Games and animation site Newgrounds announced it is working on a way to play Flash content via emulation.
Ruffle is an open source Adobe Flash Player emulator written in Rust. It targets desktop and the web using Web Assembly, so unlike the plugin (which is scheduled for end-of-life in 2020), any security issues would be issues with the web browser itself.
While the creation of new Flash content instead of modern technology seems a Bad Idea, this Soylentil for one would be quite happy to replay some of the classics (which stopped working when the plugin was banned from his system).
[ Ed Note: the source article claims that open source is the reason why there won't be any vulnerabilities: "For anyone who is concerned about Flash's reputation for security - this project is entirely open source and any security issues would be issues with the web browser itself, whereas the traditional Flash plugin was a closed system that created unique opportunities for exploits." - Fnord666]
(Score: 2, Interesting) by Anonymous Coward on Sunday August 25 2019, @09:12PM (3 children)
I can play Time Fuck [newgrounds.com] again? That's awesome, thanks!
(Score: 2) by hendrikboom on Monday August 26 2019, @10:23PM (2 children)
Is there any reason to suspect the official Newgrounds Player isn't malware? Doesn't exfiltrate user data?
(Score: 0) by Anonymous Coward on Monday August 26 2019, @10:41PM (1 child)
Many of those old flash games do just that.
(Score: 0) by Anonymous Coward on Tuesday August 27 2019, @12:17AM
Just look for any that use Mochi Media. Now that they went defunct, many games won't work because they can't connect to the various ad, account, and other APIs.
(Score: 5, Interesting) by takyon on Sunday August 25 2019, @10:12PM (11 children)
Block HTML5 canvas (or javascript), or you will suffer from HTML5 animations or Ruffle flash animations.
But it's a good move for content preservation. Maybe Internet Archive will join in.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 1, Informative) by Anonymous Coward on Sunday August 25 2019, @10:55PM (1 child)
Especially one doomed to oblivion along with the rest of Mozilla.
(Score: 2, Funny) by Anonymous Coward on Sunday August 25 2019, @11:12PM
Your negativity is in violation of Mozilla Code of Conduct. Please apologize.
(Score: 1, Interesting) by Anonymous Coward on Monday August 26 2019, @04:52AM
I've seen a couple of web archivers murmur about getting involved. One reason they like it is that the official flash player has broken old files in the past, so something like this could allow all flash content to be played, even the broken ones. Another is that, as open source, they won't have to worry about it suddenly disappearing or breaking beyond repair. However, based on that I have seen that apparently Rust (or the main toolkit) isn't considered stable, but that might be a matter of perspective.
And two other groups I've seen eyeing this with interest (and how I found out about the above) is the Tool Assisted Speedrun and Real Time Attack communities. Both like it because it makes adding the software they need to do their different approaches much easier than trying to hack them into flash or the browser or wrapping the player. However, both seem to be concerned about the accuracy and how reproducible the output is.
(Score: 2) by driverless on Monday August 26 2019, @05:16AM (5 children)
Uhhhh.... what? This "explanation" for why it's "secure" is almost as dumb as "all our code is written in IBM360 assembly language and if there are any bugs they'll cause an ABEND, therefore our code is bug-free" (that was actually claimed by a UK bank). It's going to have just as many bugs as Flash did, but Flash has had more than two decades of people trying to beat the bugs out of it while Ruffle resets the clock and gets to start with an entirely new set of bugs. If you try and emulate bug-riddled crap, you still end up with bug-riddled crap, even if you do write it in Rust.
(Score: 2) by takyon on Monday August 26 2019, @05:25AM (3 children)
If I'm reading it right, it doesn't require a "plugin". Instead it uses an extension to throw in some JavaScript in place of where the embedded flash would be in HTML pages. Any security issue would be a vulnerability affecting the entire javascript implementation and/or sandbox model of the web browser, so it's not Ruffle's problem to solve.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Insightful) by driverless on Monday August 26 2019, @05:41AM (2 children)
Sure, but that's the same as the 360 assembly language argument, you can write buggy, insecure code in Javascript as well as any other language. In fact there's entire industries that churn out buggy, unsafe Javascript, and endless CVEs to accompany their work.
(Score: 2) by Pino P on Monday August 26 2019, @02:58PM
The difference is that should an escape be discovered in JavaScript or WebAssembly, the browser publisher has power to fix it in an update. If I recall correctly, the major browser publishers have a better record on sandboxing hygiene than Adobe ever did.
(Score: 0) by Anonymous Coward on Monday August 26 2019, @03:49PM
The difference is that with this solution, there aren't any more browser exploits than there were without it. Since everything is JS/HTML5, any exploits could be done just as well without this tool as with it (by simply using the proper HTML5/JS directly.
(Score: 2) by hendrikboom on Monday August 26 2019, @10:17PM
Well, being in Rust it won't have many memory leaks or free-before-use bugs.
And any exploits in those old games will probably be attacking old bugs, different from the ones in the *new* implementation.
Now we need to figure out how to download these swf files so that they can be divorced from the websites they are on, which websites may not be around next year.
And is there any flash decompiler so we have a hope of figuring out how the old games work in case they need to be patched?
-- hendrik
(Score: 2) by Pino P on Monday August 26 2019, @02:53PM (1 child)
It was indeed an SWF ad for Splunk on the green site that first led me to consider blocking Flash ads, first at the /etc/hosts level and later with click-to-play add-ons. I did so with a clear conscience: any advertiser wanting to reach me could still do so by using a medium other than SWF. But even if you block SWF, HTML5 video, GIF animation, and JavaScript, that still won't save you from autoplaying CSS filmstrips [pineight.com]. Avoiding animation becomes an arms race.
