On Mon, 04 Apr 2016 13:36:17 +0000
Mark Fletcher <email@example.com> wrote:

> On Mon, Apr 4, 2016, 3:56 AM Adam Wilson <firstname.lastname@example.org> wrote:
>
> > The discussion of "security" in non-free software is something of a
> > meaningless distinction, since non-free software is compromised by
> > default. Adobe Flash was always evil- if this perceived
> > "insecurity" is enough to help make people want to stop using it,
> > then by all means it should be promoted.
>
> I wish we could get a clear statement of what all the fuss is about re
> Flash. A complete stranger's unsupported assertion that Flash is evil
> just doesn't cut it. And shouting louder by repeating the statement
> over and over again, as some on this forum have done in the past,
> doesn't cut it either.

From the standpoint of ethics, Flash is most certainly unethical (evil), since it violates the right of people to have freedom, to control their own lives, and to control their own computing without having some other party pushing us around and preventing us from having true possession of the things we own.

When I call Flash evil, I am not referring to its design, but rather to its nature in a system of ethics. It may be very well designed, for all I care, but a benevolent dictatorship is still a dictatorship, and should still be opposed.

> There are evidently serious flaws in Flash, either its design or its
> implementation, that warrant all the negativity,

Design and implementation are secondary to licensing- a free license is necessary for us to even understand and study the design in the first place. This means that it can be quite hard to understand the design issues, and what we do know about the design and operation of non-free programs is the result of deduction rather than open study, as should be the case.

However, these arguments are probably falling on deaf ears. I shall thus follow on to some secondary injustices caused by the primary injustice (non-free software).
> but the odd thing is
> that the clear technical unbiased treatment of the issue seems to be
> completely swamped by quasi religious fervour. Those of us who
> haven't seen the facts, now can't find them. Can anyone point to
> anything unbiased that explains the issue?

I think that in this case, the distinction between a biased and an unbiased source is somewhat irrelevant. Sources discussing Flash which point out that it is malware will most certainly be hostile to Flash and Adobe- sources defending Flash will be friendly to Flash and Adobe. "Neutral" sources (such as they exist) discuss things more from a web standards viewpoint rather than a discussion of the program in itself.

Flash is malware because:

It uses resilient "supercookies" (LSOs) to track users. Adobe has gone out of its way to make these hard to get rid of- they are specifically designed to weasel their way around browser cookie settings. (1)

Many pieces of Adobe's non-free software report back to Adobe ("checking in") every thirty days, disrupting people's work. The only way to disable this feature is to stay disconnected from the internet. (2)

Adobe Flash implements device fingerprinting which is used to track users- information which can then, of course, be given to other agencies (...). (3)

Adobe has implemented and been aggressively pushing DRM in Flash, which is grief for honest end-users (4), restricts access to information, and doesn't even move additional product (5). (6)

Flash causes vendor dependence; the completeness of its public specifications is debatable, and no complete implementation of Flash is publicly available in source form with a license that permits re-use, so writing a free replacement is difficult. This is bad because open formats are what make a format re-implementable- as a result, there is not a single free implementation of Flash which is anywhere near usable on the modern web. (7) (8) (9) (10)

Using Flash breaks conventions associated with normal HTML pages.
(11) (12) (13)

From Wikipedia:

For many years Adobe Flash Player's security record (14) has led many security experts to recommend against installing the player, or to block Flash content. (15) (16) The US-CERT recommends blocking Flash (17). Security researcher Charlie Miller recommended "not to install Flash". (18) As of February 12, 2015, Adobe Flash Player has over 400 CVE entries (19), of which over 300 lead to arbitrary code execution, and past vulnerabilities have enabled spying via web cameras. (20) (21) (22) (23) Security experts have long predicted the demise of Flash, saying that with the rise of HTML5 "....the need for browser plugins such as Flash is diminishing", (24) yet a significant proportion of websites still use it. (25) (26)

(1) http://www.imasuper.com/2008/10/09/flash-cookies-the-silent-privacy-killer
(2) http://shallowsky.com/blog/gimp/non-free-software-surprises.html
(3) http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting
(4) http://www.eff.org/deeplinks/2008/01/2008-drm-continues-punish-paying-customers
(5) http://www.fistfulayen.com/blog/?p=127
(6) https://www.eff.org/deeplinks/2008/02/adobe-pushes-drm-flash
(7) https://en.wikipedia.org/wiki/Adobe_Flash#Vendor_dependence
(8) http://news.zdnet.com/2424-3515_22-199508.html
(9) https://www.youtube.com/watch?v=juer_YCitJE&t=11m50s
(10) https://www.youtube.com/watch?v=aYNLYIDZN48&t=22m52s
(11) http://www.useit.com/alertbox/20050711.html
(12) http://www.useit.com/alertbox/20001029.html
(13) http://www.skillsforaccess.org.uk/howto.php?id=101
(14) https://www.adobe.com/support/security/#flashplayer
(15) http://news.cnet.com/8301-27080_3-10396326-245.html
(16) http://www.zdnet.com/protect-yourself-from-flash-attacks-in-internet-explorer-7000003921
(17) http://www.us-cert.gov/reading_room/securing_browser
(18) http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own
(19) http://www.cvedetails.com/product/6761/Adobe-Flash-Player.html?vendor_id=53
(20) http://www.h-online.com/security/news/item/Adobe-remedies-webcam-spy-hole-in-Flash-1364631.html
(21) http://www.h-online.com/security/news/item/Flash-Player-as-a-spy-system-1073161.html
(22) http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html
(23) http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html
(24) http://www.sophos.com/en-us/medialibrary/PDFs/other/sophossecuritythreatreport2013.pdf
(25) http://w3techs.com/technologies/history_overview/client_side_language/all
(26) http://www.fastcompany.com/3049920/tech-forecast/the-agonizingly-slow-decline-of-adobe-flash-player

Read this: https://en.wikipedia.org/wiki/Adobe_Flash_Player#Security. There's more there, and I can't really be bothered to go on. Just DuckDuckGo "adobe flash spying" or something to that effect.