So we have an "on air" talk published on Youtube
Streamed live on 2 Nov 2016
It's under the #stuff category but it could also be in #flash and #air ... why ?
Well... what do JS dev do when they talk about the Web Platform ? they talk about Flash and how it is dead (shocker).
For the first 20 minutes it's mainly about the Brave browser, the history of the web and how stuff sort of happened, like the
Pretty interesting, but the meat of the talk it's here at 20m20s when your focus is Flash/AIR/AS3
and yeah, I gonna have to comment a little but I'll do that lightly as I don't want this to turn out into a "I absolutely want to defend Flash, the browser plugin" rant
by the way, I discovered this talk here, the twitter threads is full of comments off course
so at 20m20s
Kent: ... One thing you mentioned that Flash has so many vulnerabilities that if you got a dollar every time you'd be a billionaire. So I'm curious why that is. What is it about Flash that makes it so consistently vulnerable, and is there any chance that the web keeps adding more APIs, giving you more power as a web developer, is there any chance that we could see our browsers being just as vulnerable and dangerous as Flash was?
I was not really expecting better from JS dev, for them Flash is by default "vulnerable and dangerous" and off course is a "was" as if it was not existing anymore ...
the funny thing is that right there they can also admit that web APIs are not as powerful as Flash and then they gonna talk about Flash for quite some time and how it is the only plugin that most browsers support, I find all that quite ironic.
Brendan: I don't want to pick on Flash. Browser have vulnerabilities. Any significant code base is going have vulnerabilities. It's kind of a truism.It's a scientific fact, really, mathematical ... I was watching a talk by Sergey Bratus, and he said this is a consequence of undecidability. Turing and Church developed David Hilbert's 10th problem, which was Hilbert said, 'Can you make a mathematical system for solving certain kind of equations?' and this lead to the general idea of 'Can you make a computer that can look at a program and decide wether it halts?' the hating problem, and Turing proved you cannot. And this has serious consequences, including we cannot statically analyse our code and find all the bugs. SO we have test it at run time. Stack analysis is good. It's additive and complementary. I still find fuzz testing where you generate travesty inputs and feed them to programs is more productive than static analysis, but you want both. When people learn this sometimes they're, if they are far seen they realise this means security will be a job forever. It means you cannot hope for a day that comes when we suddenly fix the last remote code execution vulnerability and we're done, because living code always changes, and changing code needs testing, because you cannot statically find all the bugs.
I could not agree more.
Even outside of the scope of security I keep repeating to clients, other dev, etc. that the code is a living thing, and so it have to be maintained continuously, from bugs/fixes, to OS updates and tons of other things.
Brendan: ... So I don't wanna pick on Flash too much, except now I gonna pick on it because he is really has gone sour too, and the reason is, I think, Steve Jobs killed Flash but he did it with some Fist of the North Star super-punch that caused Flash to become a zombie that has been lurching around eating people's brain ever since, and eating my computer's brain until I turned it off the other year
ah! first I like a lot that Brendan Eich know about Fist of the North Star (hokum no ken)
the private joke about Flash is how Ken often says
"You are dead already but you don't know it yet"
and to be honest that's a fair comparison as I often compare Flash to a zombie too, but not in a "walking dead" reference but more as something that everyone think is dead but is still alive, anyway ...
Notice also how all JS dev laughs at the Flash zombie metaphor.
... Steve Jobs, two of his greatest contributions are "Thoughts on music" where he said 'no to the DRM' and "Thoughts on Flash" where he said basically 'Flash is like this other runtime, we already have our own web browser, we already have Safari Webkit, we don't need Flash, and Flash is just gonna suck power and be a second class citizen', I think he was right, people said he was unfair and there was things he said in the blog post that weren't true 'Flash is based on older code', wait a minute ... iOS / Mac OS are based on BSD Unix and the Mach project from CNU from the early 90s or whenever, there is a lot of old code in Apple software, but the age isn't the thing.
hehe never thought of that argument for the older code, I'll keep that on the side as it's very true
... It's wether it's living code that's been brought forward, and the problem with Flash it was a single vendor that had its day and did really innovate with Flash, truly innovated, ahead of the web, because the web was being monopolised by Microsoft, so while we were trying to do Firefox and take back the web and we did succeed in that, Macromedia was charging ahead with Flash and they did a bunch of cool stuff.
I was not expecting some praises for Flash but good to see those.
And yeah AS2 had classes, basically the current situation of JS as of today if you write JS code in TypeScript but under the hood it's still got "compiled" to good old ES3, AS2 was just syntaxic sugar and compiler check to then produce AS1 code.
If you want to know more about JS2 check that powerpoint
Oh yeah the similarities with ES4/AS3 are there already
And remember, ES4 was not standardised not because it was bad, but because it was too radical, these notions of packages and namespaces at the same time are pretty advanced, you can see bit from it in AS3 but those namespaces are rarely used, check out the chapter 1.9 Namespaces in the AS3 specification.
Brendan: ... And it was a single vendor, so to the extend that they worked diligently and they used fuzz testing and stack analysis, they could have kept ahead of their security bugs. But I think it's hard, because they were closed source and they were single vendor for them to do that, and after SteveJobs' thoughts on Flash and it was clear that it was not going into iOS, Adobe had a real problem.
Well ... I could say a lot about security here and how comparing then (2006'ish) and now (2016'ish) is comparing apples to oranges, but I will not, later you will see a whole point about security/vulnerability.
Let's go with the interesting internal story first
I'll tell a story about this. When I was at Mozilla, we were still facing this hard problem of getting Flash working right on mobile, and the only way I think that at that point Adobe was doing Flash on mobile was on Android. Android was not like Lollipop ... or whatever, it was pretty old, and it had this terrible webkit version. This was like Gingerbread or even earlier. But they had Flash, and Google had thrown engineers at Adobe doing things like the Pepper API plugin version of Flash. This was like a better plugin API. And so there was a meeting, it was a very weird meeting. It was like we were stuck at Mozilla thinking 'How are we gonna get Flash working on mobile? If we're trying to get on Android and there's still a lot of Flash content', which there was then, this was 2011 I believe, 'How are we gonna do it?'. And we went to Adobe and we said 'Can we get a really good Flash embedding going for the Mozilla engine, Gecko?' and they said 'Why don't you just use Pepper?' and we said 'We can't really use Pepper because that's like using Chromium, so we would have to get rid of Gecko or do some kind of mashup between the two and it would be a lot of work and we'd rather just take the Flash that we have in Gecko and make it better. Why don't we do that?' and the Adobe people were like 'We feel like we're children whose parents are fighting, and we don't like it. Why can't you just get along with Google? I'll help you get on the phone with somebody at Google, who I happen to know already.' and I said 'Look, I'm here to meet with you, not with Google. Why are you talking about Google all the time?' and they were doing this sort of 'Why can't Mom and Dad get along?' and Mozilla is a lot smaller than Google. It was a very strange meeting. What followed in two days, I kid you not, was they said 'Oh, never mind. We're dropping Flash on mobile.' and by mobile they meant Android, because Steve Jobs had already killed it on iOS, which means it not gonna be on mobile. If it's not on the shiny, best mobile device, it's not worth putting on Android and Adobe threw the towel, and that was 2011.
Very interesting insider story.
The only thing I could say is that those big companies either Adobe, Google, Mozilla (they are not that small), to me they feel quite arrogant at times, the same way Adobe could have thought that Flash on the web was untouchable and did not (could they?) anticipated what will happen with iPhone and iOS, you can also see that it was out of question for Mozilla to cooperate with Google on the browser side of things, eg. old NPAPI vs new PPAPI.
But, Flash still on the web, especially on what you see on your big screens, your laptop and desktop, it's still used for ads that were created within the last six years, sometimes five years ago, but they're still being sold. In New York, there's somebody, a media buyer is out there looking for space to fill with ads and they have some Flash ads that promote some product that's still on the market. Flash ads are still trending up last I heard from a friend at Microsoft. I think this might be out of date now, I hope it is, but two years ago, and then a year ago I heard that they were seeing in Microsoft Edge a rising tide of Flash ads. My solution with Brave is to block those, and I think nobody really needs Flash ads, but this is why Flash lives. It's like a zombie.
I think nobody need advertising, period. Wether it is Flash or HTML5 based or as a video that you can not skip on your TV, nobody likes ads.
But I could also add why Flash was so much used for ads on the web, because the SWF format allow to pack a lot of things in a small binary that can be easily stored on some ad exchange servers, eg. it's all-in-one, you can get code, animation, images, sound, etc. in just 1 file, this is a huge advantage compared to HTML where all resources/assets are mainly external (base64 encoding for images see Data URI scheme is not really widely used).
The reason it's lingering is sort of bad legacy, and since Adobe kind of walked from it and did Creative Cloud and went to a subscription model and said, 'We're a service company', and software as a service, and then platform as a service, or Omniture, whatever, there's no incentive for them to really lean into Flash and all the fuzz testing and all that hard work figuring out deep in the Actionscript Virtual Machine or in the C++ code why there's a memory safety bug that can allow remote code execution. So Flash is just a sort of toxic, brain eating, vomiting zombie.
