
Killing off Flash and the impact that would have

Started by July 15, 2015 01:12 AM
97 comments, last by Sik_the_hedgehog 9 years, 3 months ago

I'm denying the idea that "open-source is more secure" because... what... fairies?

First of all, for the sake of clarity, I'm not saying that open-source software is necessarily more secure, just that it seems to me more likely--even if only a little bit--to be more secure.

As to the reason, the general idea is "potentially more eyes on the code".


The only way you make something more secure is to actually be motivated to make it more secure.

I won't argue against that, but I'd like to add that the number of motivated people may have an effect: the more (motivated) people that look at a piece of code, the more likely an issue is to be found.


For open source, this generally means interest in the product to be made secure, potentially motivated by monetary incentives provided by individuals or companies with a vested interest.

For closed source, this generally means interest in the product to be made secure by the actual developer (depending on work conditions), and threat of lost revenue or actual lost revenue.

I would argue that for open-source, this generally means interest in the product to be made secure by the actual developer, and any interested external parties.

In some cases there would be no such external parties, in which case it all comes down to a question of motivation on the part of the development team, just as in the case of closed-source software. In cases in which there are such external parties, however, the same applies, but the efforts (due to motivation) of these parties may add to those of the development team, which isn't feasible with closed-source software.

As to motivation, Wikipedia notes that:

There is substantial evidence that monetary rewards are not effective outside the context of very rote work.[5] In some cases, monetary incentive plans may decrease employee morale, as in Microsoft's stack-ranking system, where the total reward amount is fixed and employees are graded on an artificially fitted distribution[6]

On another topic, I'd like to retract something that I said previously:


I don't know about the RAM or CPU usage--I haven't looked into either--but my own experience with the HTML5 version of the YouTube player was enough to convince me to install a Firefox extension that enabled me to switch back to the Flash version. I'm not sure of whether I had performance issues--I think that I may have--but the main issue for me was that for some reason the player lacked some of the resolution options offered by the Flash version, including the resolution that I find works best for me (480p), being of acceptable quality for most videos while streaming via my connection without buffering.



In all fairness, I'm using a fairly old machine, and running Ubuntu.

As it happens, I've just discovered that the problem appears to lie with the Linux version of Firefox. While the Windows and Mac versions (I gather) run the HTML5 player happily, the Linux version has several relevant components disabled by default. I could enable them, I gather, but I'm hesitant to enable elements that are--presumably--considered unready, and in any case I do most of my YouTube-watching on my 'phone these days.

In any case, I stand corrected on this point!

MWAHAHAHAHAHAHA!!!

My Twitter Account: @EbornIan

Also, why bother with a security hole at all when you could just force them to insert a proper downloader of your malicious code which only triggers when a special cryptographically signed piece of data is seen?

Because the people who are the most interesting don't run Windows Update. They're either wearing tinfoil, or their copy of Windows is pirated.

Even if they don't run Windows Update, why not go with the cryptographically secure path of the security hole? Flash especially has been so bad and full of holes that it has been successfully exploited by cyber criminals for years. Not only is that giving software you would want people to use a bad name, it also actively endangers other pieces of your own government because of the ease with which these holes can be exploited.

Besides, if I think about how Microsoft secretly placed a malware downloader (KB3035583) among its recommended updates not long ago, it looks like they're trying that anyway. Makes you wonder what's the intention behind the decision of their announcement of giving everybody in possession of some version of Windows (including people who have pirated it) a valid Windows 10 license, too.

Why would you give your best, most recent software version to someone who demonstrably steals your stuff and who is never going to pay you? Obviously because you want them to have that particular software for some reason. Marketing could be a reason (but you already know they're never going to pay you!), or trying to counter the adoption of free software (pretty silly if you have to give your stuff away for free, too), trimming down botnets could be another (unlikely), but replacing their systems with something that has some particular property or functionality might be another valid motive.

I'm not keeping up with all of these affairs but as far as I know Microsoft is not just giving Windows 10 away. Everything I have read so far said they only give a valid Windows 10 license to holders of valid Windows 7 and 8 licenses. Not even everyone there, the holders of bulk licenses seem to be explicitly left out (for example from companies or universities). Pirates are out completely. So basically everyone who gets a free license already paid you in the past.
I'm not generally prone to speculating about some company's business practices but from what I could guess they are trying to establish Windows as a convenient platform with a nice, revenue-producing app store and high availability similar to the Mac app store or the ones on the mobile phones.
Obviously different Windows versions are not working out well for them, even with artificial constraints like not having current DirectX versions on the most widely distributed operating system. They cannot even really get rid of the completely unmaintained Windows XP.

That said, if I were planning to be truly subversive against some Western government, my first plan of action would be to ditch Windows completely. But I would have done so long ago, not just for Windows 10. Probably something from the BSD-family would work well, although since I'm not actively subversive against any Western government I have not currently invested much research into the matter.

While the Windows and Mac versions (I gather) run the HTML5 player happily, the Linux version has several relevant components disabled by default. I could enable them, I gather, but I'm hesitant to enable elements that are--presumably--considered unready

Are you sure they are considered unready?

Last time I looked, I could have sworn they were disabled because they had license-incompatibilities with Debian's open-source policies.

Tristam MacDonald. Ex-BigTech Software Engineer. Future farmer. [https://trist.am]

Businesses do not intentionally implement exploits. If they did, they would lose customers extremely quickly. Just look at how many customers several large businesses have lost on the mere implication that they might expose user data to the NSA in the future under US law. Not because they actually have, but because they might, simply by being in the US or hosting data in the US.

