
Looks like it is time to remove Macromedia Flash player plugins from your computers.


Richard Johnson

Apr 1, 2005, 7:14:10 PM
http://story.news.yahoo.com/news?tmpl=story&cid=74&ncid=74&e=5&u=/cmp/20050401/tc_cmp/160400719

In short, they can put back cookies, and malware after you have deleted it
if you have the Flash player installed in your favorite browser. Just what
will they think of next?

Benny

Apr 1, 2005, 9:18:49 PM
If you use SpywareBlaster (a free prog- very useful), it gives the option of
disabling existing versions of Flash on your computer, and preventing
websites from installing it. I don't know about Flash installing malware-
SpywareBlaster offers the option to protect you against unwanted advertising
stuff, and does not suggest that Flash has any evil intentions.
--
Benny
*******
"Richard Johnson" <ri...@remove.this.tairedd.com> wrote in message
news:d2ko4...@news3.newsguy.com...

Richard Johnson

Apr 1, 2005, 10:42:41 PM
Benny:

I don't think the folks that make flash player had this in mind, but now
that it is known how to do it by using the other company's product, malware,
spyware, as well as cookies will not be removable by the user. That to me
is a VERY large problem. I have deleted Flash Player on my machines based
upon this story. Until Macromedia allows me to modify its security
settings to fully disable this feature I am not installing it again. I also
think that everyone should follow suit to prevent this type of security
breach. (If a user wants no or limited cookies, spyware, or malware on
their machine.) By the way, spyware removal tools won't get it off either.
Flash Player's security issue allows malware to simply put it back upon
deletion as I understand the story.

Rich
"Benny" <p...@se.reply.to.newsgroup.only> wrote in message
news:d2kveb$h8l$1...@spacebar.ucc.usyd.edu.au...

Howard Kaikow

Apr 1, 2005, 11:04:31 PM
See the following to block/remove shared objects.

http://www.macromedia.com/support/flash/action_scripts/local_shared_object/local_shared_object02.html

--
http://www.standards.com/; See Howard Kaikow's web site.


"Richard Johnson" <ri...@remove.this.tairedd.com> wrote in message
news:d2ko4...@news3.newsguy.com...
>

Vanguard

Apr 2, 2005, 12:52:26 AM
"Richard Johnson" <ri...@remove.this.tairedd.com> wrote in message
news:d2ko4...@news3.newsguy.com...


Visit http://www.macromedia.com/ or any site that shows Flash content.
Right-click on the Flash content and select Settings. Click on the
Folder icon button. Set their cache to zero and check the box to
remember your setting. Flash uses its own cookie files which have the
.sol filetype.

If the web page you visit with Flash content has disabled user
configuration of some settings, visit Macromedia's online settings
manager at
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html
(they have yet to deliver a separate utility that you can run locally).
Unlike UI applications that open their own window, the mouse cursor will
not change when you hover over clickable objects in that web page; i.e.,
you click on the tab buttons to change between panels but you won't see
the mouse cursor change to indicate they are clickable. If you use the
Website Privacy Settings panel (5th tab) to clear the Flash cookies
(.sol files), not all are deleted as a file search will show some still
around, one of which retains the settings you configured.

I use PopUpCop as my popup blocker (works better than the rest that I've
trialed) but haven't yet managed to convince its author to include .sol
files in its cookie whitelist feature (the author isn't familiar with
Flash cookies enough to want to touch them yet).

And what is with the deliberate scare tactic by the OP claiming the
article says that Flash is going to be used to install malware? All it
mentions is using a shared object to rebuild Flash cookies, but if you
set the Flash caches to zero then you have no locally saved shared
objects.

--
____________________________________________________________
Post your replies to the newsgroup. Share with others.
E-mail reply: Remove "NIXTHIS" and add "#VS811" to Subject.
____________________________________________________________
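
An added example, not part of the post above and not a Macromedia tool: a small audit that repeats the "file search" for leftover `.sol` files after clearing them and reads each file's header to show the shared object's name. The header layout (a `00 BF` marker, a 4-byte length, a `TCSO` tag, then a length-prefixed name) is an assumption taken from public descriptions of the format, and the directory to scan is supplied by the caller because the thread does not give the storage location.

```python
import struct
import sys
from pathlib import Path

MAGIC = b"\x00\xbf"   # assumed 2-byte marker at the start of a .sol file
TAG = b"TCSO"         # assumed tag that follows the 4-byte big-endian length


def read_sol_name(data):
    """Return the shared object's name from a .sol header, or None if malformed."""
    if len(data) < 18 or data[:2] != MAGIC or data[6:10] != TAG:
        return None
    (name_len,) = struct.unpack(">H", data[16:18])
    name = data[18:18 + name_len]
    if len(name) != name_len:   # truncated file
        return None
    return name.decode("utf-8", errors="replace")


def audit_shared_objects(root):
    """List every .sol file still on disk under root, with its parsed name."""
    findings = []
    for path in sorted(Path(root).rglob("*.sol")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "site_dir": path.parent.name,
            "bytes": len(data),
            "name": read_sol_name(data),
        })
    return findings


def make_sample_sol(name, body=b""):
    """Build a constructed .sol file in the assumed layout (test data only)."""
    raw = name.encode("utf-8")
    payload = (TAG + b"\x00\x04\x00\x00\x00\x00"
               + struct.pack(">H", len(raw)) + raw + b"\x00" * 4 + body)
    return MAGIC + struct.pack(">I", len(payload)) + payload


if __name__ == "__main__":
    for item in audit_shared_objects(sys.argv[1]):
        label = item["name"] if item["name"] is not None else "<unparsed header>"
        print(f'{item["bytes"]:>8}  {label:<24}  {item["path"]}')
```

Run it before and after clearing Flash storage; any file that reappears or survives shows up with the name of the directory it sits in.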

Michael Pelletier

Apr 3, 2005, 12:05:02 AM
Richard Johnson wrote:

I don't know about you guys but if someone is going to use me (and my pc)
for marketing research, which they SELL, aren't we entitled to the money
also? I am being serious, this should be a class action lawsuit...

The shit gets installed on your PC, companies SELL the info taken from your
pc and make millions. Basically, they view the PC users as nothing more
than a resource to exploit...

I SAY CLASS ACTION LAWSUIT! THINK ABOUT IT!!!!!!!!!!!!!!!


Michael

--

"Microsoft isn't evil, they just make really crappy operating systems." -
Linus Torvalds

donnie

Apr 5, 2005, 7:27:04 PM

##########################
I block all cookies. Do I still need to get rid of Flash?
donnie

Howard Kaikow

Apr 5, 2005, 10:11:28 PM
"donnie" <don...@queyosepa.org> wrote in message
news:0l76511nignonf8i4...@4ax.com...

No, see my post in this thread on how to block the shared objects.


winged

Apr 5, 2005, 10:44:02 PM
Michael Pelletier wrote:
> Richard Johnson wrote:
>
>
> http://story.news.yahoo.com/news?tmpl=story&cid=74&ncid=74&e=5&u=/cmp/20050401/tc_cmp/160400719
>
>>In short, they can put back cookies, and malware after you have deleted it
>>if you have the Flash player installed in your favorite browser. Just
>>what will they think of next?
>
>
> I don't know about you guys but if someone is going to use me (and my pc)
> for marketing research, which they SELL, aren't we entitled to the money
> also? I am being serious, this should be a class action lawsuit...
>
> The shit gets installed on your PC, companies SELL the info taken from your
> pc and make millions. Basically, they view the PC users as nothing more
> than a resource to exploit...
>
> I SAY CLASS ACTION LAWSUIT! THINK ABOUT IT!!!!!!!!!!!!!!!
>
>
> Michael
>

From the scumware perspective, they fund the use of the Internet site
so, you have already been paid. Scumware in "freeware" is the same
logic. You are using the resources they funded (usually)(tanstafl). I
suspect from the legal perspective under current laws in the US the law
hasn't been broken. Even if they destroyed your PC so long as the
damage was under $500 (Patriot act) or $1500 trigger of the
Telecommunications act, they haven't broken the law except as a
technicality under some state laws. US privacy laws might as well be
non-existent.

The state of US LAW even with the Telecommunications act and the Patriot
act are not designed to protect users only corporations and business.
Just call the treasury dept next time a hacker plants a Trojan...you
will find them remarkably non-responsive. Even in the business
environment it usually takes a significant monetary loss to get
"authorities" interested, and you have to practically have the evidence
for the case in hand. Getting anyone even interested in hacker activity
even with the forensic evidence properly collected, is a rough road.
Legal authorities seem to only focus on gross offenses. Collecting
reliable, and irrefutable evidence has its own problems unless one has
the attacker's equipment, unmodified and in possession.

The sad state of affairs is it is up to users to protect their assets. I
would consider class action suits against the vendors of the products
which have big holes would be a more suitable target for class action
suits. Especially when some of the holes have been identified for
months and the same software vendor has not responded with a patch for
the threat. But of course there is that wonderful user license
agreement that pretty much limits their liability that we all read,
understood and clicked I agree on (active consent). I mean you could
have clicked "no" right?

Then many exploiters are homed outside of the shores (and jurisdiction
of US law) which makes the action under international laws which has
even less protections than US law.

Congress when considering legislation typically goes to industry or
special interests, or legal authorities for expert guidance, and they
have their own agendas for things they want so we end up with DMCA laws
and such to protect special interest rights, but users have little or no
voice nor advice for the representatives to use for guidance. They know
folks are pissed, but they are not computer experts, so they do not know
how to write an appropriate solution that would not be lobbied against
significantly by various special interests. Even with what little
expertise I have, I would be hard pressed to write an effective law that
would not infringe on some legitimate activity. When you get a
congressman who is interested (such as Orrin Hatch of Utah), the folks
who have his ears, all have their own various initiatives they want to
implement "to fix the problem", but no one is really speaking from the
user perspective, for the user.

The user is pretty much on his own with software holes, hardware holes,
and an antiquated insecure IPV4 standard. If one plays in the wild wild
web, one can expect to run into bad guys, and there are very few
sheriffs in town, properly trained to collect forensic evidence. In
spite of all of the recent laws the good guys have far more
restrictions in collecting evidence, than the bad guys. We still are
not allowed to shoot blackhats (normally).

I wish I knew the magic bullet. I believe it will ultimately be a
computer that has been secured by an expert and booted off of a CD or an
isolated memory device with a clean copy of "things" on each init. It
may resemble that old hardware mounted OS (PS3?). While this does work
effectively in keeping systems clean, the current architecture models do
not readily support adding software to customize the local system. The
only way I have found that works under the current architecture model
are VM's. Even then the user still has to be cognizant of threats of
running unknown code.

The person who figures out how to build the useful and flexible secure
system, will get filthy rich.

Winged

PS. Loved the practice safe hex comment earlier.

