Facebook's New Chief Security Officer Wants To Set a Date To Kill Flash
An anonymous reader writes: Facebook's new chief security officer, Alex Stamos, has stated publicly that he wants to see Adobe end Flash. This weekend Stamos tweeted: "It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day. Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once."
Why on earth would Adobe want to kill flash?
Can you set an EOL date in the past? Maybe by a decade, give or take a bit? If causality doesn't currently permit that, we should look into patching this functionality into reality as a special case.
Seems as good a time as any.
If you're not using HTML5 by now, you're a fucking dinosaur.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
It took Microsoft cutting the cord on Windows XP to get the majority of people and businesses to upgrade.
Sometimes the only way to fix things is to break them first.
You see, killbots have a preset kill limit. Knowing their weakness, I sent wave after wave of my own men at them until they reached their limit and shut down.
I worked for http://www.boardvantage.com/ this company for a spell. It was a shit company, and a really shit product. Somehow the CTO has convinced Board rooms around the world that the flex client is the most secure thing ever, and every time some flash vulnerability was announced, he could always dance his way around it.
Point being that as long as those in positions of power can be convinced it's a needed evil, it will be a used evil.
Use the same date to turn off Facebook too?
So Facebook wants to decide what will work on the Internet now? I thought that was Google's job.
HTML5 doesn't even work half the time because the browser implementation is off by one.
How about facebook just stop using flash and switch to html5 like youtube has.
Or do I need to put my tinfoil hat on and speculate why certain influential groups might want a large proportion of the internet dependent on a binary only browser plugin.
(yes yes in theory there are open source flash plugins, but nobody uses them because they're mostly broken).
If you're not using HTML5 by now, you're a fucking dinosaur.
Just as people go to museums to see fossils of dinosaurs, people go to Newgrounds, Albino Blacksheep, Dagobah, Homestar Runner, Weebl's Stuff, and the like to view vector animations in SWF format. What would you suggest to convert existing SWF vector animations to HTML5 format or to create new vector animations in HTML5 format?
Windows 7 and 8 include "compatibility mode" for running applications designed for Windows XP. Heck, Windows 7 Pro even included a coupon for a copy of XP in a virtual machine at no additional charge. What would be the counterpart to compatibility mode for running SWF objects?
So many processes have dependencies that are so ingrained in corporate apps it will be impossible to get rid of. We still use IE 6 at work and even XP EOL couldn't kill it due to 2 must have apps which are impossible to ever replace. Our training only works with ancient insecure flash 11 at work due to a 10 year old version of premier which created our slides. Lock the browser out of flash and we will stick with obsolete version.
http://saveie6.com/
Adobe did not kill Flash Player for Linux. It killed Flash Player for Linux NPAPI due to limits of NPAPI. Flash Player for PPAPI was alive and well in Google Chrome for Linux last time I checked.
Uninstall Flash. Just stop using it. Encourage your friends to do the same.
I uninstalled it a couple months ago. I no longer have to worry about updating it or being exposed to the vast amount of vulnerabilities - it should be clear to everyone by now that it is a /major/ vector for infection.
Only a few times have I hit content that still requires Flash - usually sites that have an old Flash video player. Most big sites or sites using modern players happily support HTML5 video. Those that don't I can live without. (Bonus: far less irritating animated ads. For now.)
But make sure you provide feedback to sites that still have Flash - let them know you can't use the site properly. Fortunately - largely thanks to Apple's refusal to allow Flash in iOS - there are fewer and fewer of these today.
Google and Facebook have the right to dictate what ad formats they will deliver. Google further has the right to dictate what file formats Googlebot will index. Historically, it has indexed SWF, but if Google wants to bury SWF, it'll index sites as if Flash Player is not installed.
Too many internet pages rely on Flash for video and advertisements... and, as much as we hate them, advertisements mean money...
I'm not saying that progress isn't being made. Youtube dropped Flash this year and is now using HTML5 as the default for video, but that doesn't fix legacy videos.
http://www.theverge.com/2015/1...
My thought is that Flash will be around for another 3 to 5 years. The quoted "18 months" is just wishful thinking....
I've never seen a Flash update that protects end users from Adobe, not one!! I may get rich off blocking companies looking to profit from me. Or I might not. But in the end what is mine is mine, and fuck you for trying to suck it out of me.
Time is what keeps everything from happening all at once.
Is Professor Zoom the Facebook CSO now? I can't keep up with all the retcons.
In this analogy, Shumway (an independent reimplementation of SWF named after the creature from ALF) would be like switching from Windows to X11/Linux and using Wine (an independent reimplementation of Win32 named after an age-restricted beverage). This isn't the same thing as compatibility mode in Windows, which I'm told uses actual copies of the previous version's DLLs. Is there a counterpart to Wine AppDB for Shumway, to give someone a good impression of how well it will handle the majority of things on Newgrounds and Albino Blacksheep? What can be done when bug reports filed against Shumway for particular URLs remain unfixed for months or years?
Despite flash being a scourge, it would be better for the internet to pick a day to kill off facebook.
One of the (in my opinion) major aspects should not be forgotten: As long as porn sites like youporn rely on flash, flash will not die.
A lot of the content (like Homestar Runner and Weebl's Stuff) is also available via their official YouTube channels. You lose all the interactivity, though.
Rendering the video to pixels and compressing it with H.264 or VP8 bloats files by a factor of ten in my tests. The era of dial-up is mostly over, but the era of monthly quotas and pay-per-bit last miles is still very much with us.
https://addons.mozilla.org/en-us/firefox/addon/watch-with-mpv/
I need BBC News video clip support though as BBC News web developers basically suck at their jobs. They push HTML5 video for iPads which don't support Adobe Flash, but output a message telling everybody else who doesn't have Adobe Flash installed to install it. I DON'T want to f'ing install it you idiots. I like the Guardian better, but they've got fewer articles. The Guardian does appear to do HTML5 by default too.
A software crash is NEVER the fault of the user. Ever. Any developer that blames the user is an idiot. Period.
...is there an equivalent development program for HTML5? Like, would I really have to code absolutely everything including the x,y positions of literally every shape to grace the screen, or is there something with a drag/drop transform interface to modify shapes directly on the canvas?
Didn't see "Alex Stamos - Facebook CSO" on en.wikipedia.org/wiki/List_of_Flash_enemies Perhaps the article needs updating?
Is it possible for major browser vendors to implement a sandbox for obsolete technology? When a tech becomes too outdated, put them in and restrict their functionality, hence reducing the different ways of attack and slowly let them fade away gracefully, giving other people time to update their stuff.
According to Mozilla:
All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues.
Not a peep from Slashdot about this. Thanks for dropping the ball, guys!
kill it!!!!!
Then think about the world-wide pain they perpetrated
Replace the word "Flash" with any other plugin or technology that geeks don't like. Will it still be okay if we go out of our way to kill it and make sure nobody can use it? Replace "Adobe" with "Free Software Foundation". Is that better? How about we talk about the Unity3D plugin? That's a plugin, too, just like Adobe PDF and Java, so that means it's bad. It's easy to pick on Flash and I can't say I really like the plugin, but when organizations with a large amount of industry influence start talking about killbits, that makes me really nervous.
I'd have no problem with Facebook urging other web sites to stop using Flash, especially if they're willing to support development of an alternative. When they talk about actively killing things for the good of the community, that's going too far. This starts leaning to the direction that it's okay to execute prisoners because nobody likes them.
Sometimes I'm really disturbed by the will of the community. I'm already pissed enough that I can't run certain Java applets anymore because the great Oracle says I'd hurt myself if I tried. Heaven forbid they give me a warning and I make up my own mind. As for grandma's computer, I could just configure the web browser to not use Java or install any other plugin.
The TFA page cited in the post has an embedded video. It is the "SoundCloud" video player, which my Ghostery plugin blocked.
Like a good neighbor, fsck is there
considering the fact that if I log in to Facebook from my PC it loads Flash.
Java Applets at the same time. Or maybe mandate a domain whitelisting for applets.
for its videos. Please start by fixing that first.
For those who seek perfection there can be no rest on this side of the grave.
The best time to kill flash was 20 years ago. The second best time is now.
