Facebook’s new CSO comes out swinging: “Death to Flash!” [POLL]

OK, so Facebook’s new Chief Security Officer, Alex Stamos, didn’t actually say, “Death to Flash.”

But he did say end-of-life, which is surely a synonym for death, and he used kill- in an imperative way.

And, OK, strictly speaking, he didn’t actually say it.

But he tweeted it over the weekend – and with close to 10,000 followers, that’s like saying it through the PA system in a jolly large auditorium:

It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.

Stamos, who was with Yahoo until the end of June 2015, very recently stepped into the vacant shoes of Facebook’s outcumbent CSO, Joe Sullivan, who exited Facebook in April 2015 to become the first ever CSO of controversial not-a-taxi-company Uber.

So, what does the rest of the world think about Flash?

One of Naked Security’s acquaintances couldn’t resist quipping, upon seeing Stamos’s tweet:

And the people said, "Amen."

Flash has certainly been under the pump in the last few weeks, with numerous zero-days being reported and exploited in quick succession in the past week or so, including several extracted from the detritus of the recent breach at security company Hacking Team.

Zero-day, or 0-day with a digit if you want to be 31337, is the slang term for a security hole that crooks knew how to exploit, and actively started exploiting, before an official patch came out.

The “zero” part is a reminder that there were zero days you could possibly have been patched in advance.

But not everyone agrees with Stamos, who certainly stirred up a bit of a hornets’ nest.

We seem to do that, too, every time we suggest on Naked Security that you even consider uninstalling Flash, or at least turning the plugin off inside your browser.

For everyone who has learned to live without Flash, or to turn it on only occasionally when it is genuinely necessary, there seems to be someone else who is convinced that it’s impossible to move forward…

…not least because that means leaving the past behind.

The horns of a dilemma

On one hand, for Facebook to tell Adobe – a big, reputable, and successful player in the IT marketplace, just like Facebook itself – to put one of its products to the sword smacks of arrogance.

On the other hand, it might be just the encouragement, or even endorsement, that Adobe needs to let go of Flash to concentrate on more forward-looking things.

After all, HTML5, the greatly-expanded dialect of HTML that most modern browsers understand, is the open-standard path forward for just the sort of interactive web content that used to rely on Java applets or Flash.

→ To be fair to Adobe, HTML5 only became official, and even then only as a “recommendation” by the World Wide Web Consortium, in late 2014. The previous major version of HTML came out in 1997, so officially superseding Flash has not been a quick or simple exercise.

Indeed, Apple’s iPhones and iPads have managed without Flash for several years, apparently without causing any great digital lifestyle anxiety for their users.

Android, too, abandoned Flash about three years ago – and that was Adobe’s call.

Having said that, any rumours about, or even wishes for, the death of Flash seem highly unlikely to come true.

Adobe’s own roadmap for Flash was last updated less than a month ago, and still looks forward to browsers that use Flash as a vehicle for “adding features that are key for the gaming and video markets.”

Of course, Alex Stamos and Facebook could have things their own way right now in their own universe, simply by discontinuing the use of Flash entirely throughout Facebook’s web properties.

(In Firefox for example, Facebook videos still play via Flash if you have it installed, even though they don’t need to.)

Indeed, Facebook’s web pages could go one step further, by detecting if you have Flash installed and reminding you – for example while playing a video – that Flash isn’t being used, and thus making it clear that all of Facebook’s pages work fine without it.

What do you think?

If Adobe decides to call Facebook’s bluff, and kill off Flash, how long should Flash give the world before “setting the killbit,” as Stamos puts it, and pulling the pin on Facebook and everyone else?