"Safe" way of running Flash under Firefox

Started by Don Y October 11, 2014
Hi,

I tend NOT to install Flash on outward facing machines just to
eliminate one more set of bugs, opportunity for advertisers,
cookie jar, etc.

SWMBO has been increasingly grumbling about not being able
to view the (silly) videos her friends send her way.  (sigh)

So, I'm looking for options on "safe" ways to provide her with that
without adding to the amount of maintenance I have to do, here.
(e.g., even updating Flash is considered a maintenance task!)
Ideally, have Flash *off* until she finds *a* video that she
wants to view; turn it on to view THAT video; then have it OFF,
again.

One approach is to set up another machine for her to muck with.
Then, just "restore" it periodically when it gets wonky.

Second is to run browser in a sandbox so nothing is persistent.

Third is to install some plugin (?) and hope it does what I want.

etc.

Thanks!
--don
On 11/10/2014 3:41 PM, Don Y wrote:
> Hi,
>
> I tend NOT to install Flash on outward facing machines just to
> eliminate one more set of bugs, opportunity for advertisers,
> cookie jar, etc.
>
> SWMBO has been increasingly grumbling about not being able
> to view the (silly) videos her friends send her way. (sigh)
>
> So, I'm looking for options on "safe" ways to provide her with that
> without adding to the amount of maintenance I have to do, here.
> (e.g., even updating Flash is considered a maintenance task!)
> Ideally, have Flash *off* until she finds *a* video that she
> wants to view; turn it on to view THAT video; then have it OFF,
> again.
>
> One approach is to set up another machine for her to muck with.
> Then, just "restore" it periodically when it gets wonky.
>
> Second is to run browser in a sandbox so nothing is persistent.
>
> Third is to install some plugin (?) and hope it does what I want.
>
> etc.
>
> Thanks!
> --don

Is Flashblock not suitable for this purpose?

Sylvia.
On Fri, 10 Oct 2014 21:41:08 -0700, Don Y <this@is.not.me.com> wrote:


>SWMBO has been increasingly grumbling about not being able
>to view the (silly) videos her friends send her way. (sigh)

I don't blame her. I'd be pissed if someone tried to tell me what I could do in my own home!

>So, I'm looking for options on "safe" ways to provide her with that
>without adding to the amount of maintenance I have to do, here.
>(e.g., even updating Flash is considered a maintenance task!)
>Ideally, have Flash *off* until she finds *a* video that she
>wants to view; turn it on to view THAT video; then have it OFF,
>again.

You're being far too paranoid. I've had an unprotected XP machine sitting behind a good router running DD-WRT for years with no molestation.

>Second is to run browser in a sandbox so nothing is persistent.

Best: Install Linux and Firefox which runs plug-ins in sandboxes.
Better: A modern Winders running Firefox which also sandboxes plug-ins.

>Third is to install some plugin (?) and hope it does what I want.

there are a number of plug-ins for FF that do what you want. I use FlashBlock. It blocks all flash, displaying instead a box outlining the embed and a "play" arrow. The only problem I have encountered with this plug-in is that it gets stuck in a loop with whatever flash player the Washington Post uses.

John
John DeArmond
http://www.neon-john.com
http://www.fluxeon.com
Tellico Plains, Occupied TN
See website for email address
On 10/10/2014 10:14 PM, Sylvia Else wrote:
> On 11/10/2014 3:41 PM, Don Y wrote:
>> Hi,
>>
>> I tend NOT to install Flash on outward facing machines just to
>> eliminate one more set of bugs, opportunity for advertisers,
>> cookie jar, etc.
>>
>> SWMBO has been increasingly grumbling about not being able
>> to view the (silly) videos her friends send her way. (sigh)
>>
>> So, I'm looking for options on "safe" ways to provide her with that
>> without adding to the amount of maintenance I have to do, here.
>> (e.g., even updating Flash is considered a maintenance task!)
>> Ideally, have Flash *off* until she finds *a* video that she
>> wants to view; turn it on to view THAT video; then have it OFF,
>> again.
>>
>> One approach is to set up another machine for her to muck with.
>> Then, just "restore" it periodically when it gets wonky.
>>
>> Second is to run browser in a sandbox so nothing is persistent.
>>
>> Third is to install some plugin (?) and hope it does what I want.
> Is Flashblock not suitable for this purpose?
Dunno. That's why I've asked (*I* have no need for flash videos so don't miss the extra resources spent on it, advertisements presented by it, etc.)

Thanks, I'll take a look at it.
On 10/10/2014 10:15 PM, Neon John wrote:
> On Fri, 10 Oct 2014 21:41:08 -0700, Don Y <this@is.not.me.com> wrote:
>
>> SWMBO has been increasingly grumbling about not being able
>> to view the (silly) videos her friends send her way. (sigh)
>
> I don't blame her. I'd be pissed if someone tried to tell me what I
> could do in my own home!

She can do exactly what she *wants* -- if SHE wants to assume responsibility for maintaining HER computer! :>

She notices how much time her friends have their computers "down". How often they claim to need to be "replaced". How much spam they receive. etc.

And, notices how LONG ours stays up, "clean" and spam free. Makes the choice a no-brainer for her! ;-)

(especially in light of the videos typically being silly wastes of bandwidth: "Oooo, look! A cat climbing into a tiny box! I'm *so* glad I didn't miss that!" NOT)

>> So, I'm looking for options on "safe" ways to provide her with that
>> without adding to the amount of maintenance I have to do, here.
>> (e.g., even updating Flash is considered a maintenance task!)
>> Ideally, have Flash *off* until she finds *a* video that she
>> wants to view; turn it on to view THAT video; then have it OFF,
>> again.
>
> You're being far too paranoid. I've had an unprotected XP machine
> sitting behind a good router running DD-WRT for years with no
> molestation.
>
>> Second is to run browser in a sandbox so nothing is persistent.
>
> Best: Install Linux and Firefox which runs plug-ins in sandboxes.
> Better: A modern Winders running Firefox which also sandboxes
> plug-ins.
>
>> Third is to install some plugin (?) and hope it does what I want.
>
> there are a number of plug-ins for FF that do what you want. I use
> FlashBlock. It blocks all flash, displaying instead a box outlining
> the embed and a "play" arrow. The only problem I have encountered
> with this plug-in is that it gets stuck in a loop with whatever flash
> player the Washington Post uses.
That's what I'm looking for, then. E.g., like ancient versions of Mozilla that would let you turn *images* (pictures) on and off from the menu bar.
On 10/10/2014 10:14 PM, Sylvia Else wrote:
> On 11/10/2014 3:41 PM, Don Y wrote:
>> I tend NOT to install Flash on outward facing machines just to
>> eliminate one more set of bugs, opportunity for advertisers,
>> cookie jar, etc.
>>
>> SWMBO has been increasingly grumbling about not being able
>> to view the (silly) videos her friends send her way. (sigh)
>>
>> So, I'm looking for options on "safe" ways to provide her with that
>> without adding to the amount of maintenance I have to do, here.
>> (e.g., even updating Flash is considered a maintenance task!)
>> Ideally, have Flash *off* until she finds *a* video that she
>> wants to view; turn it on to view THAT video; then have it OFF,
>> again.
> Is Flashblock not suitable for this purpose?
Apparently, Flashblock relies on JavaScript running (i.e., NoScript interferes with it).

It seems the most reliable solution may just be to build a "secured" machine just for those times when you want to engage in these sorts of activities.

A disturbing number of security issues listed for Flash suggests it will continue to be a "risk" issue. (sigh)
Don Y <this@is.not.me.com> wrote in news:m1aho5$7fo$1@speranza.aioe.org:

> On 10/10/2014 10:15 PM, Neon John wrote:
>> On Fri, 10 Oct 2014 21:41:08 -0700, Don Y <this@is.not.me.com> wrote:
>>
>>> SWMBO has been increasingly grumbling about not being able
>>> to view the (silly) videos her friends send her way. (sigh)
>>
>> I don't blame her. I'd be pissed if someone tried to tell me what I
>> could do in my own home!
>
> She can do exactly what she *wants* -- if SHE wants to assume
> responsibility for maintaining HER computer! :>
>
> She notices how much time her friends have their computers "down".
> How often they claim to need to be "replaced". How much spam they
> receive. etc.
>
> And, notices how LONG ours stays up, "clean" and spam free. Makes the
> choice a no-brainer for her! ;-)
>
> (especially in light of the videos typically being silly wastes of
> bandwidth: "Oooo, look! A cat climbing into a tiny box! I'm *so*
> glad I didn't miss that!" NOT)
>
>>> So, I'm looking for options on "safe" ways to provide her with that
>>> without adding to the amount of maintenance I have to do, here.
>>> (e.g., even updating Flash is considered a maintenance task!)
>>> Ideally, have Flash *off* until she finds *a* video that she
>>> wants to view; turn it on to view THAT video; then have it OFF,
>>> again.
>>
>> You're being far too paranoid. I've had an unprotected XP machine
>> sitting behind a good router running DD-WRT for years with no
>> molestation.
>>
>>> Second is to run browser in a sandbox so nothing is persistent.
>>
>> Best: Install Linux and Firefox which runs plug-ins in sandboxes.
>> Better: A modern Winders running Firefox which also sandboxes
>> plug-ins.
>>
>>> Third is to install some plugin (?) and hope it does what I want.
>>
>> there are a number of plug-ins for FF that do what you want. I use
>> FlashBlock. It blocks all flash, displaying instead a box outlining
>> the embed and a "play" arrow. The only problem I have encountered
>> with this plug-in is that it gets stuck in a loop with whatever flash
>> player the Washington Post uses.
>
> That's what I'm looking for, then. E.g., like ancient versions of
> Mozilla that would let you turn *images* (pictures) on and off from
> the menu bar.
>

NoScript + FlashBlock is a good combo. Have NoScript set to block Flash in general apart from specified sites e.g. YouTube and Vimeo. FlashBlock then cuts in on a permitted site to ensure the only Flash that plays is the one the user clicked.

You will probably have to do the maintenance of adding permitted sites.

--
Ian Malcolm. London, ENGLAND. (NEWSGROUP REPLY PREFERRED)
ianm[at]the[dash]malcolms[dot]freeserve[dot]co[dot]uk
[at]=@, [dash]=- & [dot]=. *Warning* HTML & >32K emails --> NUL
It might be worth running a double-NATted network, i.e. run an output port of your current router into the WAN port of a second one, and running her computer off that. That way you have two isolated subnets, so whatever gets on to her computer probably can't see yours.

Cheers

Phil Hobbs
On 10/11/2014 7:48 AM, Ian Malcolm wrote:
> Don Y <this@is.not.me.com> wrote in news:m1aho5$7fo$1@speranza.aioe.org:
>>>> So, I'm looking for options on "safe" ways to provide her with that
>>>> without adding to the amount of maintenance I have to do, here.
>>>> (e.g., even updating Flash is considered a maintenance task!)
>>>> Ideally, have Flash *off* until she finds *a* video that she
>>>> wants to view; turn it on to view THAT video; then have it OFF,
>>>> again.
>>>
>>>> Second is to run browser in a sandbox so nothing is persistent.
>>>
>>>> Third is to install some plugin (?) and hope it does what I want.
>>>
>>> there are a number of plug-ins for FF that do what you want. I use
>>> FlashBlock. It blocks all flash, displaying instead a box outlining
>>> the embed and a "play" arrow. The only problem I have encountered
>>> with this plug-in is that it gets stuck in a loop with whatever flash
>>> player the Washington Post uses.
>>
>> That's what I'm looking for, then. E.g., like ancient versions of
>> Mozilla that would let you turn *images* (pictures) on and off from
>> the menu bar.
>
> NoScript + FlashBlock is a good combo. Have NoScript set to block Flash
> in general apart from specified sites e.g. YouTube and Vimeo. FlashBlock
> then cuts in on a permitted site to ensure the only Flash that plays is
> the one the user clicked.
>
> You will probably have to do the maintenance of adding permitted sites.

YouTube would probably address most of the "silly" videos that friends point her at. But, not all. E.g., the grumble that prompted my post was her inability to preview a sample of a (commercial) instructional video. The site would never make it onto a general whitelist so I'd still have to "drop everything" and "make it work". <frown>

I set up a small "lab" of XP computers with SteadyState about a year ago. As they would be used by kids (teens), I assumed places like YouTube would be high on their lists of preferences. So, installed Flash, etc. Added the "final" XP updates when those were released. Then, locked everything down. I've not heard any complaints (bugs, lockups, etc.) so I suspect it has worked well for them.

I think I will try a similar approach, here, for SWMBO. Set up a laptop for her to use for these sorts of things. Create a persistent partition for the stuff she *wants* to save (so she isn't forced to use a thumb drive for everything). Then, just image the "volatile" portion of the system and hide a compressed (encrypted?) version of the image on a maintenance partition and arrange for it to be decompressed onto the volatile partition at each boot.

That should allow me to get the SteadyState features beyond XP (IIRC, SteadyState is not supported beyond XP) without relying on any (buggy? vulnerable??) COTS implementation (e.g., I think W7 has some hooks that would effectively support this sort of behavior -- but, that relies on W7 itself not having bugs!)

Alternatively, I could build a live CD of a minimal NetBSD system and just use the magnetic disk to store persistent things like bookmarks and email.

In either case, I'd be able to walk away and leave her with simple instructions on how to "compute safely": reboot each time you switch between a "risky" activity and one in which you want to be "protected" (eCommerce).
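
The restore-at-boot scheme described in the post above, sketched as an added example (not code from the thread or from any poster). It assumes the restore step runs from a small POSIX maintenance environment with `gzip` and GNU `sha256sum`; the function name, return codes and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: overwrite a "volatile" partition from a compressed golden
# image, but only after the image has been checked against a recorded digest.
# Paths are hypothetical; ordinary files can stand in for block devices.

# restore_volatile IMAGE DIGEST_FILE TARGET
#   IMAGE        gzip-compressed image kept on the maintenance partition
#   DIGEST_FILE  file whose first field is the expected SHA-256 of IMAGE
#   TARGET       block device (or file) to overwrite
# Returns 0 on success, 1 on a missing input, 2 on digest mismatch,
# 3 if the gzip stream is damaged or the write fails.
restore_volatile() {
    image=$1; digest_file=$2; target=$3

    [ -r "$image" ] && [ -r "$digest_file" ] || return 1

    expected=$(awk 'NR==1 {print $1}' "$digest_file")
    actual=$(sha256sum "$image" | awk '{print $1}')

    # Refuse to restore from an image that no longer matches its digest:
    # a tampered "clean" image would re-infect the machine on every boot.
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "restore: digest mismatch for $image, $target left untouched" >&2
        return 2
    fi

    # Validate the gzip stream before touching the target.
    gzip -t "$image" 2>/dev/null || return 3

    # Overwrite the volatile area with the known-good contents.
    gzip -dc "$image" > "$target" || return 3
    sync
    return 0
}
```

The digest check is only as trustworthy as the place the image and digest are stored, so both belong somewhere the everyday session cannot write to.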
On 10/11/2014 8:45 AM, Phil Hobbs wrote:
> It might be worth running a double-NATted network, i.e. run an output port of
> your current router into the WAN port of a second one, and running her
> computer off that. That way you have two isolated subnets, so whatever gets
> on to her computer probably can't see yours.

My machines aren't routed. No chance of *anything* finding them as there is no connection between them and the outside world.

Currently, we share *this* machine for email and surfing, exclusively (no other apps, here). And, don't store anything "precious" on the machine (i.e., if the disk dies, no real loss!)

[Recently had exactly that sort of failure -- boot sector became unreadable. I opted to recover the email and bookmarks stored on the old disk before scrapping it. And, took the opportunity to upgrade "this" machine (faster processor, smaller/quieter "CPU", bigger display, nice clean keyboard, etc.)]

This keeps the cost of maintaining *this* "visible" machine close to zero! I'd like it to remain that way :>