There's plenty of legacy stuff in intranets that require flash that is *not* easily upgradeable, or at least up to the user.
Case example on where I run every now and then in work, Cisco IMC controllers (server management cards).
http://www.cisco.com/c/en/us/t...
Their UI is based on Flash (and Java), for remote console, status data, and so on. If I point a browser to a CIMC server, the first thing I see is "Install flash player" if it's not already installed. Even if Cisco would release an upgrade *today*, how often are people interested in rebooting their servers for firmware upgrades as long as it's running ok?
It worked out really well for everyone on the internet with Windows XP...
Seriously though, great idea for general vulnerability stuff. The internet is full of talented people wanting nothing more than to mess with other generally law-abiding people for their own selfish gain. Quite a sad place now compared to what it was like 20 years ago when it was young and naive. Unfortunately, once Flash is more or less gone there will be other targets, possibly even more aggressive scams, botnets, attacks or whatever else they need to do to get rich quick at everyone else's expense.
Neither Ming the Merciless nor Gorilla Grodd has been successful. Who does this Alex Stamos think he is?
How about an easy to remember date? Something with a lot of 9s, like September 9th, 1999.
I suggest all of you bitching about it uninstall it and then try a porn site. HTML5 has a *LONG* way to go yet.
What did the blue background f say to the red background f? F you.
Getting rid of flash won't improve Facebook. You can't fix stupid.
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
I just deinstalled Flash and tried Spiegel.de again. It still works. One more problem solved :-)
C - the footgun of programming languages
Maybe it'll force all browsers and devices to properly support webm so we don't get crying idiots anymore anytime it's used. GIF belongs in 1995. I can't believe that in 2015, everyone is totally ok wasting shittons of bandwidth on making animations that are color reduced to hell and run at about 5 fps yet weigh in at incredible filesizes, because they're trying to cram shit into it that the format was never designed for. It's like people on horses trying to travel the fucking freeway.
It may not have the security issues Flash does, but it's a problem nonetheless.
I'm so glad there's a move afoot to kill Flash, in which a few well-connected standards goonies who are not satisfied with the rollout for HTML5 think that no campaign to capture hearts and minds is complete without some form of digital strip mining, in which major portions of the Internet heritage are blocked by "newer, better" software and rendered dark, obsolete and broken overnight. It's just like a seat belt law, right? It's all about protecting Joe Sixpack from driving drunk on the web. And the big important players like Facebook have naught but our precious safety as a motive. /SARC
I hated Flash for its abuses and excesses at first, but I have grown fond of the things it has become useful for, and does well. Here is a low level instruction set of instruction and vector graphic primitives that has been used to accomplish amazing feats. Even self-contained and offline feats. Things that will never make it to HTML5 without a serious ride in the newer is better and bigger and much slower (though our processors are faster and memory is bigger so we pretend that it's faster and smaller) bloat-mobile. /NOTSARC
Remember when the Whole Damned World was ready for a GIF-killer? And PNG was one little tiny step away from doing so? The png image format was so ready to dominate the world, and we were maybe a few open source developer weekends away from having a GIFlike format with comparable non-encumbered LZW compression, and (as promised) simple animation too. To be able to animate in full RGB without shoving palettes down our collective throats. Well, some people on the Standards Committee, some <BLINK>anti-blink tag hipsters</BLINK> who were Running With Scissors cut out that promise and proceeded to punt the animate part of the bargain into the Next MNG generation, which would be a video-killer too and would happen Real Soon Now. The upshot was that the PNG rocket sled hit a big pile of jello, While MNG was languishing, a whole generation of web-folk faced difficult times with GIF in which open source tools generated bloaty files unless you compiled them yourself (because they did not to fork money or paperwork to license the LZW) and the world was treated to... more of GIF! It is today's GIF! And do we have those <BLINK>anti-blink tag hipsters</BLINK> to thank? No, that is not really fair, they just wanted to build a better world. But bad decisions in retrospect do happen. /NOTSARC
But Flash is different! Never mind how useful it has become, it must be killed. Because in this silly Collectivist world of planned obsolescence it is not enough to succeed. Something old must be declared evil, be systematically dismantled and ultimately fail not on its own lack of merit, but because some all seeing Standards Committee wishes to keep Joe Sixpack safe while driving drunk on the web. The insurance companies have already factored in the liability for HTML5 vulnerability coverage so we're good there. /SARC
From this day forward, any zero day vulnerabilities in HTML5 code will be tolerated in the civilized manner, and any emerging Flash exploits will be blamed on the Iranians and North Koreans, and those who continue to use and support Flash will have their hip-credentials revoked. /NOTSARC And we're ready to destroy all those vinyl LP phonograph records too, all the music that matters has been reissued, yeah, fuck that old music. /SARC
Because, God Forbid, the whole human race could never just gather to re-write a popular primitive procedural language without creating a shitload of new exploitable errors. It just cannot be done. /SARC
<blink>down the rabbit hole</blink>
It seems like the stupid ads on slashdot from flash ads cause firefox to crash at least 2 times a day. So yeah, screw flash.
