storage space from the user. This falls into the traditional scope of Flash features: browser provides some minimal functionality, with API improvements years away if they will ever come at all, and Flash steps in to fill the void. Don't like it? Help get those browsers up to speed, buddy.

An improvement of the user interface is hardly enough. Flash cookies need to go, period.

I don't get this argument. Why are browser cookies ok, then? Aren't they the same concept, except with a more readily accessible UI?

Re:Remind me why

[ytpete]

Shared objects actually provide a bunch of stuff that the bare-bones browser APIs don't. See here: http://livedocs.adobe.com/flex/3/langref/flash/net/SharedObject.html

Also, shared objects can store far more than 100k of data if the user grants permission to the app. Storage limits are set on a per-domain basis.

Re:Remind me why

Flash cookies need to go because they (unexpectedly for most users) duplicate functionality that the browser already provides. No, additional storage is not a valid excuse. Web games don't trust local storage for anything but a unique identifier (or if they do, they really shouldn't.)

When Flash is the application environment (i.e. not inside the browser), then I can see how there needs to be an API for storage, but in the context of the web browser, the data model is server-based. Users do not expect to have local data in a web browser. This expectation should not be created. Storing data locally breaks one of the key advantages of using a web client: You can no longer simply use another computer to get your data. DOM storage is the same kind of mistake.

Flash is Adobe's foot in the door for network delivered applications, and the API is proof of that. Flash is not a browser plugin, it's a browser parasite.

Re:Remind me why

Adobe provides Flash Settings Manager [macromedia.com] to allay your privacy concerns. Of course, it is not very user-friendly for average Joe but average Joe probably can't be bothered about privacy anyway. And there is "Delete All" button as well, for paranoids.

And all those paranoids will be really pleased when they find out that clicking the "Delete All" button only removes the cookies from the list in the Flash Setting Manager and NOT from the hard drive. They're still there under ~/.macromedia, in two different subdirectories.

Re:Remind me why

But Adobe's CEO/President doesn't go around screaming "DEVELOPERS DEVELOPERS DEVELOPERS DEVELOPERS!" so your argument that it is being positioned as a serious development platform is inherently flawed.

Re:Remind me why

I dont think that slashdotters understand you they are IT guys mostly.... they are on VPN....

Advertisers are biggest customers to Adobe.

Re:Remind me why

If its a flash-based game on an account-based site, you could just save the state to a resource on the server linked to the user account and restore it from that the next time the user opened the game.

In some cases, yes. However, there are various issues relating to the number of different developers creating Flash games (who often have no association with the sites hosting the games), the reluctance of some people to bother with logging in, and the viral nature of Flash games (where plenty of people visit a site because they were linked to that specific game, and the have no interest in the site itself).

That being said, there are some solutions available. For example, Mochi Media (best known for pre-game ads in Flash games) have added account-based data storage that's tied to the accounts they already use for microtransactions. Since they're not tied to a specific site, it's a better solution for games that wind up on a lot of sites. But you still have people who are reluctant to sign up.

Re:Remind me why

[rsborg]

HTML5 has client-side storage. Yet another reason why Adobe wants HTML5 to be delayed or blocked altogether.

Re:Remind me why

[Rossman]

Funny? No, what's funny is that you went there and clearly didn't look very well.

It's right here, and it's under the fairly obvious title of "Website Privacy Settings".

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html :)

Re:Remind me why

[gmack]

On here that only seems to change the camera and microphone settings. No reference at all to file storage.

Anyhow that page has always been on "always ask" and I still get cookies.

Re:Remind me why

[DragonWriter]

HTTP page caching doesn't have semantics for things not of 'document' granularity.

First off, that's not true: HTTP/1.1 supports both partial GET requests (using the Range header) and caching partial GET requests, so it does have semantics for things not of "document" granularity, including caching them.

Second off, even if it was true, its not meaningful, since HTTP doesn't restrict what can be a "document" (or, in HTTP terms, a resource.) So even if it did only support caching "full" rather than partial GET requests, it could still cache at any level of granularity set by the architect of the particular application, all within the regular HTTP/1.1 scheme with no proprietary extensions.

HTTP doesn't try to provide anything at all close to record level caching.

HTTP provides exactly record level caching, if your record is accessible by a GET request to a specific URL, or as a specified byte range of a specific URL.

Re:Remind me why

[DragonWriter]

You talk like if it's the game developer fault that browsers treat Flash cookies differently.

Who chose to use Flash, again?

Re:Remind me why

[BoppreH]

People who want to provide small games for masses or marketing products.

Re:Remind me why

[abulafia]

First off, that's not true: HTTP/1.1 supports both partial GET requests (using the Range header) and caching partial GET requests, so it does have semantics for things not of "document" granularity, including caching them.

Well, yes, and if you want to do byte-range seeking over structured data in Javascript, be my guest. Some of us use DBMSes for a reason.

HTTP provides exactly record level caching, if your record is accessible by a GET request to a specific URL, or as a specified byte range of a specific URL.

Sigh. Let me know when you have that on/offline groupware system built on top of your browser cache done, 'kay?. In the mean time, I think most sane folks are looking forward to using client side storage.

The point being, of course, that yes, you could do that, much like you could also cook your dinner on a car engine. That doesn't mean that your car has "stove semantics".

Re:Remind me why

[DragonWriter]

Well, yes, and if you want to do byte-range seeking over structured data in Javascript, be my guest. Some of us use DBMSes for a reason.

But, since (as I stated in the next paragraph), HTTP doesn't impose any limit on what a resource is, there is no reason a single database record can't be a full resource so that you would never need to use or cache range queries to do record-level cacheing.

In fact, quite a lot of web applications use a model where a collection located at http://www.example.com/foos has individual resources accessible through http://www.example.com/foos/bar, http://www.example.com/foos/baz, etc. This pretty much directly corresponds to having a DBMS with table "foos" and records with primary keys "bar" and "baz" (and, in fact, that's often exactly what the storage is on the server.) Insofar as the existing web infrastructure is cacheing these responses, record-level cache isn't something HTTP merely supports in theory, its something that it is regularly relied on to provide.

Sigh. Let me know when you have that on/offline groupware system built on top of your browser cache done, 'kay?.

