Facebook Security

Facebook's New Chief Security Officer Wants To Set a Date To Kill Flash

An anonymous reader writes: Facebook's new chief security officer, Alex Stamos, has stated publicly that he wants to see Adobe end Flash. This weekend Stamos tweeted: "It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day. Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once."

  • Why? (Score:2, Interesting)

    by Fwipp ( 1473271 )

    Why on earth would Adobe want to kill flash?

    • Re:Why? (Score:5, Funny)

      by Anonymous Coward on Tuesday July 14, 2015 @12:41AM (#50104721)

      So they can stop getting mentioned every time a security vulnerability is exposed?

    • Re:Why? (Score:5, Insightful)

      by bloodhawk ( 813939 ) on Tuesday July 14, 2015 @01:01AM (#50104813)
      Flash is a diseased animal in pain, it needs to be put out of its misery. It is going to die on its own, Adobe may as well save a little face and do Flash and the world a kindness by euthanizing it.
      • Re:Why? (Score:5, Insightful)

        by gl4ss ( 559668 ) on Tuesday July 14, 2015 @02:18AM (#50105081) Homepage Journal

        but what will you use then to play happy wheels?

        look, all this talk about "bad corporations do intentional obsoleting of software to sell new software" and then *bam* start asking for them to make tens of thousands of games unplayable.

        nice, real nice.

        yes kill date implies that you wouldn't be able to _use_ it at all after the date, which would actually work as an incentive to not update to any such version that has a kill date. kill date would also mean no further security fixes.

        putting a date on it would be stupid for everyone involved. adobe can just (and pretty much has) quit developing new features for it, thus driving people to other things.

        • by camg188 ( 932324 )
          You can play flash games with media player classic. You just need to download the flash file.
        • actually your definition of kill date is different to mine. A Kill date is a date at which time if you are running up-to-date browsers and software it will stop working by default. It doesn't mean you can't turn it back on for yourself (albeit unsupported) or that you can't use legacy versions. It simply means only those that absolutely need it enabled for legacy reasons will have it. by being off by default instead of a slow tail off of use over many MANY years it will be a steep drop.
      • Flash is a diseased animal in pain, it needs to be put out of its misery. It is going to die on its own, Adobe may as well save a little face and do Flash and the world a kindness by euthanizing it.

        That's just the cover story; it's actually an effective deployment platform for the NSA.

        You really think it's just decades-long incompetence that just as one hole is patched, another brand-new one is quickly discovered? They're issuing hole exchanges, not patches.

    • by mwvdlee ( 775178 )

      Obviously, for the same reasons Facebook's new chief security officer wants to kill Facebook's anti-privacy defaults: None whatsoever.

    • Because he only has 14 hours to save the Earth!

      • General Kala, Flash Object approaching.

        What do you mean Flash Object approaching, open fire, all weapons. Send out HTML5 with AJAX to bring back its body.

    • Re: Why? (Score:3, Insightful)

      by Anonymous Coward

      We should set a date to end Facebook. Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole social networking ecosystem at once.

    • But Flash!!! We only have 8 minutes to save the Earth!!!!!
  • by cfalcon ( 779563 ) on Tuesday July 14, 2015 @12:33AM (#50104675)

    Can you set an EOL date in the past? Maybe by a decade, give or take a bit? If causality doesn't currently permit that, we should look into patching this functionality into reality as a special case.

  • I worked for http://www.boardvantage.com/ [boardvantage.com] this company for a spell. It was a shit company, and a really shit product. Somehow the CTO has convinced Board rooms around the world that the flex client is the most secure thing ever, and every time some flash vulnerability was announced, he could always dance his way around it.

    Point being that as long as those in positions of power can be convinced it's a needed evil, it will be a used evil.

  • by krelvin ( 771644 ) on Tuesday July 14, 2015 @12:41AM (#50104723)

    Use the same date to turn off Facebook too?

  • by CaroKann ( 795685 ) on Tuesday July 14, 2015 @12:42AM (#50104731)
    So Facebook wants to decide what will work on the Internet now? I thought that was Google's job.
    • Google and Facebook have the right to dictate what ad formats they will deliver. Google further has the right to dictate what file formats Googlebot will index. Historically, it has indexed SWF, but if Google wants to bury SWF, it'll index sites as if Flash Player is not installed.

      • Re:Ad formats (Score:4, Interesting)

        by fred911 ( 83970 ) on Tuesday July 14, 2015 @01:20AM (#50104889) Journal

        Even if flash is "officially" killed, Google will still index it. Pages dependent upon Flash for their main content will take a quality hit (actually they already are), hence a rank loss

        Android doesn't support it, and if you can't render content for that platform, well you just lose the ability to meet the needs of the user (or a major percentage of them).

  • by Anonymous Coward

    HTML5 doesn't even work half the time because the browser implementation is off by one.

  • Take his own advice (Score:5, Interesting)

    by bug1 ( 96678 ) on Tuesday July 14, 2015 @12:52AM (#50104777)

    How about facebook just stop using flash and switch to html5 like youtube has.
    Or do I need to put my tinfoil hat on and speculate why certain influential groups might want a large proportion of the internet dependent on a binary only browser plugin.
    (yes yes in theory there is open source flash plugins, but nobody uses it because it's mostly broken).

    • by cen1 ( 2915315 )
      Indeed. Facebook had HTML5 video enabled on mobile for some time but until recently, the desktop page was still using Flash.
  • Flash is like IE 6 (Score:5, Interesting)

    by Billly Gates ( 198444 ) on Tuesday July 14, 2015 @12:56AM (#50104793) Journal

    So many processes have dependencies that are so ingrained in corporate apps it will be impossible to get rid of. We still use IE 6 at work and even xp eol couldn't kill it due to 2 must have apps which are impossible to ever replace. Our training only works with ancient insecure flash 11 at work due to a 10 year old version of premier which created our slides. Lock the browser out of flash and we will stick with obsolete version

    • by Anonymous Coward on Tuesday July 14, 2015 @02:30AM (#50105117)

      Well maybe your job should look into hiring someone to remake the old code into newer one. Saying it's "impossible to ever replace" is the problem, stop thinking that way and start thinking "what can be done to replace this dinosaur"

    • Wow, and until now I always thought your sig was sarcastic.
    • by AmiMoJo ( 196126 )

      Just making click-to-play the default would greatly hasten the death of Flash. As well as mildly annoying users who couldn't figure out how to whitelist, it would kill all Flash ads and drive-by malware.

      Microsoft had success with this method when Vista came out. At first every app produced multiple UAC prompts constantly, but within months all the popular ones had been updated to avoid doing that and by the time Windows 7 came out most were well behaved.

  • Do your part nerds! (Score:5, Interesting)

    by trawg ( 308495 ) on Tuesday July 14, 2015 @12:58AM (#50104807) Homepage

    Uninstall Flash. Just stop using it. Encourage your friends to do the same.

    I uninstalled it a couple months ago. I no longer have to worry about updating it or being exposed to the vast amount of vulnerabilities - it should be clear to everyone by now that it is a /major/ vector for infection.

    Only a few times have I hit content that still requires Flash - usually sites that have an old Flash video player. Most big sites or sites using modern players happily support HTML5 video. Those that don't I can live without. (Bonus: far less irritating animated ads. For now.)

    But make sure you provide feedback to sites that still have Flash - let them know you can't use the site properly. Fortunately - largely thanks to Apple's refusal to allow Flash in iOS - there are fewer and fewer of these today.

    • by tepples ( 727027 )

      Most big sites or sites using modern players happily support HTML5 video.

      Last time I checked, Albino Blacksheep, Dagobah, Weebl's Stuff, Homestar Runner, Newgrounds, and Kongregate were all Flash. When did this change?

    • Uninstall Flash. Just stop using it. Encourage your friends to do the same.

      I would, but I listen to Pandora Radio on my desktop while at work. Pandora needs flash.

      I don't know if it is something that I am doing, but in the last month or two, flash seems to crash far, far more often. Several times per day (and often several times per hour). I have installed a flash-block plugin and will see if things improve.

      • Uninstall Flash. Just stop using it. Encourage your friends to do the same.

        I would, but I listen to Pandora Radio on my desktop while at work. Pandora needs flash.

        Facepalm. Dude, it's called a boycott. It's part of the idea that you have to make compromises for it.

        • Facepalm. Dude, it's called a boycott. It's part of the idea that you have to make compromises for it.

          So you think that Pandora will change their ways if a small fraction of one percent of their userbase stops using it?

