Flash as spyware

Ben Scott dragonhawk at gmail.com
Wed Mar 29 12:04:00 EST 2006


On 3/29/06, Bill Sconce <sconce at in-spec-inc.com> wrote:
>> I also don't like sensationalizing problems that are really not all
>> that new to the computer world, or unique to Flash.
>
> <Bill McGonigle says:>
>>> I actually hear web designers say, "I can't wait until we don't have to
>>> use HTML anymore and everything is all Flash".
>
> <to which Ben responds:>
>>   Must... not... kill...
>
> Q.E.D.  (Gotcha.  Flash IS unique.    :)

  Er, no.  I say the same things about web designers who use
JavaScript instead of HREF, or animated GIFs, or the BLINK tag, or
sounds, or crazy fonts and colors, or a navigation model like an M. C.
Escher painting, or...

  I object to stupidity, not Flash.  Flash can be used for stupidity. 
Hell, it usually is used for stupidity.  So's the rest of the
Internet, near as I can tell.  :)

> I see Web designers say, "users aren't smart enough to know which
> cookies to allow, so we'll go around them and use Flash".

   Yup, another arms race.  Stupid designers use cookies badly. 
People panic and disable all cookies.  Stupid designers come up with a
way around the cookie blocking.  Next step will be to block all the
Flash cookies.  Then the web designers will come up with some other
stupid thing.

> That's not for animation, or for a better "Web experience".  That's for
> letting the website developer use your computer without your knowledge.

  Sure is.  Nothing new there, either.  Or did you actually desire
banner ads as a feature when they first hit the scene?

  And, really, "without your knowledge" is perhaps a bit wrong in the
phrasing.  By that line of thinking, all web sites use my mom's
computer without her knowledge, since she knows *nothing* about how it
works.

  I think the key point here is the question of developer intent, not
user knowledge.  *Why* are they using cookies, and *why* Flash cookies
as opposed to HTTP cookies.  When they're doing it with the explicit
goal of tracking customer behavior against the customer's wishes,
that's naughty.

  Then there's the issue that even with full disclosure, many people
will continue with known harmful behavior.  I know someone who refused
to stop using the Gator password manager because she feared change so
much.  *shrug*

> "Without your knowledge" makes any distinction between shared local
> objects and outright Bot technology a splitting of hairs.

  I can't say I'd agree with that.  We're talking cookies here. 
Client-side saved state.  There's a bit of a freaking difference
between that and autonomous code running on your computer.  :)

  I might point out that you can achieve much the same effect with
nothing more than a long URL.  So I guess URLs are evil, too.

> Does "everything" suck *that* much?

  As near as I can tell, yes.

> ... and of course "trust us and our secret code to do what the control panel says" ...

  Or the not-so-secret code.  There have been Trojan horses in Open
Source before.  Most people don't even stop and think about trust
before installing software, let alone perform code review.  More
suckage.

  Interesting case-in-point: Someone yesterday posted a link on
Slashdot to a Firefox extension designed to add useful features to
Slashdot.  I'd wager dollars to donuts that the vast majority of
interested Slashdotters installed the extension with no code review at
all.  I sure did.  Is that any different than the legions of clueless
users who install spyware because "the computer told me to"?

-- Ben



