Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
China GUI

When Adobe Stopped Flash Content, It Impacted A Chinese Railroad (jalopnik.com) 139

Jalopnik shares a story for our times: Adobe's Flash, the web browser plug-in that powered so very many crappy games, confusing interfaces, and animated icons of the early web like Homestar Runner is now finally gone, after a long, slow, protracted death. For most of us, this just means that some goofy webgame you searched for out of misplaced nostalgia will no longer run. For a select few in China, though, the death of Flash meant being late to work, because the city of Dalian in northern China was running their railroad system on it.

Yes, a railroad, run on Flash, the same thing used to run "free online casinos" and knockoff Breakout games in mortgage re-fi ads...

Hell, YouTube used to run on Flash until 2015. It wasn't all stupid little web games but, that said, I can't for the life of me fathom why anyone would want to run a freaking railroad network on it, with physical, multi-ton moving railcars full of human beings on it. So, when Adobe finally killed Flash-based content from running, this Tuesday Dalian's railroad network found itself ground to a halt for 20 hours.

The railroad's technicians did get everything back up and running, but the way they did this is fascinating, too. They didn't switch the rail management system to some other, more modern codebase or software installation; instead, they installed a pirated version of Flash that was still operational. The knockoff version seems to be known as "Ghost Version." This, along with installing an older version of the Flash player to work with the knockoff Flash server setup, "solved" the problem, and the railroad was back up and running.

UPDATE: ZDNet reports that "later reports from Chinese media clarified that railway traffic never stopped in Dalian because of the Flash end-of-life": However, the reports also admitted that there's some truth in the original report and that, indeed, some internal traffic statistics system had stopped working at the rail station on Jan. 12, when Adobe blocked Flash content from working.
This discussion has been archived. No new comments can be posted.

When Adobe Stopped Flash Content, It Impacted A Chinese Railroad

Comments Filter:
  • by GayLinuxDev ( 6040718 ) on Sunday January 24, 2021 @01:40PM (#60986200)
    I do a lot of security work and Flash has been a headache. Besides, Flash no longer works on Chrome, Mozilla, or Microsoft browsers, and HTML 5 effectively ended Flash's cause for existence. Adobe stopped supporting it with security updates in December, which means Flash Player is vulnerable to hackers trying to gain access to personal computers.
    • by BAReFO0t ( 6240524 ) on Sunday January 24, 2021 @01:50PM (#60986252)

      Fun fact: HTML5 is just Flash all over again.
      Except with full GPU access, websockets, background threads that can and do persisit even if the tab is closed. (Or even the entire app, like I verified on Android.)

      Yeah, running basically an OS with software from unknown sources on your system is always gonna be a security nightmare. With browser security theater or without.

      • by OrangeTide ( 124937 ) on Sunday January 24, 2021 @02:08PM (#60986326) Homepage Journal

        You can access gamepads and MIDI instruments from inside a webpage now, that primarily is used to track your browsing habits. It's a whole application platform that goes beyond the invasiveness of Flash or Java applets (old shit, but same old shit).

      • Exactly, and it seems they're adding all sorts of dangerous web extension with the name Web(add your dangerous extension here) such as WebSockets, WebGL, WebUSB and others that I may not be aware of.

        These are basically JavaScript wrappers around a computer's "private parts" and seem to riding roughshod over all the security sandboxing JavaScript was originally designed with.
        • by hjf ( 703092 )

          WebSockets? WTH. WebSockets is just a long lived HTTP connection where the server can send you notifications instead of you polling it constantly.

        • by arglebargle_xiv ( 2212710 ) on Sunday January 24, 2021 @07:32PM (#60987334)
          Nin hao, my name is Zhang Wei. I like having alligator clips applied to my nipples, being kicked in the nuts by Mistress Lien, but most of all having to write train control software in Adobe Flash.
      • Fun fact: HTML5 is just Flash all over again.
        Except with full GPU access, websockets, background threads that can and do persisit even if the tab is closed. (Or even the entire app, like I verified on Android.)

        Yeah, running basically an OS with software from unknown sources on your system is always gonna be a security nightmare. With browser security theater or without.

