Adobe uses DMCA to nuke project that keeps Flash alive, secure and adware free (torrentfreak.com)
301 points by CTOSian 6 days ago | 89 comments

Oh good, they're not going after https://ruffle.rs/ -- that project is a much better idea than repackaging old Adobe binaries.

They're actually up-to-date Adobe binaries as the article says that Adobe's Chinese Flash subsidiary still maintains Flash and releases security updates for it each month.

> The Chinese version of Flash receives one security update per month and can be freely downloaded from Flash.cn but also has significant strings attached. It comes preinstalled with an adware program called Flash Helper which, according to security sources, exhibits malicious behavior. Developed by ‘darktohka’ and previously located on Github, Clean Flash Installer solves these problems and more.

> “Clean Flash Installer installs this up-to-date freely available version of Flash, but it comes WITHOUT the adware program,” darktohka informs TorrentFreak.

I will never understand the perversion of walling off security updates behind paywalls or geographic walls.

...depending on your legal department, it might be to ward off out of geo liabilities or expectations of support (whether actual or simply perceived).

I've never heard of a company being held liable for releasing even a paid product with defective security, let alone a free one. They're not even held liable for deliberately including spyware [1]! That any lawyer would believe a company would be held liable for releasing an imperfect security patch is beyond absurd, and nothing more than a convenient excuse for abusive practices.

[1] https://arstechnica.com/information-technology/2013/11/lg-sm...

That looks like a sweet project. I'm happy to see web assembly being used in it too. I'll have to add it to my long list of things I want to get around to tinkering with.

That's what I was thinking as well when I read the title. Good to hear it's not about ruffle.


Is there a non-Adobe authoring tool for Flash that's still around?

One thing I can't understand is why Adobe is so insistent on keeping Flash really actually dead by saying it's "unsupported" yet still keeping the sources to themselves. If they aren't gaining anything from it anyway, why can't they just open-source it? I mean they won't lose anything either by doing that, right? The community would fix all the bugs eventually. Probably quicker and better than Adobe, too.

My guess is that to Adobe, "flash" was a set of authoring tools (developer IDE and bespoke language) and a runtime that allows execution in the browser.

Adobe, as a company, sells authoring tools. It doesn't make money building runtimes and then giving them away. Even the money from licensing runtimes (Air) is insignificant. The runtime was just a necessary overhead due to inconsistent and poor native rendering capabilities in the browser - it existed solely to allow the development of powerful authoring tools.

So after browsers improved their native support and announced they are dropping support for the plugin, Adobe migrated to a new version of the authoring tools (Adobe Animate) that can compile to the legacy flash player runtime if needed, but also to html/js, or svg, or other targets.

They still want to sell more of the authoring tools. They don't particularly care about flash, and are probably happy to be rid of it.

What they don't want is someone else taking control over the runtime and then building rival authoring tools for it, opening it up to other authoring tools, or creating any kind of rival authoring eco-system.

It's like if you give away razors to sell your own blades, and then you come up with razor 2.0, you still don't want people taking the razor 1.0 and keeping it alive by selling their own blades for it, or even giving away their own blades for it, as then you would be in competition with yourself.

Whether these business concerns are justified or not, or whether our IP laws are too extreme, is a separate question. These aren't simple questions.

As someone who got into game development by making Flash games as a kid, I would love to see Flash open sourced. I don't think it's necessarily true to say they have nothing to lose by open-sourcing it though. Who knows how many private shared libraries are in there that are still required by other still-active Adobe software. And they're also probably not excited to give up rights to a massive pile of code which they could conceivably want to use in future projects.

In other words Flash likely isn't some isolated directory they can just zip and share to the world, and even if it is they might want to pick the bones later so why throw it away? (from their perspective)

Can relate. Flash literally changed my life. I wouldn't have been the person I am without it. And my career path would've definitely been very different. I wouldn't have known most of my friends without those VKontakte Flash apps, because the connections to most of the people I know right now can be traced back to someone from that Flash app developer community.

I'm somewhat hopeful that Ruffle will somehow drive its resurgence. Older versions of Flash (the authoring software) aren't that hard to find, and maybe in due time someone would even build an open-source reimplementation of that, too. The SWF format itself definitely won't ever be dead by any means.

> As someone who got into game development by making Flash games as a kid, I would love to see Flash open sourced.

Ruffle is open source and works. See: https://ruffle.rs/

What is missing that Ruffle doesn't cover?

Last time I looked, ruffle did badger and similar videos well.

But as soon as there was any interactivity, e.g. random game from Kongregate (e.g. https://www.kongregate.com/games/moonkey/hexiom-connect or https://www.kongregate.com/games/kajika/planet-defender) ruffle just didn't do much other than hang at the loading screen.

My own personal use case for flash is to access baseboard management interfaces on servers. e.g. the Cisco UCS220B3 series uses a flash based interface. No dice with ruffle. It can do the login form and that's all there is.

> My own personal use case for flash is to access baseboard management interfaces on servers. e.g. the Cisco UCS220B3 series uses a flash based interface. No dice with ruffle.

Networking is the one thing that can't be fully reproduced by using a wasm thing vs a browser plugin, requiring changes on the receiving side. Flash player did cross-origin security quite differently. When you sent the first request to a new origin, it would first fetch /crossdomain.xml from that domain to see if you're allowed to do that, and only then proceed. Browsers rely on the Access-Control-Allow-Origin header instead. Then there are sockets, for Flash it's mostly the same idea: you could specify an arbitrary host and TCP domain, then Flash player would connect to it itself and send the string "<policy-file-request/>". The server is supposed to respond with the contents of a crossdomain.xml and close the connection. Flash would then connect again and this time hand over the socket to your code. Websockets don't work anything like that; you get one by upgrading an existing HTTP connection, and you can't have that on an arbitrary port either, and there's mandatory encryption.
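The socket policy exchange described in the comment above, as an added example that is not part of the original thread or of any Flash or Ruffle code: both sides of the `<policy-file-request/>` handshake on localhost, followed by the allow/deny decision a client would make before opening the real socket. The NUL terminators, the `to-ports` attribute handling, the simplified wildcard matching, all function names and the sample policy are assumptions of this sketch.

```python
import socket
import threading
import xml.etree.ElementTree as ET

POLICY_REQUEST = b"<policy-file-request/>\x00"  # request string plus NUL terminator
MAX_POLICY_BYTES = 20_000                       # refuse oversized responses

# Constructed sample socket policy (not taken from any real server).
SAMPLE_POLICY = (
    b'<?xml version="1.0"?>\n'
    b"<cross-domain-policy>\n"
    b'  <allow-access-from domain="*.example.test" to-ports="5000-5010,6000"/>\n'
    b"</cross-domain-policy>"
)

def serve_policy_once(listener, policy):
    """Server side: answer one policy request, then close the connection."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(2.0)
        data = b""
        while not data.endswith(b"\x00") and len(data) < 64:
            chunk = conn.recv(64)
            if not chunk:
                break
            data += chunk
        if data == POLICY_REQUEST:      # anything else gets no policy at all
            conn.sendall(policy + b"\x00")

def fetch_policy(host, port, timeout=2.0):
    """Client side: send the request and read until the server closes."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(POLICY_REQUEST)
        while chunk := s.recv(4096):
            buf += chunk
            if len(buf) > MAX_POLICY_BYTES:
                raise ValueError("policy response too large")
    return buf.rstrip(b"\x00")

def _port_ok(spec, port):
    """Match a port against a list such as '5000-5010,6000' or '*'."""
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo == "*":
            return True
        hi = hi or lo
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False

def _domain_ok(pattern, origin):
    """Simplified matching: '*', '*.suffix' (subdomains only) or exact name."""
    pattern, origin = pattern.lower(), origin.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return origin.endswith(pattern[1:])
    return origin == pattern

def is_allowed(policy, origin, port):
    """Default deny: True only if some rule covers both origin and port."""
    if b"<!DOCTYPE" in policy or b"<!ENTITY" in policy:
        raise ValueError("DTD/entity declarations rejected in untrusted policy")
    root = ET.fromstring(policy)
    return any(
        _domain_ok(r.get("domain", ""), origin) and _port_ok(r.get("to-ports", ""), port)
        for r in root.iter("allow-access-from")
    )

def demo():
    """Run the handshake against a throwaway listener on 127.0.0.1."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        t = threading.Thread(target=serve_policy_once, args=(listener, SAMPLE_POLICY))
        t.start()
        policy = fetch_policy(*listener.getsockname())
        t.join()
    return policy

if __name__ == "__main__":
    print(is_allowed(demo(), "games.example.test", 5005))
```
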

ActionScript 3? Bitmap filters and blending modes? I tried throwing all the swf's I have laying around at it, and the older one is the more likely it will work. Some AS2 games are fully playable even.

It'll get there eventually of course as it's very much WIP. I wonder when will it stop calling itself a "flash player emulator" tho. It plays flash files. It's literally a flash player.

> Bitmap filters and blending modes?

This, in particular, is limited by manpower and reverse engineering. Simply documenting what Flash actually does would be a huge help. Volunteers welcome.

Rendering flash requires that you be pixel compatible to something that is not documented anywhere. That requires someone to do a lot of experiments on something that barely runs anywhere anymore, document what they find, and then have someone convert that into code.

As for Actionscript 3, here is the tracking issue: https://github.com/ruffle-rs/ruffle/issues/1368

Flash being dead, and yet many enterprises still relying on it, opens the opportunity for Adobe to sell a pricey contract that allows an enterprise servicing company to provide Flash support.

Just looked into this with CheerpX. You need the CheerpX license (15k/yr) and Flash license (25-50k/yr).

So the top comment mentions ruffle.rs which is basically the same thing as CheerpX without the insane licensing fee (correct me if I'm wrong).

With that said why the hell would a company pay for this when there a good OSS alternative. Is it all about support and covering your ass from any lawsuits?

CheerpX is the actual Flash player virtualized. I haven't used it, but would expect that means something regarding reliability. And its customer segment probably doesn't bat an eye at that kind of pricing for something "properly supported", whatever that means for such a hack. Seriously, enterprise environments are often prepared to pay a lot for compatibility stuff/extended support/...

ruffle.rs is a reimplementation, and YMMV, but none of the things I tried playing with it worked properly (although afaik plenty other things do) and still in active development.

They may not be legally able to. It's likely that Flash includes some 3rd party code that they've licensed under commercial terms from other vendors and which they can't release.

This is usually the real answer to why things aren't open-sourced when they become deprecated.

The source code does sometimes "accidentally" leak, though.

Can't they just rip out the 3rd party parts and let the community fill them in with already existing open-source alternatives?

It depends how big the missing piece is. First, let me be clear that I know nothing about Flash's internals. Everything I'm saying here is just as an example. But suppose Flash depended on a specific 3rd-party graphics engine, and a lot of Flash's own code was written to adapt and work around bugs in that code. Replacing it might mean either 1) making a clean graphics engine and rewriting a large part of Flash to work with it, or 2) implementing a bug-compatible engine.

Maybe instead of a graphics engine, it's a proprietary video codec, or a bytecode interpreter, or a network stack, or a sound library.

Things like these are a big reason lots of projects aren't released as FOSS. Take something that looks simple on the outside, rip out its guts, and you're left with what exactly?

Definitely video codecs, at least:

Flash Video FLV files usually contain material encoded with codecs following the Sorenson Spark or VP6 video compression formats. As of 2010 public releases of Flash Player (collaboration between Adobe Systems and MainConcept) also support H.264 video and HE-AAC audio.[3] All of these compression formats are restricted by patents. - Wikipedia’s page on FLV, the video format that YouTube was built around.

And these are definitely not a problem if ripped out because ffmpeg has them all. Source: I once wrote a (somewhat terrible) FLV player for an Android app that used libavcodec/libavformat.

Flash player is dead. Flash is still used for animation though, so they are still making money off it.

> I mean they won't lose anything either by doing that, right?

Not directly, but if someone were to use some of that code that a company put significant resources into developing, in a product that made someone else money, most companies would probably have a hard time mentally justifying that.

So license it as GPL, so that someone else would also have to make their source code public.

Doesn't give them anything. Even adds some risks that people sue them for copyright infringement. E.g. from using GPL projects.

> E.g. from using GPL projects.

Interesting — I just checked the standalone flash player I still have (and use sometimes), the "about" window doesn't list any free software. So either they aren't using any, or... But I find it unlikely that a company with this many lawyers would not read every letter of the license of every library they include in any of their projects.

I've worked with the Flash Player source code in the far off past (I worked for a company called Chumby which licensed Adobe's Flash Player to power apps running in a device similar to the modern Amazon Dash Look) and while you would see things in that codebase that make your head spin, improper use of GPL libraries was not one of them.

Usually stems from lack of leadership. Different legal arms not knowing what the mission of the company is, etc.

The most astounding thing in this article is that the developer is denying copyright infringement.

There are many arguments to be made for preserving flash and providing a clean, easy way to install a modified version of Flash with the necessary security updates. But claiming that there was no copyright infringement? The Gitlab screenshot [0] uses Adobe's copyrighted logo, looks suspiciously like it's affiliated with Flash by mimicking its installer and installs an illegally distributed Flash binary.

The real problem here is that the binary does contain proprietary Flash code, but the code itself doesn't. I can't verify if the releases page hosted the full-fat executables or not; if they did, the DMCA seems quite standard. If they didn't, the DMCA was definitely filed under false pretenses because it claimed a violation of _Adobe's code_ rather than their resources.

[0]: https://user-content.gitlab-static.net/7cd707fa280480fd2947d...

The use of the Flash logo may be a trademark violation, but it's not a copyright violation. The logo is so simple that Wikimedia Commons has it labeled "does not meet the threshold of originality needed for copyright protection, and is therefore in the public domain":


Now I'm curious about their stance on the McD's logo.

Edit: same as the Flash logo. Didn't expect that...

“Secure”… not a chance. Flash was a tyre fire and even Adobe would say so. They did their best with massive resources, and still couldn’t claim it was secure. Please please please don’t claim this project is secure. It isn’t.

Adobe may have had massive resources, but either they are incompetent, or didn't spend any time on flash.

Multiple times, single devs working solo, wrote full flash interpreters over a few months.

Adobe just doesn't know what they're doing. Look how they cratered cold fusion too.

They also had a security / license daemon, lmgrd. What a joke, used MAC addresses for license issuance, was buggy, could be defeated with a simple ifconfig command.

Why would people be using Adobes insecure implementation if multiple random guys wrote replacements in a few months? The answer is that these of course are not the complete, bug for bug backwards compatibility monstrosities that Adobe Flash Player is.

Adobe is competent in some regards, but seemingly not in others. Flash was riddled with bugs and vulnerabilities, so in this regard Adobe seems incompetent, or lazy at best. But the flip side to this coin is the reason flash became so popular; artists and designers saw in it a tool that scratched their itch well, not knowing or caring about the technical shortcomings. In this particular regard, making software that designers and artists like to use, Adobe seems to have a track record of competence.

Flash wasn't their own technology. They got it by acquiring Macromedia.

And Macromedia acquired it from FutureWave: https://en.wikipedia.org/wiki/Adobe_Flash#FutureWave

> or didn't spend any time on flash

This is the same company that assigned a whopping 0.5 FTE to porting the Director plugin from OS9 to OSX, which subsequently took years and killed the platform.

I would not make the assumption that Flash development was well resourced. Which is a shame because despite the bad rep it was an amazing tool for creatives.

One way the developer can work around this is to provide a program that doesn't distribute Flash at all, but allows the user to either modify the Flash installer or binary, or modify the system post-install, to achieve what the original project achieved.

Wouldn’t be too hard to extract the files out of the installer and install it yourself with a companion program and just hot link the installer. No clue why they didn’t just do that.

Having read about the situation more, the author of the code claims that they didn't distribute any copyrighted software that they don't have a right to distribute. Maybe they actually did what either of us suggested.

On another note, Adobe keeps downloading bloatware on my laptop anytime I open creative cloud. Such a disappointment they’ve become

Is it not still possible to run an outdated browser version with Flash installed in a container? Don't get me wrong, that's a hassle but at least it's not lights out for Flash for these people.

Why stop there? You could virtualize an outdated operating system with an outdated browser.

You can buy old hardware and have the whole vintage web experience!

With great difficulty now, due to pervasive HTTPS

I'm now imagining an old beige-box desktop with a Raspberry Pi acting as a de-HTTPS proxy... with more compute power than the desktop

People definitely do this

Ooh, I don't think I've ever visited a Flash site with HTTPS.

I am still running an outdated version of the flash plugin shared library plugin that I downloaded and installed manually because I need it to handle some tasks for a specific client. Maybe one day I will have a monopoly and become really rich.

What's even stranger is that there is an open source project under Apache for Flex. One that even has not only the blessing of Adobe but the support of the company. Their answer has been write an app in Flex and get it compiled to JS. No need for Flash! Several developers using it happily in the Lansing area.


I thought they were going after Ruffle. I was all ready to be outraged and -- nope, if he's illegally redistributing the binary that's a legit action. If he distributed a patchkit, maybe that would technically be on the right side of copyright law (at least in the USA), but Adobe would still probably cry havoc and let slip the dogs of lawfare.

I read elsewhere in these comments that Adobe keeps Flash alive in China. If this is true and Adobe doesn't want China to take over Flash (Re: China & ARM), they won't open source it and they'll keep clones down/DMCA requests going to keep business with China. Just my 2¢.

Lack of open source licenses hasn't stopped Chinese government or industries from stealing IP in the past.

When people say to not rely too much on proprietary software, this is why. "Oh, flash will be around forever! There's nothing to worry about". Same could be said about so many other things.

This is the company that blocked Ninite from having automated Flash installs, so… more of the same from Adobe?

Sounds exactly like those frivolous complaints that afaik are prohibited by DMCA.

How so? This is identical to piracy. Taking IP one doesn't own, stripping it of its ability to make money (removing ads), and redistributing it without permission.

Copyright infringement can get complex but this is one of the simple cases. Was the software under protection? Yes. Did the redistributor have permission? No.

This is simply untrue.

The .NET file that Adobe served a DMCA512 notice on doesn't contain any of Adobe's copyrighted code. It's an unpacker and installer that users run on the software they download separately from Adobe's Chinese distributor.

This is emphatically not a copyright violation of ANY kind, but it's especially not a violation of copyright that would entitle Adobe to use DMCA 512 to have it expeditiously removed. A DMCA 512 claim is explicitly - and solely - a mechanism for removing unauthorized copies of a copyrighted work. Again, this is a .NET file that has instructions for unpacking a standards-defined .ZIP archive and then installing its components. It's NOT a copy of Adobe's code. DMCA 512 has no place here.

And while it's NOT a violation of DMCA 512 to host this batch file, it IS a violation of DMCA 512 to file a baseless takedown against it. The DMCA's requirement for a "good faith belief" that a file infringes copyright, "on pain of perjury," makes Adobe the sole lawbreaker in this story.


Separately: You might be wondering if this is a DMCA 1201 violation (that's the part of the DMCA that deals with "circumvention" of "a technological protection measure" that "controls access" to a copyrighted work).

It's not. There's no TPM in a ZIP file, so there's no circumvention in unpacking it.

But even if it was, Adobe didn't send a 1201 takedown (those don't really exist, because there's no 1201 safe harbor, though sometimes firms send 1201-related cease-and-desists), they sent a 512 takedown.

Again, a 512 takedown only ever applies when there is distribution without authorization. There is no distribution. It's inarguable - and provable. The .NET code is (was) on github for anyone to inspect. It is unequivocally NOT a copy of Adobe Flash or any other work that originated with Adobe.

I'm convinced. My bad.

Unrelated, are you the DoctorOW who sent me a password reset link today?

It was me - my browser lost its cookie!

BTW, it looks like at least one version of the installer included a binary, though the creator says that's not true anymore, so you were (partially) right and I was (partially) wrong.

Did you read the article?

P.S. If the CleanFlash installer contains the Flash Player distribution, instead of downloading and patching it on the user's machine, then the author indeed deserves to be slapped with a complaint for such an obvious blunder.

> alive, secure, and adware free

But not open-source. Follow the rules, people.

They should have open sourced everything. Adobe keeps making bad decisions, no wonder they are slowly decaying.

Obviously the decay effects on finances aren’t seen for a while. However Adobe is currently around a top 25-30 company in the US by market cap. Their profits and revenue are enormous nowadays.

The decay is glacial at best right now.

decay starts from the reputation, then you'll see it with sales in the coming years

you said it perfectly, they are a really big company, you don't die overnight

Flash isn't and wasn't secure and keeping any part of it alive is a huge liability.

Still waiting for the day JavaScript isn't one of the top Pwn2Own contenders. The idea that there is any part of the web stack that isn't a Swiss cheese of security issues would be funny if reality wasn't so depressing.

Good job adobe. Flash and everything related to it simply needs to die off

Why do we want to keep Flash alive?

Maybe you want to play/watch the thousands of Flash games/animations that exist? Use legacy software that depends on Flash?

I agree that it's an insecure piece of crap that shouldn't be used in any modern system, but that doesn't mean that everyone should be restricted from trying to use old software that depends on it, as long as they assume the security risks of doing so.

There’s a lot of original content (animations and games mostly) that only lives in .swf format. It would be nice to keep flash around if just for archival purposes.

Same reason we have SNES emulators, or the MiSTer fpga project

Strong Bad. Probably Badger Badger Badger and some games, but mostly Strong Bad.

There's no interactive elements on YouTube though. I'm sure 99% of viewers don't really care, but it's not entirely the same.

Besides all the interactivity being gone, they never bothered to upload large chunks of the backlog.

So that Ferry Halim's Orisinal page does not have to show this message instead of presenting you with wonderful games: https://www.ferryhalim.com/orisinal/

It's more about the precedent set by the ease with which large companies can issue takedowns like this. Eliminating that ability is the issue at hand.
