
Re: What Package?



On Mon, 04 Apr 2016 13:36:17 +0000
Mark Fletcher <mark27q1@gmail.com> wrote:

> On Mon, Apr 4, 2016, 3:56 AM Adam Wilson <moxalt@riseup.net> wrote:
> 
> >
> > The discussion of "security" in non-free software is something of a
> > meaningless distinction, since non-free software is compromised by
> > default. Adobe Flash was always evil- if this perceived
> > "insecurity" is enough to help make people want to stop using it,
> > then by all means it should be promoted.
> >
> 
> I wish we could get a clear statement of what all the fuss is about re
> Flash. A complete stranger's unsupported assertion that Flash is evil
> just doesn't cut it. And shouting louder by repeating the statement
> over and over again, as some on this forum have done in the past,
> doesn't cut it either.

From the standpoint of ethics, Flash is most certainly unethical
(evil), since it violates the right of people to have freedom, to
control their own lives, and to control their own computing without
having some other party pushing us around and preventing us from having
true possession of the things we own.

When I call Flash evil, I am not referring to its design, but rather to
its nature in a system of ethics. It may be very well designed, for all
I care, but a benevolent dictatorship is still a dictatorship, and
should still be opposed.

> There are evidently serious flaws in Flash, either its design or its
> implementation, that warrant all the negativity,

Design and implementation are secondary to licensing- a free license is
necessary for us to even understand and study the design in the first
place. This means that it can be quite hard to understand the design
issues, and what we do know about the design and operation of non-free
programs is the result of deduction rather than open study, as should
be the case.

However, these arguments are probably falling on deaf ears. I shall
thus follow on to some secondary injustices caused by the primary
injustice (non-free software).

> but the odd thing is
> that the clear technical unbiased treatment of the issue seems to be
> completely swamped by quasi religious fervour. Those of us who
> haven't seen the facts, now can't find them. Can anyone point to
> anything unbiased that explains the issue?

I think that in this case, the distinction between a biased and an
unbiased source is somewhat irrelevant. Sources discussing Flash which
point out that it is malware will most certainly be hostile to Flash
and Adobe- sources defending Flash will be friendly to Flash and Adobe.
"Neutral" sources (such as they exist) discuss things more from a web
standards viewpoint rather than a discussion of the program in itself.

Flash is malware because:

It uses resilient "supercookies" (LSOs) to track users. Adobe has gone
out of its way to make these hard to get rid of- they are specifically
designed to weasel their way around browser cookie settings. (1)

Many pieces of Adobe's non-free software report back to Adobe
("checking in") every thirty days, disrupting people's work. The only
way to disable this feature is to stay disconnected from the internet.
(2)

Adobe Flash implements device fingerprinting which is used to track
users- information which can then, of course, be given to other
agencies (...). (3)

Adobe has implemented and been aggressively pushing DRM in Flash,
which is grief for honest end-users (4), restricts access to
information, and doesn't even move additional product (5). (6)

Flash causes vendor dependence; the completeness of its public
specifications is debatable, and no complete implementation of Flash is
publicly available in source form with a license that permits re-use,
so writing a free replacement is difficult. This is bad because open
formats are what make a format re-implementable- as a result, there is
not a single free implementation of Flash which is anywhere near usable
on the modern web. (7) (8) (9) (10)

Using Flash breaks conventions associated with normal HTML pages. (11)
(12) (13)

From Wikipedia: For many years Adobe Flash Player's security
record (14) has led many security experts to recommend against
installing the player, or to block Flash content. (15) (16) The
US-CERT recommends blocking Flash (17). Security researcher Charlie
Miller recommended "not to install Flash". (18) As of February 12,
2015, Adobe Flash Player has over 400 CVE entries (19), of which over
300 lead to arbitrary code execution, and past vulnerabilities have
enabled spying via web cameras. (20) (21) (22) (23) Security experts
have long predicted the demise of Flash, saying that with the rise of
HTML5 "....the need for browser plugins such as Flash is diminishing",
(24) yet a significant proportion of websites still use it. (25) (26)

(1) http://www.imasuper.com/2008/10/09/flash-cookies-the-silent-privacy-killer

(2) http://shallowsky.com/blog/gimp/non-free-software-surprises.html

(3) http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting

(4) http://www.eff.org/deeplinks/2008/01/2008-drm-continues-punish-paying-customers

(5) http://www.fistfulayen.com/blog/?p=127

(6) https://www.eff.org/deeplinks/2008/02/adobe-pushes-drm-flash

(7) https://en.wikipedia.org/wiki/Adobe_Flash#Vendor_dependence

(8) http://news.zdnet.com/2424-3515_22-199508.html

(9) https://www.youtube.com/watch?v=juer_YCitJE&t=11m50s

(10) https://www.youtube.com/watch?v=aYNLYIDZN48&t=22m52s

(11) http://www.useit.com/alertbox/20050711.html

(12) http://www.useit.com/alertbox/20001029.html

(13) http://www.skillsforaccess.org.uk/howto.php?id=101

(14) https://www.adobe.com/support/security/#flashplayer

(15) http://news.cnet.com/8301-27080_3-10396326-245.html

(16) http://www.zdnet.com/protect-yourself-from-flash-attacks-in-internet-explorer-7000003921

(17) http://www.us-cert.gov/reading_room/securing_browser

(18) http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own

(19) http://www.cvedetails.com/product/6761/Adobe-Flash-Player.html?vendor_id=53

(20) http://www.h-online.com/security/news/item/Adobe-remedies-webcam-spy-hole-in-Flash-1364631.html

(21) http://www.h-online.com/security/news/item/Flash-Player-as-a-spy-system-1073161.html

(22) http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html

(23) http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

(24) http://www.sophos.com/en-us/medialibrary/PDFs/other/sophossecuritythreatreport2013.pdf

(25) http://w3techs.com/technologies/history_overview/client_side_language/all

(26) http://www.fastcompany.com/3049920/tech-forecast/the-agonizingly-slow-decline-of-adobe-flash-player

Read this: https://en.wikipedia.org/wiki/Adobe_Flash_Player#Security.
There's more there, and I can't really be bothered to go on.

Just DuckDuckGo "adobe flash spying" or something to that effect.
