[conspire] About conditioned helplessness

Rick Moen rick at linuxmafia.com
Fri Sep 2 15:38:50 PDT 2011


Quoting Luke S. Crawford (lsc at prgmr.com):

> But, okay, everyone at my company uses Linux.   So this would mean 
> prohibiting flash and PDF, and enforcing the use of noscript or the
> like.  

Nope.

Although both Flash and the proprietary Adobe Flash interpreter are
buggy rubbish, I don't think the holes in it are fatal as long as you
keep up with the patching treadmill.  If I had such a firm, I might be
really tempted to have a go at doing without Adobe's Flash spaghetti
code and seeing if a well-crafted Gnash + Video Download Helper or one
of the many equivalents would do.  However, the point is that I've never
heard of a Linux machine getting security compromised by an attack
against the current rev. of Adobe Flash.

PDF is a very slightly different case, in that the problem is severe
_and_ is pretty much entirely specific to Adobe Acroread.  Acroread is
not only buggy rubbish, but also... were you aware that it has a
JavaScript interpreter built in?  I kid you not.  They really do.

You can disable that support in Preferences, and I know all about the
justifying use cases for when JavaScript would be useful in user
interaction with certain PDFs.  _However_, having that functionality 
be present and enabled 24x7 in handling of arbitrary PDFs lobbed at the
software from arbitrary locations is ludicrous and proof-positive, as
if we didn't already know it, that Acroread is simply unacceptable
software.

So, don't install it.

Evince works great.  xpdf works great.  PDFedit works great.  Nobody
actually needs flippin' Acroread.

> What do you think my employees are going to say when I say they can't 
> have flash and they can't have PDFs? 

I expect they'd say 'What's wrong with Gnash and Evince, Luke?'
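
A defender-side check for the point above about PDFs that carry JavaScript, added here as an example and not part of the original post: it flags files whose objects declare script or auto-run actions before they reach any viewer. The function names and sample byte strings are constructed for illustration; encrypted files and stream filters other than Flate are not inspected.

```python
import re
import zlib

# PDF dictionary keys that declare script or automatically triggered actions.
SUSPECT_NAMES = {"/JS", "/JavaScript", "/OpenAction", "/AA"}

_NAME = re.compile(rb"/[^\s()<>\[\]{}/%]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _names(data):
    """Yield name tokens with #xx escapes decoded, so /J#53 reads as /JS."""
    for match in _NAME.finditer(data):
        raw = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), match.group())
        yield raw.decode("latin-1")


def _inflated_streams(data):
    """Yield stream bodies that inflate as zlib data (the FlateDecode filter)."""
    for match in _STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data (image, other filter, encrypted): skip


def script_indicators(data):
    """Return the sorted suspect names found in raw and inflated PDF bytes."""
    found = set()
    for chunk in [data, *_inflated_streams(data)]:
        found.update(name for name in _names(chunk) if name in SUSPECT_NAMES)
    return sorted(found)


# Constructed samples (not real documents): a clean catalog, escaped names,
# and an action dictionary hidden inside a compressed object stream.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_ESCAPED = b"1 0 obj\n<< /OpenAction << /S /J#61vaScript /J#53 (x) >> >>\nendobj\n"
_BODY = zlib.compress(b"<< /S /JavaScript /JS (x) >>")
SAMPLE_COMPRESSED = (b"1 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
                     + _BODY + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, pdf in [("clean", SAMPLE_CLEAN), ("escaped", SAMPLE_ESCAPED),
                       ("compressed", SAMPLE_COMPRESSED)]:
        print(label, script_indicators(pdf))
```

An empty result means only that no such key was visible to this scan, so it suits quarantine triage at a mail or proxy gateway rather than proof that a file is inert.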