I never claimed that was doable. The reason, though, has nothing to do with HTTP not supporting record-level cacheing -- which it does quite well -- but with the fact caching alone, record-level or otherwise, doesn't do anything to support offline client-initiated updates that are immediately visible to the client but where the corresponding requests to the server are deferred until a connection is available.

Which, AFAICT, is the one and only problem solved by local storage for web apps, whether its provided by Google Gears, Flash, or HTML5.

Re:Remind me why

[abulafia]

But, since (as I stated in the next paragraph), HTTP doesn't impose any limit on what a resource is

You're still abusing a page cache as a record cache. I'm quite aware of the advantages (and disadvantages) of RESTful models. There are reasons why DBMSes do things they way they do, and browser caches do the things that they do, and why wire protocols for web browsing and databses interactions are different. As I said, I don't care how you wish to use or misuse the facilities; have fun!

I never claimed that was doable.

Oh, but it is! Just use your lovely record cache, and store your offline changes in cookies. Then when the client goes back online, your trusty Javascripty goodness merely has to check in with the server and reconcile your cookie-recorded changes. Simple, and clearly how those specs were meant to be used, just like a hash table document store (your browser cache) is a local DBMS.

Which, AFAICT, is the one and only problem solved by local storage for web apps

You seem to be having a different conversation than the one I was. Don't let me stop you, though. But if you want to continue to pick nits, have fun with that, but I'm done playing along, thanks.

Re:Remind me why

[DragonWriter]

You're still abusing a page cache as a record cache.

Its not a "page cache". Its a resource cache. There is nothing in the definition or semantics of HTTP that demands, or even favors, a particular kind of resource.

I never claimed that was doable.

Oh, but it is!

Um, First you attacked a strawman position that I never made, and now you are defending the same strawman. At this point, I think you are now truly arguing with yourself.

Re:Remind me why

[abulafia]

Look up the word "sarcasm" - it might come in handy some day. You can find it in the dictionary, between "muppet" and "twit".

Horay!

[Wingman+5]

Now I can plan that birthday party without anyone knowing.

Re:Horay!

[fuzzyfuzzyfungus]

All my "birthday parties" end up being absorbed by tissues. I'm not sure why I keep bothering to plan them...

Re:Horay!

[catd77]

Well, then they don't find out about the suprise party. OR whatever you call it.

Crontab to Delete Flash Cookies

[baez]

So I've been using this line in my crontab for a long time now without any problems (well no more problems than I usually experience with Flash under Linux):

* * * * * rm -fr /home/me/.macromedia

I think this solves the problem, but maybe I'm mistaken...?

Re:Crontab to Delete Flash Cookies

Perhaps just "sudo chown root:root /home/me/.macromedia" to prevent flash from storing files to begin with?

Re:Crontab to Delete Flash Cookies

sudo chown 0:0 .macromedia
sudo chmod 0000 .macromedia

Re:Crontab to Delete Flash Cookies

[Bottles]

The other option is to make that directory non-writable, which is what I've done on every machine I own.

Re:Crontab to Delete Flash Cookies

[baez]

I like the idea of chown/chmod on the directory. I'll have to give that a shot.

I did just look again, and it appears that they've changed the storage directory to:

/home/me/.adobe/Flash_Player/AssetCache

Re:Crontab to Delete Flash Cookies

I tried that and found some sites no longer worked. The "Zero Punctuation" videos were one I remember

Re:Crontab to Delete Flash Cookies

[mister_playboy]

You are correct... I didn't know about that directory. Thanks.

That's simply not an adequate response

Sorry Adobe, but it's time for HTML5.

Re:That's simply not an adequate response

[Rejemy]

By which you mean "it's time for HTML5 in 3 years when IE9 penetration is high enough, assuming IE9 supports HTML5 when and if it comes out".

Re:That's simply not an adequate response

[catd77]

OR If everyone somehow miraculously switches to a web browser like Firefox or Chrome that are actually safe and fast.

Re:That's simply not an adequate response

[westlake]

Sorry Adobe, but it's time for HTML5.

Whn will there be a final HTML 5 standard to support?

Re:That's simply not an adequate response

Sorry pal, the hot linking alone makes HTML5 an economic liability to the Web 2.0 business model. While it may make head way in niche markets it will never take the top spot in sites that people actually want to visit. I'm afraid unless you got something cooking today that Flash is going to be king for at least another few years.

You may bemoan MS for catering to the non-open-as-in-speech crowd but these are the people with the real pull. MS (on the internet) is pulled by vendors, not the other way around.

Re:That's simply not an adequate response

[kiddygrinder]

it may be faster but the last time i used it oprah web browser gave me cancer. ymmv.

Re:That's simply not an adequate response

[fermion]

Hopefully competition will push Flash to become less user hostile. Control of flash cookies is a step forward, but not enough. First, browsing is almost impossible when flash cookies are set to "ask". I think they might be doing this on purpose.

What we make me want less opposed to flash is if the site included an option to not autoplay flash content. True, we can use flashblock, but if flash is truly a tool for the user, and not just a way to deliver advertising, this little tweak should not be such a huge problem.

Re:That's simply not an adequate response

[mcbutterbuns]

Maybe when Adobe stops blocking the HTML5 spec.

Re:That's simply not an adequate response

[JackAxe]

Sorry Adobe, for this guy's ignorance.

Re:That's simply not an adequate response

[ytpete]

That statement has been pretty widely discredited by now.
(note: first link includes NSFW illustration)

Re:That's simply not an adequate response

[Hurricane78]

Depends. Will there still be people who don’t have the balls to stand up to their customers and say: Get a real browser, or fuck off!

Interestingly you can exactly see how this would work, if those people had balls, by looking at flash support on websites: If you surf with an old Flash plugin, you will often simply get a “please update your Flash plugin“. Even on the biggest sites?

And? Does it drive away anyone? No. Not significantly. Everybody just updates Flash and is done with it.

The same thing would happen with IE and HTML5. Imagine the following:
1. You surf to Google, or YouTube, etc.
2. “Sorry, your browser is extremely outdated, buggy, and a huge security risk (read more). To protect yourself, gain millions of new possibilities, and see our site in its full glory, please update to one of those modern browsers: [List of browsers]”
3. What do you think happens? Pretty much every user will just click one of the links, wait 1-2 minutes, then click “open”, “next”, “next”, “next”, “done”, and be done with it.
4. User will never want to go back.

Firefox extensions

[pydev]

Get FlashBlock or NoScript to turn off flash altogether.

