Flash as spyware
Bill McGonigle
bill at bfccomputing.com
Mon Apr 3 18:31:01 EDT 2006
On Mar 29, 2006, at 09:58, Ben Scott wrote:
> On 3/29/06, Bill McGonigle <bill at bfccomputing.com> wrote:
>> Hey, if you're a popular website you could use Flash to store an
>> offsite copy of your enterprise backup in your users' Flash cache!
>
> You could do that with HTTP cookies, too.
4K vs 100K; well-known management tools vs. obscure website. Education
would definitely help (thanks, Dr. Sconce!).
So far, volvokeene.com is the only site to go over the cookie-size
convention on my system. They stored 13K of something on my computer.
I talked my sister into a Subaru anyway.
> Flash cookies are limited in size. I'm not sure exactly what the
> limits are. I don't think you should send *that* much data.
Looks like 100K is the default - 'unlimited' is the max. I found it
interesting they also have a preference to control when a website can
use your microphone and webcam via Flash. Gawsh, I hope that prefs
code isn't buggy!
> See also:
thanks, great links
>> ... install spyware.
>
> I'm curious about this one. Source?
Forget where I read that - maybe SANS. Here's an article which
doesn't explicitly state it, but you have to assume spyware attackers
will choose not to exploit this vector for it to mean anything else:
http://www.securitypipeline.com/181504092?CID=rssfeed_pl_scp
> I also don't like sensationalizing problems that are really not all
> that new to the computer world, or unique to Flash.
No, but most people think because IE and/or Firefox is auto-updating
security patches they're covered for browser security. Something like
Flash doesn't really fit into the realm of what, say, Firefox Update
can handle. Microsoft Update or Mac Software Update have the necessary
tooling but neither is an open platform. Fortunately more enlightened
operating systems have this solved already:
http://macromedia.mplug.org/
>> I'm interested in what happens to the SVG/Flash rivalry now that Adobe
>> owns Macromedia.
>
> As a guess, I'd say we could expect Adobe to sue people for reverse
> engineering Flash. :-(
SWF is an open standard (as well as SVG). All they can do is change
the SWF license and sue us out of existence over patents on future
versions. IIRC, SVG is a W3C standard now so they don't have that
option on SVG. I don't know who acquired who, politically. I was
hoping they'd make Flash render SVG and put the Flash advantages on an
SVG 2 track:
http://www.carto.net/papers/svg/comparison_flash_svg/
-Bill
-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Cell: 603.252.2606
http://www.bfccomputing.com/ Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf