Archive for November, 2009
Flash flaw puts most sites, users at risk…
… says computerworld.com.
This wouldn’t be funny if it was 100% true. I found this link (and this link) at a Russian IT community where the majority of people don’t really like Flash. So if they see “flash” and “flaw” in a topic title they usually behave like Pavlov’s dogs. I saw a lot of comments that Flash sucks, that it’s a good time to install flash-blocking plugins and start using Silverlight or Java. But it seems nobody really knows what is going on.
- This is actually not a bug
- This is not a Flash-specific flaw
- This is a really old vulnerability
But nooo, people keep running around screaming and cursing Flash.
This is so funny to read, guys. You don’t know much about the subject but keep drawing weird conclusions. At some point in life a person realizes that “you sleep better if you know less” (there should be an English proverb like that). If you are saying that this is a “fundamental flash bug” you might not know that it is not even the tip of the iceberg.
If you spend half a day googling and reading books you might find out that danger is actually everywhere; you just don’t notice it because you assume that all hardware and software is flawless. Well, this “flash” vulnerability is just one member of the huge family of Cross-site Scripting (XSS) vulnerabilities. A lot of them have been found and a lot of them are still hiding within your favorite browsers. Everything executed on the client side is exposed to XSS attacks. The most common technology is JavaScript, and almost every other attack involves JavaScript too, for example using it to retrieve sensitive data from Flash, Java or Silverlight.
So, how does it work? An XSS attack uses a vulnerability in client software which allows an attacker to inject malicious code into the client’s trusted zone and execute it. The browser’s security model (the same-origin policy) assumes that if this code is executed from example.com it is trusted and can have access to all data associated with that domain.
How is this related to Flash? It is related to Flash exactly as much as to every other client-side technology; computerworld just picked one and started blaming it. So, I somehow upload my SWF to example.com. If it allows me to upload SWFs, of course. If it doesn’t, I can either rename it to something else or combine it with something else, because apparently Flash Player can load a file with any extension placed in the src attribute of the embed tag. Anyway, once this SWF lands in the /uploads folder of example.com it is considered trusted, because someone long ago assumed that a file within the public space of a domain could only have been put there by that domain’s admin, which, as we see, is usually not true. This SWF now has access to everything related to example.com via JavaScript. It would be really stupid for example.com itself to display it without allowscriptaccess=never. But the article above says that this SWF is loaded via an external link, not from example.com. For example, someone pretending to be your friend John sends you a link to a page that loads this SWF from example.com, where you are logged in right now. Congratulations, the SWF just stole your cookie.
If I’m not mistaken, this vulnerability can be easily fixed if user-uploaded content is kept on a separate subdomain.
This is not related just to Flash. As you see, a lot of JavaScript is involved. And you definitely can do the same using Java. But what’s more, as I said, there are ways to bypass the server’s upload restrictions. For example, it’s possible to combine a GIF and a JAR (a JAR is actually a ZIP file), or a PDF and a JAR, into one file so that it looks like a perfect GIF (PDF) and can be executed as a perfect JAR. Did you know that? Did you know that there are still a lot of vulnerabilities in your favorite browsers? I don’t even want to mention the HUGE number of sites made by newbies which have absolutely no security: they allow SQL injections and XSS JavaScript injections. And you trust them with your private information and credit card numbers? Did you know that it’s even possible to trick Google into revealing your password? Did you know that passwords saved in Firefox can be retrieved by hackers too?
Did you know that these are not even 1/10 of all vulnerabilities? But why has nobody hacked you yet? Probably someone already did, you just don’t know it. Or nobody is interested in you.
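An added example (not code from the original post) of the kind of upload check a site owner would want against the GIF+JAR / PDF+JAR polyglots described above. It classifies a file by its leading bytes and then looks for a ZIP or PDF container hidden after the header, using the same parse-from-the-end behaviour of ZIP readers that makes the trick work; the sample polyglot is constructed inline and all function names are hypothetical.

```python
import io
import zipfile

# Magic bytes at offset 0 for the formats mentioned in the post.
MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf",
    b"FWS": "swf", b"CWS": "swf", b"ZWS": "swf", b"PK\x03\x04": "zip",
}


def declared_type(data: bytes) -> str:
    """Type the file claims to be, judged only by its leading bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def embedded_containers(data: bytes) -> list:
    """Executable containers hidden past the header of an innocent-looking file.

    ZIP (and therefore JAR) readers locate the archive from the END of the
    file, so 'GIF + JAR' is both a valid GIF and a valid JAR.  PDF readers
    tolerate leading junk before the %PDF- header in the same spirit.
    """
    found = []
    if zipfile.is_zipfile(io.BytesIO(data)):   # looks for the end-of-central-directory record
        found.append("zip")
    if b"%PDF-" in data[1:]:                    # PDF header anywhere past offset 0
        found.append("pdf")
    return found


def is_safe_upload(data: bytes, allowed=("gif", "png", "jpeg")) -> bool:
    """Accept only a whitelisted image type with no executable container appended."""
    return declared_type(data) in allowed and not embedded_containers(data)


def make_gif_jar_polyglot() -> bytes:
    """Constructed sample: a minimal 1x1 GIF followed by a tiny JAR (ZIP) archive."""
    gif = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return gif + buf.getvalue()
```

Checking only the first bytes (as many upload filters do) would pass the polyglot; the combined check rejects it while still accepting the plain GIF.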
How is this related to Flash? This is not Adobe’s fault. Of course they can come up with something involving crossdomain.xml and even more restrictive policies, but you can just upload your own crossdomain.xml to example.com as you did with your SWF. Again, this is not Adobe’s flaw. This is probably because in the early days of the Internet the basic protocols were not designed with security in mind. And now people invent new ones and upgrade old ones, fixing leaks here and there.
Site owners must develop their projects with security in mind and not just blame Flash. This is stupid.
And the last one. I actually USED this vulnerability a long, long time ago against one of the Flash discussion boards. Once again, this is not new!
Tags: computerworld.com, GIF, Hacker, JAR, Java, JavaScript, PDF, Silverlight, Vulnerability, XSS
Games at work
People complained about me being unprofessional for posting a link to this game that is not safe for work.
Come on guys! Playing games at work, that is what is definitely unprofessional. Jeez.
Tags: Game, Unprofessional, Work
Twitter AS3 library
Tweetr is an AS3 library for working with the Twitter API. It looks like it supports all of Twitter’s functions and should be good for custom AIR clients.
AirORM
There’s not much information on the AirORM library apart from the Getting Started tutorial. Here’s a video which doesn’t really say much about it either but may be helpful.
Video picks — Advanced State Management
Another good video from 360|Flex is Advanced State Management by Troy Gardner. If you are not familiar with the concepts of states and state machines you should definitely watch it. Even if you are, the guy says some interesting things there. The only thing I don’t quite agree with is his implementation of a state machine. I liked what he said about video players and NetConnection dispatching the same events meaning different things in different “states” though. I experienced that a lot and in fact used a state machine in my custom video player.
This video doesn’t load from the site either (at least for me), so use Adobe Media Player to watch it.
Tags: 360|Flex, NetConnection, State Machine, Troy Gardner, Video player
Video picks — Advanced ActionScript APIs
One of the great videos from 360|Flex is Advanced ActionScript APIs by Jacob Wright. A lot of cool information about the Proxy class and using custom metadata. It will definitely be useful even for experienced AS3 developers.
It doesn’t play from the site for me, but plays fine with Adobe Media Player.
Tags: 360|Flex, API, Conference, Jacob Wright, Metadata, Proxy, Video
Adobe Media Player is actually useful
I’ve never used Adobe Media Player, which came with CS3 (or CS4?), before. But when I started watching old videos from various Adobe conferences at tv.adobe.com I had to try it because some videos were not playing )8 What’s more, you can download all the videos you like with Adobe Media Player. It saves them to /Users/-user-/Library/Application Support/Adobe/Adobe Media Player/Local Store/cache as FLVs.
Just filter out the unfinished ones, batch convert them for the iPhone and watch/listen to them on your way to work or while jogging.
Tags: Adobe Media Player, Conference, FLV, iPhone, tv.adobe.com, Video
The importance of reading blogs and attending conferences
I just started watching recorded sessions of 360|Flex and Adobe MAX 2008/2009. And it is fantastic how I see people dealing with the same problems I was dealing with last year and earlier this year. If only I had watched these videos earlier or attended these conferences… This could have saved me a lot of time. Yes, I found my own solutions, better or worse, but that was reinventing the wheel once again.
I am an active blogger and read a lot of blog posts on a daily basis. But nobody can read or know everything. Yet a lot of people on opposite sides of the world are simultaneously trying to solve the same problems and coming up with the same brilliant ideas. They just don’t know about each other…
That’s why it is vitally important to be social. The Internet is a great tool we must use. You should read blogs, you should watch recorded sessions from conferences you can’t attend. You may not have a personal blog but you must be hungry for new information. I don’t care if others find reading blogs a waste of time. Most of them are narrow-minded people living in their own sandbox.
You must live on the edge of knowledge in your field, you must know what was done and what obstacles people faced in their projects. Learn from someone else’s mistakes.
What’s more, reading an article about something you found interesting but which is not relevant right now is definitely not a waste of time. If you have a team of people who are information sponges you can do anything in a much more productive way. Any problem during development will be solved much faster, and every decision will be much more likely to be right, because someone has read about another team facing the same problem, or about how bad that architecture turned out to be in the end. Someone might have attended a conference where he heard of an interesting framework which is ideal for your current needs.
You might have memorized only 3% of the whole article you read or video you watched, but you already know about the existence of a solution you might desperately need right now. You’ll spend a couple of hours googling instead of weeks of development.
***
I like reading technical books. The last books I read were about the human genome, swarm intelligence, artificial intelligence, losing weight, Prolog, plants and branching structures. They don’t have much relation to what I am doing right now, I am just hungry for interesting stuff…
Tags: Blogs, Books, Conferences, Information, Reading
Unnamed functions
Why you shouldn’t use them. What’s more, every function call costs time, so think about inlining the code of simple functions.
Tags: Function, Optimization
