Back issues & Flash plugin

OS's are developed and security issues are addressed during their service life but they do not have to cope with active content coming from unknown sources making the issues with Flash (and Postscript, JavaScript and even HTML5) more of a problem.

Regarding the open source question, while an enthusiast for it (2 of the four laptops by me now run Linux) the developer's job might possibly be even more difficult if they had to face a multitude of different rendering engine variants, even with access to the source code.

@Nick,

Security is a complicated subject and there are all kinds of ways our computers can get compromised. Same as Flash, modern browsers have their fair share of vulnerabilities. See e.g. these recent news. I don't think that Flash is inherently less or more secure than HTML5/JavaScript in our browsers. It is true that Adobe did somewhat poor job at maintaining Flash, including the security issues. They didn't put enough money/effort into it and allowed it to die.

Adobe open-sourcing Flash wouldn't necessarily mean a multitude of variants (forks). Open-source developers are well aware of pitfalls of forking, and most projects exist in only one variant. There are some cases when due to various reasons (personal or technical) there exist two (rarely more) versions of open-source software, e.g. OpenOffice and LibreOffice. There had been cases where projects had split and then, years later, merged back together.

The most relevant to our current topic would be FireFox, earlier Mozilla, earlier Netscape Communicator. It's an open-source browser and there's one main version of it, although there are multiple browsers "based on FireFox". These are all more or less niche browsers with a small user base, so their developers naturally aim for compatibility with FireFox in terms of being able to render all the same websites correctly.

Naturally web developers only test their websites and web applications on the most common browsers. E.g. the company I work for cares for these desktop browsers: Chrome, FireFox, Edge, Safari. We still support IE11 although the percentage of people who use is going down fast. We don't develop or test for any of the niche browsers. Too much work as it is, with all the browsers I mentioned!

Which is why Flash was easier to work with. For the most part it was: write once, works everywhere. In the several years I worked with Flash, I recall only one obscure bug in our application that caused IE to freeze while in FireFox it seemed to work ok. Turned out on IE a "load complete" event listener was fired immediately (synchronously) when loading a file, and asynchronously on Firefox. Our code assumed that every load is async (not the best idea). If there were many files to be loaded in a row, we had a call stack overflow on IE, which was for some reason just freezing the browser, instead of showing an error dialog.

Anyway, I think if Flash was open-sourced and given to the community, there would be a single organization taking care of it, and open-source contributors aiming for their contributions to end up back in that single "standard" Flash Player, rather than making their incompatible forks. We can only guess now, although in some alternate universe this might have happened

Couple of important differences between Flash and HTML5. Flash is closed-source proprietary and wasn't designed with security in mind - a common problem with pioneer software. Closed software is an instant security risk because no-one apart from the supplier knows how it works or can fix it. HTML5 is a standard, and it was designed from the outset with security in mind. Many implementations are open for inspection.

Flash isn't in the same league as HTML5! At the moment there are 45 CVE (Common Vulnerabilities & Exposures) identified for HTML5 compared with 1445 listed against Flash. And the HTML5 vulnerabilities are being fixed, whereas Flash is stuck with them.

The main problem with Flash is it's security problems are fundamental. It's not a product with a few loose ends that can be tidied up, the whole thing needs to be re-written from scratch to close multiple loopholes. Bit like putting up a greenhouse and then discovering it needs to be secure enough to protect gold bullion.

Adobe decided to walk away because mending fundamental security flaws is expensive, there's no profit in fixing it, and a new secure version is likely to break everything written for old Flash. Everyone is happy except those who've invested in Flash and don't care about user security! Vested interests always hate change.

Javascript is also riddled with security problems but it's possible for the Browser to contain most of them, basically by blocking insecure features. Javascript has 3129 CVEs, but they can mostly - we hope - be contained. Flash can't be sandboxed in the same way due to the way it's built.

Users and developers don't care about security until they've been stung. We like software that's easy to develop and use, and dislike anything that slows us down. If you want to get at your money quickly, take it out of the bank and keep it in a handy pile by the front door...

Dave

@Dave

I agree with most of what you said, but not about Flash's design being insecure from start. Flash Player is a virtual machine that executes (ActionScript code compiled to) bytecode. The capabilities the VM provides can be summarized as: displaying graphics, playing sounds, accepting user input, accessing camera/microphone (with user's permission), various network requests and do general purpose processing. There are no capabilities of executing arbitrary code, read/write arbitrary files on disk, etc.

