Macromedia invades privacy

Posted 02 Jun 2002 22:09:12
02 Jun 2002 22:09:12 carolus Holman posted:
I am not sure what this qualifies as, but I right-clicked and selected properties on the main flash menu on Macromedia's website and was surprised to find...
That Flash can Access your camera, microphone, file system etc.

Anyone have any thoughts on this?

***UPDATE***
Macromedia's home page no longer will show this screen, only the "About Flashplayer 5" caption. (UPDATE NOTE: I was on ANOTHER MACHINE with flash 5.0 installed, so I could not see the properties, so Flash 6.0 and 5.0 are backwards compatible to some degree. So Macromedia changed nothing. ***The Paranoid Survive!***)

[Image: home.attbi.com/~carolusholman/images/scary_privacy.gif]

Carolus Holman



Edited by - rolus on 04 Jun 2002 01:24:59

Edited by - rolus on 04 Jun 2002 01:26:36

Edited by - rolus on 04 Jun 2002 01:26:56

Replies

Replied 02 Jun 2002 22:22:16
02 Jun 2002 22:22:16 Dennis van Galen replied:
My thoughts on that are:

GREAT feature, most of all because the user can turn access off, I see no privacy invasion here, just great benefits if people were to actually use this :)

With kind regards,

Dennis van Galen
Webmaster KPN Services
Financial and Information Services
Replied 02 Jun 2002 23:22:31
02 Jun 2002 23:22:31 carolus Holman replied:
quote:
> My thoughts on that are:
>
> GREAT feature, most of all because the user can turn access off, I see no privacy invasion here, just great benefits if people were to actually use this :)
>
> With kind regards,
>
> Dennis van Galen
> Webmaster KPN Services
> Financial and Information Services

Well, my issue is that one could write a flash app without regard for people, and if you had a camera and microphone they (the author) could surreptitiously record your conversations and watch you as you surfed the web in your underwear.

Carolus Holman

Edited by - rolus on 02 Jun 2002 23:24:10
Replied 02 Jun 2002 23:25:34
02 Jun 2002 23:25:34 Dennis van Galen replied:
Don't worry, they thought about that.
It defaults to don't use and you can turn it on or off for every domain you find flash movies, just try it: dennisvg.homeip.net:8500/mx/ServiceManager/index.cfm
You will see that it defaults to not use it.

With kind regards,

Dennis van Galen
Webmaster KPN Services
Financial and Information Services
Replied 02 Jun 2002 23:30:37
02 Jun 2002 23:30:37 carolus Holman replied:
quote:
> Don't worry, they thought about that.
> It defaults to don't use and you can turn it on or off for every domain you find flash movies, just try it: dennisvg.homeip.net:8500/mx/ServiceManager/index.cfm
> You will see that it defaults to not use it.
>
> With kind regards,
>
> Dennis van Galen
> Webmaster KPN Services
> Financial and Information Services

Yeah, don't worry till someone figures out how to 'Upskirt' or "At Home" you. I KNOW someone will figure out how to get past this.


www.macromedia.com/support/flashplayer/help/settings/

Anything that can access your local resources is something ELSE THAT CAN GO WRONG. I am no CHICKEN LITTLE, one day everyone will have to worry about who is watching!

Carolus Holman
Replied 02 Jun 2002 23:39:28
02 Jun 2002 23:39:28 Dennis van Galen replied:
Are you running Windooz?
'Cause then most people can already access your resources. Personally I like the feature, it allows for easy creation of visual chat apps, just to name an example. With every technology there's security involved, and every new technology has issues, I'm more concerned about how unsecure webservices are at this particular moment in time. And since most of us frequent the MM site on a regular basis and are subscribed to their lists, we would be notified immediately if what you claim would be the case.

With kind regards,

Dennis van Galen
Webmaster KPN Services
Financial and Information Services
Replied 03 Jun 2002 22:08:06
03 Jun 2002 22:08:06 carolus Holman replied:
quote:
> Are you running Windooz?
> 'Cause then most people can already access your resources. Personally I like the feature, it allows for easy creation of visual chat apps, just to name an example. With every technology there's security involved, and every new technology has issues, I'm more concerned about how unsecure webservices are at this particular moment in time. And since most of us frequent the MM site on a regular basis and are subscribed to their lists, we would be notified immediately if what you claim would be the case.
>
> With kind regards,
>
> Dennis van Galen
> Webmaster KPN Services
> Financial and Information Services

Well, to say that someone can arbitrarily access your resources because one is running windows is not 100% correct. ActiveX components can, with permission or with the knowledge of the computer owner, access resources; however, I as an end user will most likely pay more attention to a request from an ActiveX program asking to use my camera, microphone than flash, which up until now has been more in the background as a content delivery application. Now that flash has more interactivity some interesting things are bound to occur! By the way, Macromedia has changed their front page, now when one clicks on the flash menu on the page, no properties are available to look at. Just the "About Flash Player 5". Hmmmm, coincidence? Or am I missing something?
***UPDATE*** I was missing the fact that I was looking at this website with flash 5.0, which doesn't have the advanced properties information screen.

