Chinese railway station knocked offline when Flash stops being supported

Originally published at: https://boingboing.net/2021/01/24/chinese-railway-station-knocked-offline-when-flash-stops-being-supported.html

…

How did they NOT know flash was getting killed off? This news has been all over Facebook, YouTube and Twi… oh, I see

Man, I thought China was churning out programs and software engineers at an fevered pace. It sounds like the government could stand to employ some of them.

It’s been a bit of a pain in the ass for many people, who were expecting the plugin only stop on browsers. I had several applications (who I used to play flash games offline) stop suddenly, with no recourse except stop using the app, patch the plugin or revert to a previous version.

Why would Adobe do this? If people want to run unsupported software that’s their business.

Was it just the displays for train schedules or the entire station was down?

The problem isn’t with the developers they have now. These systems were likely designed and implemented back when today’s developers were being born.

I suspect the railroad lacks a full, true, and current inventory of their software assets, including all dependencies. (That’s very common in organizations that aren’t technology companies, and that have existed since before the invention of the tech they now depend on.) The systems probably don’t even have an owner who manages this old tech anymore; I’d bet they contract support from some company that is paid to answer the phone and type in instructions from old manuals.

There’s some… conflicting versions of this story. One is that the entire railway system was shut down and passengers stranded, the other is that no trains were affected at all (this is the official version). Apparently Flash was being used for maps and schedules, which wouldn’t necessarily impact train function (except that it sounds like it was part of all the control systems, in which case it could have), but also for “current ordering of train cars” which seems like it would have caused everything to be shut down. So… /shrugs… it sounds like the entire train line did come to a standstill.

God I hope it wasn’t the signalling system.

The official version in China is very rarely the actual or full truth.

I’m sure there were a lot of disappointed people.

This 100%. People playing flash games know they were playing flash games because it’s in the name. Organizations that bought or contracted some app have no idea how the UI was implemented. Even then non-technical business types don’t get.

A couple years ago the suits where I was working saw an opportunity to make some quick money by resurrecting a retired service that used Silverlight as the front end. The developers of this ancient code were long gone. I explained in non-technical terms why this was going to be an expensive mistake. Even if we spent the time to replace the front end, the entire distributed mess was written using UDP in ways it should never be used so we would also need to replace the messaging infrastructure. But with dollar signs for eyes they just nodded and green lit the project.

I made a big enough stink that they assigned the work of getting the mess running to some other people (thank dog). After 6 months of two developers trying to fix what should have been burned to the ground the project was dropped. No money was made, much money was was wasted and the project they were pulled from had to go with 2 less developers for all those months.

tldr: Don’t expect the people in suits to understand the software they own or to make good decisions when money is involved.

Note: Not lecturing you at @jaded, Just venting into the void.

It’s a lot less dramatic than that. If you’ve got a legit commercial use for flash you can buy a still maintained version of flash. You could obviously do that even if you’re doing free stuff but it might not be worth the money. If you’ve got to stick with Adobe’s flash runtime you just edit a config file and whitelist the hosts you need. At least in a browser context that’s how it works, I’m sure standalone stuff has similar config file knobs.

This seems like one of the cases where the official line is hilariously divorced from reality.

Well, almost that bad, if a particular version of the story is true. Supposedly it was running enough critical systems that it wasn’t safe to run trains, at least at normal capacity.

There are old developers, who used to be young developers.

Yeah, you can use the flash projector, which should still work and it’s free to download: but the whitelisting is spotty and I’ve seen many people simply patching (you need to flip a couple bits inside the relevant dll) the plugin to disable the date check is the only 100% good way.

But still is something a bit… mean? just to disable all functionality of flash, online and offline. I mean, I’m used to companies doing that for profit, but I don’t see profit in disabling flash. Just stop updating and wash your hands if we keep using it.

grampasimpsonyellsatgooglecloud.gif /s

To be fair, it was good enough for Strong Bad.

Meh. If the whitelist isn’t behaving as expected, crank up the debug logging. It took me maybe half an hour to find the relevant info (including tidbits about where IE is different) and another fifteen to debug the pair of flash web apps I still use periodically. Patching a DLL? Good thing I’m not on Windows.

Disabling the Adobe runtime by default was done with a huge amount of warning. My guess is that Adobe is predicting further easily exploitable security vulnerabilities and wanted to avoid even a whiff of liabiilty. Beyond that a Flash runtime is being maintained by a third party and deprecating the Adobe runtime is a good way to force those who actually depend on Flash to use a supported runtime. Besides, doesn’t the Internet Archive have a freely available Flash runtime now too?

This topic was automatically closed after 5 days. New replies are no longer allowed.