Wow ... so many things I could say here, but first I don't feel the same at all, where Adobe walked away from Flash ? oh I forgot for JS dev only the web exists, they don't see that even if Flash the browser plugin never ran on iOS, something like Adobe AIR reuse the whole Flash technology stack and produce native apps on iOS since iOS v1.0, or that even if you can use a browser on a smartphone, users prefer to use native apps to run you know ... apps, instead of running apps in their mobile web browser (classic example is gmail as you would certainly prefer to use the native app vs using gmail in the browser when you are on a mobile).
But the main argument I would have here is that security and vulnerability threats have evolved a lot in the last 10 years, it is a bit too easy to blame Adobe saying they did not keep up, see later a more detailed point about that.
Brian: It's been forsaken. Well, plus it sucks to update. Nobody wants to update Flash. You have to close all your browser tabs.
Brendan: It's a pain.
and yeah everyone is laughing wholeheartedly ...
yeah that's the classic JS dev "mafia" that laugh at the "death of Flash" announced since 2010, an obvious classic by now, just a little reminder that it's been 6 years already and Flash is still around and HTML5 has still not catched up on everything.
Brendan: Jobs was right. Jobs didn't like extra layers of stuff, and I used to own Apple Mac IIci back in the old, old days. ...
sweet old memories ...
Brendan: It was a tight little machine, I think it was System 6, and say what you will about Apple, I think they always liked to have a tight hardware software integration. They have IOKit. They have AppKit, WebKit. Some of these are better than others, in my opinion, as piece of software in terms of design and implementation quality, but they don't have a lot of extra fat. They don't have two everything or three everything, and so Flash would have definitively been one too many compared to WebKit, especially since the original iPhone was supposed to be about the web. They said 'The web works.' Jobs said, he held up the phone, he said, 'The web finally works', and that was their app model for the first 10 months.
The blindness continue, sure I understand JS dev see only JS and the web and are completely oblivious of all the rest, sure if Steve Jobs says "The web works" and the web is your core philosophy you can only agree with it.
Except it was a bit different from my point of view, see if Apple did not want Flash on their mobile platform was not really because the web works and they could not tolerate a doublon "doing the same thing as the web browser" ... it was mainly because, at the time, if you have put a mobile browser app next to a Flash app running in the browser, the flash app would have destroyed the web app in term of features, it would have not even been fun to compete as "too easy to win".
Why do you think Apple reverted their decision to allow only web apps in iOS after 10 months ?
because developers complained, it was just impossible to produce quality apps with the web, it was just not possible, and Apple knew perfectly that without a developer ecosystem their new mobile platform would not go very far.
And so there first iOS SDK arrived, and then Adobe ported the Flash technology to AIR for mobile (Adobe Integrated Runtime as it was known at the time), as they did previously for the desktop and as of today Adobe AIR is still a killer platform.
But the only thing JS dev saw is that smartphone had mobile browsers so they could run web app on mobile browsers while there were no Flash plugins.
So anyway, that's why Flash is particularly bad. I think it's been forsaken. I think it's economically Adobe can't justify too much effort on it, but they do try to patch it, and that's why there was a patch yesterday for a very dangerous bug that was being exploited in the wild. And so back to the Angler Exploit Kit in malvertising, the Angler Exploit Kit was the kit that was attacking not only Flash but Silverlight. To be fair, Microsoft copied Flash. They called it Silverlight, what were they thinking?
Indeed, what were they thinking?
Notice how earlier it was mentioned that nobody wants to update Flash and how it's all cool now that browsers often produce updates ...
Personally I really don't like how this whole part kind of imply that this whole malware / ransomware stuff is Flash's fault.
They used not to, but Microsoft learned the hard way and did a good job reforming itself on security, patching over the years. And Brave updates often. We update often just to add features, too, cause we're so young, but really do need software, it needs to be living, that means maintained and fuzz tested and analysed. It means also that you're getting updates to your users or they gonna be vulnerable. Nevertheless, there's a big black market for exploits. It's the big story in security now. You just can't keep ahead of them. It feels like not only an arms race, but kind of a losing race in that people are using C++ and C, these are powerful languages. C++ is great, right? It's evolving still, it's got as lot of great features, formerly unsafe. You can talk about using template types and being careful. At the end of the day, it's unsafe. That's one of the reasons at Mozilla I sponsored Rust, and that's why I'm excited about Rust.
Funnily enough it is also why I do Redtamarin, eg. allow dev to write safe code in AS3 instead of writing it in C/C++, anyway ...
We also see other safe languages coming before. I just wanted to say I was kind of pessimistic about security, because of the undecidability problem. There are better tools, and there are better programming languages, and I'll pause there, because that's a hopeful note for the future.I think if we use those better languages like Rust, e will have fewer security bugs down the road.