        I notice you didn't mention other things like the fact that they run sandboxed, the code is actively maintained, and for all your ignorant ramblings there's been less critical CVEs issues for HTML5 in its time than for Flash.

        But I expect nothing less of our most prolific ignorant poster.

        • Comment removed (Score:4, Informative)

          by account_deleted ( 4530225 ) on Sunday January 24, 2021 @08:06PM (#60987432)
          Comment removed based on user account deletion
          • by jeremyp ( 130771 )

            Flash has nothing to do with Adobe Acrobat. It's a different technology to PDF.

            Having said that, your general point is completely correct.

          • Flash was more "sandboxed" than HTML 5's features. Flash applications didn't even have access to the HTML on the page they were embedded on.

            Holy shit did you miss the point of sandboxing. It's not about isolating from what is displayed on the page, it's isolating from other tabs, the OS, the hardware etc. There's a reason Flash was such an incredible lucrative target for exploits that basically never saw a time when there wasn't a critical unpatched zero day. By comparison Webkit's handling of HTML5 is fucking Fort Knox.

      • by NateFromMich ( 6359610 ) on Sunday January 24, 2021 @04:08PM (#60986714)

        Fun fact: HTML5 is just Flash all over again. Except with full GPU access, websockets, background threads that can and do persisit even if the tab is closed. (Or even the entire app, like I verified on Android.)

        Yeah, running basically an OS with software from unknown sources on your system is always gonna be a security nightmare. With browser security theater or without.

        That's nothing: https://webassembly.org/ [webassembly.org]

      • by Tablizer ( 95088 )

        That might be, but you have just one leaky UI engine instead of two: the browser and Flash. It's similar to Java applets. I don't believe they are necessarily more risk than browser-based apps that do the same things, it's just less parts to go wrong to only have an HTML-based browser. It's arguably unfair to Flash and applets, but that's the reality of the situation. Winner-take-all is common in many aspects of the modern world. However, we are putting all our eggs in the browser basket.

    • by bobby ( 109046 )

      Ugh, these online discussions. Everyone makes sweeping statements. There are many scenarios you may not be aware of. I have a client who bought a security camera system that uses Adobe Flash to display remotely. Flash only. NO html5 or anything else. He now has no ability to view his building / parking lot. Camera system is only 2 or 3 years old. Who should pay for a new one? Or do you know of some other fix?

      • I have a client who bought a security camera system that uses Adobe Flash

        Anyone who does uses Flash in a security context has a terminal case of Kruger-Dunning.

        Your client should be on a charge of conspiring to leak data, and moved to an institute for the mentally deranged at the earliest opportunity.

      • by Pimpy ( 143938 )

        2 to 3 years ago the impending end-of-life of flash was already well documented, so to some extent it's your client's fault for not doing his due diligence when selecting a supplier. On-going support for something that requires external software over which you have no control should be near the top of anyone's risk list when comparing options, particularly on things that are going to be installed in the field and generally left alone for years. If it's still under warranty, he would have a good case to dema

        • >That being said, if the vendor is actually a camera manufacturer and not just a Chinese importer, they'll presumably have some incentive to provide a workaround.

          I'm trying to figure out what incentive a camera manufacturer would have to provide a workaround that removes your need to buy new cameras...

      • He now has no ability to view his building / parking lot.

        He has the ability to buy a new system, and this time look into it better before wasting his money.

      • by cusco ( 717999 )

        If it's an Avid system there was an update last year.

        https://avid.secure.force.com/... [force.com]

        • by bobby ( 109046 )

          Thank you for a civil, polite, and informative answer. No, not an Avid. Being I'm in the A/V world a little, I know them.

          Not sure what to call some of the responses I got above. Not sure why people have to post stuff like "he should have known better". Camera system literature says NOTHING about using Flash. Not sure how someone could have anticipated that, especially someone non-technical.