Get BetterPrivacy to automatically delete Flash cookies on exit; it seems to work well.

Re:Firefox extensions

No flash?
I think you're forgetting why people use 'privacy-mode'.

Re:Firefox extensions

[JackAxe]

This is why plug-ins are good, they can be blocked. Do you have any recommendations on a way to block those advertising pop-up bubbles?

Re:Firefox extensions

[Hurricane78]

Even better: Get netcat to turn off images, CSS, HTML, and graphical renderers entirely. ;)

Re:Firefox extensions

[pydev]

Like porridge, privacy has to be just right: neither too much nor too little of it is good.

Oh snap...

[FF8Jake]

This will also introduce the "alert('omigoshhaxedurflashcookie')" vulnerability.

Better Privacy extension

[harmonise]

This feature is here now for Firefox users with the Better Privacy extension.

FLASH, another word for BEND OVER

bend over baby

Burn All Flashes

[Renderer+of+Evil]

Remember this site? http://burnallgifs.org

We need a similar campaign for Adobe Flash. It's dinosaur technology built for the internet stone age. Time to get rid of it for good.

Re:Burn All Flashes

[BoppreH]

I'm not sure about you, but I prefer playing Flash games instead of downloading suspicious .exe files.

If you don't play Flash games, it's not a good reason to forbid everyone else to do so.

Re:Burn All Flashes

[Fex303]

Ah yes... because that campaign was completely successful.

I can barely remember the last time I came across a site that uses GIF images...

Re:Burn All Flashes

[blitzkrieg3]

burnallmpegs.org makes more sense, since it's technologies like h.264 that are preventing widespread use of the tag.

Re:Burn All Flashes

[BoppreH]

I bet you can't remember the last time that you came across a site that uses patented GIF images, which was the point of the campaign.

Re:Burn All Flashes

[larry+bagina]

The point of the campaign was to sit around pulling their pud for 5 years until the patent expired? Are they also in charge of the "Don't re-elect Barack Obama in 2016" campaign?

Re:Burn All Flashes

[ytpete]

It's dinosaur technology built for the internet stone age. Time to get rid of it for good.

I get this funny feeling that you know very little about Flash. Coming from a background of AJAX / DHTML development, to me the Flash "platform" actually feels far more modern, stable, and well-designed (for web app development) than anything else out there. If anything, DHTML is what feels like an outdated hack on top of an even more ancient tech stack, little of which was designed with its current uses in mind.

Re:Burn All Flashes

[Hurricane78]

Extremism — “The choice of the wise man.”(TM) ;)

Apostophe usage problem

[sych]

"The world rolled its eyes when the problem of Flash cookies came to light several months ago.[...]"

There, fixed that for you.

Re:Apostophe usage problem

[noidentity]

I think the original was just missing quotes. I read it as

The world rolled, "It's eyes!" when the problem of Flash cookies came to light several months ago.

where they were using the 19th definition of rolled: 19. To make a sustained, trilling sound, as certain birds do. In other words, it was another way of saying they Tweeted it. Clearly they were referring to the fact that these cookies flashed a bright light, and were answering the question of the thing they affect. Their answer was "it is eyes!". Simple, really.

Re:Apostophe usage problem

You spelled apostrophe wrong, dick.

Re:Apostophe usage problem

Apostrophe

You better be careful with my Flash cookies

[BoppreH]

That's where I store my saves for sites like Kongregate.

Please, think of the Flash games.

Re:You better be careful with my Flash cookies

That's where I store my saves for sites like Kongregate.

Please, think of the Flash games.

Isn't this patented?

http://www.freepatentsonline.com/6714926.html

Surf with VM and revert to snapshot

[OnTheEdge]

Surf using a virtual machine and revert to a stored snapshot upon close. Problem solved.

Re:Surf with VM and revert to snapshot

[AusIV]

It seems a tad excessive to have all the overhead of an operating system for private browsing.

A technique I've used before was to use UnionFS with a ramdisk over my .mozilla folder. All changes during the session would be written to RAM, and once I no longer needed the session I'd destroy the RAM disk.

And after that..

[Peter+Cooper]

After that feature, could they make Flash respect the "Block Pop Up Windows" features in Safari and Firefox? I expect NO popups when I have this set.. yet Flash seems to be able to open them still!

use 'shred' not 'rm'. or encrypt your hard drive.

[ericbg05]

So I've been using this line in my crontab for a long time now without any problems (well no more problems than I usually experience with Flash under Linux):

* * * * * rm -fr /home/me/.macromedia

I think this solves the problem, but maybe I'm mistaken...?

That depends on your threat model. Your cron job might keep your kid brother from discovering your cookies. If you *really* don't want people to know what flash is caching, I'd s/rm -rf/shred -uf/ there for starters. Then I'd think about putting my whole OS on an encrypted partition (trivial these days with Fedora, not sure about other distribs).

Of course, you still have problem with sniffing and all manner of malware, all of which could defeat your goal of preventing people from knowing what kind of flash content you're downloading.

I hung out with Bruce Schneier for a 1-hour talk once. If you want to scale up your paranoia further, you can do what he does: never let your computer touch a network or another person's hands. He has no wireless card, never plugs an ethernet cord into the slot, and never gives his compy to anyone else. Very difficult to sniff traffic that doesn't exist (but not impossible).

Change Permissions on Flash Cookie Directory

[caffeinejolt]

A while back I got tired of everybody tracking me online so I cracked down on permanent browser storage. I ended up getting rid of all cookies on browser close and ran these commands:

rm -rf ~/.macromedia/Flash_Player/*
rm -rf ~/.adobe/Flash_Player/*

With sudo:
chown -R root.root /home/user/.macromedia /home/user/.adobe/Flash_Player/
chmod -R 0600 /home/user/.macromedia /home/user/.adobe/Flash_Player/

The flash cookie problem was solved and I have not noticed anything has changed. Of course, I don't really see much flash other than flash ads - so it might break some things I am unaware of.

On windows the same directories are stored elsewhere - but the same overall technique should work fine I would think.

Re:You said you prefer suspicious .exe files

[BoppreH]

You are telling me that the chances of getting a virus from a .swf file is the same as a .exe one? Really?

