
Freaky Flash 6 Fishy Features 309

donpardo writes "I upgraded to Flash 6 last week (to patch a security hole). When I right clicked on a Flash ad at abcnews.com, and pulled down to Settings I got a tabbed dialogue box asking if I wanted to give them access to my cam and microphone. Clicking through on the tabs revealed that the microphone and the camera had already been detected and that the microphone was active. I doubt the camera or the microphone were sending information out but this still seems invasive. Here are Macromedia's statements about the mic and the camera. In addition there is a setting to ask how much information the site can store on your computer. The default value is 100K. According to the information statement "Data can be anything from your user name to your current score in an interactive game to a list of stocks in your portfolio ... The data is not public, but the privacy of this data depends on the policies of the web site where the movie is hosted."" I thought the first sentence of this submission was telling ...
  • Now I'm actually glad to have dial-up
  • by thogard ( 43403 ) on Monday May 13, 2002 @06:15PM (#3512900) Homepage
    At work we have been blocking flash on and off for a while now and it now looks like it will get blocked and stay that way. It's a shame too since Cisco has finally started using it for the only thing it was good for -- vector drawings.
    • how about SVG? (Score:4, Informative)

      by stego ( 146071 ) on Monday May 13, 2002 @07:03PM (#3513208) Homepage
      It does vector and is even a bit more open....

    • How can Flash be removed from 1) Windows, and 2) Linux?

      Reasons not to run Flash:

      Flash presents unknown security risks. Sometimes Flash and other Macromedia products have been the point of entry of trojans and viruses, as mentioned in this documentation of a very serious bug, Macromedia Flash Activex Buffer overflow [eeye.com].

      Flash on a website advertises Flash. There must always be some notice that says "Download Flash if you don't have it", and a link to Macromedia, so that web site viewers can get the latest version. This forced added content distracts from the intended content.

      Flash is nearly always used to provide images that are irrelevant to the content. Except for those who care about bright, shiny things more than content, Flash gets in the way. Flash authors are seldom qualified to provide moving picture content, and, even if they were, Flash is a very limited cinematic tool.

      Flash often causes long load times. Long load times communicate that the website viewer's time is less important than the website creator's love of movement. Flash often causes Website viewers to wait for "Loading..." messages.

      For website viewers who do not want to run Flash and other Macromedia software, or cannot, web sites using it are broken.

      By using Flash, authors of Flash content may cause the URL of their customers to be transmitted to Macromedia. If some disloyal Macromedia employee, or Macromedia itself, thought of some profitable reason to approach those customers directly, Flash content authors could lose business.

      Flash content is proprietary content. It is the money-making scheme of one company. This tends to undermine web standards like HTML. The Internet is a public utility for all of us to use. Proprietary methods go against that spirit.
      • Disabling Macromedia Flash on Microsoft Internet Explorer

        These instructions are known to work with Internet Explorer 6.0 on Windows 2000. They may require modifications on other versions of IE or Windows.

        1. Set Internet Explorer to prompt you before installing any ActiveX controls (plug-ins):
          1. Close all Internet Explorer windows.
          2. Open the Internet Options control panel.
          3. In the Security tab, click Internet, then click Custom Level.
          4. Make sure that Download signed ActiveX controls is set to Prompt, and that Download unsigned ActiveX controls is set to Prompt or Disable.
          5. Click OK to save the security settings.
        2. Remove Flash:
          1. Open the Internet Options control panel, if it isn't already open.
          2. In the General tab, under Temporary Internet Files, click Settings, then click View Objects.
          3. Right-click on the Macromedia Flash icon and select Remove.
          4. Close the Downloaded Program Files window.
          5. Click OK to close the Settings window.
        3. Clear the Internet Explorer cache:
          1. Open the Internet Options control panel, if it isn't already open.
          2. In the General tab, under Temporary Internet Files, click Delete Files.
          3. Click OK to close the Internet Properties window.

          If you stop now, Flash ads will not appear, but IE will pop up a dialog box every time you view a page containing a Flash ad. You can prevent this from happening 99% of the time by continuing to the next step.
        4. Prevent Internet Explorer from prompting you to install Flash:
          1. Click Start, then Run, and enter this command:
            notepad %systemroot%\system32\drivers\etc\hosts
            A Notepad window should appear with a file in which most of the lines begin with "#".
          2. At the bottom of the file, add the following line:
            0.0.0.0 download.macromedia.com activex.microsoft.com active.macromedia.com
          3. Close the Notepad window and click Yes to save changes.

          This last step will prevent your computer from ever accessing the Internet addresses where the Flash plugin is normally found. If you later find that you need to access one of those addresses, just remove it from the hosts file.
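
A check for step 4 above, as an added example that is not part of the original comment: it parses hosts-file text and reports whether each of the three hostnames from the post is actually sinkholed, then appends any that are missing. It assumes the first mapping for a name is the one the resolver uses; the function names and the sample file are constructed for illustration.

```python
import ipaddress

# Hostnames taken from the hosts line in the post above.
BLOCKED_HOSTS = (
    "download.macromedia.com",
    "activex.microsoft.com",
    "active.macromedia.com",
)


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text.

    Assumption: the first mapping for a name wins, so later duplicates
    are ignored. Comments, blank lines and malformed lines are skipped.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            # Hostnames are case-insensitive; a trailing dot is equivalent.
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping


def is_sinkhole(addr):
    """True for 0.0.0.0 / :: (unspecified) and loopback addresses."""
    return addr.is_unspecified or addr.is_loopback


def audit(text, wanted=BLOCKED_HOSTS):
    """Report 'blocked', 'missing' or 'overridden:<ip>' for each hostname."""
    mapping = parse_hosts(text)
    report = {}
    for name in wanted:
        addr = mapping.get(name)
        if addr is None:
            report[name] = "missing"
        elif is_sinkhole(addr):
            report[name] = "blocked"
        else:
            # An earlier line points the name at a real address, so a
            # 0.0.0.0 line appended later would not take effect.
            report[name] = "overridden:" + str(addr)
    return report


def ensure_blocked(text, wanted=BLOCKED_HOSTS):
    """Return hosts text with one 0.0.0.0 line added for missing names.

    Idempotent: text that already blocks every name is returned unchanged.
    Overridden names are left alone; audit() reports them for manual review.
    """
    missing = [n for n, s in audit(text, wanted).items() if s == "missing"]
    if not missing:
        return text
    sep = "" if (not text or text.endswith("\n")) else "\n"
    return text + sep + "0.0.0.0 " + " ".join(missing) + "\n"


# Constructed sample: one entry commented out, one blocked with odd
# capitalisation, one pointed at a documentation-range address.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
#0.0.0.0 download.macromedia.com
0.0.0.0 Activex.Microsoft.com   # trailing comment
192.0.2.10 active.macromedia.com
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_HOSTS).items():
        print(f"{host:28} {status}")
    print(ensure_blocked(SAMPLE_HOSTS), end="")
```
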

        • Thanks.

          I've been following Macromedia since they started. This Slashdot story was the last straw for me. If something goes wrong with my customer's computers, it will be me who is blamed. Deleting Flash is a sensible precaution on a business network.
      • Can we discuss this?

        Reasons not to run Flash:

        Flash presents unknown security risks. Sometimes Flash and other Macromedia products have been the point of entry of trojans and viruses, as mentioned in this documentation of a very serious bug, Macromedia Flash Activex Buffer overflow [eeye.com].

        So, ok, _ONE_ security notice. No known exploits of this hole. Company acknowledgement and fix in less than a day.

        What other risks? What other holes or past vulnerabilities? Any known exploits? Name them. I think the case can be made that Macromedia is more diligent with security than many in this business, and more worthy of trust.

        Maybe the problem is with using a browser that requires Activex?

        Flash on a website advertises Flash. There must always be some notice that says "Download Flash if you don't have it", and a link to Macromedia, so that web site viewers can get the latest version. This forced added content distracts from the intended content.

        The Flash plug-in is just about default on most browser installs, so few see that download message. The plug-in's truly free, and not nagware like QuickTime or Real. And most people aren't developers, so not a very targeted campaign, is it? The real ad value is that the plugin works well for the majority of users.

        Flash is nearly always used to provide images that are irrelevant to the content. Except for those who care about bright, shiny things more than content, Flash gets in the way. Flash authors are seldom qualified to provide moving picture content, and, even if they were, Flash is a very limited cinematic tool.

        Those comments are more often applied to television.

        So should Flash have a taste filter to prohibit the creation of tacky content?

        Flash is just a tool, not an artistic movement.

        Flash often causes long load times. Long load times communicate that the website viewer's time is less important than the website creator's love of movement. Flash often causes Website viewers to wait for "Loading..." messages.

        Flash is currently one of the most efficient and reliable formats for delivering dynamic interactive content. Its success comes from the fact that there's not really any other interactive animated format that competes with it yet.

        Download time is a contract between author and viewer; if the content is good, they'll accept the delay. With broadband, the majority of Flash pieces download in a few seconds.

        For website viewers who do not want to run Flash and other Macromedia software, or cannot, web sites using it are broken.

        Sites are broken because the author didn't care enough to put in detection for the plug-in, and didn't include alternate non-Flash content. By the way, the Flash plugin (presence and version) is VERY easy to detect via javascript or other means (unlike Quicktime)

        By using Flash, authors of Flash content may cause the URL of their customers to be transmitted to Macromedia. If some disloyal Macromedia employee, or Macromedia itself, thought of some profitable reason to approach those customers directly, Flash content authors could lose business.

        Uh huh.... right. Big software company secretly wants to run tiny boutique webshop in converted factory loft making way kewl Flash pieces.

        Flash content is proprietary content.

        No more or less than ANY content.

        It is the money-making scheme of one company. This tends to undermine web standards like HTML. The Internet is a public utility for all of us to use. Proprietary methods go against that spirit.

        The Flash movie format SWF is an open format. Write your own authoring tool. Others have.

        • You sir are correct. More times than not I see folks on here spaz out about stuff such as this. It is NOTHING. Even if they had access to your camera and mic, they'd have to have MASSIVE amounts of storage to make it worth anything. Also, there's been a lot of false reporting that flash can bring virii and stuff onto your machine but I have YET to see an exploit that wasn't patched before it could be executed. Which is more than I can say about Outlook! Security paranoid users can freak about it, if they want. Now I am off to play some Lenny Loosejocks games....:)

        • "So, ok, _ONE_ security notice. No known exploits of this hole. Company acknowledgement and fix in less than a day."

          Flash has caused several very serious security breaches, and the company acknowledges this. A computer under my supervision was totally owned by someone exploiting a bug in a Macromedia product.

          "The Flash plug-in is just about default on most browser installs, so few see that download message."

          You forgot something very important. Sometimes there has been more than one upgrade to Flash within a month. If a web site uses a later version of Flash than is installed, you see the message.

          "Sites are broken because the author didn't care enough to put in detection for the plug-in, and didn't include alternate non-Flash content. By the way, the Flash plugin (presence and version) is VERY easy to detect via javascript or other means (unlike Quicktime)"

          Your answer to this extremely serious problem can be shortened to "Sites are broken..." It is VERY bad advertising if a user gets an error message instead of a web page. That happens a lot with Flash sites, for many reasons. For example, the user may have Javascript disabled, or it may be an imperfect implementation of Javascript, such as with version 5 of Opera.

          "Uh huh.... right. Big software company secretly wants to run tiny boutique webshop in converted factory loft making way kewl Flash pieces."

          Your answer is an attempt to influence by innuendo, not logic. Several years ago I was getting about 40 pieces of spam a day. Many seemed to have a connection with AOL. It just happened that someone from AOL called, trying to sell me something. I complained about the spam. Immediately it stopped. Was AOL doing the spamming? Maybe not; maybe it was someone who worked for the company who was making some money on the side. Would someone wanting to make money try to breach your computer security? Here is a small list of attempts to do so: The Spyware Infested Software List [fcenter.ru]

          The fact remains, when you use Flash, you are giving your customer list to Macromedia, and to whomever has access to Macromedia computers.

          "Download time is a contract between author and viewer; if the content is good, they'll accept the delay. With broadband, the majority of Flash pieces download in a few seconds."

          The viewer is not aware of any contract. The viewer is aware that he or she must wait. Again, this is extremely bad advertising.

          This Slashdot story continues an impression of Macromedia. The company is like Microsoft in that they tend to push the limits of what people will accept so that they can make more money. Would you have a friend who continued to test your limits? No? Then don't have a business association that tests people's limits.
          • Flash has caused several very serious security breaches, and the company acknowledges this. A computer under my supervision was totally owned by someone exploiting a bug in a Macromedia product.

            what security breaches?

            You forgot something very important. Sometimes there has been more than one upgrade to Flash within a month. If a web site uses a later version of Flash than is installed, you see the message.

            afaik, there are flash versions 3 thru 6, with about 2 years between the version steps. there is no flash 5.2.

            The fact remains, when you use Flash, you are giving your customer list to Macromedia, and to whomever has access to Macromedia computers.

            you are providing them with the urls of companies that have an swf on their site. this could have been any authoring tool that generates swf. but you're right, they probably do this so they don't have to search the web for swfs.

            The viewer is not aware of any contract. The viewer is aware that he or she must wait. Again, this is extremely bad advertising.

            the viewer doesn't have to do anything. either he or she waits, or decides that it wouldn't be worth it. swfs are small. you can make big swfs, and you can make swfs that really suck. you also can make pretty shitty html sites. if you have that sort of talent.

            The company is like Microsoft in that they tend to push the limits of what people will accept so that they can make more money.

            they opened up the standard. i don't know what you mean by pushing the limits of what people will accept. but as a company, macromedia wants to make money. just like any other company.


            • Thanks for your reply.

              "i don't know what you mean by pushing the limits of what people will accept."

              I consider this Slashdot story an example of pushing the limits. They are taking more control of the user's computer without making it clear in advance what they are doing. That's abusive, in my opinion. Your computer is your property. You wouldn't feel good about someone using your car without permission. You shouldn't feel comfortable having someone use your computer without permission.
  • by Anonymous Coward on Monday May 13, 2002 @06:16PM (#3512902)
    Just be sure to cover your webcam with your shirt before you start making out with the supermodel. You should be okay.
    • by Anonymous Coward
      More importantly, cover the camera before you start making out with yourself (so to speak) to the picture of the supermodel.
  • Ominous (Score:2, Redundant)

    by JanneM ( 7445 )
    Using IO and local storage; looks like they want to create a "web within the web" - except here they control the client and all the content. No more pesky 'open standards'. And, of course, if you want to create content, you'll have to pay the man...

    I'm getting sick of this.

    /Janne
    • Re:Ominous (Score:2, Informative)

      by pixel.jonah ( 182967 )
      It's basically like cookies.

      And you have the option to disable it on a per-site basis. Seems pretty aboveboard to me...
      • Re:Ominous (Score:2, Insightful)

        by Maserati ( 8679 )
        100k ? On that scale it's more like cupcakes.


        There's probably an ultrasecret club with $1000 membership dues that gets access to the stealth webcams.

  • Is there no shame (Score:3, Flamebait)

    by tfreport ( 458641 ) on Monday May 13, 2002 @06:16PM (#3512905)
    Ok, I understand that the technology is here and that it is possible. I understand that some people want to know what you're working on in your computer or the sites you are visiting for advertising purposes and what not.

    What I cannot fathom, is how could anyone purposely write a program to spy into my room, listening to me or watching what I am doing? Doesn't anyone have a conscience anymore? Come on. This is my house, my life, stay the f@#k out!
    • What I cannot fathom, is how could anyone purposely write a program to spy into my room, listening to me or watching what I am doing? Doesn't anyone have a conscience anymore?

      Is there potential for someone to make money from it?

      Yes.

      Seems pretty straightforward to me...
  • Oh, well. Good thing they never bothered making a Flash 6 for Linux.

    - A.P. (is the sky still falling, slashdot?)
  • Check again... (Score:5, Informative)

    by djrogers ( 153854 ) on Monday May 13, 2002 @06:16PM (#3512907)
    The first tab is set to 'deny' access to both your mic and your cam by default. The fact that the mic is turned on or off has to do with your PC's settings, not flash players.

    Still, could be fun...
  • Jesus (Score:5, Funny)

    by papasui ( 567265 ) on Monday May 13, 2002 @06:17PM (#3512914) Homepage
    How can I make money selling my amateur porn if they can see it all without my permission?
  • by Scotch Game ( 442068 ) on Monday May 13, 2002 @06:20PM (#3512931)
    Okay, security's important, but come on people. The settings are configurable, the policy is easy to understand and what we're talking about in terms of the data being stored is essentially what amounts to Cookies for Flash. The camera and mic stuff can be turned off. If you don't like Flash this won't make you love it and if you love Flash this won't make you hate it. So people are posting about WHAT exactly?

    "I have to turn my camera off for Flash! Invasion of privacy! Invasion of privacy! Cookies are evil! The sun is disappearing, the dragons are coming! The dragons are coming!"
    • by Anonymous Coward on Monday May 13, 2002 @06:26PM (#3512977)
      They are turned off by default, and every time a new domain tries to access them, the user is prompted to give permission.

      mike chambers

      mesh@macromedia.com
      • They are turned off by default, and every time a new domain tries to access them, the user is prompted to give permission.

        The problem is, it can't be proven. That's why things like open standards and open source exist.

        • That's why things like open standards and open source exist.

          No, that's why physical switches and pullable cable plugs exist.

          It beats me why anyone would trust software to turn off the cam/mic. If none of the zillions of virii or freeware downloads on your computer is spying on you, I bet your kids are.

    • by MrP- ( 45616 ) <jessica@sup j e s s i c a . com> on Monday May 13, 2002 @06:31PM (#3513011)
      i think people are more worried about exploits that will let h4x0rs spy on you with your webcam, listen to top secret conversations with your mic, and access files using the flash cookies. that's why chris said "I thought the first sentence of this submission was telling ... " because in the first sentence it says "I upgraded to Flash 6 last week (to patch a security hole). "
    • It's not even security as an application poking its head where it does not belong. Is there any good/common reason for flash to do anything with anyone's webcam/microphone? I think not.

      Though I also think it's reasonable to at least muse the possibility that this was all just set up by the X10 camera people to set up a world wide voyeur web =]
    • Maybe that these days there are just so many things you have to opt-out of. Even if you are a /. reader it's beginning to take some time to secure your PC and keep it that way.
      Then there is the deal with the huge amount of people that just don't know about these things and why should they? Wasn't the idea of the PC these days that you don't have to be a geek to operate them?
      Personally I spend a good deal of time in front of computers so I am aware of these things, but there's plenty of people who don't really care about the details of how it works and why? Because it is just a tool that they use in a busy day, just like they don't have to know how their car works.
      And it is not just a question about invasion of privacy. all those fancy features in different programs, including Flash, have often proved to include security holes. And forget about uninstalling it. After having visited the first 100 sites that prompt you to install the player, it gets really annoying.
      If these companies and people truly cared about people's security and privacy, they would all go the opt-in way instead, but what would happen was that only 2% would enable the features because the 98% are not computer people who are aware of these things. So the marketing/power/value of the product/features(flash player) would be a lot smaller.
      • At the risk of attracting trolls, this sort of internet lack-of-awareness is exactly why I recommend and give Macs to my friends and relatives.

        Plus, might I add, Mac OS X does it the better way: FTP, HTTP and SSH services are turned off by default. Nothing that can potentially allow someone in to your computer should be turned on by default. Nothing. And that's exactly what Flash 6 is doing: allowing access by default to your system. Netscape, while having access to cookies on by default at least also warns you by default (at least on Solaris, which is the default install I see every week - I have had them severely limited on my other machines for so long, I don't remember, because newer versions of Netscape also preserve preferences). This doesn't seem to even come with a small disclaimer. Perhaps buried in the EULA somewhere. But to me, this should be prominently displayed every time it is run, unless you tell it otherwise, or simply off by default.

        Want it done right? Use a Mac. Or spend your life fixing holes in Windows. Or get savvy enough to use one of the less user friendly *n?xes.

        Oh, and check all the preferences on everything you install all the time now, as well, it seems (although I don't remember AppleWorks calling the mothership when I install it). Bastard marketroids.

        • This is a case of false advertising, pure and simple.

          Flash is advertised as a 'media player' it plays flash movies, music (mp3s, etc.), and that's it.

          If it was advertised as a camera sharing / spy tool then fine, as long as you know that before you download it. The programs don't usually tell you things like that before you download it. Open source programs ( mozilla comes to mind) have a release notes section that tells you IN PLAIN ENGLISH ( or hopefully your native tongue ) what the update to the program does to your computer that is different from the past version.

          This has nothing to do with MAC vs WINDOWS vs UNIX, it has everything to do with 'free' software that is really 'free to download but with so many strings attached that you probably don't actually want to use it.'

          I spit on you, corp. america.
    • okay, I'm not a digital camera expert or anything (not got one myself) but your argument is "well I've read the privacy policy, and clicked the button in Flash to say 'please don't take photos of my bedroom' so nothing to worry about, right"

      right......

      And when did you last review the source code for this version of Flash player?

      We all know that "power corrupts" applies to programs as well as to people (think Kazaa, Windows XP, RealPlayer) so I'd say that even allowing a website plug-in access to that kind of information is unthinkably stupid (on the part of Macromedia's consumers, not on Macromedia themselves)

      "Thank you for visiting irs.gov. For your security, and to prevent crime, we have logged your name, IP address, and a photo of whatever you're currently wearing."


    • So people are posting about WHAT exactly?


      Flash has been taking on more and more functionality. It used to be a plugin for animations and some user interaction. Now it interacts with hardware that has definite possibilities of abuse. One has to be sure that Macromedia will completely honor the end users' options AND has implemented these controls in a secure manner. This seems unlikely considering the increased influence of the advertisers in technology and the complete lack of understanding of security issues by the vast majority of developers.


      It also seems that Flash can also be used to track users, despite the popularity of controlling the usual method - cookies. I would be interested to see if it is possible to disable these methods in a similar manner as cookies can now be controlled. My guess is that it is not and that this is a key feature sold to developers of ad banners.


      The situation brings to mind other applications that have an apparent functionality bundled with hidden functionality; Kazaa and Comet Cursor to name two.



      "I have to turn my camera off for Flash! Invasion of privacy! Invasion of privacy! Cookies are evil! The sun is disappearing, the dragons are coming! The dragons are coming!"


      I handle infosec issues professionally. It is sometimes amazing how often users and IT professionals shrug off infosec issues as some kind of "black helicopter" theory. They simply underestimate the potential for abuse many technologies present.


      Cookies are a great example. Double-click was the king of using ID-tracking cookies in online advertisements. People used to scoff at those who were concerned with this practice. After all, these cookies were anonymous! Double-click stated so. And they promised they would remain so. Then Double-click bought the largest mail order database in the United States. And they began a program that would link these anonymous IDs (and all the collected browsing data associated with them) with real identities contained within their new database. This program was put on hold due to public backlash. Expect it to resurface once Double-click has managed to lobby the appropriate laws to ensure this behavior is legal.


      They may not fit your definition... but the "dragons" ARE out there.

  • "Local Storage" (Score:2, Insightful)

    by Zordok ( 90071 )
    Is it just me, or does this sound like domain-limited cookies?

    It says: "This data may be accessed by the Flash movie that is running or by another Flash movie on the same web site."

    My impression is that the data it collects is not data sitting on your hard drive, it is data that relates to the flash application you are using.

    -Zordok
    • It's just you.

      Yes, the data it collects "relates to the flash application you are using," but the data does sit on your hard drive. It's an "AND" proposition, not an "OR" proposition. Plus, there's nothing but their word that other Flash sites -- or Macromedia themselves -- won't access the information. So it's not domain-limited cookies, it's Macromedia-specific super cookies.

  • IIRC, access to cameras and mics (if present) was also a feature of Flash 5 certainly, and maybe Flash 4 as well -- the feature was just a little bit more buried then, and perhaps the detection built into the OS at the time wasn't as good.

    I remember wondering what on earth a website would do with data from my microphone. Count the number of obscenities I muttered as I waited for the stupid flash-enabled splash screen to go away?
    • No, these features are new to the Flash 6 plugin.

      They got a custom video codec built by Sorenson to do this. That's what Apple is suing Sorenson over.

      The thing is that it's a full video codec and weighs in around 75k. Pretty impressive really. Audio is MP3 encoded.
    • I remember wondering what on earth a website would do with data from my microphone. Count the number of obscenities I muttered as I waited for the stupid flash-enabled splash screen to go away?

      I'm just guessing in the dark here (hey, this is ./ after all), but I imagine their intended purpose for this is to allow authors of flash apps a means to write applications which allow you to send video/audio greetings, take snapshots of yourself for profiles, record a voice greeting for a remote voicemail system, etc, etc. At least, the optimist in me wants to think these are the noble intentions they have (yeah, I'm probably wrong but in my fantasy world beer is free, pizza has no calories, and corporations are good - you'd like it here).

      Shayne

  • Ok, it's good to be concerned, but if you read the description, it's simply a method for a Flash movie to store information on your computer in a similar fashion as a web page stores information through a cookie.

    This info is only available to other Flash movies from THE SAME SITE, similar to the protection provided for cookies.

    It's simply a way to provide persistence from session to session at the same web site. I still wouldn't trust it with my credit card numbers, but Macromedia isn't Hitler reincarnated.

    Calm down. This has only been a test.

    q:]

    MadCow.
  • The porn banner industry will just LOVE this.
  • by 56ker ( 566853 )
    Sounds like yet another loophole unscrupulous crackers could exploit.
  • What can they store in 100KB?

    In 100Kb, you've said "Damn, it's another bl**dy flash site". No more room for video, unless they get lucky, and get a 1-frame shot of your appalled face to go with it.

    Now don't get me wrong, this is an invasion of privacy, especially if they have full control of a machine (say, Windows). I could think of a few things I'd grab, though, if I was feeling malicious. And I'm a pretty honest guy.

  • by seangw ( 454819 ) <seangw@@@seangw...com> on Monday May 13, 2002 @06:24PM (#3512960) Homepage
    If by default your options are turned off, then is there really any large amount of harm?

    Storing information on your computer is an old practice (cookies), and contrary to popular belief, isn't all that bad.

    How many of you stay logged in on slashdot when you come back to the site? That wouldn't be possible without "maintaining state" between visits.

    Personally I commend Macromedia for giving developers access to such important features (stored variables) and trying to get others into the mainstream (integrating video and mic).

    If you think this is an underhanded deed, then why don't you check your cookie files, you'll see quite a few, 90% are there solely to help you (10% could be tracking information, which in the end, just gives the user more relevant information).
    • If you think this is an underhanded deed, then why don't you check your cookie files, you'll see quite a few, 90% are there solely to help you

      Really? 100% of the cookies that I allow are there to help, but at least 60% of my banned cookie site list is from advertisers, who I doubt are putting cookies there to help me.

      • I've moved to a whitelist now.... I have Konqueror toss all new cookies unless the site is in my allow list. If a site not in my whitelist needs cookies I can enable them for that session.
    • How many of you stay logged in on slashdot when you come back to the site? That wouldn't be possible without "maintaining state" between visits.

      However, it is not necessary to allow THIRD PARTIES (aka the websites themselves) to save state on YOUR computer, to do this.

      That's what mozilla 'password manager' is for.

      For any additional state, the website should invest in some decent web server software, that is capable of saving user-linked state on the SERVER, without crashing/caving under the load of all those .ASP scripts.

      Once the user has identified themselves via the standard HTTP auth type mechanisms, it should then be up to the server to say, "okay, I remember you; here's where you should be now".

    • If it's equivalent to cookies, is there any reason they just didn't use real cookies? Even today some people are worried about the security of cookies, and IE has come a long way in protecting against all the little tricks that people use to trick people out of their cookies (framesets on domain X that include frame Y will not allow Y cookies to be read on either part of the frame). Why introduce another security hole? Cookie features are also much more mature. IE will allow you to block 3rd party cookies. The P3P standard uses cookies to set rules on allowing/denying cookies. Macromedia just wants everything to go their way, instead of using an established standard. People often criticize IE for letting the webmaster get too much control of the browser; changing the scroll bar color is nothing compared to a mic and webcam. Sure, they're trying to make it feature rich so users will download and use the plugin, but on the other end they're trying to give features to the web masters so they will buy Flash. And what's good for web masters isn't always good for users.
  • by Anonymous Coward on Monday May 13, 2002 @06:24PM (#3512961)
    you can read what the camera and microphone settings are for here:

    http://radio.weblogs.com/0106797/2002/04/30.html#a24 [weblogs.com]

    they are going to be used in a forthcoming flash communications server that will allow you to stream audio and video.

    what's the big deal?
  • Hey, at least they aren't as bad as Real, and its software.
  • What about dialup? (Score:2, Insightful)

    by Anonymous Coward
    All these scumwares that check for updates or send my browser history, bookmarks, cookies, registry keys, and directory trees to various sites keep freezing my ssh sessions. If they started to broadcast my mike, I'd be screwed. My dialup bandwidth isn't a resource any program can use at anytime, it's my precious property and I'm pissed off everyone is abusing it.
  • First off if you are concerned about Flash security, read the whitepaper about it before spouting off about it:
    http://www.macromedia.com/desdev/mx/flash/whitepapers/security.pdf

    Everything is set to deny by default. The plugin can see your mic and camera because it's on your computer! It can't send that information unless you give it permission to. Again, read the security white paper.

    The new camera and mic abilities of Flash allow you to do some really powerful things that you simply can't do any other way. In fact there was a story about someone trying to build custom web conferencing software last week and I told them to wait a couple months for the server that uses these features of the Flash plugin... I was modded up to 4!

    This kind of thing is going to push the web to new places. Technology is driven by innovation which later turns into standards, not the other way around.
  • by anonymous_wombat ( 532191 ) on Monday May 13, 2002 @06:33PM (#3513019)
    All they can do is see you and hear you.
  • by dbretton ( 242493 ) on Monday May 13, 2002 @06:36PM (#3513044) Homepage
    Tomorrow's InBox:

    From: xxxx
    Subj: Come see My Hot WebCam!
    From: xxxx
    Subj: We're waiting for you!
    From: xxxx
    Subj: Flash Installed, See Bubba pick at his ass-crack

  • by VValdo ( 10446 ) on Monday May 13, 2002 @06:40PM (#3513064)


    What happens if I do nothing?

    The Macromedia Flash Player automatically detects any default microphone or other audio recorder on your computer, and sets microphone sensitivity to a medium value.

    ....

    What happens if I do nothing?

    The Flash Player automatically detects any video cameras on your computer and displays the name of the default camera it will use. If you do not select another camera from the pop-up menu, the Flash Player uses the default camera. To see a live display of the image being detected by the default camera, click the video preview area.


    Now this is scary.

    But picture this-- a virus that takes your picture, records you for a minute, compresses into .mp3, then sends the sound and a snapshot as an email attachment to the next person...

    I think Back Orifice [bo2k.com] already has this in as a plugin, but man, a viral version of this... What's the best way to disable a laptop mic?

    W
    • Get a mic and cam with physical turn off switches.
      • Yeah, but that would rule out most laptops, which have built-in mics...I guess anyone with a laptop is potentially bugging their own computer...not a nice thought.

        How many web cams have physical "turn off" switches? ...although they can at least be pointed in another direction...but you have to remember to do that EVERY time ;)

        W
    • But picture this-- a virus that takes your picture, records you for a minute, compresses into .mp3, then sends the sound and a snapshot as an email attachment to the next person...


      Why not make it interesting? Modify that virus so that it detects when the user is surfing lots of pr0n sites, waits 5 minutes, then captures a short video clip from the user's webcam and emails that snippet to everyone in the user's address book...


      (evil grin)

      • Why not make it interesting? Modify that virus so that it detects when the user is surfing lots of pr0n sites, waits 5 minutes, then captures a short video clip from the user's webcam and emails that snippet to everyone in the user's address book...

        Because on average, 5 minutes is more than enough for majority geeks.
  • by Technician ( 215283 ) on Monday May 13, 2002 @06:41PM (#3513074)
    Ever since they made it so that play, loop and other right clickable consumer controls could be made unavailable, I made the program unavailable on my machine. Unlike IE past Win 98, it is still removable. The worst case I saw before I pulled the plug was a right click put the dialog box on the other side of the screen and not where you were trying to stop an animation and where a right click brought up only one option "about Macromedia". I contacted the company concerning these trends in loss of control. I received no reply. I prefer Netscape over IE, because any page with flash content brings up a dialog box in IE, "do you want to install......" There is no option in IE "do not ask me again". I got tired of telling it "NO NO NO NO NO!" I would suspect MS and Macromedia have the same agenda to have your computer skip ads the same way your DVD player skips the FBI warning. Somebody is paying bucks to have the content delivered like it or not.
    Since most flash is used for forced advertising and not for content, my main machine is flash and IE disabled by choice. At the rare site with actual flash content, my standby machine still has it, but it's rare I fire up that antique.
  • Uninstalling Flash (Score:3, Insightful)

    by FattMattP ( 86246 ) on Monday May 13, 2002 @06:41PM (#3513078) Homepage
    One of the best things I ever did for myself was uninstall flash from all my browsers. 99% of the time Flash is just needless eyecandy, IMO. I also set my activex settings in IE to disable activex entirely. That way I don't even get prompted over and over to install it.

    You can find information on how to uninstall Flash here: http://www.macromedia.com/support/flash/ts/documents/remove_player.htm [macromedia.com]

    • I don't think all Flash is needless eyecandy, and some sites are only Flash. Of course some people will call that stupid, but look how popular it is! It's practically included in Internet Explorer now, and I am not a person who is only interested in the core information on a webpage. I enjoy (most of the time) watching the Flash movies that people have put their hard work into to make their site look better. In fact, I would like Slashdot more if it had more pictures to help navigate, and some other font besides Times New Roman. But this is coming from a web designer, not a usability expert.
    • Thanks on the information to stop MS browser from begging me to install Macromedia flash. I almost stopped using the IE browser completely because of that persistent nagging.
    • Why not eliminate those ActiveX problems altogether and use a browser other than IE [mozilla.org]?

    • But how can you possibly live without Joe Cartoon [joecartoon.com]?
  • Then, at long last, the TV is watching YOU!
  • by 3seas ( 184403 ) on Monday May 13, 2002 @06:52PM (#3513143) Homepage Journal
    ....register with us by giving us your life history along with your request for privacy.

    We need your life history to make sure it's you.
  • ...you're not likely to see in the public:


    All the functionality of Back Orifice, now with animations!


    [1] [nwinternet.com]

    [2] [cultdeadcow.com]

  • At the risk of stating the obvious, if you value your privacy, you should probably have your web cam covered and your microphone unplugged whenever you aren't using them. It wouldn't be hard to write a virus/trojan/etc that activates them and eavesdrops without your being aware of it -- flash or no flash. The only way to be sure that doesn't happen is to physically disable the sensors.
  • This tech is primarily focused on Video conferencing and tech/customer support. Imagine going to an online store and being greeted by a 'live' salesperson who can answer your questions in person.

    Obviously there is room to abuse as in any tech. As long as the features are turned off by default and always, always give you the choice of whether to use them or not, I don't see any problems.

    In the meanwhile if you don't like flash, pick a browser and plugin set that you can live with.

    IE isn't the only one out there. Mozilla works very well for me.

  • I know the slashbot line is going to be anti-BigCorp (in this case, Adobe), but I'm going to suggest an alternative. Hope it doesn't cause too many ulcers out there in slashdot land. ;)

    I advocate tough love. If this behavior continues, one of the following three things will happen.

    1. Users will get fed up with sneaky nigh-spy ware and vote with their wallets against these tactics.
    2. Users will get fed up with OS's that don't wrap devices with permissions to prevent these types of activities and vote with their wallets against such insecure OS's.
    3. Users will remain happy and ignorant, Adobe will get advertising money, and their products' (and competing products') prices will drop, benefitting everyone, those in and out of the know alike.

    All of these are acceptable in my opinion, so I'm not going to sweat it.

    • Adobe? Macromedia, methinks.

      a) Adobe will get advertising money

      b) and their products' (and competing products') prices will drop, benefitting everyone, those in and out of the know alike

      I don't see how b) follows from a). I think a more likely statement would be 'and Macromedia's stock price goes up, and their shareholders make a killing.'

  • Sandboxed? (Score:3, Insightful)

    by theolein ( 316044 ) on Monday May 13, 2002 @08:09PM (#3513589) Journal
    Flash started off as a very interesting technology about 6 years ago, and gained popularity amongst users because it was small (142k download or so), relatively innocuous (Only two exploits so far AFAIK) and it brought those things to the web that java applets had promised but failed to do. There was a huge demand for Flash coders in the middle of the Dotcom boom, especially when Flash 4 hit the scene with scripting abilities, allowing developers to make fancy interactive sites, and even more so when Flash 5 came around which improved the scripting and performance yet still remained small and relatively safe.

    What happened?

    Thousands of dotcommers made enormous flash intro animations to their sites (about half of them forgetting to make a "skip intro" link), which rapidly irritated many many visitors to said sites (a study on the irritation factor of flash intros and banners would be *very* interesting). At the same time as the dotcom scene started crashing around everyone's ears, desperate internet marketing whizzes decided that flash would be a brilliant vehicle for advertising, pushed along by an equally desperate Macromedia, whose products were no longer selling like hot cakes. The results of those ideas can be seen on almost every portal on the web (ZDNet is my favourite with slashdot also not doing too badly), and visitors' reactions are known to everybody it seems except for the mindless marketing people who push it. In this way it is very similar to spam.

    Macromedia spent a fortune on making Flash a tool that would liven up the web and make colourful, interactive, animated, dynamic sites possible especially in conjunction with macromedia's backend flash application server, generator. Apart from a host of sites early on this trend has died out almost completely, because what macromedia didn't realise is that just like web designers/coders have to cope with different browsers, they also have to cope with users who haven't and won't use the plugin, and therefore go for the lowest common denominator in websites: html with one or two pics etc. Flash didn't save a single dotbomb from going under.

    Now, just like any other large company (ahem), they need to add "features" in order to carry on making money with their product. Flash 6(MX) now has built in video, microphone and cookies. I very much doubt this is suddenly going to improve the content of all the Flash we've been getting, although it may kill one or two other companies' media players(Quicktime, WMP, Real) but, in moving out of the traditional small player that they've had, it will fast become larger, and someone is sooner or later going to find some hole in their player (actionscript getting access to the drive while ostensibly looking for cookies? Exploiting a hardware driver(keylogger)?). For all my irritation with Sun's Applet saga and java on windows, Sun worked very hard to make the language and VM design secure (and the fact that of the few exploits with browser JVM's being mostly in MS' JVM does show this). Macromedia doesn't AFAIK have that much experience in security wrt clientside technologies and time will tell what will happen with this player.

    I used to be a Director programmer and with Director you could pretty much do anything on the client machine with no checks and shockwave, director's browser plugin, went in the same direction as flash is going: first a straight player and then with later versions you could download all sorts of xtras onto the client machine. I once, as a security test, wrote a screensaver with shockwave, that everybody in the company loved (it even won an award for design). What no one realised until we told them, was that the screensaver had been merrily scanning people's drives in the background and uploading filelists to us.
  • Remoting apps... (Score:3, Interesting)

    by wowbagger ( 69688 ) on Monday May 13, 2002 @08:16PM (#3513626) Homepage Journal
    One of the things Slackromediocre is trying to do with Flush6 is "remoting applications".

    You see, they had this wonderful insight:
    What if we run the apps on a BIG computer, and then we show the output on a little computer? We'll have means to encapsulate drawing commands into a format that can be transmitted across a network. Oh, and we'll need a way of getting keystrokes and mouseclicks, too. And wouldn't it be cool if we could move audio both ways across a network link!


    Of course, since nothing like this exists, we'll lock it all up into a proprietary protocol that we'll control, and everybody will have to pay us money!

    What a great idea!


    Of course, protocols for network transparent graphics, sound et cetera already exist, but they have that nasty four letter word in them (open).

    Sarcasm aside, I am sure the intent of this is to allow Flash 6 to provide Video conferencing type applications - just click on the link and there you go.

    I saw a most interesting article in InfoHurl about this - the funny thing was they showed apps being remoted to Windows, Mac-OS, and Linux. Yeah, I'll believe MacroMedia will be supporting Linux with a good Flash 6 player about the same time as BillG tongue-kisses RMS - the current Flash 5 player is MUCH slower than the Windows player on the same hardware (while strangely NOT taking all available CPU!), fails to sync video and audio, and generally is unstable (Heaven forfend somebody ELSE might want to access /dev/dsp, we'll just lock the browser up if we can't open it....)
  • by Dwedit ( 232252 ) on Monday May 13, 2002 @08:17PM (#3513629) Homepage
    Welcome to Zombocom... This is Zombocom... You can do anything at Zombocom...

    http://www.zombo.com/ [zombo.com]

    How's that for a nice flash intro?

  • From the source (Score:4, Informative)

    by Anonymous Coward on Monday May 13, 2002 @08:22PM (#3513652)
    OK, some people seem to have found info about what the camera and mic objects are for on the web but I'll post the link again for the people who skipped that posting before moving on: http://radio.weblogs.com/0106797/2002/04/30.html#a24 [weblogs.com]

    1. The default for the camera and mic is to DISALLOW a site to access them.

    2. The camera and mic objects are there for something MM has coming down the tubes for a communication server via the Flash player, and the player will PROMPT users before ever granting a site access to their mics and cameras...I've got the beta of the server for testing purposes and it asks me every time (since I never check the little box asking me if I want the player to remember my setting)

    3. As many people have pointed out, the Local Storage settings are essentially cookies for Flash. They work in pretty much the same fashion (can only be accessed by the domain that created them, etc.) as cookies, but are only consumable by Flash.

    Personally, I wish some of the folks here would give the "Flash is evil" stuff a rest and see more people looking at the GOOD things that can be done with Flash rather than just the worthless drivel that a lot of people have produced, but that's the opinion of someone who works for MM, so I don't have much of a prayer there.
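
An added example, not part of any comment in this thread and not Macromedia's code: a small audit that walks a Flash Player shared-object directory, totals the stored data per site, and flags sites holding more than the 100K default mentioned in the story. The on-disk layout (`<random id>/<domain>/.../*.sol`), the sample domains and all function names are assumptions; the sample files are constructed placeholders.

```python
import os
import stat
import tempfile

DEFAULT_QUOTA = 100 * 1024  # the 100K per-site default described in the story


def audit_shared_objects(root, quota=DEFAULT_QUOTA):
    """Summarise Flash local storage per site.

    Assumed layout (not taken from this page): root/<random id>/<domain>/.../<name>.sol
    Returns {domain: {"files": [relative paths], "bytes": total, "over_default": bool}}.
    """
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):  # does not follow dir symlinks
        parts = os.path.relpath(dirpath, root).split(os.sep)
        if len(parts) < 2:
            continue  # still above the per-domain level
        domain = parts[1].lower()
        for name in filenames:
            if not name.lower().endswith(".sol"):
                continue
            full = os.path.join(dirpath, name)
            info = os.lstat(full)
            if not stat.S_ISREG(info.st_mode):
                continue  # skip symlinks and other non-regular files
            entry = report.setdefault(
                domain, {"files": [], "bytes": 0, "over_default": False})
            entry["files"].append(os.path.relpath(full, root))
            entry["bytes"] += info.st_size
    for entry in report.values():
        entry["files"].sort()
        entry["over_default"] = entry["bytes"] > quota
    return report


def build_sample_tree(root):
    """Create a constructed profile with three hypothetical sites for the demo."""
    samples = {
        ("AB12CD34", "news.example", "ads/banner.swf", "visitor.sol"): 2048,
        ("AB12CD34", "news.example", "poll.swf", "vote.sol"): 512,
        ("AB12CD34", "games.example", "arcade.swf", "scores.sol"): 150 * 1024,
        ("AB12CD34", "tracker.example", "t.swf", "id.sol"): 64,
    }
    for parts, size in samples.items():
        path = os.path.join(root, parts[0], parts[1], *parts[2].split("/"), parts[3])
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)  # placeholder bytes, not a real .sol payload
    # A non-.sol file that the audit must ignore.
    with open(os.path.join(root, "AB12CD34", "news.example", "notes.txt"), "w") as fh:
        fh.write("ignored")


def demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_shared_objects(root)


if __name__ == "__main__":
    for domain, entry in sorted(demo().items()):
        flag = "  <-- above 100K default" if entry["over_default"] else ""
        print(f"{domain:18} {entry['bytes']:>7} bytes  {len(entry['files'])} file(s){flag}")
```

To audit a real profile, pass the player's shared-object directory to `audit_shared_objects` instead of the constructed tree.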
  • by techmuse ( 160085 ) on Monday May 13, 2002 @08:41PM (#3513729)
    for anyone using voice recognition, or any other application where keeping your mike at the CORRECT level is important. What right do they have to change my settings?!
  • I have never been a big fan of Flash. Not that it is a bad technology, but just like anything else that is remotely cool people use, abuse, and misuse it to the point where the cons outweigh the pros.

    I guess my biggest beef with Flash is that people make IT the content as opposed to using it to accent the content. Ever been to a site where you can't bookmark shit and none of the browser navigation does shit because hitting back only restarts the whole thing? That is the kind of stuff that drives me nuts...

    Just my $.02...

    --Jon
  • It must be Slushdot instead.

    News for Luddites. FUD that matters.

    To everyone worried about security holes that have never been exploited, the added bandwidth of streaming images and (god forbid) sound, and the thought that your microphone will be used to spy on you, here's a hint.

    INSTALL LYNX YOU LUDDITES!

    Thank you.
  • That is entirely up to the programmer. If he does it right load times can be as small as 30 seconds for a really rich flash document, as Flash MX now supports streaming audio and images that can be loaded from the server directly. MX also has new support for video (Sorenson) and is now at a very exciting stage. Btw a basic (text) flash document will actually be smaller in size than a similar HTML document, and security for the content is also better than basic HTML.