          I never heard, anywhere, that Adobe had date-bombed the Flash players. You can backdate a computer and it'll run

      • by freeze128 ( 544774 ) on Sunday January 24, 2021 @11:04PM (#60987806)
        An elderly neighbor often asks me to do PC support for her. She likes to play Lucky Slots flash game on facebook. I have been warning her that Flash has been discontinued, but she still wants to play the games. Other players of these games on facebook have used http://flash.puffin.com/ [puffin.com] as a sort of proxy to run the flash games. The puffin web site loads and executes the flash code, and then delivers it to your browser via HTML5. It's a little bit slower, but seems to work as a stopgap. Perhaps it can help with your client's security camera system.
        • by bobby ( 109046 )

          You are awesome, thank you. Some positivity, rather than platitudes and "should have known not to buy the system". And the client is non-technical, so even if the stupid camera system company had disclosed that it was Flash-based, I don't think he would have known to not buy it, or to send it back once he did. Again, I had no idea that Adobe would brick the existing Flash players.

          I looked at flash.puffin.com and it looks like you have to upload the app to them and they run it. But I like the idea of an i

    • While certainly there are security issues with running a Flash program from an unknown source, what sort of problem have you seen in your work with internally developed applications?

    • I will not.

      I salvaged 32.0.0.371 binaries from archive.org, apparently the last without the time bomb, and I will use it for as long as I please. And if Mozilla his full stupid Google like, I'll get an old build of Firefox or other to run it.

      And if I need to, I'll use a VM.

      I'm aware of the security risks, I only want to use it to run local swf files. You'll day I could use the standalone flash projector, but despite being made by Adobe too, is buggy AF compared to the browser plug-in. And gnash is worse, an

  • Two things (Score:5, Insightful)

    by quonset ( 4839537 ) on Sunday January 24, 2021 @01:42PM (#60986210)

    A) Good for them. It should not be up to a company to unilaterally make a piece of software unusable. If someone wants to run the software years after it expired, that is their business, not the company's.

    B) How? In what form could they make the railroad be reliant on this? What programming did they have to do to even make this feasible? And of all the things they could have used, why Flash?

    • Re:Two things (Score:5, Informative)

      by Forty Two Tenfold ( 1134125 ) on Sunday January 24, 2021 @01:51PM (#60986260)

      A) Good for them. It should not be up to a company to unilaterally make a piece of software unusable.

      EFF agrees and they are working to prevent that by promoting open formats and open source.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      A) Good for them. It should not be up to a company to unilaterally make a piece of software unusable. If someone wants to run the software years after it expired, that is their business, not the company's.

      Exactly right. I own my computers, not Adobe. If Adobe wants to stop supporting Flash, that's their business, but if I want to continue running Flash on my computers, that's none of Adobe's business.

      How much Flash sucks is irrelevant. How much everyone hates Flash is irrelevant.

      • Exactly right. I own my computers, not Adobe. If Adobe wants to stop supporting Flash, that's their business, but if I want to continue running Flash on my computers, that's none of Adobe's business.

        Sure, you own your computer. But you don't own Flash and thus you don't own the right to use Flash indefinitely.
        You're free to implement your own version of Flash that doesn't infringe on Adobes intellectual property.

        • by nagora ( 177841 )

          But you don't own Flash and thus you don't own the right to use Flash indefinitely.

          I think I do, actually. Not that I want to; it's shit.

      • Exactly right. I own my computers, not Adobe. If Adobe wants to stop supporting Flash, that's their business, but if I want to continue running Flash on my computers, that's none of Adobe's business.

        Good for you. Don't worry, I'll get off your lawn.

    • by pottsj ( 318426 )

      How? Don't know for sure, but perhaps they made the mistake of developing their front end in Flex [wikipedia.org]

    • by Pimpy ( 143938 )

      A company certainly has the option of shutting down servers that provide external services within the terms of their licensing agreements. Absent some costly SLAs, they are under no legal obligation to provide the service beyond the licensed period. That being said, for software that has no interaction or dependency on their infrastructure besides e.g. license verification, they certainly could have handled this better. One option would be to make an EOL license available for users that still wish to use it

    • In what form could they make the railroad be reliant on this?

      The summary says:

      Yes, a railroad, run on Flash, the same thing used to run "free online casinos"

      Riding their trains was probably a gamble?

