back to article Extreme Networks misses death-of-Flash deadline, suggests winding back PC clocks to keep its GUI alive

Extreme Networks missed the deadline to expunge Adobe Flash from its management tools and is advising users they’ll therefore need to fiddle with their PC clocks to manage their networks. “Due to a last minute change in 3rd party licensing we have been tasked to update WiNG Manager to meet new enforcements related to Flash,” …

  1. IGotOut Silver badge
    FAIL

    Wow...

    ...just wow.

    And just a thought. "Turn back the clock" and when the DC automatically changes the pc's time back? Oh got it, don't connect the PC to the network.

    Let me guess "We take our customers security....."

    1. Pascal Monett Silver badge

      Re: Wow...

      Indeed. Fiddle with the clock to manage your network ?

      I have another suggestion : get a proper network management tool.

    2. big_D Silver badge

      Re: Wow...

      "We take our customers security....."

      and throw it in the bin.

      Sorry, but how can a network company that doesn't take security seriously even be considered as a supplier?

    3. Anonymous Coward
      Anonymous Coward

      Re: Wow...

      > Let me guess "We take our customers security....."

      For the last 20 years Flash has meant: "We take our customers' security ... away by providing lots of handy holes for miscreants".

      And now, anyone who prepared by air-gapping Flash, or deemed the risk acceptable on non-critical systems, has been royally screwed.

      1. Anonymous Coward
        Anonymous Coward

        Re: Wow...

        "Anyone who prepared by air-gapping Flash, or deemed the risk acceptable on non-critical systems, was an idiot."

        There, fixed it for you.

  2. Anonymous Coward
    Anonymous Coward

    Surely not

    If one really wants to futz with the date so that a broken software application will continue to work (for some definition of "work" anyway), simply changing the system clock and/or hardware RTC is definitely not the best approach. Two alternatives: (a) run the broken application in a VM so that the incorrect time is visible only to software running in the guest; or (b) use a filter library that intercepts calls to gettimeofday(3c) via LD_PRELOAD when running the broken application, which will allow you to force the application to see whatever time you want it to but will not affect other processes. Of course, if you're using Flash at all, I sure hope you're already running it in a VM, preferably one you use for nothing else and destroy immediately after each use.

    Inexcusable foot-dragging by application vendors aside, Adobe are putting on a masterclass in how not to manage obsolescence. Drop support? Great. No new releases? Certainly. Documenting the end-of-life process and the reasons for it? Yes, of course. Alerting users for several years whenever they download the software? Excellent. Prohibiting new downloads after the end of life date? That's only to be expected. Logic bomb that suddenly makes working locally-installed software stop working? Uhhh... no. If you really insist on the date-driven logic bomb approach, you should limit it to nagware ("If you wish to continue, type 'I agree to contact the supplier of this application and inform them that they need to stop using Flash' and press Enter; otherwise, click Exit to abort"). This is really the worst of all worlds, because it doesn't make the people who need these applications stop needing them. So they'll change their clocks, wreak havoc on everything else, and create a giant shitstorm for their own support staff (instead of the people at Extreme or Adobe, who deserve it). Way to go, Adobe. Just when we thought Flash couldn't create any more misery, you found a way!

    1. Robert Grant

      Re: Surely not

      The worst of all worlds would actually be if they hadn't done all that other stuff.

    2. FILE_ID.DIZ
      Boffin

      Re: Surely not

      I will say that the documentation provided by VMware (https://kb.vmware.com/s/article/78589) is a good workaround and is not specific to VMware.

      The only thing that threw me off initially was that the folders "Pepper Data\Shockwave Flash\System" didn't exist on two computers with Chrome that I tried this on, so a bit of procmon to validate that they weren't typos was called for before proceeding.

      With respect to Chrome, Flash is getting removed in version 88, which is slated for rollout starting next week.

      And of course, managing this file across different browsers on the same computer lends me to possibly better refine this by using symlinks. Updating this file with a new URL for example, across all browsers installed on my computer require me to edit multiple but otherwise identical files in different locations. But I haven't tested this out.

      But this is just a crutch. Everything still with flash is on a road-map, I just wasn't expecting the time-bomb this morning.

  3. Potemkine! Silver badge

    Extreme Networks: we make management of networks extreme.

    1. Anonymous Coward
      Anonymous Coward

      Extreme Networks

      It's an extreme FAIL, that's for sure.

      (How unfortunate it would be if lots of forum posts mentioning their name in the title were to mess with search engine results for them… It sounds like it couldn't happen to a more disorganised bunch of incompetents…)

  4. A Non e-mouse Silver badge

    I was surprised by how late some companies left switching their systems away from Flash considering how much notice there had been about the death of Flash.

    1. Anonymous Coward
      Anonymous Coward

      I'm not at all surprised

      The developers will have been sending regular reminders to the project management, who will have been completely ignoring it until too late.

      I see this kind of thing all the time.

      Sometimes it's just because the PM has taken on too many projects and just can't cope. Sometimes it's because they don't want to consider the consequences of their decisions, other times it's because they expect to have moved onto another project or even employer before the go-dead-date and thus their successor will be the one to pick up the pieces.

      Sadly, PMs have a longstanding habit of ignoring technical debt until the cost is astronomical.

      1. Doctor Syntax Silver badge

        Re: I'm not at all surprised

        "The developers will have been sending regular reminders to the project management, who will have been completely ignoring it until too late."

