[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTikcYjkH=eZYJKNSbj81ih4bNSebQzMvRQsB7A24@mail.gmail.com>
Date: Sun, 19 Dec 2010 22:25:16 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Marsh Ray <marsh@...endedsubset.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: adobe.com important subdomain SQL injection
again!
"Personally, I kind of like Flash. It gives me a single kill switch for
90% of the useless blinking crap and popups on the internet. Flash is a
really appropriate name for exactly what I don't want to see on a web
page. I hope it remains the platform of choice for those who develop
such things." - Marsh Ray
I'll keep using that quote till I die...
On Sun, Dec 19, 2010 at 9:32 PM, Marsh Ray <marsh@...endedsubset.com> wrote:
> On 12/18/2010 05:30 PM, Victor Rigo wrote:
> > Let's see, flash is:
> >
> > - Cross-platform
> > - Cross-architecture
> > - Has it's own programming language
> > - Is embedded on websites
> > - Access to javascript to popup, local caches, etc.
>
> Not on my machine?
>
> > It's not ineptness, it's what you get when you right software that can
> > actually do stuff.
>
> Adobe comes from a time when you could write PC software without caring
> about security. Yeah, it was a heck of a lot easier to write just about
> anything back then because it was well and proper that anything could do
> anything.
>
> Nowdays, the first questions after "hey our software could do this" must
> be "but should it do that? What else could someone leverage that new
> capability to do? How does it combine with every other feature in our
> app or even on the whole platform? What if somebody does it repeatedly
> in a tight loop? With pathological inputs?" and so on. These questions
> take a long time to answer.
>
> So if a vendor is known for "letting app developers do more stuff" and
> not also known for "letting users control what stuff gets done on their
> own machines" then they are laggards, not leaders, in my view.
>
> > If Java applets were still the hip thing, you'd see the same thing about
> > that.
>
> There's undoubtedly some truth to that. But at the same time, it doesn't
> seem like a useful line of reasoning:
>
> * It's still not an argument for using Flash.
>
> * That Java plugins have had chronic security bugs doesn't mean that
> Flash doesn't suck too.
>
> * You seem to imply that you don't think that Adobe is likely to secure
> Flash any time soon. You're not saying "Adobe will secure Flash in the
> next patch and then it will be great." But you listed all the great
> stuff it does, so I have to think you would have said something like
> that if you believed it. You may be making Flash look worse than it is.
>
> * It's basically an "appeal to futility" argument: no one could make a
> development platform and browser plugin that is significantly more
> secure (or does a better job of managing the security vs. "doing stuff"
> trade off) so therefore we should accept the status quo. That's why it's
> not useful: it gives no guidance on directions in which to improve.
>
> Personally, I kind of like Flash. It gives me a single kill switch for
> 90% of the useless blinking crap and popups on the internet. Flash is a
> really appropriate name for exactly what I don't want to see on a web
> page. I hope it remains the platform of choice for those who develop
> such things.
>
> - Marsh
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists