53 comments

[ 2.5 ms ] story [ 111 ms ] thread
Why would FedEx require users to enable Flash as "run always?" Is there really not a better solution available to simply whitelist their site or be given a pop-up in Chrome asking to enable it temporarily?
Who knows, but my best guess is that it was the easiest set of instructions to give. The more complicated you get, the less likely anyone is to actually do it.

It actually irks me a bit about Chrome/Firefox. I understand they want to kill these addons. But I still unfortunately am forced to use sites that require Java and/or Flash. I'm just grateful MS still has the older version of IE available in Win10 so I can get these important things done.

I get Flash, but Java, you use sites that have Java Applets on them? I can't even imagine which ones are actually left.
Lots of government websites in Spain, for instance.
Don't know about the original poster, but there are still a ton of crappy managed switches/APs/other embedded devices that use Java applets for configuration in operation.

In a past life, I had to keep two different browser installs, each with a different JVM version in obsolete browsers, aside from my "real" browser to deal with crap like that.

Those are probably ancient corporate tools, either made in-house or by some 3rd party that won't update to newer technology without enough of a monetary incentive.
I guess digital signature, mostly. Signing documents without your private key leaving the computer. It's not something you can do easily cross-browser.
One example: website which uses USB crypto tokens for digital signatures. In Kazakhstan (and, I guess, many other countries) every citizen can get digital certificate, signed by government CA and use it to sign electronic documents. It's used for many government internet services, for example. But there's no API even in modern browsers, to work with USB devices, so Java applet is one way to do it.

That said, Java applets are effectively dead, so government services now require installing and running separate program which listens at localhost for connections from browser. Honestly, it doesn't look like a big win for me, more like a big loose, from a security point. But here we go.

(comment deleted)
> every citizen can get digital certificate, signed by government CA and use it to sign electronic documents

This sounds crazy smart. Why don't western countries do this? You could even put the fingerprint in the barcode of your driver's license.

Because it's actually used to intercept encrypted communications of citizens. http://www.slate.com/blogs/future_tense/2015/12/14/kazakhsta...

Having said that, a better implementation would be pretty awesome.

Those are two separate issues. A certificate in a smartcard is not the same as a CA certificate used in devices to authenticate sites.
Those are rumors. Currently Internet in Kazakhstan works fine without installing any certificates. I wouldn't be surprised, if they would do it, but not yet.

And, yes, those certificates are unrelated, AFAIK.

Ubiquiti uses Java I think.
UniFi devices are configured with a standalone Java app, not a Java applet in a web browser.
And that Java app is basically just a web server, which they could rewrite in node or ruby and then I wouldn't need a JVM on my machine any more just to configure my router.
Sadly, we have some annual mandatory web-based training modules that use web applets in my workplace.
So does my workplace. Why do all offices use such horrific legal training software? Is that a valuable market to break into...
(comment deleted)
I just had to help someone enable Java applets earlier this week, in order to take an online typing test required by a temp agency. At some companies, it seems the 1990's never stopped happening. :/
Some ADP applications. A lot of enterprise-y time-clock/PTO applications in general. Other enterprise-y bullshit.
Education. A lot of science simulations I would use for my classes are Java Applets. Also the equation editor I have to use for creating tests (yes it's web based...) is a java applet.

It's a total nightmare because most of it is abandonware or is still for sale but unmaintained!

We're always happy to talk about personal experiences removing Java and never regretting it.

I've been through multiple attempts at doing it in an enterprise, one in January this year, and it always ends with the determination that Java applets are critical to websites used by the business and not going anywhere. Healthcare portals are a big offender.

If FedEx relies on opening a .swf file directly in a new window, you need to select Run Always, because Google apparently doesn't give a shit about doing things right and made it so no amount of whitelisting will allow it to run .swf files directly (instead it just downloads the .swf).
Doing things "right"...

I would rather know where flash beings and ends and have to jump through hoops. Actually I would prefer it never run at all ever. Flash not run is "right".

There have been too many security flaws where Flash would allow remote execution of arbitrary code, and that eventually means viruses. If my family gets a virus, then I am on the hook for it.