Yeah, there are exploits every now and then, but I have yet to know someone affected by them.

be sure to fully close between session types...

from the article:
"Likewise, if the browser is in normal browsing mode when the Flash Player instance is created, then that particular instance will forever be in normal browsing mode (private browsing is turned off). Accordingly, toggling private browsing on or off without refreshing the page or closing the private browsing window will not impact Flash Player."
so be sure you close all your ff windows and fully close, then start a fresh session, and enter private browsing mode before hitting any sites, then fully close and start a fresh session before resuming normal browsing.

Re:be sure to fully close between session types...

Spoken like someone who has never used FF's private mode.

Hint: It closes your current Firefox process(es) and launches a new one in private mode.

Overreacting?

[BoppreH]

The website knows that I'm the same person as before. So what?

Can someone explain me how can this be used against me if the cookies are stored in my personal computer?

Re:Overreacting?

The reason is that third party ad sites use Flash ads.

You visit site A which is about midget pr0n, third party site drops a cookie there.
You reset your IP address.
You visit site B which is about beer bongs, same third party sees the cookie it dropped when you were at site A, stores that info combined with your IP in a database.
You visit site C which is about fart lighting, same third party fetches the LSO and knows that you have been to the above two sites even though you had "pr0n mode" active on your browser which clears cookies.

On some sites, every page you click on, ad servers check the LSO and can build a definite profile on you that follows you even if the browser clears cookies, and even when you change IPs.

Later on, you enter some username/password information in on a site. *bam* They now have a name to the profile and browser history. This now can be sold to anyone who wants it, be it an estranged spouse, a would-be employer, or an adversary in a lawsuit who will use the information in front of a jury to humilate.

This is a great boon for data miners, not a good thing for consumers.

Re:Overreacting?

[BoppreH]

That would be indeed very disturbing, but your hypothesis is technically flawed.

Flash files can not access cookies placed by other domains, i.e. the cookies are partitioned. Pay a visit to your Flash cookies directory and this differentiation becomes very clear, there's a different folder for each website domain.

Re:Overreacting?

[base3]

Yeah, but the advertising networks that advertise on the midget pr0n site, the beer bong site, the church site, etc. are all pushing Flash ads from the same domain and know what sites their ads were served from, so his hypothesis isn't all that flawed.

Re:Overreacting?

[BoppreH]

The problem of tracking a user is when he/she enters personal info and it gets indexed. You don't do that with ads, do you?


Without that, all they have is a user number. Back to the beginning:

The website knows that I'm the same person as before. So what?

Re:Overreacting?

[base3]

Do you think the ad networks never buy information from the using their ads?

Re:Overreacting?

[base3]

And a P.S. to that one: Google and MSN are two pretty huge ad networks. So anyone using Gmail or MSN can be tracked trivially by Google and Microsoft across sites using their respective ads. And perhaps some people give valid information when signing up for webmail . . .

Re:Overreacting?

[ArsenneLupin]

The problem of tracking a user is when he/she enters personal info and it gets indexed. You don't do that with ads, do you?

No, but some forms might still use the GET method instead of POST. In that case, your form submission becomes part of the URL, and is visible to any ad included in the landing page via the Referer header.

Plus any other number of possible subtle leaks.

Re:use 'shred' not 'rm'. or encrypt your hard driv

[solevita]

I hung out with Bruce Schneier for a 1-hour talk once. If you want to scale up your paranoia further, you can do what he does: never let your computer touch a network or another person's hands. He has no wireless card, never plugs an ethernet cord into the slot, and never gives his compy to anyone else. Very difficult to sniff traffic that doesn't exist (but not impossible).

That must make keeping his blog updated tricky though...

This doesn't really solve the problem...

I thought that the main problem wasn't that flash stored its own cookies, but that it doesn't separate the cookies by each flash program/website. The main problem being that any flash program can access the information. All this "private browsing" feature seems to do is delete the cookies, but if you delete the cookies after each session then what's the point of using cookies to begin with?

Re:This doesn't really solve the problem...

[Rejemy]

That is incorrect, at the most permissive mode, a flash program can only access cookies from the same domain as where it was loaded from.

Re:This doesn't really solve the problem...

[BoppreH]

It's a different issue, but localhost is considered a domain, thus making all local Flash files share cookies.

On OS X...

On OS X just delete all the downloaded content & local shared objects, then lock the folders:

~/Library/Caches/Adobe/Flash\ Player/AssetCache
~/Library/Preferences/Macromedia/Flash\ Player

Flash thinks it can save local shared objects, so things like Pandora work (if you're in to that -- I'm not), but nothing is actually saved.

Using the "locked" flag on the folders is better than using restrictive permissions since apps and installers often require you temporarily grant them admin privileges to reinstall or fix their folders if they don't like the permissions. They usually don't, however, look for the locked flag, nor know how to change it / work around it.

Please don't tell Adobe you can do this.

Re:On OS X...

or you can use Flash Settings Manager

Re:On OS X...

[mrmeval]

Is this like the immutable bit?

I'm to the point of spawning a bunch of ram drives when I start firefox which are destroyed when I close it.

Re:On OS X...

Yes, it's the immutable flag, although it behaved differently before OS X. The Finder in OS X gives GUI access to the immutable flag, allowing you to easily mark a file "locked" or "unlocked."

I like the RAM drive idea.

Re:use 'shred' not 'rm'. or encrypt your hard driv

That must make keeping his blog updated tricky though...

He probably uses many machines, one per threat model.

HTML5 is not an adequate response

[Dr.Syshalt]

Does HTML5 provides for the same level of rich client platform development as Flash/Flex? With numerous widgets just like in Motif/MFC, just easier to use? (MXML just shines in GUI development, far beyond of what Motif/MFC/AWT/Swing offer).

Does HTML5 allows you to play video with some advertisement in a running text over it?

Does HTML5 protects your video site from hotlinking? I.E. can you make sure that nobody can embed your videos into their pages and make sales while you pay for the bandwidth?

Sorry, HTML5 'video', 'audio' tags and other dings and wistles... you have your place (probably on YouTube), but you ain't gonna replace Flash anytime soon. Especially not on commercial sites (like pr0n tubes), not for RCP development either. World needs a full-blown rich client platform for the browsers and so far Adobe has been the only one who were able to provide a cross-platform, browser-independent solution. And they did it quite well, despite of some quirks. Sun with JavaFX has failed... would you like MS to take over with their Windows-only Silverlight technology?