On the other hand, when the green site runs stories about the Flash Player sunset, I almost always see comments to the other extreme. Here's how such anti-preservation comments tend to go:
(Score: 2) by takyon on Monday August 26 2019, @02:59PM
Yikes. Sounds like that commenter needs a hot meal.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 1, Interesting) by Anonymous Coward on Monday August 26 2019, @12:10AM
I hope they will think during implementation and make it efficient. When YT dropped Flash, they should pay some environmental pollution fine as poor implementation of any possible codec made energy usage at least two times more than with Flash. Maybe proprietary, but implemented with good assumptions instead of sponsors' wishes.
(Score: 2) by Snotnose on Monday August 26 2019, @12:21AM
There was one where you were a miner and shot hooks into the ground to grab nuggets. At the time I had a 20 minute link, plus any files you had to compile (change the wrong header file and you could go home for the day, even if it was 7 AM). That game was a great time sink while waiting for code to link.
/ 20 years ago
// got down to 10 minute links by maxing out RAM in our PCs. Company spent a lot of money researching options.
/// Some people hung out by the water cooler (or coffee pot), I played Flash games
Of course I'm against DEI. Donald, Eric, and Ivanka.
(Score: 1, Interesting) by Anonymous Coward on Monday August 26 2019, @12:28AM
There may be a solid use case for businesses. I have clients who rely on SaaS websites that still use Flash quite heavily and have been painfully slow to migrate away. These are large, complex systems for which no viable alternatives currently exist.
(Score: 0) by Anonymous Coward on Monday August 26 2019, @12:41AM (2 children)
If Adobe owns the property rights to all ActionScript, couldn't they shut this down? Also, Google and Mozilla have been pushing hard to kill Flash, what's to prevent them from blocking this too? Lastly, why wouldn't Adobe have ported to Web Assembly themselves? Why retire the product/tooling if there was a way to keep it going without the security risks? Was it not profitable?
(Score: 1, Insightful) by Anonymous Coward on Monday August 26 2019, @03:33AM
Back in the days of java and activex plugins, when the browser was immature and didn't have sufficient features baked in.
One it surpassed a certain subset of features it made more financial sense for Adobe to produce a product that generates HTML5+CSS+JS rather than attempting to keep Flash competitive with the web browser, particularly as security features and DRM were baked in.
The primary use of flash besides web animations, then interactive chat, was drmed videos. All of this fun functionality has been rolled in the browser and the security issues with flash mean that all trust in it as a secure plugin has been eroded, much like the jvm plugin, and as such it is better to leave maintenance to the browser developers and take advantage of the features they have in ways that an artist can use without delving too far into the specifics of browser compatibility.
(Score: 2) by Pino P on Monday August 26 2019, @02:55PM
Early on, the SWF specification was intended for use by authors of tools that output SWF, not by reimplementations of Flash Player. But in April 2008, Adobe announced it was dropping the ban on third-party SWF players as part of the "Open Screen Project" initiative.
Because it's not Adobe Flash Player. It's a different program that happens to read the same file format, and it runs in a virtual machine that the browser publisher controls. If an SWF player can escape, so can malware, and that's something a browser publisher both wants to fix and has power to fix.
Bingo. Requiring SWF authors to retire their paid-for copies of Flash MX or Flash CS in favor of annual licenses of Adobe Creative Cloud brings in more revenue.
(Score: 1, Informative) by Anonymous Coward on Monday August 26 2019, @03:03AM
Yeah, there were some security bugs, yeah it didn't integrate with the rest of the page, but it gave you 20 yrs ago what we are desperately trying to create today and still don't usually achieve despite countless man-hours and complexity.
The modern web is stupid. Give me a rewrite for those SPAs.
(Score: 4, Interesting) by bzipitidoo on Monday August 26 2019, @03:09AM (3 children)
Whatever happened to Gnash, the GNU replacement for Flash? I never did get Gnash to work on much, but improvements were supposedly coming soon.
(Score: 1, Informative) by Anonymous Coward on Monday August 26 2019, @05:14AM
That is from their README. They support most SWF that are version 7 or less. It also supports most up to, IIRC, v10. The big problem is that they have no AS3 and incomplete AS2 support. Gnash has 3 big problems that this project doesn't. When it first started, flash player was still available for free and so most people didn't see the need for an alternate "less than" player other than the philosophical grounds. They restrict (or at least did until 2014, when last I checked) their developers to people who have never agreed to the Flash Player EULA, which is probably a minority of the population, especially at the time. And, unlike this which already has a framework to handle the dirty work for outputting a complete application for the desktop and web browser, they had to build everything down to the supported system libraries, of which they provided multiple options.
(Score: 0) by Anonymous Coward on Monday August 26 2019, @05:03PM (1 child)
This is what i thought. Not only gnash, there was at least one other attempt at this. It not simple so neither came close, a lot of work here and I doubt this project will get anywhere near completion.
(Score: 0) by Anonymous Coward on Tuesday August 27 2019, @02:52AM
Shumway? Mozilla's attempt at implementing Flash in JavaScript:
https://github.com/mozilla/shumway [github.com]
(Score: 2) by Arik on Monday August 26 2019, @05:14AM
That's just wrong. Forget the plugin. Get a standalone player.
Flash was never such a bad thing, what made it suck was their insistence it needed to be installed as a plugin to the browser where it didn't belong.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by Alfred on Monday August 26 2019, @01:31PM (1 child)
and it doesn't activate until I tell it to.
(Score: 2) by meustrus on Monday August 26 2019, @03:36PM
You won't, because they've all been ported to JavaScript already.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?