    • by havana9 ( 101033 )
      Problem is that someone was convinced by some saleswasel to use Adobe Flex to build an internal system, maybe for a vertical application, and due a time bomb the system got inoperable. At least Microsoft didn't put a time bomb into MSDOS or Windows 2000. Next time what will Adobe make unusable Photoshop? Illustrator? Acrobat? Premiere?
    • Re:Two things (Score:4, Interesting)

      by cusco ( 717999 ) <brian@bixby.gmail@com> on Sunday January 24, 2021 @05:39PM (#60987026)

      It's likely they put the control room display in a browser, if the controllers can't tell the status of the switches on the line they have to shut it down.

      • It's likely they put the control room display in a browser, if the controllers can't tell the status of the switches on the line they have to shut it down.

        Which likely was a completely reasonable solution at the time it was built. In Flash's heyday it was one of the the best cross-platform UI stacks around. People decrying "why did this use this?!" don't seem to understand that all tech eventually becomes obsolete, the question is not "if" but "when".

    • by jythie ( 914043 )
      There was a time when Flash/Flex was being marketed as a general solution. Any place you could use Java, Flash/Flex could fill the same role.
  • by innocent_white_lamb ( 151825 ) on Sunday January 24, 2021 @01:43PM (#60986218)

    I have a Linux flashplayer executable on my computer that's dated May 26 2019. I use it for playing local copies of flash games (I particularly recommend Minute Maid Mahjong) and it still works fine.

    I didn't really go out of my way to find a flashplayer executable without the time bomb; it just happened that I downloaded the flashplayer executable from Adobe (in 2019, apparently) and never bothered to try to find another one after that since it's just a local executable and isn't used for any online stuff.

  • Only in China would Railroad Tycoon [wikipedia.org] be taken seriously by an actual railroad.
  • First of all: Did you think they'd code an entire new railroad management system in 10 hours or what? Tje stupidity of your mindset in no way is any better than that of people running a railroad on Flash.

    Secondly, what do you mean "pirated"?
    Leaving aside the fact that you are using a word, delinerately misused by organized crime, to equal people who do not accept playing along with racketeering schemes andbeing stolen from with seafaring rapist thugs ...
    As far as I know, Flash Player is freely available fro

    • They had a decade to do the reasonable thing. That's 8760 times the 10 hours you're yapping about.
    • It really depends on what the Flash was doing and how it was implemented. Presumably it was just HMI, and quickly getting the critical functions re-implemented would be about making calls to an abstraction layer and not actually handling the logic.

    • by HiThere ( 15173 )

      OTOH, the discontinuation of Flash has been public knowledge for a long time. So it isn't like they didn't have warning. Therefore point one fails.

      As for the second point...well, I don't know what the company required the system to do, and I've never programmed in Flash. So I'm not sure that FlashPlayer would handle the requirements. But countries can definitely set their own copyright laws, and I wouldn't be surprised if China explicitly allows companies connected with the government to continue to use

  • by Anonymous Coward

    Where I work there are lots -- and I mean *lots* -- of mission-critical things that require flash. We got a system-wide broadcast email recently that read, essentially, OMIGOD NON OUR SOFWAR WILL WORKS NO MORE!@!!

    They've had, what, a couple of YEARS to adapt? But no.

    The cynic in me thinks it was a conspiratorial dragging of the feet to force the hiring of consultants to fix things ASAP and bump up the IT budget, a flexing of muscles to remind people how important IT is.

  • by The MAZZTer ( 911996 ) <megazzt.gmail@com> on Sunday January 24, 2021 @02:04PM (#60986306) Homepage
    Over 5 years [youtube.com]. There's really no excuse.
    • My GameFAQs signature used to be "It has been [0] days since the last Adobe Flash exploit was discovered"

  • Pirated Flash? Why? (Score:5, Informative)

    by williamyf ( 227051 ) on Sunday January 24, 2021 @02:06PM (#60986314)

    They are a FilesyetmCheking Railroad Company. For companies this big, official support for Flash can be easily had from Harman (a Samsung subsidiary) to which Adobe offloaded all Flash related activities.

    Services include keeping your flash infrastructure working until 2023 and beyond, and helping you migrate:

    https://services.harman.com/pa... [harman.com]

    As for the client, the latest Flash client in China can still be downloaded from Adobe.cn, and has no time bomb....