Re:HTML5 is not an adequate response

None of those things should be done in the browser. NONE OF THEM.

Re:HTML5 is not an adequate response

Does HTML5 provides for the same level of rich client platform development as Flash/Flex? With numerous widgets just like in Motif/MFC, just easier to use? (MXML just shines in GUI development, far beyond of what Motif/MFC/AWT/Swing offer).

Sure. HTML combined with CSS and Javascript / AJAX will do 80-90% of what Flash is used for.

Does HTML5 allows you to play video with some advertisement in a running text over it?

Sure. Just use a CSS layer.

Does HTML5 protects your video site from hotlinking? I.E. can you make sure that nobody can embed your videos into their pages and make sales while you pay for the bandwidth?

This is a HTTP issue and server side security issue. It is trivial to grep a Flash file for the raw SWF download location most times.

Sorry, HTML5 'video', 'audio' tags and other dings and wistles... you have your place (probably on YouTube), but you ain't gonna replace Flash anytime soon. Especially not on commercial sites (like pr0n tubes), not for RCP development either. World needs a full-blown rich client platform for the browsers and so far Adobe has been the only one who were able to provide a cross-platform, browser-independent solution. And they did it quite well, despite of some quirks. Sun with JavaFX has failed... would you like MS to take over with their Windows-only Silverlight technology?

Hardcore Flash games I can see and some super heavy duty flash "applications", but so often this can be done in HTML with CSS / AJAX. The designers are normally just clueless and have no wish to learn code or how stuff works after taking their 1-week Adobe course and getting accreditation as a "web developer".

Re:HTML5 is not an adequate response

Does HTML5 provides for the same level of rich client platform development as Flash/Flex? With numerous widgets just like in Motif/MFC, just easier to use? (MXML just shines in GUI development, far beyond of what Motif/MFC/AWT/Swing offer).

Care to offer specifics or just leave it at a rant?

Does HTML5 allows you to play video with some advertisement in a running text over it?

yes, HTML 5 can do this

Does HTML5 protects your video site from hotlinking? I.E. can you make sure that nobody can embed your videos into their pages and make sales while you pay for the bandwidth?

Your web server can do this for you....have it send alternate content

Sorry, HTML5 'video', 'audio' tags and other dings and wistles... you have your place (probably on YouTube), but you ain't gonna replace Flash anytime soon. Especially not on commercial sites (like pr0n tubes), not for RCP development either. World needs a full-blown rich client platform for the browsers and so far Adobe has been the only one who were able to provide a cross-platform, browser-independent solution. And they did it quite well, despite of some quirks. Sun with JavaFX has failed... would you like MS to take over with their Windows-only Silverlight technology?

Sorry, but your ill informed thoughts around HTML 5 and the horrid Adobe Flash / M$ Silverturd proprietary environments blinds you to the reality of where the web is heading. The world does not need a full blown rich client platform in the form of a proprietary, patent encumbered plug-in.

Re:HTML5 is not an adequate response

[h4rr4r]

Not everything should be done in the webbrowser.

Get off my lawn!

Re:HTML5 is not an adequate response

[jo42]

Do not want - have no need - for any of that crap. Want Flash to dry up and blow away like old dog shit.

Re:HTML5 is not an adequate response

[naz404]

Does HTML5 allows you to play video with some advertisement in a running text over it?
Sure. Just use a CSS layer.

Not if you're embedding 3rd-party videos on stuff like blogs, forums, etc the way people embed Youtube et al right now. Flash is great because it gives you a little widget that shows you a whole lot of options like contextual links, etc when embedded in 3rd party websites, giving the viewer the ability to check out related videos,etc.

Hardcore Flash games I can see and some super heavy duty flash "applications", but so often this can be done in HTML with CSS/AJAX.

You obviously are not a game developer and are talking out of your ass. "Easy to port HARCORE Flash Games often to CSS" my ass. CSS/AJAX has no equivalent for the timeline-based animation which makes putting animated stuff in Flash games so easy. Also, Flash has an excellent multi-channel sound API, something which is very rudimentary on HTML/Javascript. Sound is an important part of many games these days for the user experience, and Flash gives developers and the user good access to this.

Also, doing stuff in Javascript/CSS bloats the hell out of downloads since the interpreted Javascript code is in plaintext, unlike Flash which compresses it down to bytecode. Moreover, games built on the Flash platform can be made in a single SWF package which you can redistribute and embed to a whole bunch of different sites, unlike a DHTML-based game. Sure, you can build arcade games with Javascript/CSS, but they will not match the richness and features of Flash games.

Other stuff HTML5 doesn't have: support for microphone, webcam, multi-touch, accurate percentage loaded (down to single bytes) of assets (for preloaders which are important to the user so they can see accurate download progress and see when they can start using the apps), or client peer-to-peer support. Flash does. Let's see you try running relatively complex animated true-3D polygon models with texture mapping *at decent framerates* in DHTML too.

Yeah? That's what I thought. Flash is NOT YET dead.

Re:HTML5 is not an adequate response

in HTML 6 there will be a tag. Then we can get rid of flash.

Re:HTML5 is not an adequate response

[shmlco]

"...will not match the richness and features of Flash games."

All of which assumes that we want them in the first place.

Re:HTML5 is not an adequate response

[JasterBobaMereel]

Flash will soon be dead for video (good)

Flash will then be used only for annoying adverts, annoying websites who can't code and games .... ...there are better games platforms ....

Re:HTML5 is not an adequate response

[ianezz]

Also, doing stuff in Javascript/CSS bloats the hell out of downloads since the interpreted Javascript code is in plaintext, unlike Flash which compresses it down to bytecode.

For this specific point, I believe you can simply gzip your javascript/CSS: web browsers have been supporting HTTP's content-transfer-encoding: gzip for ages. This, of course, doesn't imply that, given a task to perform, an implementation using JavaScript+CSS would be smaller than an implementation using Actionscript (and Flash files could be gzipped as well, where it makes sense).

Re:HTML5 is not an adequate response

[ytpete]

I'm sorry, but whenever I read comments like this I have to ask – how much AJAX web development have you really done? It's easy to build a couple pop-up menus and accordion controls and then decide that DHTML + CSS is all-powerful. But, frankly, it's not even close yet.