Edited by - rolus on 04 Jun 2002 01:28:32
Replied 03 Jun 2002 22:44:38
03 Jun 2002 22:44:38 Bruno Mairlot replied:
I have to agree with rolus on that point.

The Flash Player is not open source, and therefore who can be sure there's no possibility to break the Access Denied settings of the Flash player?

Should the Flash Player be open sourced, we would be able to analyse this feature much more deeply and eventually find some security/privacy hole and submit patches for it.

This is a beautiful example of the usefulness of open sourced code!!

Bruno
Replied 03 Jun 2002 22:59:09
03 Jun 2002 22:59:09 Dennis van Galen replied:
quote:
> Just the "About Flash Player 5". Hmmmm, coincidence? Or am I missing something?

I think you must be missing something, I still can change settings on that movie.

I spotted this in my lunch break today, might be of interest to you:
www.macromedia.com/desdev/mx/flash/whitepapers/security.pdf
We always have to be aware of security, last night I found myself wondering why on that specific MM page my computer came, twice, with a popup saying "The new settings will take effect after you reboot, do you want to reboot now?".

With kind regards,

Dennis van Galen
Webmaster KPN Services
Financial and Information Services
Replied 03 Jun 2002 23:07:04
03 Jun 2002 23:07:04 Dennis van Galen replied:
quote:
> This is a beautiful example of the usefulness of open sourced code!!

Imagine a hacker spots it before you do and doesn't share it with anyone but wants to make his point and ravages half the internet with the hole others are still trying hard to trace, meanwhile hard drives are being wiped worldwide, mainframes crashing, mobile phones start displaying, I OWN YOU!!!

Do you think it's still a beautiful example?

With kind regards,

Dennis van Galen
Webmaster KPN Services
Financial and Information Services
Replied 03 Jun 2002 23:43:08
03 Jun 2002 23:43:08 Bruno Mairlot replied:
This is the usual response people give when they want to advocate security by using obscurity!!!!

Do you really think that one lonely guy, with mischief in his head, will discover a hole and that nobody would find it also? Be serious!

Microsoft, as an example, has been using this kind of response, and how many security holes are found (even without source code) in IE and IIS or Windows? How quickly are these holes fixed? Some very well-known ones are published on the web on many websites and are still not fixed.

Open source software is not immune to security holes, but if I recall correctly, the last important security hole in Mozilla was fixed in less than three days.

How many times do you hear about an Apache security breach?

How can you trust something you don't know anything about??

What do you prefer, honestly? Something that everybody could have a look at, checking for the security and privacy, or relying on marketing statements?

Bruno
Replied 04 Jun 2002 00:07:41
04 Jun 2002 00:07:41 Dennis van Galen replied:
I'm not an expert on security, but I do know how widespread the flash player is, it isn't at that point in Europe yet, imode, communicator, cellphones etc have no flashy installed, not sure why, but that's more widespread in other parts of the globe. I recently learned that Xbox and PS2 have them installed as well?!

Anyway, I'm not sure which is best for security reasons, open source or "in control" with people who know the software and therefore can respond faster because they already had a fixed version but wanted to wait a week to add that fix that was a higher threat than the one now discovered.

Besides, we got people in the company who deal with IT security, I'm sure they'd be all over MM if their systems were at risk from a hole in their software.

I see no new message, weird email?!
Anyway, I need to contact those guys from security and ask how I go about letting their one time sign in thingy secure my site so only our department can access it. Corporate IT is great, once you get used to the rules!

With kind regards,

Dennis van Galen
Webmaster KPN Services
Financial and Information Services

Edited by - djvgalen on 04 Jun 2002 00:12:11

Edited by - djvgalen on 04 Jun 2002 00:35:41
Replied 04 Jun 2002 10:17:22
04 Jun 2002 10:17:22 David Thomas replied:
An important point here is that the majority of web users don't know anything about security or source code or right clicking on flash movies etc..

If (the big IF) someone did manage to find a hole and access people's multimedia devices without them knowing then I think this is a major boo-boo from MM and I'll watch the situation a lot more.

The fact that it isn't displayed in H1 tags across their screen
"WE CAN ACCESS YOUR MIC AND WEBCAM"
This worries me a little, as you will always get an idiot who wants to ruin it for everyone else.

I ain't no expert, just a concerned user.

"Nobody ever said this stuff was easy"