    • by Kkloe ( 2751395 )
      nah I rather keep it for the porn and illegal video streaming sites, oohhh and don't forget all the fury porn flash "games"
  • by David_Hart ( 1184661 ) on Tuesday July 14, 2015 @01:01AM (#50104815)

    Too many internet pages rely on Flash for video and advertisements... and, as much as we hate them, advertisements mean money...

    I'm not saying that progress isn't being made. Youtube dropped Flash this year and is now using HTML5 as the default for video, but that doesn't fix legacy videos.
    http://www.theverge.com/2015/1... [theverge.com]

    My thought is that Flash will be around for another 3 to 5 years. The quoted "18 months" is just wishful thinking....

  • by Guy From V ( 1453391 ) on Tuesday July 14, 2015 @01:12AM (#50104855) Homepage

    Is Professor Zoom the Facebook CSO now? I can't keep up with all the retcons.

  • by epyT-R ( 613989 ) on Tuesday July 14, 2015 @01:17AM (#50104879)

    Despite flash being a scourge, it would be better for the internet to pick a day to kill off facebook.

    • Why, because you don't like a service that 1.4 billion people around the world use?

      • by epyT-R ( 613989 )

        No, it's not simple like or dislike. Online social dynamics were better when they were more anonymous. Sites like facebook trashed these old rules by forcing people to use real identities and linking them to other real life details online. This way they could fuel adolescent-like narcissism and insecurity in users as they interacted with each other, keeping them psychologically and socially dependent on the service. The company uses this fermented mentality to continually extract information on its user bas

        • Online social dynamics were better when they were more anonymous

          Yep like 4chan became the bastion of online social dynamics. I would just call you a retard now to further disprove your point because I am hiding behind a pseudonym but I'll educate you instead. There's no difference in social dynamics now than before. There are still places for anonymous online venting, and if that's your idea of what a social interchange requires then by all means continue to do so, Facebook does nothing to stop you.

          On the flip side Facebook is about a circle of people you know, so rig

      • The exact same argument can be applied to Flash, at least a few years ago when it was used by vast majority of users on the internet.

        • There's no argument there. You are 100% right. Facebook is transient but it won't die because a single person doesn't like it, just like Flash didn't die because a single person didn't like it.

          These things die when they are replaced with something of equal or greater value to the end users, or if the value proposition ends. Flash's value started eroding a long time ago, before HTML5. Now please go and create something amazing to replace Facebook, because it's not going to simply get switched off due to rand

  • Porn (Score:3, Insightful)

    by Anonymous Coward on Tuesday July 14, 2015 @01:27AM (#50104907)

    One of the (in my opinion) major aspects should not be forgotten: As long as porn sites like youporn rely on flash, flash will not die.

  • by Anonymous Coward

    https://addons.mozilla.org/en-us/firefox/addon/watch-with-mpv/

    I need bbc news video clip support though as bbc news web developers basically suck at their jobs. They push HTML5 video for iPads which don't support Adobe Flash, but output a message telling everybody else who doesn't have Adobe Flash installed to install it. I DON'T want to f'ing install it you idiots. I like the Guardian better, but they've got fewer articles. The Guardian does appear to do HTML5 by default too.

  • by Waccoon ( 1186667 ) on Tuesday July 14, 2015 @02:06AM (#50105033)

    Replace the word "Flash" with any other plugin or technology that geeks don't like. Will it still be okay if we go out of our way to kill it and make sure nobody can use it? Replace "Adobe" with "Free Software Foundation". Is that better? How about we talk about the Unity3D plugin? That's a plugin, too, just like Adobe PDF and Java, so that means it's bad. It's easy to pick on Flash and I can't say I really like the plugin, but when organizations with a large amount of industry influence start talking about killbits, that makes me really nervous.

    I'd have no problem with Facebook urging other web sites to stop using Flash, especially if they're willing to support development of an alternative. When they talk about actively killing things for the good of the community, that's going too far. This starts leaning to the direction that it's okay to execute prisoners because nobody likes them.

    Sometimes I'm really disturbed by the will of the community. I'm already pissed enough that I can't run certain Java applets [falstad.com] anymore because the great Oracle says I'd hurt myself if I tried. Heaven forbid they give me a warning and I make up my own mind. As for grandma's computer, I could just configure the web browser to not use Java or install any other plugin.

  • The TFA page cited in the post has an embedded video. It is the "SoundCloud" video player, which my Ghostery plugin blocked.

