Adobe Flash Cookies: Yes They Are Dangerous, and More Cool Linux Hacks

By: Carla Schroder
Monday, March 30, 2009 01:43:28 PM EST
URL: http://www.linuxplanet.com/linuxplanet/reports/6711/1/

What Happens When You Disable Flash Cookies

Hopefully this is my last word on Adobe Flash cookies (the correct name is Local Shared Objects) for a while, because I'm getting tired of the subject. But several readers sent me some useful comments and hacks that seemed worth sharing, so here they are.

Some good questions are "Are Flash cookies dangerous? What happens when you disable them completely, do you lose any important functionality?" Let's answer the second one first. Blocking Flash cookies completely shouldn't disable any Flash-enabled sites that you visit, though if you find one that refuses to work without LSOs you might ponder how badly you really want to visit such a site. You will lose some personalization on sites that use LSOs to save your personal settings: game scores, volume levels, keeping track of which dialog boxes you've already seen, saving playlists or queues, saving logins, and other personalized settings and data. If you have been encountering mysterious behavior on Flash-enabled sites that you like to visit, such as volume settings not related to your system volume settings, or saved playlists or logins even when you routinely delete HTTP cookies, most likely this is why.

Are Flash Cookies Dangerous?

Of course they are, to your privacy and personal data security. As increasing numbers of Web surfers understandably object to being cyber-stalked by marketers, and to having their personal data used and abused in all kinds of ways without their knowledge or consent, they take extra steps to foil HTTP cookie abuse by blocking and deleting the little buggers. Flash cookies are used in deliberately sneaky ways to get around this. You can't always tell when a site is Flash-enabled, because Flash elements can be embedded invisibly.

Adobe says:

"It's important to understand that even though this settings panel is part of Adobe Flash Player, the information will be used by an application created by a third party. Adobe assumes no responsibility for third-party privacy policies, actions of third-party companies in storing information on your computer, or such companies' use of such data or information."

Adobe's LSO manager lets you deny and allow Flash cookies on a per-site basis. You can also use it to disable third-party Flash cookies, which just like HTTP cookies are the worst offenders. That assumes you trust Adobe, which I don't, though you can easily verify that the manager is doing its job by simply looking in the relevant directories on your computer (~/.macromedia on Linux).

Another worry is that Adobe's Flash player is closed-source, so there is no way to inspect the source code to see what is really going on, or to perform security audits. For years the Flash player was considered to be safe from being exploited in malicious ways, but this belief has been shot to heck as several exploits have appeared in recent times.

Running Adblock Plus and NoScript on Firefox (and any other browsers that support them, or that have similar features) is also helpful for keeping nasties off your system.

Helpful Linux Hacks

As usual when the subject is Linux regular expressions and fun commands (like in part 2), readers chime in with their own ingenious variations. Another way to block Flash cookies completely from nesting on your hard drive is to use the time-honored tactic of directing them to /dev/null with a symbolic link, which you can create by first deleting the ~/.macromedia directory and all of its contents, and then creating the soft link:

$ rm -rf ~/.macromedia
$ ln -s /dev/null ~/.macromedia

Verify it from your home directory with the ls command:

$ ls -ald .macromedia
lrwxrwxrwx 1 carla carla 9 2009-03-30 09:56 .macromedia -> /dev/null

If you followed the instructions in Part 2 to set your ~/.macromedia directory to read and execute only, you'll get a "permission denied" error when you try to delete it. Fix that by giving it write permissions:

$ chmod -Rv 0700 ~/.macromedia

If you care to dig through your Flash cookies manually and identify ones that you want to keep, which isn't too hard because their directory names include the originating domains, you can modify the find invocation we used in Part 2 to not delete them:

$ find ~/.macromedia -iname '*.sol' -not \( -name filename -o -name filename \) -exec rm "{}" \;

-o means or and -name means "this is the filename", so if you have more than one file you want to keep, list them separated by -o -name.
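
Because the directory names carry the originating domain, you can also keep or delete cookies by domain rather than by filename. The script below is an added example, not part of the original article or the readers' hacks: the function names are hypothetical, and it assumes the layout <root>/Flash_Player/#SharedObjects/<random-id>/<domain>/, so check that against your own ~/.macromedia first.

```shell
#!/bin/sh
# Added example: audit and prune Flash LSOs (*.sol) by originating domain.
# Assumed layout: <root>/Flash_Player/#SharedObjects/<random-id>/<domain>/.../*.sol
# Files outside #SharedObjects are never touched.

# Print "count domain" for every domain that has stored at least one LSO.
lso_domains() {
    root=${1:-$HOME/.macromedia}
    [ -d "$root" ] || return 0      # missing, or replaced by a link to /dev/null
    find "$root" -type f -path '*/#SharedObjects/*' -iname '*.sol' |
        sed -n 's|.*/#SharedObjects/[^/]*/\([^/]*\)/.*|\1|p' |
        sort | uniq -c | awk '{print $1, $2}'
}

# Delete every LSO whose domain is not on the keep list; print what was removed.
# Usage: lso_purge ROOT keep-domain...
lso_purge() {
    root=$1; shift
    [ -d "$root" ] || return 0
    find "$root" -type f -path '*/#SharedObjects/*' -iname '*.sol' |
    while IFS= read -r f; do
        # The domain is the path component right after the random-id directory.
        dom=$(printf '%s\n' "$f" |
              sed -n 's|.*/#SharedObjects/[^/]*/\([^/]*\)/.*|\1|p')
        keep=no
        for k in "$@"; do
            if [ "$dom" = "$k" ]; then keep=yes; fi
        done
        if [ "$keep" = no ]; then
            rm -f -- "$f" && printf 'removed %s\n' "$f"
        fi
    done
}
```

Run lso_domains with no arguments to see which sites have written to ~/.macromedia, then call lso_purge ~/.macromedia followed by the domains you want to keep.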

More Information

Adobe have been #1 on my Do Not Like/Boycott Forever list ever since they had Dmitri Sklyarov imprisoned and prevented from going home to Russia for over five months for giving a presentation (at DefCon, Las Vegas) on weaknesses in Adobe's eBook encryption software. Real criminals routinely get away with serving less time than Mr. Sklyarov did, and he was never convicted of a crime. Adobe execs to this day have not apologized or offered reparations; rather, they had charges brought against Mr. Sklyarov's employer, ElcomSoft. Mr. Sklyarov was not released or allowed to return home until he agreed to testify against ElcomSoft.

The next time you hear someone going on about how extremist and out-of-touch Richard Stallman is for being a strong advocate of software and technology freedom, remember this case.

References

A very informative article by Rob Savoye, the main Gnash developer: "Looking at my list, I see over 100 websites that have been accessing the same cookie for the last year (the last time I formatted my computer)."
US v. ElcomSoft & Sklyarov FAQ
Flash Player update available to address security vulnerabilities
Adobe Flash zero-day exploit in the wild

Carla Schroder is the author of the Linux Cookbook and the Linux Networking Cookbook (O'Reilly Media), the upcoming "Building a Digital Sound Studio with Audacity" (NoStarch Press), a lifelong book lover, and the managing editor of LinuxPlanet and Linux Today.

Copyright Jupitermedia Corp. All Rights Reserved.