[3stripe]

For such a seminal web technology, I thought the 'thanks/goodbye' page was a huge missed opportunity from Flash... there's so much goodwill and nostalgia for the old days and they "celebrate" it with urm... https://get3.adobe.com/flashplayer/thankyou/

[im3w1l]

What even...? Three lines of goodbye message, where the last line has the bottom cutoff by a huge ad? https://imgur.com/a/ooJI79Q

[x86_64Ubuntu]

You need to be happy they didn't ask you to install McAfee...

[vultour]

I have adblock and was wondering why there's a big blank box below the message... now it makes sense. This is almost "bundle ask toolbar with JRE"-level greed.

[im3w1l]

To be fair the ads seem to be purely for 1st party products, but still.

[stephenr]

Ah yes, the good old days when anyone with a bad idea and a little bit of time could chew up your CPU cycles and run ridiculously insecure code on your computer without consent.

[halvo]

Downsides to the tech don’t negate the millions of great experiences flash enabled

[angry_octet]

You can only say this if you haven't met people who have suffered from being hacked. Enormously painful stories. Flash is a trash fire, and Adobe and Microsoft externalised the penalties.

There is no reason we couldn't have had safe Flash except Adobe didn't care.

[ralphc]

I've heard the Flash codebase described as a big steaming pile of C++. Perhaps they cared but making a secure Flash was an impossible task. Windows has magnitudes more resources working on it and it still gets exploits all the time.

[angry_octet]

They could have reimplemented it in a safe(r) language and runtime. It would have been a big effort, and Adobe extracted the maximum cash for least effort.

Comparisons with Windows don't make much sense because it is an OS and a thousand SDKs and ever growing attack surface.

[sammorrowdrums]

And hopefully wasm sandbox with Ruffle will provide a better start for security than Flash had too.

[velmu]

Yea, Ruffle seems like the best option for making all the wonderful content built with Flash available.

https://developers.ibexa.co/blog/embed-flash-swf-content-wit...

[stephenr]

The comment talked about "goodwill and nostalgia".

The only people with "goodwill and nostalgia" about Flash, are either wearing ridiculously rose tinted glasses, or have zero clue about technology.

[jasonwatkinspdx]

It can both be true that flash was a security disaster and also was the basis of many successful startups and indie casual game developers.

[Closi]

I have huge amounts of nostalgia, from when my parents bought me a version of flash from my birthday to kickstart my whole interest in programming, to building animations and games for Albinoblacksheep - Without flash I would never have learned to code.

So yes, some people have nostalgia with no rose tinted glasses, and I would like to think I have a clue about technology.

[oblio]

We're so lucky that this has changed (narrator: it hasn't).

It definitely doesn't happen anymore (narrator: it still happens).

And it definitely doesn't happen in absolutely every browser out there and it can't really be blocked (narrator: it does, it is just done with JavaScript, which only hermits disable).

[throwaway_pdp09]

You acknowledge javascript has all the serious downsides of flash, then denigrate us who disable it for the very reasons you've given?

[oblio]

I'm making fun of you because it's not very realistic to disable it, especially due to network effects.

All the popular sites, including many intranet sites in every company I've worked for, use Javascript. I mean, you can disable it/enable it selectively, maybe I should try it with some Firefox extension. But I expect 95% of the web to break if I disable it.

So it's kind of a revolutionary attitude, which works out if you have nothing to lose, I guess. Or if you're trying to prove a point, but along the way you're probably hurting yourself, too.

[doodpants]

> I mean, you can disable it/enable it selectively, maybe I should try it with some Firefox extension.

The one I use is called, appropriately enough, Disable JavaScript [0]. It puts a simple toggle button in the toolbar, and remembers the setting on a per-domain basis. If a website has annoying behavior, it's little effort to switch JavaScript off to see if the site is still usable that way, or to re-enable it briefly to glance at some missing content. I recommend it; it's surprising how many sites I've disabled JS on, and left that way because there's no major breakage.

[0] https://addons.mozilla.org/en-US/firefox/addon/disable-javas...