        Maybe they should have sent reminders to marketing instead, pointing out the reputational damage.

        1. monty75

          Re: I'm not at all surprised

          Have you ever tried to explain IT to a marketing droid?

          1. David 132 Silver badge

            Re: I'm not at all surprised

            "OK, one last time. These problems are small. But those problems are far away.

            Small.

            Far away."

            (Marketing droid Dougal shakes his head in utter incomprehension)

            "Ah, forget it!"

      2. Cynic_999

        Re: I'm not at all surprised

        The developers have long ago retired using their one-off cash-cow application, and cannot be found to do any updates at all.

      3. hoola Silver badge

        Re: I'm not at all surprised

        The PMs probably are thinking along the lines "This is a problem in the browser, why should we allocate resources to fix it".

        Given that we have project managers that will do absolutely anything to close a project regardless of the state it is in I am not surprised.

        How about putting a service live with no DR test? They were told about this time and time again yet it was still more important to close the project than complete the work. The DR test now cannot be completed because, guess what, the sodding system is live and they don't want the down time.

    2. John Brown (no body) Silver badge

      "I was surprised by how late some companies left switching their systems away from Flash considering how much notice there had been about the death of Flash."

      Quite a few probably thought it would just carry on "working" as normal, just sans any future updates. That's the usual EOL for local programs. Without defending Adobe and most certainly not Flash, it does seem a bit odd that they chose to EOL it by actually killing the uses locally installed software. Imagine the outcry if MS had done that to previous version of Windows?

  5. Anonymous Coward
    Anonymous Coward

    And if you have one of their older "end of life" products...

    ...you're SOL!

    Despite the fact that many of these devices (for example switching hardware that was high-end at the time of purchase) is still perfectly serviceable.

    At least the CLI is there still!

  6. Captain Scarlet
    Unhappy

    WING from Motorola/Symbol has always felt unloved

    Original Motorola hardware, changed to Symbol and then Extreme has always felt unloved by the purple switchers.

  7. Marcus_Bond

    Last month, Mozilla was still saying Firefox ESR would support flash until the 3rd Qtr of 2021, and we were working towards that timescale (it's been removed now), and absolutely no one at Adobe, had ever mentioned that Flash would be time-bombed, just that Adobe would stop supporting Flash, and that the latest browsers would drop support... (imagine if MS timebombed Windows 95, or Mozilla timebombed firefox 56.0 jeez... )

    What happened was Adobe did a deal for $$$... so that Samsung/Harman could take Flash away using a Timebomb, then offer to licence it back for what is frankly obscene amounts of Money. (As far as I'm aware, MS is also keeping it, but only available for $$$ Enterprise licences). And it would be most effective at earning revenue if the Timebomb was kept quiet, than lots of companies would get caught out, and Harmon would make a tidy little earner.

    We were up against it already following development work on the EU's Data Protection, then the UK's making tax digital, and then EU's Strong Customer Authentication, then Brexit customs/vat changes etc, then Covid-19 hit, and quite sensibly, the UK moved SCA enforcement back a few months to give us a breather...

    Once I found out on the Adobe Flash forum late December that some enterprising soul had just tried putting his PC's clocks forward, and discovered Flash was timebombed, I prioritized the redevelopment of what is a tiny, but critical and horrible bit of remaining flash used on an internal network, but it was too late, our developers were to busy to fix it, it's hooked into some old legacy code which slow and difficult to fix. It will be done by the end of this month, meantime Adobe can do one, for foul business practices.

    Something similar happened with Photobucket. What Samsung/Harmon and Adobe have done is not a million miles away from Ransomware...

    1. Ken Hagan Gold badge

      I'll stock up on popcorn then. Recent events west of the pond have more or less wiped out my supplies but this story looks like it might interest m'learned friends.

      1. Marcus_Bond

        Allegedly you could get Adobe flash player back, locked to one domain, for around $25,000 per annum. But actually Harman won't publish their prices... and their license T&C's... well lets just say we'll probably never know which organizations paid a ransom to Samsung/Harman to release their IT systems, or how much they paid. Seems like pricing was based on an organizations size, how desperate you were, and how much they thought they could sting you for.

        Anyway, I reckon I'll have to pay out around 10k in redevelopment costs by the end of this month, but at least its going to nice people, and I'm not giving it to Shantanu Narayen.

    2. big_D Silver badge

      I read it on a couple of tech sites in November/December that the last security update for Flash also contained a kill-switch.

  8. WallMeerkat

    Could they try the likes of https://github.com/ruffle-rs/ruffle as a temporary alternative?

    1. Anonymous Coward
      Anonymous Coward

      Sadly, ruffle only support 5% of ActionScript 3, which means everything written in the last 9 years or so.

  9. Marcus_Bond

    Remember...

    U.S. Dept of Treasury Warns.

    The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced that paying ransom to cybercriminals is now illegal. Ransomware payments may also embolden cyber actors to engage in future attacks...

  10. Anon

    Extreme Networks says...

    "THREE-PEAT"

    We're so famous we don't even have to say what we do!

    No, really, why are they advertising for Gartner as the start of their website?

  11. Anonymous Coward
    Anonymous Coward

    fixed already

    bad miss, some inconvenience on our deployment. but they've already got the fix out today. not the end of the world.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like