Except, I don't think something like Rust can replace C++ when it comes to writing software like a browser engine, sure C/C++ is unsafe but it is the most "go to language" for when a company want to write such complex and advanced cross-platform desktop applications.
Kent: So obviously Flash is something that we want to not have running on our machines. I've disabled the plugin in my browser, but sometimes I go to a site that requires into watch a video or something. I have to open an incognito mode or something, but from what I understand, Google Chrome has started to or will soon automatically block Flash unless it's the only thing that's powering the site. have you heard about that and is Brave doing something similar, or how is Brave combating this problem?
That's where I can not take this kind of JS dev convo seriously, it's all about "hating on Flash" gratuitously, for them it's just obvious to hate Flash.
Brendan: Yes, I have heard about that, and I think it's a little bit slower. I wasn't sure what their plan was. I since it might be changing since we last looked. At first it sounded like they were gonna turn it off by default, but that had this sort of growing list of sites where they would actually allow it because, as I said, unfortunately, it's still required for some sites. That looks just too dangerous to us at Brave, so what we've done is we've turned it off by default, and if you go to a site that needs Flash, you will get a black plugin rectangle with some kind of prompt that allows you to turn it on, go into the general preferences and turn it on. That's the first line of defence for us. And then, if you do that, it's still off for any site, but we intercept the thing that tries to load it and we say "Do you wanna turn Flash on for this site?" and then you can do that. I think you might even have to reload.We really don't make it easy for you which is kind of intentional. And it remembers for that site, but we did something extra. Because Flash tends to have endless vulnerabilities, after seven days for that site, it disables again automatically. So what do we need the Flash? And I think that's appropriate, because that zombie, it's eating everything.
And when you will have a good amount of users either complaining they can not view Flash content easily or when they will move to other browsers just because of that, then because of economics ("please users don't leave our platform!") this decision will probably be reverted.
Kent: Wow, that's amazing. I love how hard you've made it
yeah let's make the user experience hard to artificially promote another technology on our agenda ...
That's why I predict too that this whole "blocking Flash by default and making it very hard for the user to run Flash" will probably fail miserably too, users want to consume Flash content, it's not only ads and video players, it is content, real content that been consumed for years by billions of users.
But the JS dev logic is "oh they just have to convert their Flash to HTML5 because y'know HTML5 is evolved now" ... so let create a lot of headache for the lambda user to run Flash content so they will automatically move to HTML5 content, so logic and so convenient ...
Except the lambda users do not give a flying fuck about the technology that is underneath their favourite apps, contents or whatever, want an example? just look at how easy it was for mobile users to favour native apps over web apps.
Even worst (for web apps), look at how app stores coming to desktop is the "app install model" favoured by users, sure some web apps like Facebook and gmail will keep going, but desktop apps are not going anywhere, they are certainly not being replaced by web apps.
Brendan: That's, An-su did all that work, so. And she's fielding different variations on a theme where Flash comes in through some sneaky embedding or some different way that we can't always intercept. SO we're working on it, so people shouldn't just assume that we hate Flash so much that there's no way to make it work on a given site.We'll take bug reports and we'll try to fix them, but we're definitively not gonna make it easy, and we're not gonna turn it on by default. It is off by default in Brave.
All that is assuming that the only threats to users is the Flash plugin, wouhou let's disable Flash and voila by magic now all our users are safe and secure.
Brian: But Silverlight isn't, or?
Brendan: No, Silverlight is off. We don't even have other plugins. I think Silverlight is dead anyway. The story there is that Silverlight was important, especially on the Mac, because Netflix needed it for some level of DRM sort of software, obfuscate DRM, and maybe on Windows earlier they needed it, but then Microsoft, Netflix and Google got together and did HTML5 encrypted media extensions, which is DRM for HTML5 video, and pretty soon, before that spec was even like, might not even been a working draft, I don't know what state it was in, they started shipping support for it because they wanted to get rid of Silverlight. So Silverlight is dead. And that's good, because the Angler Exploit Kit was targeting Silverlight as well as Flash, and maybe even the Java plugin, which Oracle was a very bad steward of for many years and finally got wake up calls with massive exploits. And I'm not sure how good it is either, but we don't , and Brave, we don't do any of those plugins. It's just plugins are dead, it's just a matter of time. They're the walking dead. (laughs)
OK, so plenty of interesting said in this convo, but sadly those JS dev falls into the same classic "let's binge on Flash hate" trap.
I mean, just look at this last paragraph, if Silverlight and every single other plugins are dead but not Flash, what does it tell you?
Me I read that as "users want to consume Flash content", but those JS dev apparently see that as "unfortunately those poor users are forced to use Flash content", and the only argument is what? security?
Let's talk in details about the security part, coming next.