Therefore it's inherently a sandboxed environment, same as JavaScript code running in a browser. Most if not all security vulnerabilities are bugs in the particular implementation of the Flash Player VM, which may lead to potentially escaping the sandbox and doing something nefarious. So the implementation may indeed suck with regards to security, but it doesn't mean the whole design is bad.

If Adobe would have donated the whole thing, I'm sure enthusiasts would have fixed the bugs or rewritten the complete Flash Player from scratch. As an example, enthusiasts had more than a decade ago developed an ActionScript compiler superior to what Macromedia/Adobe ever offered, which has since evolved to use it's own language (Haxe), it's compiler can produce bytecode for Flash Player / AIR runtime, but can also output JavaScript, C++, Java, PHP code, to name just several of all supported targets. We will see what this Ruffle project will produce. But for sure it's going to be a niche offering, because HTML5/JavaScript is (for better or worse) not the future, but already the today.

Many developers these days do care about security, because security issues are a huge liability for companies. The company I work for has a dedicated team looking for vulnerabilities, trying to break into our own systems. Fortunately, this is becoming more common.

One of biggest security holes is Windows, I think it would be wiser to stop using Windows, than to discontinue Flash

I might have steered this discussion a bit too far off topic.

Back on topic:

Summary:

- New digital issues, and some back issues (>= #278) use an HTML5 reader, and so are not affected by the Flash End-Of-Life

- Majority of the back issues (<= #277), are not accessible anymore, unless one goes to some trouble to re-enable Flash.

How to re-enable Flash:

Here's what I found so far.

Adobe announced the end of Flash in 2017. It is likely that the "time bomb" (Adobe will block Flash content from running in Flash Player beginning January 12, 2021) was inserted into the Flash Player already at that time. One solution would be to install a pre-2017 Flash Player - full of known unpatched security holes. Not the best.

There's an official proper way to continue to use Flash for specific things. In the Flash Player Administration Guide there is a section "Enterprise Enablement". It explains how to add particular locations to a whitelist of allowed URLs. After this is done, Any allowed Flash content will continue to run on browsers that have not disabled Flash Player (even after January 12, 2021).

Proposed solutions to the magazine:

- Prepare an easy-to-follow, step-by-step guide with a lot of screenshots, so that anyone could set this up. Could be as simple as a downloadable ready-to-use mms.cfg and instructions where to copy-paste the file, depending on OS.

- Make older back issues available as PDF downloads. Let this be available for subscribers only, or if you're feeling generous, for everyone. If somehow you don't have the archive in PDF, I can tell you where to get them

- Consider providing new digital issues in PDF as well. Like I've discovered, it's already trivial (for a subscriber) to download the new issues (in jpg or pdf, individual pages - one file per page). These download links are not even password protected, so once any subscriber shares a link somewhere, anyone without a subscription can download them. Would be more convenient if there was a proper single-file download option, this should be password-protected (require a valid subscription)

Flash has always been a massive security risk, due to the way it works. However, the risk is in what you download and run on it, and one may reasonably assume the good people at MEW are not out to get us.

Presumably the Flash versions are powered by some sort of backend; I can't imagine that it would be a huge amount of work for someone suitably skilled to create a script to churn through this backed and produce PDF versions of these back issues. The archive wasn't the only reason I subscribed, but it was a big part of it. I am sure I can find a way round it, but a future-proof system seems preferable.

"Due to the way it works" sounds vague and unsubstantiated. It works in a quite similar way to a modern web browser. This is significantly more secure than a normal program that you download and run on your OS, because Flash and browsers run Flash and web applications (respectively) in a sandbox with limited access to a subset of your computer. At least in theory. In practice the sandbox has bugs and can be escaped if suitable ones are found and cleverly exploited.

I just noticed that somehow the Flash Player still works in Firefox on my work MacBook. I opened issue #269 and observed the network traffic (using a tool called Charles). The individual pages are downloaded as jpg files. As with the HTML5 player, the files are not password-protected and you don't need to log in as a subscriber to download them. Here's a link to page 30 of issue #269, for example:

https://www.mydigitalmagazine.co.uk/de/7/2787/pubData/source/images/zoompages/zoompage30.jpg

You can download all the pages and then stitch them together using one of various tools or online services (e.g. here's one from Adobe). I would also recommend to try the djvu format, could result in smaller file size.

So yeah, with a bit of effort all the back issues can be downloaded and converted to pdf or djvu. All that's needed is to figure out a way you can still run Flash (I posted about it couple of posts above), log in as a subscriber, open all the back issues one by one, and monitor the URLs being requested with a suitable tool. Take a note of base URL for each issue, then download all the pages with a simple script, and convert to desired format. Could be a fun little challenge.

Of course this would be much simpler if MyTimeMedia would take care of this for us

Or, like I mentioned before, you can find all the back issues already available as PDF downloads, in a shady back alley somewhere on the internet. It's not piracy if you already paid for access, or is it?

Edited By Gene Pavlovsky on 14/01/2021 16:07:36

Edited By Gene Pavlovsky on 14/01/2021 16:10:51

It would be interesting to know precisely what native format these flash crippled magazines are stored.

.

See Gene’s post, above

MichaelG.

Thanks Paul, I was OK with the post-Flash copies on the site, but hadn't thought of trying Pocketmags again. However, when I did it only gave me access to the recent copies and no archive copies at all. So I'm still no better off. Looks like i'll just need to grin a bare it! Regards Mike

Similar probs today...

Have found it; issue 251, the problem is that Adobe flash is not supported any longer & I cannot open digital issue to retrieve dwgs. This is a flaming nuisance! Is MTM going to address this point?. My renewal is due soon, am I to no linger to be able to access long time back digital issues, if so what is the point of renewing subscriptions if I can no longer refer to back issues. Can moderators look into this?. Does anyone have access to issue 251 & possibley down load article & forward via mail.

George.

Sorted, have to go through 'Pocket mags' web site, sign in to registered MEW a/c then can access digi back issues; convoluted way of going about it !

George.

Edited By JasonB on 15/01/2021 16:52:50

Edited By JasonB on 15/01/2021 16:54:15

George, somehow your post is breaking layout on my browser. I wonder if it's just my browser, or some funky edit you did.

I tried pocketmags.com, the username/password I use to log in to model-engineer.co.uk doesn't work there. Is this the right website? How do you log in?

Gene

Gene, you have to have a digital subscription and need to enter your 10digit subscriber number.

J

PS sorted out Georges formatting.

That's what I had to do, thanks for sorting formating.

Geo.

All right, so I logged in to PocketMags, and the earliest back issue I can see is Feb 2020 (I subscribed in Jan 2020).

So, I can't access any old mags this way.

--Gene

Below you will find something I read on Hackaday today:

What’s that they say about death and taxes? Apparently that maxim doesn’t apply to Flash, at least when it comes to the taxman. As we noted last week, the end of the Adobe Flash era took with it a scheduling and routing app for the railway system in a Chinese city. This time around, it’s the unfortunately acronymed SARS, for South African Revenue Services, having Flash woes. They still have several online tax forms that haven’t been migrated to HTML5, so to keep the revenue flowing they built their own Flash-enabled browser. Taxpayers are free to download and use the browser while SARS works on getting the rest of their forms migrated. It sort of reminds us of those plans the Internal Revenue Service has to ensure tax collection continues after a nuclear apocalypse — death and taxes indeed.

Hi Gene,

Feb 202 is the issue published in Jan 2020 - this is the way magazines are dated in the UK.

Pocketmags is the viewer for your subscription issues. These you can download and keep as long as you have a Pocketmags account.

While your subscription is active, you can also access the back issues via the online archive, which is being migrated to HTML5.

All explained here.

Neil

Yes the archive is being updated to HTML5

Neil

Hi Neil,

Thanks for addressing this. Do you have any rough ETAs on when the update will be complete? Is it going to be on pocketmags as well?

I didn't find the option to download them, using pocketmags website on PC. Does this downloading refer to being able to read the mags offline within the mobile apps, or is there some "download pdf" option on the website? I did find the web reader is downloading pages one by one as single-page pdfs, so as a software developer myself, it's trivial to write a script that downloads all the pages and then what's left is to merge them into a single pdf with one of pdf editors such as Acrobat, FineReader etc. But if there's some convenient "download pdf" option already available on pocketmags, I would like to know about it.

Thanks

--Gene

Hi Gene,

Unless it has changed, you cannot download from Pocketmags, only print 1 or 2 pages at a time (to office printer or pdf, etc) . Then merge pdf's into a single file or use the mobile app to read offline. I can't do this because the app requires Win 10 and I am runnin g Win 7.

Paul

Edited By Paul Lousick on 08/02/2021 22:14:19