    So, this is mone ineptitude from the chinese sysadmins than a fault of Adobe itself

    PS: I DO NOT AGREE with Adobe planting time bombs on the SW.

  • The only more fitting punishment for running such a system using Flash would be if it caused the train to derail. What the fuck are people thinking when they make shit like this?

  • by aaarrrgggh ( 9205 ) on Sunday January 24, 2021 @02:12PM (#60986342)

    Someone saw a picture of a train control HMI, looked at the cost of licensing the software, and decided to just have a few guys do it themselves. They chose Flash...

    (For the life of me though I can’t find/remember the name of the quintessential HMI package that everybody used to use for these things... so much for my Google-Fu as well.)

    • Wonderware. Wow... I guess I haven’t dealt with it in a decade or more, but funny what things you block out over time.

      • by cusco ( 717999 )

        Wonderware . . . OK, now I'm going to be having nightmares, I had managed to suppress that memory almost completely. Thanks for nothin'.

        I'd be surprised if it was anything more complex than then interface for the controller's screen, I have trouble figuring out how they would make flash talk to a SCADA system otherwise.

  • by nadass ( 3963991 ) on Sunday January 24, 2021 @02:25PM (#60986376)
    About 10 years ago, I spent several years at a "smart, green tech" firm which built customer- and consumer-facing performance dashboards illustrating their energy management performance metrics: electricity consumption, occupancy, energy production, etc.

    In 2012, I spearheaded the dev team to build an HTML5 dashboard tech with no reliance on Flash. By 2014, the powers-that-be decided that migrating existing clients *away* from Flash would... invalidate... the terms of the deployment contracts at customer sites. As of 2018, those clients were *still* relying on the Flash-based dashboards for their energy management decisions.

    TL;DR - Many companies built "mission-critical" UI's in Flash because they prioritized aesthetics over function. I laugh. They cry.
    • by Tablizer ( 95088 )

      Many companies built "mission-critical" UI's in Flash because they prioritized aesthetics over function. I laugh. They cry.

      It's not just Flash. JavaScript toys and other web page bloat are maintenance nightmares, as new browser versions/brands often break the bloated web stuff.

      Eye Candy over K.I.S.S.

      It's one of the reason it takes about 3 times longer to build the same web app than using the 90's desktop IDE's. Don't even get me started about fucking Bootstrap: Spaghetti Science galore. (I realize deployme

      • by Cito ( 1725214 )

        Ah... Remember the days of Frontpage and Frontpage Extensions?

        Heh, my first website I used a Frankenstein mess of Dreamweaver and some Macromedia Shockwave which I believe was the predecessor of Flash then installed server side Frontpage Extensions and used Frontpage to edit the website.

        Nowadays Im usually just lazy and spin up a lamp stack and throw WordPress & Nextcloud on it usually and call it a day. Hehe

  • We keep hearing of companies stuck in a hard place that their old systems can't be maintained anymore because the people that maintained them have all died. There is going to be legacy flash content run past it's end of support date for decades, running in insecure browsers and Adobe can't stop them
  • by nnet ( 20306 )
    Did vmware fix their webui so html5 could be used for ALL operations now?
    • Yes, they did. They took their sweet long time, but they did.

      But some people and organizations still cling to the Flash UI. Either because they are more familiar with it, or because they are still ussing obsolete/unsuported versions of vmWare.

  • There are many pieces of expensive carrier network and telecom gear where the management system is web based with a lot of flash. Some of the vendors released terrible HTML5 versions in the last few months, but many things will never get updated.

    In the real world there are still things like windows NT 4 servers running as management consoles for extremely expensive gear. Usually not on the Internet.

  • by AnonCowardSince1997 ( 6258904 ) on Sunday January 24, 2021 @03:12PM (#60986524)

    I decided to RTFA on the Jalopnik website.

    Mistake.

    That website is a crime against humanity. It’s more ad than article.

  • This is exactly how you’d expect this to be solved. The first step would be to get your critical system back into an operational state as quickly as possible by any means necessary.