that needs to go HTML5 soon and make it a free upgrade as well.
This is exactly how Oracle operates. 'We know what is best for you and shall disable XYZ'. Really FB, just go fuck yourself. Whether Flash is good/bad or something else, FB has no right to collude to deny computer users the right to use any program/plugin/interface outside of their own site.
I said the same years ago, even before Steve and was violently chastised and called a noob and troll (and worse) for it. Even here on Slashdot. Good to see the last death throes of fucking Flash and people finally wake up. I feel vindicated. Apologies accepted.
Why? Because with Flash video I just get a big blank box I can click to play it, and shit never autoplays.
Autoplaying video needs to die.
They are so full of themselves, they think they control the world.
Also, are there tools on par with Flash (the editor!) for animating HTML (CSS or Canvas)?
I'm not aware of any tools you can buy, but I've heard of one you can rent: Edge Animate.
Converting an existing Flash project is pretty easy.
Provided its author is still contactable and still has the .fla files. Good luck contacting authors of the majority of works on Newgrounds to follow through with this conversion.
Adobe's flash can export most any fla to html 5
Do sites that allow users to upload Flash files require the user to also upload the .fla, or only the .swf?
Nuff said.
Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
Pretty good rant.
But you still, like all Flash Advocates, missed out on the Elephant's Foot crushing your spine:
Bad Actors.
You know, those people in Advertising, Gaming, and Malware who ruined Flash for the rest of us.
Your points are valid, especially where it comes to PNG, but you really need to White Knight the bastards who took Flash to heart as a means to Ruin The Fun.
Yes, those Bastards will eventually migrate to HTML5, but only you, through your Flash Community connections, can cut the balls off of them _now_.
But you won't, and there is one telling phrase why not:
"Because in this silly Collectivist world of planned obsolescence..."
You have a mindset that can't be reasoned with.
Caveat Emptor is good advice when buying a used car, but to base a Political and Economic Philosophy on it is laziness of the highest order.
_You_ won't actively work to fix the Flash problems because you are too damn lazy. Yes, you may make excellent and inviolable Flash applications now, and you may reasonably disclaim any involvement in the Flash Trash out there.
But until you actually, and openly, do something about these problems, you are equally guilty.
Because you are lazy.
You can't kill the flash, he's too quick. Besides the speed force would unravel and become the slow force.
did he?
...just like the batteries in the laptops that run it.
Will the Real Slim Shady please stand up???
The reality is, Adobe would have walked away from Flash by now if they could.
Even though the tool from Apple stood up in his high chair and scared the crap out of Adobe, they knew they couldn't dump it.
The problem with reality is that Flash was far too successful by then.
HTML5 has already failed to fulfil the goals originally set for it.
Something else will replace it.
Even now, if Adobe applied some genesis level product evolution effort towards re-birthing Flash, they would easily attract industry support and could have a world beater on their hands.
That would require someone within Adobe to stand out from the crowd. The payback would be a redefinition of what Adobe represents.
Flash is a sleeper product that won't die.
Adobe needs to ignore blustering crap from Apple, Facebook, and whoever else, bypass the internal political appeasements, and get their mojo back online.