I spent years doing bleeding-edge AJAX development, and DHTML is by far the shabbiest development "platform" I have ever used. Frameworks like Dojo help, some. HTML5 will help, some. But it's all wallpaper overtop one core flaw: HTML was fundamentally never designed as an interactive-content development platform. Its programming language is embarrassing. It lacks any mechanism for reusing markup code (componentization). It lacks declarative data binding. It makes animated transitions far too hard. Its layout model is absurdly complex. And that's not even getting into the issues with browser and API fragmentation, backwards-compatibility, etc.

One other question for you: have you ever tried using Adobe Flex? Don't knock it till you try it. It is imperfect, for sure, but it positively screams maturity when you try it after years of banging your head on AJAX development. And sorry, but I just don't see HTML5 turning that around any time soon.

Re:HTML5 is not an adequate response

[dreamchaser]

"All of which assumes that we want them in the first place."

Apparently a lot of people do, given the growing popularity of fairly advanced flash based games.

Re:HTML5 is not an adequate response

[Hurricane78]

Sure. HTML combined with CSS and Javascript / AJAX will do 80-90% of what Flash is used for.

No. XHTML5+CSS3+JS2+AJAX+DOM3+SVG+Video/Audio will not only do 100% of what Flash does. It will do more. Like being able to seamlessly embed everything that Flash does with the rest of the page.
And there is no reason why JavaScript can’t be as fast or faster than ActionScript. After all it’s pretty much the same language.

Here are some examples: http://people.mozilla.com/~prouget/demos/ (Try the movement tracker.)

Re:HTML5 is not an adequate response

[mini+me]

Its programming language is embarrassing.

Objective-J is actually quite nice to work with. Which brings me to my next point which is that frameworks like Cappuccino completely abstract the underlying HTML. At that point your code can just as easily run on top of a generic container that is tuned specifically for applications.

I feel we are on the cusp of actually seeing the write once, run anywhere dream of Java come to fruition. Going back to Cappuccino for a minute: With a little planning, one codebase can already target three platforms: Mac, iPhone, and the web browser. We also know the API is also suitable for Windows and Linux development (see: YellowBox, GNUstep). With a little effort there is no reason why they could not be added as targets also. Mix in the idea of the container specifically designed to support these types of web applications (think ChromeOS) and you suddenly have a very appealing development environment that literally can run anywhere.

Re:HTML5 is not an adequate response

[ytpete]

Objective-J sounds interesting. But it's a real challenge to provide good tools when the runtime language differs so much from the code the developer sees. Can you set a breakpoint and step line-by-line through the Objective-J code? Or are you forced to drop down to the raw compiled JS? When you get an exception stack trace, are there tools to magically convert it from "native" JS back to Objective-J? Hats off if they can solve those challenges.

But Flash's ActionScript language has been able to do all those things for a long time. Right now, today, Flash enables that "write once / run anywhere" dream you're talking about. One codebase can target Win, Mac, browser, iPhone, Android, and more.

Personally, with that already here today I have no desire to hold my breath waiting for someone to fully wallpaper over all of DHTML's inadequacies.

Yeah, nice design

[dangitman]

However, soon enough the next version of Flash, 10.1, will support private browsing and will integrate with browsers to turn it on when the browser itself is in private browsing mode.

That's such an elegant and simple design, that isn't problematic at all! I mean, who cares about essentially having a browser within your browser, as long as your browser can communicate stuff to the other browser, at the whim of each browser developer?

Re:Yeah, nice design

[BoppreH]

Yo dawg, I herd you like browsers...

Re:Yeah, nice design

[ceoyoyo]

It's kind of like the idea of having an OS within the OS. Now the sub-OS gets to run a browser.

Re:Yeah, nice design

[dangitman]

It's kind of like the idea of having an OS within the OS. Now the sub-OS gets to run a browser.

That's so comforting.

Re:Yeah, nice design

[ceoyoyo]

There's always a silver lining. While the rest of the world is running Flash within their web apps within their browsers under their OSes, Intel and AMD will be making faster chips so those of us who prefer a few less layers can have cool toys.

Re:You said you prefer suspicious .exe files

[larry+bagina]

A buddy of mine got a virus from a single white female. He has all kinds of exploits, though ... drinking, fucking, disorderly conduct, etc.

Several months ago?

[NotBorg]

... when the problem of Flash cookies came to light several months ago.

several: of an indefinite number more than 2 or 3 but not many.

Most of us knew about this many months ago. If you only found out several months ago you are behind the curve.

It would be nice if Adobe was responding to an issue that was discovered several months ago but this has been around and known for quite some time. Make no mistake about it Adobe isn't being quick to respond to the issue.

Re:Several months ago?

[XorNand]

I personally implemented a Flash tracking cookie for an e-commerce site I developed back in 2002. The only thing it did was store a GUID. I was using it to track user metrics and remember shopping cart contents. I did it because back then cookie paranoia was much more widespread and people more routinely blocked them. These days, most web users don't seem to care. Perhaps because so many sites nowadays require cookies for basic functionality.

Re:Several months ago?

[ytpete]

Make no mistake about it Adobe isn't being quick to respond to the issue.

I don't know if that's fair. "Private browsing mode" is a relatively new browser feature. How could Flash support a browser feature years ago that hadn't been invented yet?

FlashBlock

[shovas]

Someone mentioned it in passing but I'll say it directly: FlackBlock

I'm not one to turn off the web with NoScript or not contribute to sites I'm visiting by using AdBlock. FlashBlock is a great compromise. Normal ads, no stupid flash instability. Click on the flash when actually want it to run for where it's actually needed. You'll be surprised how well it works.

Re:FlashBlock

Then be surprised no more: http://seclists.org/fulldisclosure/2008/Jul/444
("exploit" link: http://secway.org/pr14/flashblock.htm)

Re:FlashBlock

[cerberusss]

FlashBlock is a great compromise. [...] You'll be surprised how well it works.

What I was surprised about, is after installation: the number of times that the little Flash icon appears. I was like "huh? This page didn't have Flash content before, right?". So I clicked the Flash icon to see what was actually happening and -- nothing happened. Apparently, a number of sites use Flash just as a very tiny, uneraseable way to track users. Regardless of Private Browsing. Mind you, it wasn't a porn site, just a huge eBay-like site in a particular North-West European country.

Re:FlashBlock

Oh shit.

Thanks for the information, now I have to review my web browsing habits.