  • for its videos. Please start by fixing that first.
  • by Zarhan ( 415465 ) on Tuesday July 14, 2015 @03:15AM (#50105267)

    There's plenty of legacy stuff in intranets that require flash that is *not* easily upgradeable, or at least up to the user.

    Case example on where I run every now and then in work, Cisco IMC controllers (server management cards).

    http://www.cisco.com/c/en/us/t... [cisco.com]

    Their UI is based on Flash (and Java), for remote console, status data, and so on. If I point a browser to a CIMC server, the first thing I see is "Install flash player" if it's not already installed. Even if Cisco would release an upgrade *today*, how often are people interested in rebooting their servers for firmware upgrades as long as it's running ok?

    • Case example on where I run every now and then in work, Cisco IMC controllers (server management cards).

      Yes, that is almost as dumb as HP printers requiring Java to do shit you could have done with Javascript, even then. Same story. All that means is you should avoid Cisco in the future. They have proven themselves to be dumbfucks. From the first router to a backdoor for every router, so classic.

  • Getting rid of flash won't improve Facebook. You can't fix stupid.
  • by TheRealHocusLocus ( 2319802 ) on Tuesday July 14, 2015 @07:41AM (#50106409)

    I'm so glad there's a move afoot to kill Flash, in which a few well-connected standards goonies who are not satisfied with the rollout for HTML5 think that no campaign to capture hearts and minds is complete without some form of digital strip mining, in which major portions of the Internet heritage are blocked by "newer, better" software and rendered dark, obsolete and broken overnight. It's just like a seat belt law, right? It's all about protecting Joe Sixpack from driving drunk on the web. And the big important players like Facebook have naught but our precious safety as a motive. /SARC

    I hated Flash for its abuses and excesses at first, but I have grown fond of the things it has become useful for, and does well. Here is a low level instruction set of instruction and vector graphic primitives that has been used to accomplish amazing feats. Even self-contained and offline feats. Things that will never make it to HTML5 without a serious ride in the newer is better and bigger and much slower (though our processors are faster and memory is bigger so we pretend that it's faster and smaller) bloat-mobile. /NOTSARC

    Remember when the Whole Damned World was ready for a GIF-killer? And PNG was one little tiny step away from doing so? The png image format was so ready to dominate the world, and we were maybe a few open source developer weekends away from having a GIFlike format with comparable non-encumbered LZW compression, and (as promised) simple animation too. To be able to animate in full RGB without shoving palettes down our collective throats. Well, some people on the Standards Committee, some <BLINK>anti-blink tag hipsters</BLINK> who were Running With Scissors cut out that promise and proceeded to punt the animate part of the bargain into the Next MNG generation, which would be a video-killer too and would happen Real Soon Now. The upshot was that the PNG rocket sled hit a big pile of jello. While MNG [wikipedia.org] was languishing, a whole generation of web-folk faced difficult times with GIF in which open source tools generated bloaty files unless you compiled them yourself (because they did not to fork money or paperwork to license the LZW) and the world was treated to... more of GIF! It is today's GIF! And do we have those <BLINK>anti-blink tag hipsters</BLINK> to thank? No, that is not really fair, they just wanted to build a better world. But bad decisions in retrospect do happen. /NOTSARC

    But Flash is different! Never mind how useful it has become, it must be killed. Because in this silly Collectivist world of planned obsolescence it is not enough to succeed. Something old must be declared evil, be systematically dismantled and ultimately fail not on its own lack of merit, but because some all seeing Standards Committee wishes to keep Joe Sixpack safe while driving drunk on the web. The insurance companies have already factored in the liability for HTML5 vulnerability coverage so we're good there. /SARC

    From this day forward, any zero day vulnerabilities in HTML5 code will be tolerated in the civilized manner, and any emerging Flash exploits will be blamed on the Iranians and North Koreans, and those who continue to use and support Flash will have their hip-credentials revoked. /NOTSARC And we're ready to destroy all those vinyl LP phonograph records too, all the music that matters has been reissued, yeah, fuck that old music. /SARC

    Because, God Forbid, the whole human race could never just gather to re-write a popular primitive procedural language without creating a shitload of new exploitable errors. It just cannot be done. /SARC

  • that needs to go HTML5 soon and make it a free upgrade as well.

  • by damnbunni ( 1215350 ) on Tuesday July 14, 2015 @09:38AM (#50107293) Journal

    Why? Because with Flash video I just get a big blank box I can click to play it, and shit never autoplays.

    Autoplaying video needs to die.