Yes, this is precisely why Chrome's current behavior is awful. It's forcing me to set Flash to "Run Always", which is a security and privacy problem, simply because one site I use opens .swf files in new windows instead of embedding them in HTML pages.
Where flash is concerned, for me, doing things right is exactly what Google are doing here.
No, they really aren't. If a site opens a .swf file in a new window, Chrome should behave exactly as though it opened an HTML page that embedded the SWF, i.e. letting me approve it, and playing it if I've whitelisted the domain. Instead it will always download the SWF if you have your Flash content settings set to anything else besides Run Always. It's really stupid and it means I have to keep Flash enabled globally (which I really don't want to do) simply because Google doesn't care enough to handle edge cases properly.
Just from 4 hours ago.
Judging by the upvotes and timestamp on that story (90 points, 4 hours ago), and not being able to find it on at least the first 3 pages of HN (for comparison, there's a story on page 3 with 33 points, 22 hours ago)...

That was one of those threads which just gets opaquely disappeared off the front page.

Which is something I've been noticing happening a lot lately. Really big turnoff from participating in this site.

> for comparison, there's a story on page 3 with 33 points, 22 hours ago)...

The ranking algo might be a bit more sophisticated.

Sure, but that's not all. Or maybe it is -- who knows. Certainly not you or I, because the only information that is public is the score and the date.

The problem is the opaqueness of it

Which leaves a lot of room for the appearance of capriciousness, and sometimes even (though not so much in this case, this is not nearly that consequential a story) malice.

http://sangaline.com/post/the-stories-that-hacker-news-remov...

You can't just compare points because flags don't affect points while they do affect ranking.
They obviously did the math...

Cost to migrate internal apps to HTML5 = $$$$$$

Cost to bribe users to use an outdated, security nightmare = $$$

Come on fedex... this is next level stupidity!

I'm imaging a few people around a table looking over a cost estimate, when one makes the joke "We could give every user $5, and it would still be cheaper"... when one person pipes up "well.... what if we did..."
OK people we need to brainstorm; remember no idea is too stupid.
They'd be crazy if they haven't already begun re-writing it. My guess is they're in the process of re-writing, they know it's a ways out, so this is a way to buy them some time.
> this is a way to buy them some time.

Literally ;)

I'm willing to give them the benefit of the doubt and think they had an "Oh shit, Chrome and Safari are blocking Flash now!" moment. And after that they immediately started working on a full HTLM5 version.

That said, whoever is in charge of development and I suppose FedEx bosses, too, should've seen this coming a mile away. They don't really have an excuse for not using HTML5 now.

$5 is not anywhere near enough to bribe me into turning on Flash. UPS will be getting my shipping business for the foreseeable future. I refuse to use USPS for anything critical after someone sending me a package made a typo of using "St" instead of "Dr" for the street I live on and it ended up in an overnight package destined for Illinois being sent to Florida.
I thought mail was firstly directed to a center dependent only on zip, and it's then further sorted. If the zip is correct, but a parcel ends up on the wrong side of the country, the mistake isn't due to a typo but probably physical mishandling of mail.
That was my understanding, too (and the ZIP + 4 were correct). I'm just recalling the excuse they used when my package went to the wrong state and arrived 3 days late.
Individually, for the one care package I sent to my sister last month (which was the only thing I have shipped personally in a long time), I'll happily install Flash for a $5 credit.

The real customers, though, are the businesses that ship hundreds of products. $5 is irrelevant.

I'm fairly sure I don't need Flash to print FedEx labels, however I don't use "FedEx Office", I have an actual FedEx shipping account.
This is such a band-aid fix when what they have is a gaping wound caused by a chainsaw.

I reckon, can they be held liable if for example, someone installed Flash and the machine got hacked or infected? It was their recommendation in the first place?

This is a spun headline. FedEx knows its site's reliance on Flash is awful and they're working on a fix, but it isn't ready. They feel bad so they're offering a $5 coupon to those who have to reactivate it to use their site. They aren't paying people to prop up Flash.
If that was truly the case, they ought to have moved away from flash "a long time ago".
This headline should really say $5 off coupon or $5 discount as it is a very different thing from giving people $5 in cash.