    Hopefully now they’ll continue on to step two, which is to put together a longer-term solution that’s not reliant on an obsolete technology... but I imagine that decision is being made by the same penny-pinching types who were ignoring the EOL warnings coming these several years already.

    Of course, there’s

    • Flash was hugely prolific in China, much more so that in "the west" in my experience. It was also a favourite of designers who just wanted their UIs working and flash they found easy for some reason. I don't think there was much awareness of the potential problems with proprietary products.
      Things have changed significantly, iinm. It's still a problem, but it is everywhere.

  • I work in the gaming industry and one of the biggest gaming management systems out there by Bally's runs on Flash
  • by Tablizer ( 95088 ) on Sunday January 24, 2021 @03:40PM (#60986614) Journal

    Many of our org's intranet training sessions run in Flash. They stopped working late last week. Everyone was scrambling to find a fix or work-around. Monday probably won't be pleasant.

    • One of the training courses we have to take at work uses Flash to show your scorecard for the final test. Now, you can take the test, but you don't have a score, so you can't pass. I had to take the test with Internet Explorer to get the scorecard to work.
      • by Bert64 ( 520050 )

        Try using an intercepting proxy like burpsuite, a janky old system like that will probably let you choose your own score.

  • by account_deleted ( 4530225 ) on Sunday January 24, 2021 @03:48PM (#60986640)
    Comment removed based on user account deletion
  • I understand the necessity to deprecate the cancer of Flash, but the users got what they signed up for.

  • Flash COULD look really nice and make a really nice looking front end to a control system. Probably was never actually the best choice, but I can see it.

    What I cannot forgive is actually exposing anything in that system to the Internet at all, especially to such a degree that the stuff can tell Flash is expiring. I would have locked that shit onto the version of Flash it was originally created for, maybe done some manual patches after that, but isolate and offline the shit.

    • by jythie ( 914043 )
      eh, they were probably trying to be good and keep up with patches and simply did not realize there was a self destruct timer in them.
  • I could buffer the entire video so that it was usable/watchable on slow connections, but html5 has no such ability. I'm happily corrected, if there is some way, BTW...

  • See map page [www.bl.uk] for example. All their zoomable maps are now broken. The “full size printable” alternatives don’t appear to have the same resolution as the Flash zoomable versions.

  • Not sure what is scarier.

    a) Using flash to run a train system. WTF!
    b) Not being aware your critical software is about to break from a widely announced update that has been known for years, face palm!
    c) Not controlling the software that runs said train system tightly so that it receives updates that kill flash! double WTF!
  • The source article [appledaily.com] doesn't read at all like the main link. The headline is full of snark and it ends with a section with netizens lauding the achievement with so much sarcasm that the official article which was hailing it as the highest order of technological achievement of 2021 was taken down.

    From the summary-linked article's "source"

    Chinese network users called the incident “the happiest technology news in early 2021.” The article in the official WeChat account of the “Dalian Train Department” may have something wrong in the message and the article has been deleted.

    Original article (not the Official one)Archived Copy [archive.org]
    This is an 'article' that looks like the English version [appledaily.com] with little more than running spellcheck. Worse, that article is related to the original Chinese version in nouns only.

    I don't expect much in the way of any review of posts by /. but this is sloppy even for them.

  • South African Receiver of Revenue (SARS) - tax authority also broke because they took too long to upgrade.
    More details here: SARS: Some taxpayers’ tax forms gone in a Flash https://www.dailymaverick.co.z... [dailymaverick.co.za]
  • Homestar Runner is still available and posting new content occasionally (including a short in 2021). You can go to https://homestarrunner.com/ [homestarrunner.com] and it works just fine. Legacy content uses Ruffle (a WebAssembly flash emulator written in Rust), newer content uses embedded YouTube videos.

  • How many software platforms and systems are based on old technologies that need to be transitioned?
    How many times have you been at a company, looked at the code / software / hardware stack and wondered why it's 20 years out of date and held together with band-aids?
    How many times have we seen an old library in a large system that seems to hold everything together, but can't be upgraded because it was EOL'd years ago?

    We can call out this railroad for running flash, but really this same scenario happens al

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...