Tuesday, July 22, 2014

One Last Reminder About Flash and Java

I'm late to the game, but via TenFourFox Development and reiterated at PowerPC Liberation, the danger from Flash and Java on OS X PowerPC is no longer hypothetical but real. We knew some time back that the Flashback virus exploited holes in older versions of Java, and if anyone ever compiled its payload as a universal binary we'd be screwed, too. Now we have recent news that Flash has its own killer virus out in the wild called Rosetta Flash. It works in a similar fashion, using security holes to take over your machine, and PowerPC versions of Flash will not be updated to fix it. So, as Cameron Kaiser says, it's time to definitely stop using it.

As fiftysixk suggests, though, saying goodbye to Flash can also be an opportunity. There are dozens of ways to bypass its plug-in and stream video through external players. There's PPC Media Center, MacTubes, YouView, TenFourFox's QTE plug-in, various Mplayer plus Youtube-dl hacks, to name a few. The Youtube-dl hacks can be interesting. Youtube-dl supports a ton of sites, not just Youtube, and is frequently updated. In fact, it's the backend for PowerPC Media Center. You can also use Youtube-dl with Mplayer, with a terminal command like this (UPDATE: it appears this no longer works as Youtube broke the "--prefer-insecure" option, natch):

mplayer -quiet -framedrop -cache 8192 -cache-min 10 -cookies -cookies-file ~/.cookie.txt "$(youtube-dl -gf 18 --prefer-insecure --cookies ~/.cookie.txt -- "$(pbpaste)")"

Unpacking it from the inside out, "pbpaste" pastes the copied video URL into the Youtube-dl command retrieving the direct video URL, which is then passed to Mplayer to play. The "--prefer-insecure" option is needed because Mplayer can't play HTTPS links. However, Linux users can use Mpv and drop that option since Mpv plays HTTPS links just fine. Also on Linux, you'd want to install the package xsel and replace "pbpaste" above with "xsel --clipboard". Then save it as a bash script and you're rockin'.
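The clipboard is untrusted input to this pipeline: a copied string that is not a plain URL could be split into extra arguments or read as a youtube-dl option. The script below is an added example, not code from the original post, that checks both the clipboard and youtube-dl's output before anything is played. The function names are hypothetical; the tools and flags are the ones the post uses, plus `--` to end youtube-dl's option parsing.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: clipboard-to-player wrapper that
# treats the clipboard as untrusted input. Function names are hypothetical.

# Succeed only for one http(s) URL with no whitespace or control characters,
# so a copied string can never be split into extra arguments or options.
is_safe_url() {
    case $1 in
        *[[:space:][:cntrl:]]*) return 1 ;;
        http://?*|https://?*)   return 0 ;;
        *)                      return 1 ;;
    esac
}

# Read the clipboard with the tool the post names for each platform.
read_clipboard() {
    if command -v pbpaste >/dev/null 2>&1; then
        pbpaste                 # OS X
    else
        xsel --clipboard        # Linux, from the xsel package
    fi
}

play_clipboard() {
    local page_url media_url
    page_url=$(read_clipboard) || return 1
    if ! is_safe_url "$page_url"; then
        echo "clipboard does not hold a plain http(s) URL" >&2
        return 1
    fi
    if command -v mpv >/dev/null 2>&1; then
        # mpv plays HTTPS links, so --prefer-insecure is dropped.
        media_url=$(youtube-dl -gf 18 --cookies ~/.cookie.txt -- "$page_url") || return 1
        is_safe_url "$media_url" || return 1
        mpv "$media_url"
    else
        media_url=$(youtube-dl -gf 18 --prefer-insecure --cookies ~/.cookie.txt -- "$page_url") || return 1
        is_safe_url "$media_url" || return 1
        mplayer -quiet -framedrop -cache 8192 -cache-min 10 \
            -cookies -cookies-file ~/.cookie.txt "$media_url"
    fi
}

# Play only when asked to, e.g. "./play.sh play".
if [ "${1:-}" = "play" ]; then play_clipboard; fi
```
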

As for Java, a faustian informant tells me there's a Java 6 version available for OS X PowerPC, but I believe it's too old to have the security fixes for the Flashback virus. There's a thread at the Minecraft Forums talking about it, and people also talk about using it to play Runescape, but it's still a huge security hole. You don't want to do any gaming like that unless you can completely disconnect from your network.

Let's stay safe out there!

11 comments:

  1. For people who need to keep some flash ability on PowerPC, just make sure to use a completely different browser family for it (I use TenFourKit - https://code.google.com/p/tenfourkit/). Since it uses different folders and save areas than TenFourFox/Camino/Firefox/Tor, it should be somewhat safer - as long as the user ONLY uses it for flash content (no passwords, etc).

    For those interested in this, I have also made an applescript super-cookie cleaner for WebKit that completely wipes all flash cookies/super-cookies out on browser-quit - this, coupled with locking the 'Safari' folder, provides a very high level of security against spyware and such (effectively disables disc caching). Anyone who would like to set this up on their PPC mac can find my email in the Applescript code-comments of PPC Media Center (link above) and I will happily help you to get it going.

    Adam A.

  2. Have you had any experience using GNU Gnash in Debian? I don't use my Power Mac G4 for downloaded media, so it's not really an issue for me. Just wondering.

    Tom

    Replies
    1. The last time I tried was over a year ago. I couldn't get anything to work. Youtube videos wouldn't load, other sites' simple Flash features didn't work, etc. Same results with Lightspark. :(

    2. Just for the hell of it I went to Raspberry Pie Community Projects (We RISC folks have to stick together.) They had a tutorial on getting Gnash to work with Debian's Iceweasel...

      http://www.raspians.com/Knowledgebase/how-to-gnash-lightweight-java-plugin-for-iceweasel-browser/

      I'm listening to Tom Waits' Hell Broke Luce as I write this. It's pretty herky-jerky... But it works.

  3. Thank you for providing information for the various flash workarounds. Your blog is an awesome resource. Thank you for everything you do!

  4. just added this to be notified re followup comments

  5. what? my comment got eaten? i was asking if there was any hope for me to use a web based java/flash hybrid -- which i can with Safari -- with TenFourFox instead. I'm looking to finally switch completely. i'm just not freaky enough.

    the page i have in mind hosts a reanimation (mine) of the web based graphic app 'Splashup.' i like it so much that when it died i had to bring it back to life, and now i can only use it with Safari.....

    i use the FBforFBPPC plugin of course.....

    ty for the left handed h/t above -- unless that isn't about me --

    Replies
    1. Your comment may have gotten eaten by Blogger's arbitrary spam filter. I haven't tested it lately, but for a while Blogger thought I was a spammer and was deleting every comment I made on other people's blogs. I think they even deleted my comment on my own blog once.

      As for the Splashup animation, if it requires a plug-in, then TenFourFox won't display it. The only potential solution I can think of is to convert it somehow to an html5 animation.

  6. ok, i need to compose these in textedit -- hold on -

  7. "reanimation" may have been a bad choice of words on my part. i meant it in the H.P. Lovecraft sense:

    Splashup was a web-based imitation of Photoshop, one whose curator, it appears, went belly up a year or two ago. it was my favorite -- only -- means of producing work such as the last two images on this page, and when no longer available, i took the liberty of reproducing it client-side.

    having played a little with HTML5 i think it would be a difficult trick to pull off again, but being curious, will certainly investigate.

    but damn, is there no way to enjoy a functioning applet without risk?

    grrr........

    ff

    PS it seems the comments do not get eaten unless the page has not yet recognized your 'comment as' profile, or rather, do get eaten until it does.

    PPS thank you, sir, (she said, rapidly hunting-and-pecking away at a PowerBook happily running Tiger) for daily impacting my off-the-beaten-path computer experience most favorably lo these many years, by the way.
