
Next Flash Version Will Support Private Browsing

kdawson posted more than 4 years ago | from the en-oh-wye-bee dept.

Privacy 192

An anonymous reader writes "The world rolled its eyes when the problem of Flash cookies came to light several months ago. Even if you're careful about cookies or even if you use your browser's private surfing feature, sites can still track you through cookies stored by Flash. However, soon enough the next version of Flash, 10.1, will support private browsing and will integrate with browsers to turn it on when the browser itself is in private browsing mode. Browsers still store data during a private browser session, but they will delete it all at the end of the session. The same will be true of Flash private browsing."


Remind me why (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31162292)

Remind me why Flash needs to be stateful, again?

Re:Remind me why (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31162330)

Remind me why you stretched your ass, took pictures and then uploaded them, again?

Re:Remind me why (4, Interesting)

Cryacin (657549) | more than 4 years ago | (#31162638)

When spoken in the context of Flash, then yes, it makes perfect sense to not have those pesky 'shared objects' aka cookies on your machine.

However, with the advent of Flex (now Flashbuilder to confuse and confound more), there are many applications out there that legitimately store information on the client.
There has been a large mention of games already, but to that mix, I would add business software. There are many RIA's out there that manage data and distribution using Flex, and hence, pull a large amount of information from servers. Yes, sure, you could reload the data every time that you navigate away from a particular flash harness page, or you could store data within the shared object and not need to spend the vendor's bandwidth, nor stuff the client's pipe with information that was just sent a few minutes ago.

With the introduction of P2P channels in Flex 4, this opens up a whole range of possibilities to send data to a cluster of peers on a destination network, rather than clogging up outgoing pipes with information. There are a range of business cases for this technology.

That said, however, there is a need to curb the wild west attitude to data storage. There should be an option to default allow/deny/question whether Shared Objects should be allowed. Currently it is auto accept up to 100kb which falls outside of many legitimate applications anyway. Most importantly, there should be an option to always allow shared objects from a particular website.

We can't let the abuse of a technology preclude us from legitimate use when there are perfectly valid and reasonable strategies to manage and distinguish between positive and negative use cases.

Re:Remind me why (2, Informative)

DragonWriter (970822) | more than 4 years ago | (#31162758)

> However, with the advent of Flex (now Flashbuilder to confuse and confound more), there are many applications out there that legitimately store information on the client.
> There has been a large mention of games already, but to that mix, I would add business software. There are many RIA's out there that manage data and distribution using Flex, and hence, pull a large amount of information from servers. Yes, sure, you could reload the data every time that you navigate away from a particular flash harness page, or you could store data within the shared object and not need to spend the vendor's bandwidth, nor stuff the client's pipe with information that was just sent a few minutes ago.

Doesn't HTTP define a whole slew of metadata headers and specified caching behavior to specifically address this kind of thing? Why build "rich" web apps that don't leverage HTTP features that specifically address the need you are dealing with?

Re:Remind me why (2, Informative)

abulafia (7826) | more than 4 years ago | (#31163144)

> Doesn't HTTP define a whole slew of metadata headers and specified caching behavior to specifically address this kind of thing? Why build "rich" web apps that don't leverage HTTP features that specifically address the need you are dealing with?

HTTP page caching doesn't have semantics for things not of 'document' granularity. Think database records. People want to use these things as front ends to corporate directories and whatnot, be able to futz around with them on a plane, and have them sync when they're back in touch with the mothership. HTTP doesn't try to provide anything at all close to record level caching.

Re:Remind me why (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31162348)

Because Advertisers are the customers that matter, and they love having something that survives a naive "clear cookies" attempt by the pitiful consumer?

Re:Remind me why (2, Insightful)

davester666 (731373) | more than 4 years ago | (#31163046)

> Because Advertisers are the customers, and they....

Fixed that for you. People with the flash player aren't customers of Adobe's, because they aren't paying Adobe anything.

Just like, up until very recently, cell phones were designed for the needs of the manufacturers' customers, namely wireless carriers, and as such, were designed [and/or redesigned] to meet the desires of the wireless carriers. If actual end-users liked the design and/or specific features, those features had to be removed :-)

Re:Remind me why (2, Insightful)

digitalunity (19107) | more than 4 years ago | (#31163698)

Your example of cell phones is apt in this case. Innovation in the cell phone industry has been limited to what carriers will allow. I hope Google starts a trend to buck the subsidized phone business.

Cell phones have been capable of so much more for a long time, but in this case the true customers are the carriers - not the end users.

Flash is in an almost identical situation. Allowing even savvy end users to manage their privacy would hamper advertisers' efforts to track us. Flash is a dominant force because everyone uses it. If there is fragmentation, Adobe will lose its power, mindshare and eventually its revenue.

Re:Remind me why (0)

NecroPuppy (222648) | more than 4 years ago | (#31162390)

There are a number of flash based games which use the flash cookies to save info you might want around so you don't have to start from scratch each time.

Re:Remind me why (1)

chromas (1085949) | more than 4 years ago | (#31162502)

Using a browser cookie, generate the page calling the Flash applet and pass an identifier as a parameter.

Re:Remind me why (2, Informative)

sopssa (1498795) | more than 4 years ago | (#31162726)

That really adds unnecessary complexity. There are tons of those flash games sites and they would all need to generate same kind of database scheme or make a standard on how you pass the data between the site and flash applet.

Instead more controls about it is the way to go. Personally I would also like an option to globally disallow all cookies, but let it ask me if I want to save data.

I noticed earlier today that there's a beta of 10.1 out [adobe.com] and interestingly it also supports hardware accelerated video with NVidia cards. Lowered dramatically CPU usage when playing video in full-screen. Seems that this private browsing thing isn't included yet tho.

Re:Remind me why (0)

Anonymous Coward | more than 4 years ago | (#31163234)

The "added complexity" is a small Javascript which sets a browser cookie when the Flash object needs to store information and reads a browser cookie when the Flash object wants to read back its stored information. That script could very well be part of the standard "create a Flash object" cross-browser script that Adobe publishes on their website for Flash developers, thereby reducing the overhead for developers to zero.

Browsers should really be the only arbiter of state and information about the local system. If Flash wants to store/load some state or get a list of installed fonts, it should ask the browser, not the OS. Flash is supposed to be a plug-in, not a standalone application. A plug-in should obey the restrictions imposed by the host program. IMHO the plug-in interface needs to be changed to include a sandbox to prevent plug-ins from accessing storage and other information leaking system APIs.

BTW, I don't give a rat's ass about private browsing modes. I configure my browser like that by default. My browser of choice doesn't even have a private browsing mode. If that means that Flash will happily store Flash cookies, then that's a complete privacy failure. Well, it would be if I allowed Flash in my primary browser or had not prevented it from creating persistent state in the other browser. Flash will not be back in my main browser before it stops giving advertisers more information about my system than the browser alone would.

Re:Remind me why (1)

BoppreH (1520463) | more than 4 years ago | (#31162904)

You talk as if it's the game developer's fault that browsers treat Flash cookies differently. It's not the Flash player that controls what will be erased when the user clears his navigation history.

Re:Remind me why (0)

Anonymous Coward | more than 4 years ago | (#31163304)

Flash cookies are beyond the control of the browser. For example, they're shared between all browsers that use the Flash plug-in, so no single browser can simply delete them: The user most likely will not understand that "delete all cookies" means that his highscores in the other browser which he uses for games are also going to be deleted.

A Flash game developer could use browser cookies to store state, but of course they won't, because it's easier to use Flash cookies and they're more likely to survive, because most users don't know they're there, let alone how to delete them. This is very clearly Adobe's fault. The introduction of a form of persistence separate from browser cookies was unnecessary and the privacy user interface is an abomination. An improvement of the user interface is hardly enough. Flash cookies need to go, period.

Re:Remind me why (1)

DragonWriter (970822) | more than 4 years ago | (#31162678)

> There are a number of flash based games which use the flash cookies to save info you might want around so you don't have to start from scratch each time.

If it's a flash-based game on an account-based site, you could just save the state to a resource on the server linked to the user account and restore it from that the next time the user opened the game.

This also doesn't rely on the user using the same browser to continue the game.

Re:Remind me why (2, Informative)

Rejemy (78237) | more than 4 years ago | (#31162798)

Flash cookies are shared by all browsers.

Re:Remind me why (1)

DragonWriter (970822) | more than 4 years ago | (#31162872)

> Flash cookies are shared by all browsers.

On the same computer, sure; I was somewhat imprecise in my language. When I referred to a different browser, I really meant a browser on a different computer. Transparency to the use of which is, I would think, one of the main reasons to want to use an internet-based application (game or otherwise) rather than something locally-installed.

Re:Remind me why (3, Informative)

broken_chaos (1188549) | more than 4 years ago | (#31162400)

Online games are a major user (as opposed to abuser) of storing data with Flash. There are some that actually are complex and long enough (and fun, too!) to warrant a save function. It can also be mildly-to-moderately helpful for some other Flash 'applications', like a video/audio player storing settings like volume levels.

Re:Remind me why (2, Informative)

Wingman 5 (551897) | more than 4 years ago | (#31162412)

I can give one good legitimate example, flash games. It allows you to save your game and allow a more complex game that could need more than one sitting to beat.

Re:Remind me why (1)

Rejemy (78237) | more than 4 years ago | (#31162826)

It's very useful for games. Let's say you've made an online game, and you want settings for things like volume, key controls, etc. Sure, you could have the server remember those things and send them up to the flash player each time. But what if you have a different keyboard at home and want a different key layout? What if you want the volume off at work, but on at home? These are perfect applications for client-side flash variables.

Re:Remind me why (0)

Anonymous Coward | more than 4 years ago | (#31162958)

> It's very useful for games. Let's say you've made an online game, and you want settings for things like volume, key controls, etc.

I can give another good and equally redundant example, flash games. Online games are a major user (as opposed to abuser) of storing data with Flash. There are some that actually are complex and long enough (and fun, too!) to warrant a save function.

Re:Remind me why (2, Informative)

Anonymous Coward | more than 4 years ago | (#31163082)

Sorry for comment hijacking.

Adobe provides Flash Settings Manager [macromedia.com] to allay your privacy concerns. Of course, it is not very user-friendly for average Joe but average Joe probably can't be bothered about privacy anyway. And there is "Delete All" button as well, for paranoids.

Horay! (4, Funny)

Wingman 5 (551897) | more than 4 years ago | (#31162298)

Now I can plan that birthday party without anyone knowing.

On a more serious note (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31162336)

I am very interested in hearing what you, my fellow Slashdot readers, would consider to be 'mysterious piss'. Let me know your own thoughts and feelings on this issue! I'm looking for some real insightful comments here, so be detailed, and let your mind take you into the world of 'mysterious piss'.

Re:On a more serious note (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31163270)

> I am very interested in hearing what you, my fellow Slashdot readers, would consider to be 'mysterious piss'. Let me know your own thoughts and feelings on this issue! I'm looking for some real insightful comments here, so be detailed, and let your mind take you into the world of 'mysterious piss'.

You can learn much more about mysterious piss by signing up for an email newsletter at www.mysteriouspiss.com [rupissed.com] . Make sure you have flash enabled.

And remember, never, ever, piss into the wind, and always designate a driver!

Re:Horay! (0)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31162372)

All my "birthday parties" end up being absorbed by tissues. I'm not sure why I keep bothering to plan them...

Re:Horay! (1)

catd77 (1743104) | more than 4 years ago | (#31163224)

Well, then they don't find out about the surprise party. OR whatever you call it.

Crontab to Delete Flash Cookies (2, Interesting)

baez (873590) | more than 4 years ago | (#31162300)

So I've been using this line in my crontab for a long time now without any problems (well no more problems than I usually experience with Flash under Linux):

* * * * * rm -fr /home/me/.macromedia

I think this solves the problem, but maybe I'm mistaken...?

Re:Crontab to Delete Flash Cookies (0)

Anonymous Coward | more than 4 years ago | (#31162402)

Perhaps just "sudo chown root:root /home/me/.macromedia" to prevent flash from storing files to begin with?

Re:Crontab to Delete Flash Cookies (1, Informative)

Anonymous Coward | more than 4 years ago | (#31162484)

I tried that and found some sites no longer worked. The "Zero Punctuation" videos were one I remember.

Re:Crontab to Delete Flash Cookies (2, Informative)

Anonymous Coward | more than 4 years ago | (#31162408)

sudo chown 0:0 .macromedia
sudo chmod 0000 .macromedia

Re:Crontab to Delete Flash Cookies (1)

Bottles (1672000) | more than 4 years ago | (#31162458)

The other option is to make that directory non-writable, which is what I've done on every machine I own.

Re:Crontab to Delete Flash Cookies (1)

baez (873590) | more than 4 years ago | (#31162476)

I like the idea of chown/chmod on the directory. I'll have to give that a shot.

I did just look again, and it appears that they've changed the storage directory to:

/home/me/.adobe/Flash_Player/AssetCache

use 'shred' not 'rm'. or encrypt your hard drive. (1)

ericbg05 (808406) | more than 4 years ago | (#31162632)

> So I've been using this line in my crontab for a long time now without any problems (well no more problems than I usually experience with Flash under Linux):
>
> * * * * * rm -fr /home/me/.macromedia
>
> I think this solves the problem, but maybe I'm mistaken...?

That depends on your threat model. Your cron job might keep your kid brother from discovering your cookies. If you *really* don't want people to know what flash is caching, I'd s/rm -rf/shred -uf/ there for starters. Then I'd think about putting my whole OS on an encrypted partition (trivial these days with Fedora, not sure about other distribs).

Of course, you still have problem with sniffing and all manner of malware, all of which could defeat your goal of preventing people from knowing what kind of flash content you're downloading.

I hung out with Bruce Schneier for a 1-hour talk once. If you want to scale up your paranoia further, you can do what he does: never let your computer touch a network or another person's hands. He has no wireless card, never plugs an ethernet cord into the slot, and never gives his compy to anyone else. Very difficult to sniff traffic that doesn't exist (but not [zdnet.com] impossible).
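
Added example, not part of any comment in this thread: a shell sketch of the cleanup discussed above (the cron `rm`, the `shred` suggestion, and the wish to keep game saves) that removes Flash shared objects per site instead of wiping the whole directory. It assumes the Linux layout `<root>/Flash_Player/#SharedObjects/<random-id>/<domain>/...` under `~/.macromedia`; the function names, the allowlist and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed layout (Flash Player on Linux):
#   <root>/Flash_Player/#SharedObjects/<random-id>/<domain>/.../<name>.sol
# where <root> is ~/.macromedia, the directory named in the comments above.

# site_of FILE ROOT: print the <domain> component of a shared-object path.
site_of() {
    local prefix="$2/Flash_Player/#SharedObjects/" rel
    rel=${1#"$prefix"}        # <random-id>/<domain>/...
    rel=${rel#*/}             # <domain>/...
    printf '%s\n' "${rel%%/*}"
}

# is_allowed DOMAIN ALLOW...: succeed if DOMAIN equals, or is a subdomain of,
# one of the allowlisted entries. "notkongregate.com" does not match.
is_allowed() {
    local domain="$1" entry
    shift
    for entry in "$@"; do
        [ "$domain" = "$entry" ] && return 0
        case $domain in *."$entry") return 0 ;; esac
    done
    return 1
}

# lso_sites ROOT: audit step, prints "<domain> <file count>" per site.
lso_sites() {
    local store="$1/Flash_Player/#SharedObjects" file
    [ -d "$store" ] || return 0
    find "$store" -type f -name '*.sol' | while IFS= read -r file; do
        site_of "$file" "$1"
    done | sort | uniq -c | awk '{print $2 " " $1}'
}

# purge_lsos ROOT ALLOW...: delete every .sol file whose site is not
# allowlisted, then prune emptied directories (their names are the visited
# domains, so leaving them behind still leaks history). Prints the number
# of files removed.
purge_lsos() {
    local root="$1" store list file removed=0
    shift
    store="$root/Flash_Player/#SharedObjects"
    [ -d "$store" ] || { echo 0; return 0; }
    list=$(mktemp) || return 1
    find "$store" -type f -name '*.sol' > "$list"
    while IFS= read -r file; do
        if is_allowed "$(site_of "$file" "$root")" "$@"; then continue; fi
        # shred overwrites before unlinking; fall back to rm where it is missing
        if command -v shred >/dev/null 2>&1; then
            shred -uf -- "$file"
        else
            rm -f -- "$file"
        fi
        removed=$((removed + 1))
    done < "$list"
    rm -f -- "$list"
    # rmdir fails quietly on directories that still hold allowlisted data
    find "$store" -mindepth 1 -depth -type d -exec rmdir {} \; 2>/dev/null || true
    echo "$removed"
}

# make_sample_tree: build a constructed tree (sample data, not real Flash
# storage) in a temp directory and print its root.
make_sample_tree() {
    local root so
    root=$(mktemp -d) || return 1
    so="$root/Flash_Player/#SharedObjects/AB12CD34"
    mkdir -p "$so/kongregate.com/game" "$so/chat.kongregate.com" \
             "$so/ads.tracker.example/a/b"
    printf 'save'  > "$so/kongregate.com/game/save.sol"
    printf 'prefs' > "$so/chat.kongregate.com/prefs.sol"
    printf 'id1'   > "$so/ads.tracker.example/a/uid.sol"
    printf 'id2'   > "$so/ads.tracker.example/a/b/uid2.sol"
    printf '%s\n' "$root"
}

# Demo on the constructed tree: audit, purge with one allowlisted site, audit.
demo_root=$(make_sample_tree)
echo "before:"; lso_sites "$demo_root"
echo "removed: $(purge_lsos "$demo_root" kongregate.com)"
echo "after:";  lso_sites "$demo_root"
rm -rf -- "$demo_root"
```

Against a real profile the call would be `purge_lsos "$HOME/.macromedia" kongregate.com`; overwriting with `shred` is only meaningful on filesystems that rewrite blocks in place.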

Re:use 'shred' not 'rm'. or encrypt your hard driv (1)

solevita (967690) | more than 4 years ago | (#31162706)

> I hung out with Bruce Schneier for a 1-hour talk once. If you want to scale up your paranoia further, you can do what he does: never let your computer touch a network or another person's hands. He has no wireless card, never plugs an ethernet cord into the slot, and never gives his compy to anyone else. Very difficult to sniff traffic that doesn't exist (but not [zdnet.com] impossible).

That must make keeping his blog updated tricky though...

Re:use 'shred' not 'rm'. or encrypt your hard driv (0)

Anonymous Coward | more than 4 years ago | (#31162790)

> That must make keeping his blog updated tricky though...

He probably uses many machines, one per threat model.

Re:use 'shred' not 'rm'. or encrypt your hard driv (2, Funny)

caluml (551744) | more than 4 years ago | (#31163426)

> He has no wireless card, never plugs an ethernet cord into the slot, and never gives his compy to anyone else.

Meh. I hacked his computer twice. Once over Bluetooth, and then again over Infrared. All I found were secret plans of his to dominate the world - nothing unusual.

Re:use 'shred' not 'rm'. or encrypt your hard driv (1)

caluml (551744) | more than 4 years ago | (#31163474)

> never let your computer touch a network or another person's hands. He has no wireless card, never plugs an ethernet cord into the slot, and never gives his compy to anyone else.

I wonder what it must be like to be as paranoid as him?
And seriously - at what point does a computer lose its usefulness - for me, it's pretty much when it has no network connectivity. I'm at a loss when I'm on a machine with no connectivity. It's like it isn't much use for anything.

That's simply not an adequate response (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31162344)

Sorry Adobe, but it's time for HTML5.

Re:That's simply not an adequate response (5, Insightful)

Rejemy (78237) | more than 4 years ago | (#31162752)

By which you mean "it's time for HTML5 in 3 years when IE9 penetration is high enough, assuming IE9 supports HTML5 when and if it comes out".

Re:That's simply not an adequate response (1)

catd77 (1743104) | more than 4 years ago | (#31163230)

OR If everyone somehow miraculously switches to a web browser like Firefox or Chrome that are actually safe and fast.

Re:That's simply not an adequate response (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31163456)

> OR If everyone somehow miraculously switches to a web browser like Firefox or Chrome that are actually safe and fast.

Give me a break, Opera is much faster and far more secure than Firefox or Chrome, and consumes far fewer resources. They should change the name from Firefox to Firehog for all the memory leaks that grind any system down to a halt if you use it for more than one or two tabs.

Re:That's simply not an adequate response (1)

kiddygrinder (605598) | more than 4 years ago | (#31163620)

it may be faster but the last time i used it oprah web browser gave me cancer. ymmv.

Re:That's simply not an adequate response (0)

Anonymous Coward | more than 4 years ago | (#31163440)

Sorry pal, the hot linking alone makes HTML5 an economic liability to the Web 2.0 business model. While it may make headway in niche markets it will never take the top spot in sites that people actually want to visit. I'm afraid unless you got something cooking today that Flash is going to be king for at least another few years.

You may bemoan MS for catering to the non-open-as-in-speech crowd but these are the people with the real pull. MS (on the internet) is pulled by vendors, not the other way around.

HTML5 is not an adequate response (4, Interesting)

Dr.Syshalt (702491) | more than 4 years ago | (#31162858)

Does HTML5 provide the same level of rich client platform development as Flash/Flex? With numerous widgets just like in Motif/MFC, just easier to use? (MXML just shines in GUI development, far beyond what Motif/MFC/AWT/Swing offer).

Does HTML5 allow you to play video with some advertisement in a running text over it?

Does HTML5 protect your video site from hotlinking? I.E. can you make sure that nobody can embed your videos into their pages and make sales while you pay for the bandwidth?

Sorry, HTML5 'video', 'audio' tags and other dings and whistles... you have your place (probably on YouTube), but you ain't gonna replace Flash anytime soon. Especially not on commercial sites (like pr0n tubes), not for RCP development either. World needs a full-blown rich client platform for the browsers and so far Adobe has been the only one who were able to provide a cross-platform, browser-independent solution. And they did it quite well, despite some quirks. Sun with JavaFX has failed... would you like MS to take over with their Windows-only Silverlight technology?

Re:HTML5 is not an adequate response (0)

Anonymous Coward | more than 4 years ago | (#31162926)

None of those things should be done in the browser. NONE OF THEM.

Re:HTML5 is not an adequate response (5, Informative)

Anonymous Coward | more than 4 years ago | (#31163072)

> Does HTML5 provide the same level of rich client platform development as Flash/Flex? With numerous widgets just like in Motif/MFC, just easier to use? (MXML just shines in GUI development, far beyond what Motif/MFC/AWT/Swing offer).

Sure. HTML combined with CSS and Javascript / AJAX will do 80-90% of what Flash is used for.

> Does HTML5 allow you to play video with some advertisement in a running text over it?

Sure. Just use a CSS layer.

> Does HTML5 protect your video site from hotlinking? I.E. can you make sure that nobody can embed your videos into their pages and make sales while you pay for the bandwidth?

This is a HTTP issue and server side security issue. It is trivial to grep a Flash file for the raw SWF download location most times.

> Sorry, HTML5 'video', 'audio' tags and other dings and whistles... you have your place (probably on YouTube), but you ain't gonna replace Flash anytime soon. Especially not on commercial sites (like pr0n tubes), not for RCP development either. World needs a full-blown rich client platform for the browsers and so far Adobe has been the only one who were able to provide a cross-platform, browser-independent solution. And they did it quite well, despite some quirks. Sun with JavaFX has failed... would you like MS to take over with their Windows-only Silverlight technology?

Hardcore Flash games I can see and some super heavy duty flash "applications", but so often this can be done in HTML with CSS / AJAX. The designers are normally just clueless and have no wish to learn code or how stuff works after taking their 1-week Adobe course and getting accreditation as a "web developer".

Re:HTML5 is not an adequate response (0)

Anonymous Coward | more than 4 years ago | (#31163096)

> Does HTML5 provide the same level of rich client platform development as Flash/Flex? With numerous widgets just like in Motif/MFC, just easier to use? (MXML just shines in GUI development, far beyond what Motif/MFC/AWT/Swing offer).

Care to offer specifics or just leave it at a rant?

> Does HTML5 allow you to play video with some advertisement in a running text over it?

yes, HTML 5 can do this

> Does HTML5 protect your video site from hotlinking? I.E. can you make sure that nobody can embed your videos into their pages and make sales while you pay for the bandwidth?

Your web server can do this for you....have it send alternate content

> Sorry, HTML5 'video', 'audio' tags and other dings and whistles... you have your place (probably on YouTube), but you ain't gonna replace Flash anytime soon. Especially not on commercial sites (like pr0n tubes), not for RCP development either. World needs a full-blown rich client platform for the browsers and so far Adobe has been the only one who were able to provide a cross-platform, browser-independent solution. And they did it quite well, despite some quirks. Sun with JavaFX has failed... would you like MS to take over with their Windows-only Silverlight technology?

Sorry, but your ill informed thoughts around HTML 5 and the horrid Adobe Flash / M$ Silverturd proprietary environments blinds you to the reality of where the web is heading. The world does not need a full blown rich client platform in the form of a proprietary, patent encumbered plug-in.

Re:HTML5 is not an adequate response (2, Insightful)

h4rr4r (612664) | more than 4 years ago | (#31163100)

Not everything should be done in the webbrowser.

Get off my lawn!

Re:That's simply not an adequate response (1)

westlake (615356) | more than 4 years ago | (#31163236)

> Sorry Adobe, but it's time for HTML5.

When will there be a final HTML 5 standard to support?

Firefox extensions (5, Informative)

pydev (1683904) | more than 4 years ago | (#31162354)

Get FlashBlock [mozilla.org] or NoScript [mozilla.org] to turn off flash altogether.

Get BetterPrivacy [mozilla.org] to automatically delete Flash cookies on exit; it seems to work well.

On OS X... (2, Informative)

Anonymous Coward | more than 4 years ago | (#31162748)

On OS X just delete all the downloaded content & local shared objects, then lock the folders:

~/Library/Caches/Adobe/Flash\ Player/AssetCache
~/Library/Preferences/Macromedia/Flash\ Player

Flash thinks it can save local shared objects, so things like Pandora work (if you're into that -- I'm not), but nothing is actually saved.

Using the "locked" flag on the folders is better than using restrictive permissions since apps and installers often require you temporarily grant them admin privileges to reinstall or fix their folders if they don't like the permissions. They usually don't, however, look for the locked flag, nor know how to change it / work around it.

Please don't tell Adobe you can do this.

Re:On OS X... (0)

Anonymous Coward | more than 4 years ago | (#31162978)

or you can use Flash Settings Manager [macromedia.com]

Re:On OS X... (1)

mrmeval (662166) | more than 4 years ago | (#31163700)

Is this like the immutable bit?

I'm to the point of spawning a bunch of ram drives when I start firefox which are destroyed when I close it.

Oh snap... (1)

FF8Jake (929704) | more than 4 years ago | (#31162376)

This will also introduce the "alert('omigoshhaxedurflashcookie')" vulnerability.

Better Privacy extension (3, Informative)

harmonise (1484057) | more than 4 years ago | (#31162378)

This feature is here now for Firefox users with the Better Privacy [mozilla.org] extension.

FLASH, another word for BEND OVER (0)

Anonymous Coward | more than 4 years ago | (#31162424)

bend over baby

Burn All Flashes (4, Insightful)

Renderer of Evil (604742) | more than 4 years ago | (#31162434)

Remember this site? http://burnallgifs.org [burnallgifs.org]

We need a similar campaign for Adobe Flash. It's dinosaur technology built for the internet stone age. Time to get rid of it for good.

Re:Burn All Flashes (3, Insightful)

BoppreH (1520463) | more than 4 years ago | (#31162584)

I'm not sure about you, but I prefer playing Flash games instead of downloading suspicious .exe files.

If you don't play Flash games, it's not a good reason to forbid everyone else to do so.

You said you prefer suspicious .exe files (-1)

Anonymous Coward | more than 4 years ago | (#31162634)

flash files can be just as suspicious as .exe files

Re:You said you prefer suspicious .exe files (1)

BoppreH (1520463) | more than 4 years ago | (#31162666)

You are telling me that the chances of getting a virus from a .swf file is the same as a .exe one? Really?

Yeah, there are exploits every now and then, but I have yet to know someone affected by them.

Re:You said you prefer suspicious .exe files (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31162762)

Try visiting (WARNING this will likely crash your browser if you have flash installed) this page [dempsky.org] then. If you have Flash installed, your browser will likely crash. Adobe have known about this issue for years, but marked the bug 'private' whilst bullshitting that there were no known exploits in their engine. You can read about it via the reddit page [reddit.com] - and this is just one of many similar 'known but undisclosed' issues

Re:You said you prefer suspicious .exe files (2, Funny)

larry bagina (561269) | more than 4 years ago | (#31162898)

A buddy of mine got a virus from a single white female. He has all kinds of exploits, though ... drinking, fucking, disorderly conduct, etc.

Re:You said you prefer suspicious .exe files (1)

mysidia (191772) | more than 4 years ago | (#31163290)

That depends on what version of flash you're running, how many unpatched 0-day vulnerabilities it contains, and if the person who constructed the .swf for you knew about them.

On the other hand... by sheer numbers, there are probably more dangerous .EXE files in circulation than .SWF files, numerically speaking.

The suspicious .EXE file almost certainly is highly dangerous... the suspicious .SWF might be (under certain conditions), when not run in a proper sandbox, or with additional precautions such as IDS to jail flash or the browser from running or installing arbitrary code.

You have a much better shot viewing a flash file when running MSIE 8 in Protected mode on Windows 7, than clicking 'run' on a suspicious .EXE file on your windows system, or even suspicious .SH file on your Linux system.

Re:You said you prefer suspicious .exe files (1)

mysidia (191772) | more than 4 years ago | (#31163220)

I prefer suspicious .dmg, .img, .iso files, and suspicious printed CDs with suspicious C:\autorun.inf files :)

Re:Burn All Flashes (1)

Fex303 (557896) | more than 4 years ago | (#31162680)

Ah yes... because that campaign was completely successful.

I can barely remember the last time I came across a site that uses GIF images...

Re:Burn All Flashes (1)

BoppreH (1520463) | more than 4 years ago | (#31162778)

I bet you can't remember the last time that you came across a site that uses patented GIF images, which was the point of the campaign.

Re:Burn All Flashes (1)

larry bagina (561269) | more than 4 years ago | (#31162942)

The point of the campaign was to sit around pulling their pud for 5 years until the patent expired? Are they also in charge of the "Don't re-elect Barack Obama in 2016" campaign?

Re:Burn All Flashes (1)

blitzkrieg3 (995849) | more than 4 years ago | (#31162750)

burnallmpegs.org makes more sense, since it's technologies like h.264 that are preventing widespread use of the tag.

Apostophe usage problem (3, Insightful)

sych (526355) | more than 4 years ago | (#31162466)

"The world rolled its eyes when the problem of Flash cookies came to light several months ago.[...]"

There, fixed that for you.

Re:Apostophe usage problem (2, Funny)

noidentity (188756) | more than 4 years ago | (#31162944)

I think the original was just missing quotes. I read it as

The world rolled, "It's eyes!" when the problem of Flash cookies came to light several months ago.

where they were using the 19th definition of rolled: 19. To make a sustained, trilling sound, as certain birds do. In other words, it was another way of saying they Tweeted it. Clearly they were referring to the fact that these cookies flashed a bright light, and were answering the question of the thing they affect. Their answer was "it is eyes!". Simple, really.

Re:Apostophe usage problem (0)

Anonymous Coward | more than 4 years ago | (#31163066)

You spelled apostrophe wrong, dick.

You better be careful with my Flash cookies (1)

BoppreH (1520463) | more than 4 years ago | (#31162534)

That's where I store my saves for sites like Kongregate [kongregate.com].

Please, think of the Flash games.

Re:You better be careful with my Flash cookies (0)

Anonymous Coward | more than 4 years ago | (#31163414)

That's where I store my saves for sites like Kongregate [kongregate.com].

Please, think of the Flash games.

Isn't this patented?

http://www.freepatentsonline.com/6714926.html

Surf with VM and revert to snapshot (3, Insightful)

OnTheEdge (136784) | more than 4 years ago | (#31162550)

Surf using a virtual machine and revert to a stored snapshot upon close. Problem solved.

And after that.. (3, Insightful)

Peter Cooper (660482) | more than 4 years ago | (#31162608)

After that feature, could they make Flash respect the "Block Pop Up Windows" features in Safari and Firefox? I expect NO popups when I have this set.. yet Flash seems to be able to open them still!

Change Permissions on Flash Cookie Directory (1)

caffeinejolt (584827) | more than 4 years ago | (#31162652)

A while back I got tired of everybody tracking me online so I cracked down on permanent browser storage. I ended up getting rid of all cookies on browser close and ran these commands:

rm -rf ~/.macromedia/Flash_Player/*
rm -rf ~/.adobe/Flash_Player/*

With sudo:
chown -R root:root /home/user/.macromedia /home/user/.adobe/Flash_Player/
chmod -R 0600 /home/user/.macromedia /home/user/.adobe/Flash_Player/

The flash cookie problem was solved and I have not noticed anything has changed. Of course, I don't really see much flash other than flash ads - so it might break some things I am unaware of.

On windows the same directories are stored elsewhere - but the same overall technique should work fine I would think.

be sure to fully close between session types... (1, Informative)

Anonymous Coward | more than 4 years ago | (#31162702)

From the article:
"Likewise, if the browser is in normal browsing mode when the Flash Player instance is created, then that particular instance will forever be in normal browsing mode (private browsing is turned off). Accordingly, toggling private browsing on or off without refreshing the page or closing the private browsing window will not impact Flash Player."
So be sure you close all your ff windows and fully close, then start a fresh session, and enter private browsing mode before hitting any sites, then fully close and start a fresh session before resuming normal browsing.

Overreacting? (2, Interesting)

BoppreH (1520463) | more than 4 years ago | (#31162704)

The website knows that I'm the same person as before. So what?

Can someone explain to me how this can be used against me if the cookies are stored in my personal computer?

Re:Overreacting? (3, Insightful)

Anonymous Coward | more than 4 years ago | (#31162950)

The reason is that third party ad sites use Flash ads.

You visit site A which is about midget pr0n, third party site drops a cookie there.
You reset your IP address.
You visit site B which is about beer bongs, same third party sees the cookie it dropped when you were at site A, stores that info combined with your IP in a database.
You visit site C which is about fart lighting, same third party fetches the LSO and knows that you have been to the above two sites even though you had "pr0n mode" active on your browser which clears cookies.

On some sites, every page you click on, ad servers check the LSO and can build a definite profile on you that follows you even if the browser clears cookies, and even when you change IPs.

Later on, you enter some username/password information in on a site. *bam* They now have a name to the profile and browser history. This now can be sold to anyone who wants it, be it an estranged spouse, a would-be employer, or an adversary in a lawsuit who will use the information in front of a jury to humiliate.

This is a great boon for data miners, not a good thing for consumers.

Re:Overreacting? (1)

BoppreH (1520463) | more than 4 years ago | (#31163272)

That would be indeed very disturbing, but your hypothesis is technically flawed.

Flash files can not access cookies placed by other domains, i.e. the cookies are partitioned. Pay a visit to your Flash cookies directory and this differentiation becomes very clear, there's a different folder for each website domain.
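The check suggested in the comment above (look in the Flash cookie directory and see one folder per domain) can be scripted. This is an added example, not part of any comment in the thread: the two root directories are the ones named earlier in the thread, while the `#SharedObjects/<profile-id>/<domain>/` layout and the function names `lso_domains` and `lso_report` are assumptions.

```shell
#!/bin/sh
# Added example: count Flash local shared objects (.sol) per storing domain.
# Assumed layout (not stated in the thread):
#   ROOT/#SharedObjects/<profile-id>/<domain>/.../*.sol

# Print "<count> <domain>" lines for one Flash Player root, busiest first.
lso_domains() {
    root=$1
    # A missing store (never used, or already deleted) is not an error.
    [ -d "$root/#SharedObjects" ] || return 0
    # 2>/dev/null: directories the current user cannot read are skipped
    # quietly instead of printing errors.
    find "$root/#SharedObjects" -type f -name '*.sol' 2>/dev/null |
    while IFS= read -r f; do
        rel=${f#"$root/#SharedObjects/"}   # <profile-id>/<domain>/...
        rel=${rel#*/}                      # drop the profile id
        printf '%s\n' "${rel%%/*}"         # keep only the domain folder
    done |
    LC_ALL=C sort | uniq -c | awk '{print $1, $2}' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# Report both roots named in the thread and whether Flash can still write there.
lso_report() {
    for root in "$HOME/.macromedia/Flash_Player" "$HOME/.adobe/Flash_Player"; do
        if [ -w "$root" ]; then state=writable; else state="not writable"; fi
        printf '%s (%s)\n' "$root" "$state"
        lso_domains "$root" | sed 's/^/  /'
    done
}

# Only touch the real home directory when asked to.
if [ "${1:-}" = "--report" ]; then lso_report; fi
```

Domains in the output that you never visited directly belong to third-party hosts whose SWF files were embedded in pages you did visit.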

Re:Overreacting? (3, Informative)

base3 (539820) | more than 4 years ago | (#31163702)

Yeah, but the advertising networks that advertise on the midget pr0n site, the beer bong site, the church site, etc. are all pushing Flash ads from the same domain and know what sites their ads were served from, so his hypothesis isn't all that flawed.

This doesn't really solve the problem... (0)

Anonymous Coward | more than 4 years ago | (#31162720)

I thought that the main problem wasn't that flash stored its own cookies, but that it doesn't separate the cookies by each flash program/website. The main problem being that any flash program can access the information. All this "private browsing" feature seems to do is delete the cookies, but if you delete the cookies after each session then what's the point of using cookies to begin with?

Re:This doesn't really solve the problem... (1)

Rejemy (78237) | more than 4 years ago | (#31162764)

That is incorrect. At the most permissive mode, a flash program can only access cookies from the same domain as where it was loaded from.

Re:This doesn't really solve the problem... (2, Interesting)

BoppreH (1520463) | more than 4 years ago | (#31162848)

It's a different issue, but localhost is considered a domain, thus making all local Flash files share cookies.

Yeah, nice design (1)

dangitman (862676) | more than 4 years ago | (#31162884)

However, soon enough the next version of Flash, 10.1, will support private browsing and will integrate with browsers to turn it on when the browser itself is in private browsing mode.

That's such an elegant and simple design, that isn't problematic at all! I mean, who cares about essentially having a browser within your browser, as long as your browser can communicate stuff to the other browser, at the whim of each browser developer?

Re:Yeah, nice design (1)

BoppreH (1520463) | more than 4 years ago | (#31162920)

Yo dawg, I herd you like browsers...

It's all happening again! (1)

dangitman (862676) | more than 4 years ago | (#31163306)

I wonder if there might be a slashdot thread for this slashdot thread?

Re:Yeah, nice design (1)

ceoyoyo (59147) | more than 4 years ago | (#31163292)

It's kind of like the idea of having an OS within the OS. Now the sub-OS gets to run a browser.

Re:Yeah, nice design (1)

dangitman (862676) | more than 4 years ago | (#31163416)

It's kind of like the idea of having an OS within the OS. Now the sub-OS gets to run a browser.

That's so comforting.

Several months ago? (1)

NotBorg (829820) | more than 4 years ago | (#31163002)

... when the problem of Flash cookies came to light several months ago.

several: of an indefinite number more than 2 or 3 but not many.

Most of us knew about this many months ago. If you only found out several months ago you are behind the curve.

It would be nice if Adobe was responding to an issue that was discovered several months ago, but this has been around and known for quite some time. Make no mistake about it: Adobe isn't being quick to respond to the issue.

Re:Several months ago? (1)

XorNand (517466) | more than 4 years ago | (#31163662)

I personally implemented a Flash tracking cookie for an e-commerce site I developed back in 2002. The only thing it did was store a GUID. I was using it to track user metrics and remember shopping cart contents. I did it because back then cookie paranoia was much more widespread and people more routinely blocked them. These days, most web users don't seem to care. Perhaps because so many sites nowadays require cookies for basic functionality.

FlashBlock (4, Informative)

shovas (1605685) | more than 4 years ago | (#31163084)

Someone mentioned it in passing but I'll say it directly: FlackBlock [mozilla.org]

I'm not one to turn off the web with NoScript or not contribute to sites I'm visiting by using AdBlock. FlashBlock is a great compromise. Normal ads, no stupid flash instability. Click on the flash when you actually want it to run, where it's actually needed. You'll be surprised how well it works.

s/FlackBlock/FlashBlock/ (1)

shovas (1605685) | more than 4 years ago | (#31163092)

s/FlackBlock/FlashBlock/

Flash must die (0)

Anonymous Coward | more than 4 years ago | (#31163260)

Anyone EVER visit a flash site and think, "man... wish the designer used MORE flash." Let's just get rid of flash... or at least beat it into submission so it only shows in spaces that make sense... er.... well... I'm open to suggestions.

Sounds great (1)

Locke2005 (849178) | more than 4 years ago | (#31163382)

When will Flash 10.1 be available for my Android G1 phone? How 'bout my Wii? How 'bout any device that isn't X86 based? Yes, Adobe's reluctance to support any platform other than a PC is the main reason why I think Flash should die a horrible (but quick) death and everybody should switch to HTML5 instead. Heck, I think even Silverlight is better supported by mobile devices than the latest version of Flash.

next version... HTML5? (0)

Anonymous Coward | more than 4 years ago | (#31163598)

Oh look.... private browsing is already a feature in html 5. Just sayin.

In Windows XP (1)

thethibs (882667) | more than 4 years ago | (#31163678)

In the meantime, this will lose them

del /S /Q "C:\Documents and Settings\marc\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\*.*"
rd /S /Q "C:\Documents and Settings\marc\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\"