Never attribute to malice that which can be adequately explained by stupidity (or naiveté)

Google, Microsoft and Facebook still have plenty of customers despite revelations that they actually are completely complicit with five eyes spying... So ironically, us customers are also pretty naive/lazy.
E.g. I'm aware of this, but too lazy to change


Ha - valid point. Course, there's something to be said for when the only other options you have are also based in the US... (or based in countries with a worse track record)

The tyranny of convenience. I could use something else... but I haven't been hacked yet and I don't know the downsides/issues/holes in the other guy's system.

< Thesis on the declining relevance of Flash in the face of mobile >


I don't have any disagreement with this in an overall sense, but I do think there are at least some important niches where Flash games are still more successful than mobile games. The easiest example I can think of is horror games, because it's a genre I'm especially comfortable with, and I definitely hear of a lot more flash horror games than horror games targeting mobile devices specifically. I wouldn't be surprised if the primary (or sole) cause is just that horror doesn't work as well in the situations where people want to play phone games.


Yeah, I'd agree with that.

Another thing I've noticed (and this is definitely a biased sample as well because of my particular interests) is that I see a lot more video reviews / let's plays of Flash games than mobile games. I'm sure the fact that they might be slightly easier to record probably affects this as well.


This is true, but Let's Plays and Twitch don't seem to affect/drive mobile gaming much. It's an almost fundamentally different kind of activity—interstitial distractions, rather than dedicated pastimes—so the media/commentary activity around them is also overwhelmingly more snack-sized. I'm not a huge gamer, but I've noticed that early on when I did download mobile games, I was looking for console-like experiences… which I ended up never playing. (Seriously, I own a bunch of titles that I've never even fired up, or put less than 30 minutes lifetime into: Infinity Blade I, II and III; #Sworcery: Superbrothers EP; Real Racing 3; Sky Gamblers: Air Supremacy. In contrast, I've sunk hours into 2048, Threes, Tiny Wings, Sudoku Pro 2, Bonza, FRAMED, The Incident, Fist of Fury, Flight Control (and Flight Control: Rocket), Monument Valley. You get the idea.)

The games that I find myself actually playing, and having conversations about with people, are almost fundamentally different from the games I thought I wanted when I first started gaming on mobile. Their mechanics are different, native to or optimized for touchscreen, pick-up-and-go play, etc. But this is the nature of software development: technological advance affords new capabilities and creates new opportunity, while legacy experiences gradually fade in appeal. 20 years ago it was the introduction of cheap polygonal 3D that led to vastly different gameplay experiences than the ones I grew up with as a boy; 2D side scrollers live on, of course, but they are either deliberately wrapped in retro-tinged nostalgia (pixel graphics that emphasize their low resolution*, e.g. Fez, Super Meat Boy), or they try to present the perspective as a design choice that is selectively broken away from (Counter Spy, Shadow Complex). We call that progress.

(*I backed The Bitmap Brothers on Kickstarter, and in a recent update a point that one of the artists made about bitmapped graphics design of the time was that the objective then was to hide the low pixel and color resolution, whereas today's "pixel graphics" movement is all about emphasizing it. See: retro, kitsch)

All in all I still don't think browser games are going to die off completely, even if Flash does. Portals for browser games are still fairly popular, and the fact audience members can very easily jump from game to game with no barrier to entry (since they'll only need to install a couple of plugins and be able to play them all) still seems like a useful way of attracting new players.


Has the Atari 2600 died off completely? Nothing ever dies completely, it just moves from being an active target for development, production and release into an object of nostalgia and kitsch.


The thing is, someone will make a flash emulator for HTML5 once it takes off. At that point flash will be useless anyway.


I swear I said this exact thing three pages ago!

Flash-to-HTML5 conversions. Not quite an emulator (at all) but moving in the right direction, IMO.

Beginner in Game Development?  Read here. And read here.

 


Flash relies on a computer OS run service/app, that serves its shockwave instructions. It has potential of any, but as well to any exploit you can think of, and will never be a secured provider. On the other hand, browsers are unable to perform possibly any exploit without a plugin, solely themselves of their standard.


Are you sure they are considered unready?

Last time I looked, I could have sworn they were disabled because they had license-incompatibilities with Debian's open-source policies.

Heh, no, I'm not sure at all! ^^;

(I did say that my conclusion there was a presumption, and I'll confess to being perhaps a little dozy today, in my defence. ^^; )

It's entirely possible that you're correct. So do I understand correctly, then, that the components are present in Firefox, but Mozilla isn't allowed to activate them by default because of issues with their licences? If so, what does that imply with regards to my manually activating them?

(I realise that this is a bit of a tangent--my apologies for that! Hopefully it will be a brief one.)

MWAHAHAHAHAHAHA!!!

My Twitter Account: @EbornIan


If so, what does that imply with regards to my manually activating them?

That you are not a GPL zealot, and won't mind if your pristine computer is infected by the stench of non-GPL code?

At least, that's my reading of it.

Tristam MacDonald. Ex-BigTech Software Engineer. Future farmer. [https://trist.am]


That you are not a GPL zealot, and won't mind if your pristine computer is infected by the stench of non-GPL code?

Heh, I'm pretty sure that I already have plenty of non-GPL elements installed. (I would imagine that the Flash player is one of them.)

But fair enough, and thanks! (I was primarily uncertain of whether I might be running afoul of some legal requirement or another, I believe.)

I'll likely double-check your interpretation in the new day (as I said, I'm a bit dozy at the moment), but if your reading is accurate then I may well end up enabling those components and switching over to the HTML5 player.

MWAHAHAHAHAHAHA!!!

My Twitter Account: @EbornIan

This topic is closed to new replies.