Re:FlashBlock

[shovas]

That's a good find. I'm confident we'll get better blocking as time goes by.

s/FlackBlock/FlashBlock/

[shovas]

s/FlackBlock/FlashBlock/

Can also use this Flash program.

[antdude]

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html to control your Flash player settings.

Re:You said you prefer suspicious .exe files

[mysidia]

I prefer suspicious .dmg, .img, .iso files, and suspicious printed CDs with suspicious C:\autorun.inf files :)

Flash must die

Anyone EVER visit a flash site and think, "man... wish the designer used MORE flash." Let's just get rid of flash... or at least beat it into submission so it only shows in spaces that make sense... er.... well... I'm open to suggestions.

Re:You said you prefer suspicious .exe files

[mysidia]

That depends on what version of flash you're running, how many unpatched 0-day vulnerabilities it contains, and if the person who constructed the .swf for you knew about them.

On the other hand... by sheer numbers, there are probably more dangerous .EXE files in circulation than .SWF files, numerically speaking.

The suspicious .EXE file almost certainly is highly dangerous... the suspicious .SWF might be (under certain conditions), when not run in a proper sandbox, or with additional precautions such as IDS to jail flash or the browser from running or installing arbitrary code.

You have a much better shot viewing a flash file when running MSIE 8 in Protected mode on Windows 7, than clicking 'run' on a susupicious .EXE file on your windows system, or even suspicious .SH file on your Linux system.

It's all happening again!

[dangitman]

I wonder if there might be a slashdot thread for this slashdot thread?

Sounds great

[Locke2005]

When will Flash 10.1 be available for my Android G1 phone? How 'bout my Wii? How 'bout any device that isn't X86 based? Yes, Adobe's reluctance to support any platform other than a PC is the main reason why I think Flash should die a horrible (but quick) death and everybody should switch to HTML5 instead. Heck, I think even Silverlight is better supported by mobile devices than the latest version of Flash.

Re:Sounds great

[ducomputergeek]

I'm sorry, but I've always found the lack of flash support on my iPhone to be feature, not a bug....

Re:Sounds great

[cbhacking]

Windows Mobile (mostly ARM) and Nokia N800/810/900 (ARM) devices have had Flash for a while. It's typically a version behind the desktop release, but it's the full player,a nd any applet that ran in that version of the player will run on the mobile device.

If it's important to you that your device can play Flash, you have three options: complain to Adobe directly, complain to the device/OS developer, or use a device/OS which already supports it (and has for years). It's obviously not a major technical problem; if Nokia and Microsoft can get it supported, then Google or Apple could too.

Re:Sounds great

[naz404]

When will Flash 10.1 be available for my Android G1 phone?

AIR and Flash Player coming for Android and Mobile Devices. Adobe has been showing demo videos of Flash running on Android phones since last year. This week at the Mobile World Congress in Barcelona, they showed Flash 10.1 and AIR 2.0 running on a whole number of devices. It's running on the Motorola Droid, Google Nexus One and other new Android phones like the HTC Desire & Legend.

They've also got it running for Blackberry and Palm Pre. Symbian has been running Flash Lite for some time now, so you'll also see Flash 10.1 and AIR coming to it. Browser Flash has running on Maemo for some time too, so no problem there.

Yes, Adobe's reluctance to support any platform other than a PC is the main reason why I think Flash should die a horrible (but quick) death

On the contrary, Adobe has been making a major effort to provide Flash for every single device and modern OS out there (The Open Screen Project). The fruits of this can now be seen at the Mobile World Congress where they're showing Flash 10.1 and AIR running on a whole bunch of mobile and internet devices. Check out the list of Adobe Open Screen partners (the only one missing is Apple who refuses to have Flash run on the iPhone and iPad, so Adobe got around that by providing export to native iPhone apps with Flash CS5)

Re:use 'shred' not 'rm'. or encrypt your hard driv

[caluml]

He has no wireless card, never plugs an ethernet cord into the slot, and never gives his compy to anyone else.

Meh. I hacked his computer twice. Once over Bluetooth, and then again over Infrared. All I found were secret plans of his to dominate the world - nothing unusual.

Re:use 'shred' not 'rm'. or encrypt your hard driv

[caluml]

never let your computer touch a network or another person's hands. He has no wireless card, never plugs an ethernet cord into the slot, and never gives his compy to anyone else.

I wonder what it must be like to be as paranoid as him?
And seriously - at what point does a computer lose its usefulness - for me, it's pretty much when it has no network connectivity. I'm at a loss when I'm on a machine with no connectivity. It's like it isn't much use for anything.

next version... HTML5?

Oh look.... private browsing is already a feature in html 5. Just sayin.

In Windows XP

[thethibs]

In the meantime, this will lose them

del /S /Q "C:\Documents and Settings\marc\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\*.*"
rd /S /Q "C:\Documents and Settings\marc\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\"

Re:In Windows XP

[selven]

On Linux, it seems like you need to remove from two places.

rm -r ~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/*
rm -r ~/.macromedia/Flash_Player/#SharedObjects/XDNY2S32/*

Although I might be wrong, anyone more knowledgeable want to confirm/deny/add?

Re:In Windows XP

[cbhacking]

Pretty sure you can shorten that path a lot using the APPDATA environment variable, as in
  "%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\*"
or something like that. At least use "%USERPROFILE%\Application Data\..."

Flash Settings Manager is a Poor Solution

Telling Flash it can't save local shared objects and disabling third party storage through the settings manage is a poor solution for several reasons:

1) Some sites require that local shared objects are enabled.
2) Some sites require that third parties be able to save local shared objects (Pandora, for example).
3) Even with those settings disabled, Flash still stores a null local shared object for each site that requests one, so even though no data are stored within the local share object, Flash is still recording a metadata browsing history of sorts. Or at least it is on OS X; I don't know what it does on Windows or Linux.

Locking the folders solves all of those problems. You can allow first and third party shared objects so that sites work correctly, but block the objects from persisting.

If anyone is curious, you can access the settings manager here..

It probably doesn't make any difference for most people, but if you delete the folders mentioned above, then visit the settings manager to lock in any other preferences, and finally go back and lock any folders and files beneath the paths mentioned above, those settings will be permanently saved -- at least until you unlock them and move them to the Trash.

