And just a thought. "Turn back the clock" and when the DC automatically changes the PC's time back? Oh got it, don't connect the PC to the network.
Let me guess "We take our customers' security....."
Extreme Networks missed the deadline to expunge Adobe Flash from its management tools and is advising users they’ll therefore need to fiddle with their PC clocks to manage their networks. “Due to a last minute change in 3rd party licensing we have been tasked to update WiNG Manager to meet new enforcements related to Flash,” …
> Let me guess "We take our customers' security....."
For the last 20 years Flash has meant: "We take our customers' security ... away by providing lots of handy holes for miscreants".
And now, anyone who prepared by air-gapping Flash, or deemed the risk acceptable on non-critical systems, has been royally screwed.
If one really wants to futz with the date so that a broken software application will continue to work (for some definition of "work" anyway), simply changing the system clock and/or hardware RTC is definitely not the best approach. Two alternatives: (a) run the broken application in a VM so that the incorrect time is visible only to software running in the guest; or (b) use a filter library that intercepts calls to gettimeofday(3c) via LD_PRELOAD when running the broken application, which will allow you to force the application to see whatever time you want it to but will not affect other processes. Of course, if you're using Flash at all, I sure hope you're already running it in a VM, preferably one you use for nothing else and destroy immediately after each use.
Inexcusable foot-dragging by application vendors aside, Adobe are putting on a masterclass in how not to manage obsolescence. Drop support? Great. No new releases? Certainly. Documenting the end-of-life process and the reasons for it? Yes, of course. Alerting users for several years whenever they download the software? Excellent. Prohibiting new downloads after the end of life date? That's only to be expected. Logic bomb that suddenly makes working locally-installed software stop working? Uhhh... no. If you really insist on the date-driven logic bomb approach, you should limit it to nagware ("If you wish to continue, type 'I agree to contact the supplier of this application and inform them that they need to stop using Flash' and press Enter; otherwise, click Exit to abort"). This is really the worst of all worlds, because it doesn't make the people who need these applications stop needing them. So they'll change their clocks, wreak havoc on everything else, and create a giant shitstorm for their own support staff (instead of the people at Extreme or Adobe, who deserve it). Way to go, Adobe. Just when we thought Flash couldn't create any more misery, you found a way!
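Option (b) from the comment above, sketched as an added example that is not part of the original thread: a small preload library that shifts `gettimeofday()` for one process and leaves the system clock, and every other process, alone. The `FAKE_EPOCH` variable, the file name `timeshim.c` and `legacy_app` are assumptions made for illustration.

```c
/* timeshim.c: added example, not code from the thread. FAKE_EPOCH is a
 * hypothetical variable name holding the Unix time the process should see.
 * Build: cc -shared -fPIC -o timeshim.so timeshim.c
 * Use:   FAKE_EPOCH=1609459200 LD_PRELOAD=./timeshim.so ./legacy_app */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/time.h>
#include <time.h>

/* Parse a decimal Unix timestamp; returns 1 on success, 0 if unset or malformed. */
int parse_fake_epoch(const char *s, long long *out)
{
    char *end;
    if (s == NULL || *s == '\0')
        return 0;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0)
        return 0;
    *out = v;
    return 1;
}

/* Offset (fake start minus real start), fixed at first use so time still advances. */
long long shim_offset(void)
{
    static int ready;
    static long long offset;
    if (!ready) {
        struct timespec now;
        long long fake;
        clock_gettime(CLOCK_REALTIME, &now);
        if (parse_fake_epoch(getenv("FAKE_EPOCH"), &fake))
            offset = fake - (long long)now.tv_sec;
        ready = 1; /* unset or malformed value: offset stays 0 (pass-through) */
    }
    return offset;
}

/* Replaces libc's gettimeofday() in the preloaded process only (prototype as in
 * glibc 2.31+ and musl). The real clock is read through clock_gettime(), which
 * this library does not intercept, so programs calling that see real time. */
int gettimeofday(struct timeval *tv, void *tz)
{
    struct timespec now;
    long long off = shim_offset();
    (void)tz; /* obsolete timezone argument is ignored */
    if (clock_gettime(CLOCK_REALTIME, &now) != 0)
        return -1;
    tv->tv_sec = (time_t)(now.tv_sec + off);
    tv->tv_usec = now.tv_nsec / 1000;
    return 0;
}
```

Only callers of `gettimeofday()` in the preloaded process see the shifted time; the hardware RTC, domain time sync and every other process keep the real clock.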
I will say that the documentation provided by VMware (https://kb.vmware.com/s/article/78589) is a good workaround and is not specific to VMware.
The only thing that threw me off initially was that the folders "Pepper Data\Shockwave Flash\System" didn't exist on two computers with Chrome that I tried this on, so a bit of procmon to validate that they weren't typos was called for before proceeding.
With respect to Chrome, Flash is getting removed in version 88, which is slated for rollout starting next week.
And of course, managing this file across different browsers on the same computer leads me to possibly better refine this by using symlinks. Updating this file with a new URL, for example, across all browsers installed on my computer requires me to edit multiple but otherwise identical files in different locations. But I haven't tested this out.
But this is just a crutch. Everything still with Flash is on a road-map, I just wasn't expecting the time-bomb this morning.
The developers will have been sending regular reminders to the project management, who will have been completely ignoring it until too late.
I see this kind of thing all the time.
Sometimes it's just because the PM has taken on too many projects and just can't cope. Sometimes it's because they don't want to consider the consequences of their decisions, other times it's because they expect to have moved onto another project or even employer before the go-dead-date and thus their successor will be the one to pick up the pieces.
Sadly, PMs have a longstanding habit of ignoring technical debt until the cost is astronomical.
The PMs probably are thinking along the lines of "This is a problem in the browser, why should we allocate resources to fix it".
Given that we have project managers that will do absolutely anything to close a project regardless of the state it is in, I am not surprised.
How about putting a service live with no DR test? They were told about this time and time again yet it was still more important to close the project than complete the work. The DR test now cannot be completed because, guess what, the sodding system is live and they don't want the down time.
"I was surprised by how late some companies left switching their systems away from Flash considering how much notice there had been about the death of Flash."
Quite a few probably thought it would just carry on "working" as normal, just sans any future updates. That's the usual EOL for local programs. Without defending Adobe and most certainly not Flash, it does seem a bit odd that they chose to EOL it by actually killing the users' locally installed software. Imagine the outcry if MS had done that to a previous version of Windows?
Last month, Mozilla was still saying Firefox ESR would support Flash until the 3rd Qtr of 2021, and we were working towards that timescale (it's been removed now), and absolutely no one at Adobe had ever mentioned that Flash would be time-bombed, just that Adobe would stop supporting Flash, and that the latest browsers would drop support... (imagine if MS timebombed Windows 95, or Mozilla timebombed Firefox 56.0 jeez... )
What happened was Adobe did a deal for $$$... so that Samsung/Harman could take Flash away using a Timebomb, then offer to licence it back for what is frankly obscene amounts of money. (As far as I'm aware, MS is also keeping it, but only available for $$$ Enterprise licences). And it would be most effective at earning revenue if the Timebomb was kept quiet, then lots of companies would get caught out, and Harman would make a tidy little earner.
We were up against it already following development work on the EU's Data Protection, then the UK's making tax digital, and then EU's Strong Customer Authentication, then Brexit customs/vat changes etc, then Covid-19 hit, and quite sensibly, the UK moved SCA enforcement back a few months to give us a breather...
Once I found out on the Adobe Flash forum late December that some enterprising soul had just tried putting his PC's clocks forward, and discovered Flash was timebombed, I prioritized the redevelopment of what is a tiny, but critical and horrible bit of remaining Flash used on an internal network, but it was too late, our developers were too busy to fix it, it's hooked into some old legacy code which is slow and difficult to fix. It will be done by the end of this month, meantime Adobe can do one, for foul business practices.
Something similar happened with Photobucket. What Samsung/Harman and Adobe have done is not a million miles away from Ransomware...
Allegedly you could get Adobe Flash Player back, locked to one domain, for around $25,000 per annum. But actually Harman won't publish their prices... and their license T&C's... well let's just say we'll probably never know which organizations paid a ransom to Samsung/Harman to release their IT systems, or how much they paid. Seems like pricing was based on an organization's size, how desperate you were, and how much they thought they could sting you for.
Anyway, I reckon I'll have to pay out around 10k in redevelopment costs by the end of this month, but at least it's going to nice people, and I'm not giving it to Shantanu Narayen.