a writer's blog

A Pound of Flash

creed of reason

Adobe Flash, ceaselessly working for the greater good.

In April last year, when Adobe CEO Shantanu Narayen called accusations about Flash draining battery power on Macs “patently false,” Gruber quipped:

Who are we going to believe, Shantanu Narayen or our lying Activity Monitors?

Regularly, the Flash browser plug-in shifts gears into amok mode, turning my machine into a mouthful of soggy Weetabix:

Flash Plugin

But all that CPU time isn’t wasted—far from it. It’s ceaselessly working for the greater good! A bug’s been discovered that made it possible for remote sites to turn on a viewer’s camera and microphone. Sure sounds peachy enough… but there’s more! Adobe was able to “close the hole without updating enduser software” because “the settings manager is hosted on Adobe servers.”

Excuse me sir, a what?

Steve Bellovin:

That’s right—code on a remote computer somewhere decides whether or not random web sites can spy on you. If someone changes that code, accidentally or deliberately, your own computer has just been turned into a bug, without any need for them to attack your machine. From a technical perspective, it’s simply wrong for a design to outsource a critical access control decision to a third party. My computer should decide what sites can turn on my camera and microphone, not one of Adobe’s servers.

The policy side is even worse. What if the FBI wanted to bug you? Could they get a court order compelling Adobe to make an access control decision that would turn on your microphone? I don’t know of any legal rulings on this point directly, but there are some analogs.

Luckily, no civilized government we know of would be stupid enough to ever go and try such a thing! Oh wait.