I wouldn't kill flash altogether, maybe urge Adobe to open-source its project and allow developers to fix its many problems and hopefully make it into a stable package once again...
Adobe could easily open source the Flash AVM, re-package it around AIR (open source that too), provide support for additional scripting languages / markup languages (including HTML5).
Adobe already has much of this stuff available to them.
In one scenario AIR could then become a combined browser / application shop front - no need for Mozilla or anyone else.
When Flex was moved over to Apache, Adobe must have been surprised at the level of community support that occurred (and is still continuing now).
They would get a far stronger reaction again by open sourcing Flash.
The problem with Adobe is their product strategy, not their technology.
It seems Steve Jobs scared them somehow. I don't know why - ignoring some short term problems, someone with a strategic brain inside Adobe should have realised that rant of Jobs indicated that they were in fact onto a major winner. Backing down isn't the kind of behaviour that led to Postscript & PDF becoming de-facto standards, but that's what they did.
Roll forward - HTML5 isn't cutting it, and successor technologies are already being discussed.
The door is open for Adobe to open source Flash/AVM/AIR & extend across Javascript/Python/HTML5 as standards.
They could wrap it in a browser / tooling experience that would make Mozilla look like a Model T Ford.
But until you actually, and openly, do something about these problems, you are equally guilty. Because you are lazy.
Through the /SARC when it comes down to it you are right of course. Please +mod Parent as an amazing and thought-provoking response, a fine rant response. I must admit that over the years I have been part of the problem. Despite time put in to learn the mechanics of computer language, network, protocol and presentation, applying many an operations-oriented shim or patch or fix.. I have NOT delved deep into any single open-source project, taken the reins, become part of a team, or even one of those prolific lone wolf coders. I have no curriculum vitae in open source. Now that I look back on it that's kind of shameful, especially as I present myself as a critic of the times. I'll try to do better with the next half of my life.
Who are those bad actors and what is bad acting? Leaving aside the potential for cross site scripting, malformed instructions, rooting and malware for a moment. There was a time when smooth continuous motion on the borders of a web page, however clever the item, was considered distracting by static purists, who even objected to looping animation. I was never one of those, though I did see they clearly disliked the intrusive and unexpected. Then came the sounds, loud and lots. In a platform where a mute button or volume control must be explicitly coded few did and if your volume control was up you'd be blasted out of your seat muttering "What were they thinking?" But all that is past and gone. There are no aesthetic elements made possible by Flash that are not do-able from HTML or JS.
And because migration is now possible some feel migration is necessary. The Register is cheekier than I, spicing urgent reminders with lambasting criticism. Clearly from Adobe's position proactive measures are necessary and a ground-up audit/rewrite is necessary using a compiler framework that (with performance penalty of course) mitigates the silly things like use-after-free. And in Open Source there have been reverse engineering projects and attempts to replicate Flash, lately even shims...
But what has been missing is a publicly audited open source Flash initiative that had begun years ago, begun right as Flash was introduced. Some would call such a thing intellectual property theft. I'd bring up OpenSSL as a shining example except for... certain things that have happened. Are they worse than the things that might have happened if some corporate actor, RSA for example, imposed bin-only blobs on everyone, Windows Linux and Apple? Who can say.
But you won't, and there is one telling phrase why not:
"Because in this silly Collectivist world of planned obsolescence..."
You have a mindset that can't be reasoned with.
What you really mean is, You reach down and you flip Flash over on its back. Flash lays on its back, its belly baking in the hot sun, beating its legs trying to turn itself over, but it can't. Not without your help. But you're not helping.
Point taken.
<blink>down the rabbit hole</blink>
Sure. Go ahead and set a date to kill Flash and Java.
I'd mention how much of a fail idea it is and try to convince you to stop. However, like Napoleon Bonaparte once said: If your enemy is making a mistake, don't stop them.
Its ubiquity is secure because it's the only one that can do the animation for games and as such will never fully die.
How about in order to _revitalise_ the flash add-on for browsers by rebuilding it from the ground up, make it work on mobile devices so Steve Jobs will be spinning in his grave.
No offence meant to the apple fan boys and girls.