[throwaway_pdp09]

> maybe I should try it with some Firefox extensions

So you're making fun of me although you haven't tried it. Yeah, okay.

> But I expect 95% of the web to break if I disable it

And you'll be wrong, it is much lower than that (except if you're talking about adverts failing to display, then I guess yes, in that respect it does).

I don't give a damn about other sites (and I don't browse intranet sites on my home machine -- if I'm in an office I use their office machine). If they don't work I don't use them except in rare cases when I really need to in which case they get run in a VM.

> you're probably hurting yourself, too

That's deeply patronising from somebody who admits they haven't even tried doing what I do, nor has even asked why I and others do it (hint: it's for many of the reasons you described). It sounds like you're talking to a rather stupid child.

[oblio]

I have tried it a long time ago (4, maybe 5 years ago?). Many, many things broke and I didn't have time to fix them all.

I already use the strictest Tracking Protection stuff in Firefox, for example, and I do hit sites that don't work correctly.

Maybe it's worth revisiting but something tells me that the web uses more JavaScript, not less, since I last tried this experiment.

And regarding the patronizing aspect, let's say your bank's website uses JavaScript, what do you do?

Edit, actually, sorry, I re-read your comment and you answered my question:

> I don't give a damn about other sites (and I don't browse intranet sites on my home machine -- if I'm in an office I use their office machine). If they don't work I don't use them except in rare cases when I really need to in which case they get run in a VM.

Q.e.d.

I'll just rephrase things to something less offensive: you're not "hurting" yourself, you're limiting yourself, sometimes with drawbacks not everyone is able/willing to endure.

[stephenr]

Name one browser-embedded technology in distribution today that has had even half as many security vulnerabilities as Flash has had over its lifetime?

If your world view is "block javascript or let any and all javascript run", I don't know how to help you, because that isn't reality.

[oblio]

> Name one browser-embedded technology in distribution today that has had even half as many security vulnerabilities as Flash has had over its lifetime?

Why should I name a "browser-embedded technology"? I can just point out browser vulnerabilities.

https://www.cvedetails.com/product/3264/Mozilla-Firefox.html...

https://www.cvedetails.com/product/15031/Google-Chrome.html?...

If anything, they're not that great against Flash:

https://www.cvedetails.com/product/6761/Adobe-Flash-Player.h...

Keep in mind that Flash itself was a runtime, much as a browser is. More limited, but still pretty big.

> If your world view is "block javascript or let any and all javascript run", I don't know how to help you, because that isn't reality.

You can't help me, I think no one can. For now we can still kind of run ad blockers, even though Chrome is working hard on stealthily removing them.

But for regular users, who don't run them (probably 99% of users out there), how do they protect themselves from cryptominers? From nasty ads?

[est31]

10 years ago, it was nearly impossible to browse the web with Flash disabled. Which means that most people had it installed, and thus a vulnerability in Flash would mean all users were exploitable. Browser vulnerabilities only mean the users of that browser are exploitable, which limits its scope somewhat. Of course, the Chrome monoculture that has established itself doesn't help here :).

[stephenr]

> For now we can still kind of run ad blockers, even though Chrome is working hard on stealthily removing them.

You're using a browser build by a giant privacy abusing ad company, and you wonder why it isn't so friendly to ad-blocking/privacy-protecting plugins?

COLOUR ME SURPRISED.

[oblio]

I'm using Firefox...

[Doctor_Fegg]

Depends if you view pervasive tracking as a security vulnerability.

[h-1]

That sounds like a great time to me!

Zombocom has more value than all today's social media combined.

You can do anything there.

[prawn]

Gabocorp!

[swiley]

How is this any different from javascript in HTML5?

The bad thing about flash is they also had network access without SOP... oh wait websockets does that. They also had FS access... which HTML5 has too now. Well the sandbox had some CVEs occasionally but then again, all software does.

I guess the worst thing was that it meant you had to install a closed source package from a large SV company... like most people do with Chrome.

[rad_gruchalski]

Maybe, but Flex and Air were ahead of their time. No current web based technology comes close.

[Cthulhu_]

what do you mean 'good old days', lol.