
Thread: Flash is evil

  1. #21
    Jay T. Blocksom Guest

    Re: Flash is evil

    On Sun, 03 Apr 2005 12:53:13 GMT, in <alt.privacy.spyware>, Rick
    <rsimon@cris.com> wrote:
    >

    [snip]
    >
    > Not that I'm overly fond of Macromedia, but the article you referenced is
    > dealing with Macrovision, not Macromedia.

    [snip]

    I'll be damned. You are absolutely right. Over the past couple of years I
    must have read dozens of articles on this issue (plus several re-reads of the
    cited one, since I tend to use it to explain why C-Dilla/SafeCast is evil);
    and each time I've mis-parsed that name in the same way. No doubt this was
    due to the same sort of neurological short-circuit responsible for the cliche
    about adding the same column of numbers several times, and coming up with the
    same *wrong* answer each time (hence the common wisdom to add them from the
    bottom up, when attempting to check your work).

    Nonetheless, between the "Local Shared Objects" nonsense and this:

    <http://www.roughlydrafted.com/flash1.html>

    it's pretty clear that Macromedia stuff should still be avoided.

    And of course, Macrovision is a scumware outfit/product, for all sorts of
    reasons we already know about *plus* this one.

    Thanks for pointing out my error.

    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet02[at]appropriate-tech.net

    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this domain is expressly prohibited under
    47 USC S227 and State Law. Violators are subject to prosecution.

  2. #22
    Jay T. Blocksom Guest

    Re: Flash is evil

    On Sat, 2 Apr 2005 00:09:45 -0600, in <alt.privacy.spyware>, <Vanguard> wrote:
    >

    [snip]
    >
    > Some sites only provide a Flash-enabled web page

    [snip]

    Then the authors and/or owners of those sites are incompetent, or malicious,
    or both.

    > because ...

    [snip]

    The "because" doesn't matter.

    Any website which demands, for *whatever* reason, that I maintain trojanware
    on my system is by definition beyond worthless.

    > You can decide to not install Flash.

    [snip]

    Usually, yes. But be aware that many pre-packaged off-the-shelf systems sold
    to consumers through mass-marketing channels like CompUSA, OfficeMax, etc.,
    come pre-loaded with this trojanware. While the greatly preferable answer is
    to simply not validate such sleazy tactics with your checkbook, some folks
    will occasionally find themselves with little other practical choice. So it
    becomes *vital* that the system be reconfigured (read: wipe the HDD and start
    over from scratch; the presence of Flash is very probably the *least* of the
    problems) *before* it is permitted to connect to the outside world.

    > Just be aware that more site
    > authors are attempting to protect their copyrighted content by NOT using
    > simply HTML coding and relying on other mechanisms to secure their site
    > code, like using Flash to hide the code.


    Flash does not "hide" the site's HTML code. It is *executable* content that
    is automatically downloaded to your system via links embedded in that HTML
    code.


  3. #23
    Jay T. Blocksom Guest

    Re: Flash is evil

    On 2 Apr 2005 03:58:20 -0800, in <alt.privacy.spyware>, "AvianFlux"
    <neomoniker@hotmail.com> wrote:
    >

    [snip]
    >
    > There's something to be said for dial up connections.
    >
    > One) It's cheaper.
    >

    [snip]

    Nearly always, correct.

    > Two) Can be accessed over any available phone line connection.
    >

    [snip]

    Well, most of them. Office PBX systems can be problematic. The same used to be
    so for hotels, but now most of them offer at least a POTS jack for dial-up
    use; and those who cater to the "business traveler" often offer some form of
    broadband connection (with WiFi fast becoming the most popular form, since it
    is so cheap to install).

    > Three) More secure, anonymous, dynamic IP's.
    >

    [snip]

    Ooops! And you were doing so well, up to this point.

    No. Dial-up is neither "more secure" (except perhaps in the "security by
    obscurity" sense, which is always very poor security at best) or even close to
    anonymous. And dynamic IP is not a distinguishing characteristic of dial-up,
    since most "consumer broadband" (i.e., DSL and "cable modem") services also
    use DHCP to assign dynamic IPs to their users.

    > I'm sticking with dial up. It's all I really need.


    That's fine. But don't kid yourself about what it does (and does not)
    provide.


  4. #24
    Guest

    Re: Flash is evil

    "Jay T. Blocksom" <not.deliverable+usenet02@appropriate-tech.net> wrote
    in message news:fcl0519k307gmtmu6s94isap9j7mftpn86@news.speakeasy.net...
    > On Sat, 2 Apr 2005 00:09:45 -0600, in <alt.privacy.spyware>,
    > <Vanguard> wrote:
    > >

    > [snip]
    > >
    > > Some sites only provide a Flash-enabled web page

    > [snip]
    >
    > Then the authors and/or owners of those sites are incompetent, or
    > malicious,
    > or both.


    Well, gee, of course everyone in the world is coding their web site just
    for you. Get real, buddy. The world doesn't revolve around you. The
    author codes his web site based on the audience he/she wants to target.
    If you are in that audience, I'm sure the web owner doesn't give a
    gnat's fart about losing your visit there.

    > > because ...

    > [snip]
    >
    > The "because" doesn't matter.


    So why even bother with HTML, XML, CSS, Javascript, or any of the other
    technologies available for coding a web site. They should all just
    write it all in plain text for lil ol' you.

    > Any website which demands, for *whatever* reason, that I maintain
    > trojanware
    > on my system is by definition beyond worthless.


    According to your definition, VisualBasic, C/C++, Pascal/Delphi, the
    Windows API, the Linux API, and every operating system is trojanware
    because it enables malcontents to develop programs.

    > > You can decide to not install Flash.

    > [snip]
    >
    > Usually, yes. But be aware that many pre-packaged off-the-shelf
    > systems sold
    > to consumers through mass-marketing channels like CompUSA, OfficeMax,
    > etc.,
    > come pre-loaded with this trojanware.


    And a Big Mac comes with mayo and pickles unless you ask to exclude
    them. A product is packaged according to the market in which it garners
    the most sales. If you want to tailor your host, do so and stop buying
    pre-packaged goods. Some puny marketshare doesn't want Flash
    pre-installed and you really think commercial sellers will give a damn
    about loss of sales to such a puny market? Time to up the dosage,
    buddy.

    > > Just be aware that more site
    > > authors are attempting to protect their copyrighted content by NOT
    > > using
    > > simply HTML coding and relying on other mechanisms to secure their
    > > site
    > > code, like using Flash to hide the code.

    >
    > Flash does not "hide" the site's HTML code.


    Who the hell said that Flash hides HTML code. Flash coding of the
    server-side stream doesn't use HTML at all. It is not executable
    content, either. It's about time for you to start educating yourself on
    how Flash really works. Some idiot journalist posts an article to pad
    their portfolio and you go screaming mantra about trojanware without
    basis. You really don't know what is a Flash "shared object", do you?
    Can you say COOKIE!? Geesh, I suppose you think the .txt files for
    cookies are executables, too.

    Did you even bother to read the article mentioned in the originating
    post? Obviously not because the article even tells you how to disable
    the cache used by Flash. The PIE is just a Flash cookie file (.sol)
    saved on your drive, just like other cookies, that can be used to
    rebuild the cookies that you deleted. Well, if you don't permit them
    saving their persistent identification element (PIE), aka Flash cookie,
    on your drive then you revisiting that same web site won't let them
    rebuild a deleted cookie. Read my other post here if you really are
    interested in how to prevent local storage of Flash shared objects. In
    the same way that a script, AX, or program can make use of the data in
    the .txt cookie files, the PIE-enabled web site that runs a Flash object
    that reads the .sol cookie file for Flash can use its *data* -- that is
    DATA -- to alter its behavior or rebuild prior information. So don't
    let Flash leave .sol files on your host.

    No, I don't program using Flash (I'm not a web designer) but it doesn't
    take a whole hell of a lot of effort to just go checkout what are shared
    objects for Flash. Guess you never bothered to right-click on a Flash
    object in a web page to notice the Properties context menu and the
    options you get.

    Shared Objects: Flash MX Cookies
    http://www.kirupa.com/developer/mx/sharedobjects.htm

    Flash TechNote: What is a local Shared Object?
    http://www.macromedia.com/cfusion/kn...fm?id=tn_16194


  5. #25
    AvianFlux Guest

    Re: Flash is evil


    Jay T. Blocksom wrote:
    > On 2 Apr 2005 03:58:20 -0800, in <alt.privacy.spyware>, "AvianFlux"
    > <neomoniker@hotmail.com> wrote:
    >
    >
    > > Three) More secure, anonymous, dynamic IP's.
    > >

    > [snip]
    >
    > Ooops! And you were doing so well, up to this point.
    >
    > No. Dial-up is neither "more secure" (except perhaps in the "security by
    > obscurity" sense, which is always very poor security at best) or even close to
    > anonymous. And dynamic IP is not a distinguishing characteristic of dial-up,
    > since most "consumer broadband" (i.e., DSL and "cable modem") services also
    > use DHCP to assign dynamic IPs to their users.
    >
    > > I'm sticking with dial up. It's all I really need.
    >
    > That's fine. But don't kid yourself about what it does (and does not)
    > provide.
    >
    > --
    >
    > Jay T. Blocksom
    > --------------------------------
    > Appropriate Technology, Inc.
    > usenet02[at]appropriate-tech.net
    >
    > "They that can give up essential liberty to obtain a little temporary
    > safety deserve neither liberty nor safety."
    > -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    > Unsolicited advertising sent to this domain is expressly prohibited under
    > 47 USC S227 and State Law. Violators are subject to prosecution.


    Dial-up dynamic IPs are more secure from directed hacks or DDoS. Where
    broadband static/semi-static IPs that are fixed or change much less
    frequently are more vulnerable. How often does DHCP assign new IPs to
    their users? Once a day/a week/a month? Dial-up assigns a new IP with
    each new logon to the ISP server.


  6. #26
    Jay T. Blocksom Guest

    Re: Flash is evil

    On 4 Apr 2005 21:21:23 -0700, in <alt.privacy.spyware>, "AvianFlux"
    <neomoniker@hotmail.com> wrote:
    >
    > Jay T. Blocksom wrote:

    [snip]
    > >
    > > No. Dial-up is neither "more secure" (except perhaps in the
    > > "security by obscurity" sense, which is always very poor security at
    > > best) or even close to anonymous. And dynamic IP is not a distinguishing
    > > characteristic of dial-up, since most "consumer broadband" (i.e., DSL and
    > > "cable modem") services also use DHCP to assign dynamic IPs to their
    > > users.
    > >
    > > > I'm sticking with dial up. It's all I really need.

    > >
    > > That's fine. But don't kid yourself about what it does (and does
    > > not) provide.
    > >
    > > --
    > >

    [snip quoted sig -- please fix your newsreader to respect sig delimiters,
    and learn to trim your posts correctly]

    > Dial-up dynamic IPs are more secure from directed hacks or DDoS.

    [snip]

    Those are two rather different things; but to the extent that they are
    similar, they are also straw men (at least in this context). Such "directed"
    attacks are very rarely aimed at individual end-users, regardless of the type
    of connection said user may use. If you are running a very "visible" web site
    or other public service (such as a DNSbl, for example), *that* is what may
    attract such a "directed" attack; but then, you would not be doing this from a
    dial-up anyway, so it's a moot point.

    > Where
    > broadband static/semi-static IPs that are fixed or change much less
    > frequently are more vulnerable.

    [snip]

    This is simply an Old Wives' Tale.

    It's not the "relatively stable IP" that makes most "consumer broadband"
    connections a security issue; it is their relatively high bandwidth and "always
    on" characteristic, combined with the typically (grossly) misconfigured system
    ("administered" by an idiot) that is hung off the loose end of the string.

    As stated above, the only type of "attack" that such "stable" addresses would
    make (near-trivially) more convenient are not a practical concern for at least
    most end-users anyway. So, moving on...

    > How often does DHCP assign new IPs to
    > their users? Once a day/a week/a month? Dial-up assigns a new IP with
    > each new logon to the ISP server.


    True, but irrelevant.

    This is what I was referring to when I mentioned "security by obscurity"; and
    it is essentially useless against the *only* "outside attack" threats most
    end-users will ever be exposed to.

    The *vast* majority (way better than 99%) of the attacks seen by end-users are
    essentially random in nature -- the product of port-scanning 'bots and various
    worms that are *constantly* looking for targets anywhere they can find them.
    To these very mindless processes, an IP address is an IP address is an IP
    address; it matters not whether said address is static or dynamic, or served
    through a 56Kbps dial-up or a 2.5Gbps OC-48. It is not unreasonable to think
    of it simply as "background noise", because it is *always* there, any time you
    connect to the outside world[1].

    If at any given moment the noise gets too loud, it can effectively constitute
    "sort of" a DDoS attack; but even when this happens, the attack is not being
    directed at you specifically. Similarly, if you happen to be connected when a
    "magic packet" happens along (as they do quite regularly, if not as often as
    some other types of malicious traffic), and your underlying system is
    vulnerable to such things, then your system will likely lock up or crash. The
    functional mechanics of this particular nastygram make it somewhat closer to a
    true DoS attack; but it is still just part of the "random noise" of the
    internet, and is *not* being "directed" at you in particular.

    It inescapably follows from this that the likelihood of being "hit" by any of
    these "robo-attacks" during any given minute online is NOT dependant on
    whether you were or were not connected the minute before ("chance has no
    memory") or whether your IP address has changed recently. Yes, you can reduce
    your total exposure somewhat by reducing the amount of time you spend
    connected; and indeed, dial-up would seem to accomplish that end. But the
    thing is, there is *so* much of this sort of "random malicious traffic"
    floating around at all times[2] that even if you were to connect for only 5
    minutes at a time, it is near-certain that you would get hit several times
    during each connection. So in the end, it's still not *really* any more
    secure.



    Footnotes:
    [1] - Or even to "only" your own ISP, for that matter. In many cases, most of
    the traffic from these 'bots and worms that you actually see will be sourced
    from *within* your own ISP's network, due to border-router filtering
    implemented by your ISP that is not effective *within* the network.

    [2] - I mostly blame irresponsibly lazy/skinflint ISPs for this sad state of
    affairs. They *could* effectively put an end to at least the vast majority of
    this crap, *if* they wanted to; as the saying goes, it's not rocket science.
    It wouldn't even cost all that much -- but it wouldn't be free; and in the
    ultra-competitive and horridly low-margin ISP industry, any "security" measure
    that costs more than a nickel simply won't happen unless it is absolutely
    necessary to keep their network functioning, or there is a very visible public
    outcry.



  7. #27
    Jay T. Blocksom Guest

    Re: Flash is evil

    On Mon, 4 Apr 2005 21:21:10 -0500, in <alt.privacy.spyware>, <Vanguard> wrote:
    >
    > "Jay T. Blocksom" <not.deliverable+usenet02@appropriate-tech.net> wrote
    > in message news:fcl0519k307gmtmu6s94isap9j7mftpn86@news.speakeasy.net...
    > > On Sat, 2 Apr 2005 00:09:45 -0600, in <alt.privacy.spyware>,
    > > <Vanguard> wrote:
    > > >

    > > [snip]
    > > >
    > > > Some sites only provide a Flash-enabled web page

    > > [snip]
    > >
    > > Then the authors and/or owners of those sites are incompetent, or
    > > malicious,
    > > or both.

    >
    > Well, gee, of course everyone in the world is coding their web site just
    > for you. Get real, buddy. The world doesn't revolve around you.

    [snip]

    I didn't say that it did; and your comment in no way relates to what I *did*
    say.

    > The
    > author codes his web site based on the audience he/she wants to target.

    [snip]

    OK, let's assume for the moment that's correct. So it follows that if he
    insists on that "audience" having trojanware installed, he's going after rank
    idiots. Why would you want to be part of that crowd?

    > If you are in that audience, I'm sure the web owner doesn't give a
    > gnat's fart about losing your visit there.
    >

    [snip]

    Huh?!?

    If I'm part of the target audience, the site owner doesn't care if I visit or
    not? How is that anything but self-contradictory?

    > > > because ...

    > > [snip]
    > >
    > > The "because" doesn't matter.

    >
    > So why even bother with HTML, XML, CSS, Javascript, or any of the other
    > technologies available for coding a web site. They should all just
    > write it all in plain text for lil ol' you.
    >

    [snip]

    You are being facetious -- and missing the point by a country mile.

    > > Any website which demands, for *whatever* reason, that I maintain
    > > trojanware
    > > on my system is by definition beyond worthless.

    >
    > According to your definition, VisualBasic, C/C++, Pascal/Delphi, the
    > Windows API, the Linux API, and every operating system is trojanware
    > because it enables malcontents to develop programs.
    >

    [snip]

    Wrong. And I'll thank you to stop trying to put words in my mouth.

    > > Usually, yes. But be aware that many pre-packaged off-the-shelf
    > > systems sold
    > > to consumers through mass-marketing channels like CompUSA, OfficeMax,
    > > etc.,
    > > come pre-loaded with this trojanware.

    >
    > And a Big Mac comes with mayo and pickles unless you ask to exclude
    > them. A product is packaged according to the market in which it garners
    > the most sales.

    [snip]

    And as is well-known in marketing circles, the biggest market is the lowest
    common denominator -- i.e., the rank idiot. I repeat my question from above:
    Why would you want to be part of that crowd?

    > > > Just be aware that more site
    > > > authors are attempting to protect their copyrighted content by NOT
    > > > using
    > > > simply HTML coding and relying on other mechanisms to secure their
    > > > site
    > > > code, like using Flash to hide the code.

    > >
    > > Flash does not "hide" the site's HTML code.

    >
    > Who the hell said that Flash hides HTML code.

    [snip]

    You did -- or at least, that's what you attempted to imply. See above.

    > Flash coding of the
    > server-side stream

    [snip]

    ...is meaningless doublespeak.

    Got any more "kewl" buzzwords you'd like to throw around at random?

    > doesn't use HTML at all.

    [snip]

    Then how does the .SWF file get loaded by the browser, hmmm?

    > It is not executable
    > content, either.

    [snip]

    Yes, it is. It is tokenized cross-platform code, as opposed to
    platform-specific binary, so it needs an interpreter (the Shockwave Flash
    Player, in this case); but it *is* executable.

    > It's about time for you to start educating yourself on
    > how Flash really works.

    [snip]

    Physician, heal thyself.

    > No, I don't program using Flash (I'm not a web designer)

    [snip]

    Didn't think so.


  8. #28
    Guest

    Re: Flash is evil

    "Jay T. Blocksom" <not.deliverable+usenet02@appropriate-tech.net> wrote
    in message news:ism9519a6jjfjho22foqvtmpspj3vtl0ms@news.speakeasy.net...
    > > It is not executable
    > > content, either.

    > [snip]
    >
    > Yes, it is. It is tokenized cross-platform code, as opposed to
    > platform-specific binary, so it needs an interpreter (the Shockwave
    > Flash
    > Player, in this case); but it *is* executable.


    Didn't realize you were confused about the topic. I was talking about
    the shared objects (i.e., the Flash .sol cookie files), not about the
    interpreter that locally executes the applet which then reads these data
    cookie files. JVM is not evil because an applet you download does
    something you might not want, like announce to you your own IP address
    under the pretense that it is exposed. Word isn't evil because it can
    run macros: anti-virus programs scan using signatures against macros
    rather than block macros altogether.

    Flash isn't evil. The shared objects (data cookies) aren't evil since
    you can even choose to simply not keep them. The applet you download
    might be "evil". While IE has an option to prompt you when an AX
    control is to get downloaded, it doesn't have a similar option regarding
    Flash/Shockwave .swf files and its cookie management does not extend to
    .sol files. So, right now, your choices are: as a workaround, allow
    .swf files but block the local storage of shared objects (by zeroing the
    cache size) to render PIE ineffective; or, block Flash altogether (by
    not installing it); or, kill all ActiveX support in the browser or use
    one that doesn't support ActiveX.

    Avoiding all Flash content because of the potential "evil" of PIE,
    especially when the workaround nullifies it, is like avoiding contact
    with all humans because some are nasty (and, yep, for some folks that
    has been their choice to be shut-ins). Of course, those ranting the sky
    is falling because Flash is running on their systems and proselytizing
    that Flash is evil and must never be installed really should be using a
    browser that doesn't permit ActiveX controls at all, like Firefox.
    After all, to them the problem isn't just with Flash but rather with all
    ActiveX functionality. They could kill off all ActiveX support in IE,
    too, and Java, and scripting, and ... well, maybe they should just be
    using Lynx or some other text-only browser for safe surfing or even more
    effective is to stay off the Internet and become a shut-in. If you
    can't handle something like a data cookie file or bother to configure a
    zero sized cache then you'll be a victim of far worse nasties on the
    Internet. For those users, PIE would be the least of their problems.

    Flash provides interactive movies. Since you inferred that you are a
    Flash programmer, are the functions or methods available within Flash
    less potent than those in a Java applet or more potent? While Flash
    applets might be considered more stable than java applets, I thought
    Flash applets were less potent (i.e., you can do more with Java than
    Flash). Are the methods within the client-side Flash applet (.swf file)
    executed locally, or are their actions effected at the server which then
    alters the graphic content sent to the local Flash object (i.e.,
    interactive movies with the actions sent to and committed on the server,
    so the Flash applet is just the UI to execute server-side actions)?
    ActiveScripting is the scripting language used by Flash, but its
    description to provide interactive movies is that it is used for two-way
    communications back to the Flash *server*. There do appear to be some
    script commands that perform a local function, like controlling the
    progression of a movie so it just doesn't play from frame 1 to the last
    frame and then just repeat or stop there. While the program within the
    applet is executed locally, it seems that its actions must be performed
    back at the Flash server. The FSCommand method lets the applet use
    scripting but I thought that was to use Javascript functions specific to
    Flash movies.

    I'm still trying to find where are these big evil nasties in the Flash
    AX control that has some folks screaming that the sky is falling. I
    already know that shared objects is not the nasty that has been claimed
    in this thread. If the Flash Javascript API (JSAPI) didn't restrict
    the called Javascript objects to act only upon the Flash movie then there
    would be potential for abuse (as far as Javascript can be abused).
    Since the ActionScript language lets you write scripts to perform
    actions in the Macromedia Flash Player environment (that is, while a SWF
    file is playing), and since JSAPI is called from ActionScript commands,
    it seems the Javascript only applies against the movie. The DOM
    (document object model) for the Flash JavaScript API consists of a set
    of top-level functions and the top-level flash object. So far, it seems
    to be a well-protected program execution environment.

    Someone writes a Flash applet that downloads from their server host to
    your client host to safely execute its code locally within a protected
    Flash environ which reads a PIE *data* file (the .sol cookie) to rebuild
    a .txt cookie (which seems redundant and superfluous, anyway, since
    they'd already have the info from the .sol file) but which is obviated
    by setting the client-side caching to zero so there never was a PIE
    cookie file to read, anyway. So where's the problem? That users don't
    even bother to look on how to configure the settings for their Flash
    player? How many times have you seen a lazy poster in the newsgroups
    asking about OE blocking access to e-mail attachments simply because
    they don't bother checking for an applicable option in the program that
    alters its behavior?

    Set the Flash player's local cache size to zero. The article mentioned
    in the originating post already gave a link on how to do that. Problem
    gone.
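
For the .sol "Flash cookie" files discussed in the post above, an audit example added here (not part of any poster's message and not Macromedia code): it walks a Flash Player `#SharedObjects` directory, parses each file's header and groups what it finds by the site that stored it. The storage paths, the `<random>/<origin>/...` directory layout and the header layout (00 BF magic, length, "TCSO", name, AMF version) are assumptions taken from commonly published third-party descriptions of the format; the sample files are constructed.

```python
"""Audit Flash Local Shared Object (.sol) files on disk (added example)."""
import os
import struct
import sys
import tempfile

LSO_MAGIC = b"\x00\xbf"          # assumed: first two bytes of every .sol file
LSO_SIG = b"TCSO"                # assumed: signature at offset 6
SAMPLE_PAYLOAD = b"\x00\x02id"   # constructed opaque body bytes, never decoded


def default_roots():
    """Commonly documented storage locations (assumed, not from the thread)."""
    home = os.path.expanduser("~")
    roots = [
        os.path.join(home, ".macromedia", "Flash_Player", "#SharedObjects"),
        os.path.join(home, "Library", "Preferences", "Macromedia",
                     "Flash Player", "#SharedObjects"),
    ]
    appdata = os.environ.get("APPDATA")
    if appdata:
        roots.append(os.path.join(appdata, "Macromedia", "Flash Player",
                                  "#SharedObjects"))
    return [r for r in roots if os.path.isdir(r)]


def parse_sol_header(data):
    """Return (object_name, amf_version), or None if data is not an LSO."""
    if len(data) < 18 or data[:2] != LSO_MAGIC or data[6:10] != LSO_SIG:
        return None
    (name_len,) = struct.unpack(">H", data[16:18])
    name_end = 18 + name_len
    if len(data) < name_end + 4:          # truncated or lying length field
        return None
    name = data[18:name_end].decode("utf-8", "replace")
    (amf_version,) = struct.unpack(">I", data[name_end:name_end + 4])
    return name, amf_version


def audit_shared_objects(root):
    """Map origin directory -> list of findings for every .sol under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".sol"):
                continue
            path = os.path.join(dirpath, fn)
            parts = os.path.relpath(path, root).split(os.sep)
            # Assumed layout: <random dir>/<origin host>/.../<name>.sol
            origin = parts[1] if len(parts) >= 3 else "(unknown)"
            with open(path, "rb") as fh:
                parsed = parse_sol_header(fh.read(512))
            report.setdefault(origin, []).append({
                "file": fn,
                "bytes": os.path.getsize(path),
                "name": parsed[0] if parsed else None,
                "amf": parsed[1] if parsed else None,
                "valid": parsed is not None,
            })
    return report


def build_sample_sol(name, payload=b""):
    """Construct a minimal LSO image for the demo (constructed sample data)."""
    raw = name.encode("utf-8")
    body = (LSO_SIG + b"\x00\x04\x00\x00\x00\x00" +
            struct.pack(">H", len(raw)) + raw + b"\x00\x00\x00\x00" + payload)
    return LSO_MAGIC + struct.pack(">I", len(body)) + body


def demo():
    """Run the audit over a temporary tree holding one valid and one bad file."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "ABCD1234", "example.test")
        os.makedirs(site)
        with open(os.path.join(site, "tracker.sol"), "wb") as fh:
            fh.write(build_sample_sol("tracker", SAMPLE_PAYLOAD))
        with open(os.path.join(site, "junk.sol"), "wb") as fh:
            fh.write(b"garbage")
        return audit_shared_objects(root)


if __name__ == "__main__":
    roots = sys.argv[1:] or default_roots()
    reports = [audit_shared_objects(r) for r in roots] or [demo()]
    for rep in reports:
        for origin, items in sorted(rep.items()):
            for it in items:
                print(origin, it["file"], it["bytes"], it["name"], it["valid"])
```

An empty report after the local storage limit has been set to zero and the old files deleted is the result to expect; any origin that still shows up is a site whose shared object survived.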


  9. #29
    Jay T. Blocksom Guest

    Re: Flash is evil

    On Thu, 7 Apr 2005 11:17:39 -0500, in <alt.privacy.spyware>, <Vanguard> wrote:
    >
    > "Jay T. Blocksom" <not.deliverable+usenet02@appropriate-tech.net> wrote
    > in message news:ism9519a6jjfjho22foqvtmpspj3vtl0ms@news.speakeasy.net...
    > > > It is not executable
    > > > content, either.

    > > [snip]
    > >
    > > Yes, it is. It is tokenized cross-platform code, as opposed to
    > > platform-specific binary, so it needs an interpreter (the Shockwave
    > > Flash
    > > Player, in this case); but it *is* executable.

    >
    > Didn't realize you were confused about the topic. I was talking about
    > the shared objects (i.e., the Flash .sol cookie files), not about the
    > interpreter that locally executes the applet which then reads these data
    > cookie files.

    [snip]

    I am not and was not confused about the topic; although I apparently did
    "misunderstand" your meaningless gobbledygook buzzword-dropping. Here are the
    *complete* quotes:

    [From my Message-ID: <fcl0519k307gmtmu6s94isap9j7mftpn86@news.speakeasy.net>]
    --> > Just be aware that more site
    --> > authors are attempting to protect their copyrighted content by NOT
    --> > using simply HTML coding and relying on other mechanisms to secure
    --> > their site code, like using Flash to hide the code.
    -->
    --> Flash does not "hide" the site's HTML code. It is *executable* content
    --> that is automatically downloaded to your system via links embedded in
    --> that HTML code.

    [From your Message-ID: <dradnQSRjL6Ka8zfRVn-rw@comcast.com>]
    --> > > Just be aware that more site
    --> > > authors are attempting to protect their copyrighted content by NOT
    --> > > using
    --> > > simply HTML coding and relying on other mechanisms to secure their
    --> > > site
    --> > > code, like using Flash to hide the code.
    --> >
    --> > Flash does not "hide" the site's HTML code.
    -->
    --> Who the hell said that Flash hides HTML code. Flash coding of the
    --> server-side stream doesn't use HTML at all. It is not executable
    --> content, either.

    Despite the meaningless gobbledygook buzzword-dropping, it seems pretty clear
    to me that the "topic" under discussion in these passages is Flash in general,
    not one specific function of it in particular.

    Then, two rounds of follow-ups later, you claim we were really talking about
    something else, which wasn't even mentioned in the pertinent passages.

    Riiiiiight.

    > Flash isn't evil.

    [snip]

    That's your opinion.

    My opinion is that, at the least, the presence of the (current) Flash
    interpreter on your system enables evil things to be done. The fact that an
    astute and alert user (which is by definition a rare bird) can (sometimes,
    maybe) mitigate the damage through various "workarounds" does not change that.
    Further, the company promoting and profiting from your (and everyone else)
    having the Flash interpreter on your system is clearly going in the wrong
    direction, in terms of the issues generally considered important in this forum
    (cf. <http://www.roughlydrafted.com/flash1.html>, if you have any doubt about
    that). Hence, the prudent, responsible, and (especially) ethical course of
    action is to boycott that company's products in toto.

    > Since you inferred that you are a
    > Flash programmer,

    [snip]

    I "inferred" no such thing. I didn't imply it either.

    Why do you make stuff up out of whole cloth?

    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet02[at]appropriate-tech.net

    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this domain is expressly prohibited under
    47 USC S227 and State Law. Violators are subject to prosecution.

  10. #30
    Guest

    Re: Flash is evil

    "Jay T. Blocksom" <not.deliverable+usenet02@appropriate-tech.net> wrote
    in message news:701c511aa5k56hnfpetucacqmkj7b0thol@news.speakeasy.net...
    > On Thu, 7 Apr 2005 11:17:39 -0500, in <alt.privacy.spyware>,
    > <Vanguard> wrote:
    >
    > Despite the meaningless gobbledygook buzzword-dropping, it seems pretty
    > clear to me that the "topic" under discussion in these passages is Flash
    > in general, not one specific function of it in particular.
    >
    > Then, two rounds of follow-ups later, you claim we were really talking
    > about something else, which wasn't even mentioned in the pertinent
    > passages.


    The OP mentioned the article. The article mentioned shared objects. In
    other posts, I noted how to zero the cache so you won't save any, and
    the article mentioned a link to do that, too. Yeah, I was way
    off-topic, uh huh. And, of course, it is always possible to discuss the
    data files used by an applet without ever referring to the applet or the
    interpreter for it.

    >
    > Riiiiiight.
    >
    > > Flash isn't evil.

    > [snip]
    >
    > That's your opinion.
    >
    > My opinion is that, at the least, the presence of the (current) Flash
    > interpreter on your system enables evil things to be done.


    And by similar application of your rationale, korn shell with its
    scripting ability, Perl interpreters that can run scripts, Word that can
    run macros, or anything that "enable evil things to be done", which
    includes even the operating system, are evil. Okay, disconnect and nuke
    your computer. You don't get to use rationale on one interpreter
    without the same logic applying against all of them. I'm not saying
    that you must have Flash, anymore than I'm saying that you need Perl,
    Korn, Word, Java, or any other code enabling product, but I don't think
    a lot of folks want to regress back to flipping switches on an Altair
    box.

    > The fact that an astute and alert user (which is by definition a rare
    > bird) can (sometimes, maybe) mitigate the damage through various
    > "workarounds" does not change that.


    Yes, only the astute can ever figure out to look at the options for a
    program. As the topic grows through discussion and publication, more
    users will be made aware of how to configure the Flash player based on
    their interpretation of the supposed threat. But telling users to simply
    wipe Flash from their system does them a disservice because it takes the
    extreme approach while leaving them ignorant of the simple fix. So
    instead of educating them on how to avoid the problem should they deem
    it actually is one, your solution is to leave them ignorant and push out
    a flat and uninformative "uninstall it" solution. The users don't have
    to be rocket scientists to just be reminded that there are options
    available for most programs that they use, and that includes the Flash
    player, too.

    When and if PIE actually gets implemented, the topic will be much more
    discussed and it won't take some astute user that figures out how to
    bother looking at the options to know how to eliminate the problem.
    Your solution: wipe Flash from the computer. The real solution: set the
    cache size to zero. Your solution: can never view any Flash content
    again. The real solution: they get to use Flash without any potential
    for abuse (which amounts to just tracking them) from storing shared
    objects. With your logic, since there is a flaw then it must be
    abandoned, and that would apply to Windows itself - AND it would apply
    to every other operating system since none are perfect; else, patches
    would never be available.

    > Further, the company promoting and profiting from your (and everyone
    > else) having the Flash interpreter on your system is clearly going in
    > the wrong direction, in terms of the issues generally considered
    > important in this forum
    > (cf. <http://www.roughlydrafted.com/flash1.html>, if you have any
    > doubt about that). Hence, the prudent, responsible, and (especially)
    > ethical course of action is to boycott that company's products in toto.


    Macromedia isn't responsible for what behavior the coding performs from
    someone else, anymore than Borland is responsible for virus or spyware
    developed using their C compiler, no more than you are responsible for
    how any product that you have produced gets misused by some hacker or
    malcontent. Imagine trying to sue Vinton Cerf
    (http://web.mit.edu/invent/iow/cerf.html) just because he helped develop
    TCP which resulted in enabling the spread of porn, spam, spyware,
    viruses, and other malware. Most likely will be that Macromedia will
    provide another option (yep, you'll probably have to be one of those
    oh-so astute users that actually look at options) regarding PIE-enabled
    web sites for those users that still want to locally cache some shared
    objects. From what I've seen described of PIE, it will actually
    identify itself, so the Flash player could be configured to prompt the
    user just like the browser now allows prompting for cookies, or the user
    could just configure to always accept or always reject. Until then, set
    the cache to zero. Of course, Macromedia might just take the stance
    that, hey, it is just another applet reading a data file that any applet
    can do regarding the .sol files and this is just one particular case of
    that scenario, and just leave us with the global option to never save
    shared objects rather than trying to target just one domain. Actually,
    you can already target just one domain to zero out any storage of shared
    objects from just that domain but, alas, again that's a configurable
    option and must surely be outside the realm of the typical user who is
    already held hostage by all those other options in all those other
    programs that they also run.

    Telling users it is an option is no more rocket science than the same
    folks, like you, telling them to uninstall it or always refuse to accept
    its download and install, or telling them about any other option.

    >
    > > Since you inferred that you are a
    > > Flash programmer,

    > [snip]
    >
    > I "inferred" no such thing. I didn't imply it either.
    >
    > Why do you make stuff up out of whole cloth?


    Sorry, my bad. I figured if you knew that I was wrong about the zero
    cache solution which was also mentioned in the article in the OP and
    also described at Macromedia that somehow you had more privy knowledge
    of how Flash works than what is documented for it.

    You don't like Flash and really do consider it evil because it "enables"
    malcontents or the less moral to do things that you don't like. I don't
    understand why that same logic doesn't apply against almost everything
    else that falls under the title of "software". I figure Flash is okay
    if you configure its behavior the way that you want it to behave. I
    didn't abandon Outlook because they changed the pane layout to something
    that I didn't like - because there was an option to make its layout the
    way that I do like. You don't like Flash, but is it responsible to tell
    users to simply uninstall it, or instead tell them that they can
    configure it using an option to avoid the problem altogether (and
    perhaps mention uninstalling it as the extreme solution)?

    There are viruses that sit in the local Java cache and your solution
    would be to uninstall the JVM rather than just flush the cache (and
    optionally disable it). After all, the JVM "enables evil things to be
    done". Oh wait, since it is an option then only astute users can retain
    the product while altering its behavior. Yeah, toss the baby out with
    the dirty bath water. Amazing how initiative is assumed dead everywhere
    and no one ever considers to even bother to go look.

