Re: [Gnash] spyware buried in Flash movies

[strk]

On Mon, Jan 30, 2006 at 08:38:48PM +0000, Alias wrote:
> On 1/30/06, strk <address@hidden> wrote:

> > Do you trust all sites you visit ?
> > What prevents your browser from loading and playing a movie
> > embedded in a web page ?
> > The cross-domain.xml thing we're talking about is not there
> > to allow *you* (the computer owner) to decide what to load
> > and what not. It doesn't give *you* this choice.
> > Rather, it is there to allow a movie publisher to decide
> > who can or cannot load it, based on the loading movie's url.
> 
> The point is that it prevents the *author* from creating malicious
> scripting content. It's not about restricting the user's choice. It's
> easy to get around via a server side proxy script anyway - a few lines
> of PHP is all it takes. Weigh that against the potential for misuse.

What would the malicious script do, for example ?
And how would the cross-domain (in)security model prevent it ?
It might be me not getting it, but can't find an answer to these questions.

> > The current restriction disallows loading a public jpeg from a movie,
> > unless that jpeg publisher explicitly wrote the IP from which that
> > movie has been loaded. Isn't this a legitimate use ?
> 
> Generally, if you are using someone else's images, without their
> consent, that's bandwidth theft. It's not *illegal* but it's bad
> etiquette.

The images would be get in HTTP, usually using the same caching strategies
of a normal browser, so there would be no difference. The fact that
Flash players will not get those images won't save that bandwidth from
being *stolen*. Anyway, there's no theft unless the publisher explicitly
forbids use of that resource. Also, there are technical means to
provide autorized access only, and these are enforced on the publishing
system, not the user system. The HTTP protocol defines authentication
mechanisms, also the TCP protocol itself allows for allowing/disallowing
given domains. This would be the way to go to protect content.

Discriminating access policy based on user agent is a dumb thing
(at best) or a fascist thing (at worst). It's like saying: flash
players are *forbidden* access to these resources; but you can
get them with any other mean.

> There are lots of potentially legitimate uses for pop-ups too, and
> look how popular they are. Flash is easy enough to use for evil as it
> is - don't make it easier.

Welcome Gnash again.
Evil thing can happen only when *you*  (the user) can NOT control
what you run. Since we're making a Free player users will be able
to control what to play and what to not, what resources to use 
and what not... power must be in users hands!

--strk;