This is the same Flash

[joeflies]

that everyone's up in a tizzy just because the iPad doesn't support it? Mention iPad, and someone will say "but it doesn't support flash", and for platforms that do support flash, people say they don't want to run it.

Re:This is the same Flash

[BoppreH]

It's all about having the option to choose between privacy and convenience.

Any device that can only run Flash would be equally bashed.

Re:This is the same Flash

Different people have different opinions. Film at 11.

HTML 5

[__aazsst3756]

I don't get why anyone would argue for a closed Flash from a single vendor, when there is a capable open option in HTML 5. The sooner we all move on the better.

The world rolled its eyes

The world rolled its eyes when "it's" was used incorrectly on Slashdot for the 100,000,00th time

Flash Cookies View

[flinchlock]

http://www.nirsoft.net/utils/flash_cookies_view.html "FlashCookiesView is a small utility that displays the list of cookie files created by Flash component (Local Shared Object) in your Web browser. For each cookie file, the lower pane of FlashCookiesView displays the content of the file in readable format or as Hex dump. You can also select one or more cookie files, and then copy them to the clipboard, save them to text/html/xml file or delete them."

um

[Charliemopps]

Wait... flash isn't dead yet?

Re: HTML5 ready

[naz404]

When will there be a final HTML 5 standard to support?

Seriously? In 2022. Read it and weep. http://www.webmonkey.com/blog/HTML_5_Won_t_Be_Ready_Until_2022DOT_Yes__2022DOT

Meanwhile, you should see wider adoption of it by 2012, which is when the world ends.

Cheers! :D

the next version of flash is html5

[binarybum]

the next version of flash will be obsolete, dead on arrival. it will be mourned by few.

Excellent move, can't wait for it

Flash adds a vibrancy to the interwebs that I'd ssooooo miss if it wasn't there. And the efficiency of the flash player is absolutely remarkable. Can't wait for the next version so I can see what wonderful OTHER new features have arrived!

Re:You said you prefer suspicious .exe files

[binarybum]

that's why Mac fans prefer fat chicks, yeah you pay more when you go out on dates and they're not as good in bed, but you don't have to worry about viruses.

But still no x64 Flash...

[Daswolfen]

Thats nice, but where is my x64 (NOT Linux) Flash? Its been 3 years Adobe!

Re:use 'shred' not 'rm'. or encrypt your hard driv

He has no wireless card, never plugs an ethernet cord into the slot, and never gives his compy to anyone else. Very difficult to sniff traffic that doesn't exist (but not impossible).

Also makes it kinda hard to surf for pr0n^H^H^H^Hsurprise birthday parties.

Re:You said you prefer suspicious .exe files

[josath]

It's actually fixed now. And in those two years, there are no known exploits, so it's maybe not as a big of a deal as if it were an actual exploitable hole.

Video "stealing": watch your tcp/http flows

[jonaskoelker]

Does HTML5 protects your video site from hotlinking? I.E. can you make sure that nobody can embed your videos into their pages and make sales while you pay for the bandwidth?

This is a HTTP issue and server side security issue. It is trivial to grep a Flash file for the raw SWF download location most times.

Or you can monitor the HTTP traffic you send to see which URL you're requesting. Or run the Flash in a rigged virtual machine which captures this information.

Whatever server-side test is done to see whether a request comes from someone visiting the server itself or a third party can be fooled; the third party just sends the data that'll make the server say "You're visiting me".

It's an unsolvable problem; any solution is at odds with how the internet works.

Oh those lazy designers!

[ElusiveJoe]

The designers are normally just clueless and have no wish to learn code or how stuff works after taking their 1-week Adobe course and getting accreditation as a "web developer".

Not willing to spend a year learning technologies, which were not intended to be used for games, then spend another year writing some kind of a game engine, which would try to bind these technologies together in a suitable way, then spend another year writing a game development environment for that engine, then at last actually making the game, then testing the game in different browsers, because the JS implementation still varies much between them, then making workarounds for browser incompatibilities ...

But it's the tru way, the slashdotter has shown us!

BetterPrivacy

Ouch, have you tried: BetterPrivacy
Auto deletes flash cookies on exit and/or after a user-configurable expiration timeout.

Cross Platform ?!?

[DrYak]

World needs a full-blown rich client platform for the browsers and so far Adobe has been the only one who were able to provide a cross-platform, browser-independent solution.

Sorry what do you mean by "Cross-Platform and Browser-Independent" solution ?
The damn thing only runs mostly correctly on Windows and Mac OS X, and is half broken on Linux. And that's only 32bits support - the 64bits support is currently catastrophic.
In the 90s, when Windows and Mac OS were the only platforms, your sentence would have had made sense.
In 2010, where smartphones are pervasive, when every single gadget seems to be internet-enabled, Flash is a big problem because it only runs on a fraction of what a modern user may find.
The iPhone has no official Adobe Flash support, for exemple.

Either Flash should die and get replaced by modern standards such as HTML5/CSS/Javascript/etc. (that's my preferred solution)
Or, Adobe should open their Flash and release some freely accessible specifications (and grant free use for any submarine patents) so people like the Gnash dev team could provide 100% compatible support for any platform under the sun.

But the current situation is far from the cross-platform heaven we need.

Re:Cross Platform ?!?

[Dr.Syshalt]

I've developed my recent client-server Flex commercial application on Linux only, using Intellij IDEA + Flex SDK. It looks consistent across all tested platforms, including MacOS and Windows, all fonts, controls etc have exactly the same L&F, everything works on all platforms exactly as it meant to work. So yes, it's cross-platform. Finished it in less then a month - I hate to think about the development time it would take to repeat it in DHTML, with all those browser-dependent JS issues, different font rendering and so on. And I don't give a f*ck about iPhone, actually. If Apple tries to force a developer into using their SDK, it's not my problem.

Misdirected Adobe

[wadeal]

How about instead of developing shit like this they FINALLY release 64 bit Flash for Windows.. Only taken 5+ years so far. If they can't now they should open source flash.

Simple solution

rm -r ~.macromedia/* ; chmod -w ~/.macromedia
problem gone

Why Flash?

[MathiasRav]

Who watches porn in Flash? I thought it was all QuickTime and JPEGs. No need for porn mode in Flash, is there?

Re:Why Flash?

If we tell you, you'll never leave the basement again...

Just delete?

[linuxcoder]

For security, it would have to overwrite the cache, not just delete it.