Flash 10 Security Changes Good and Bad, Mostly Good (Full Screen Input, RTMFP, Clipboard, Local Save and Load)

Flash 10 security changes requiring user interaction are pretty breaking but they are for good reason.  Still though, the user could be inundated with prompts much like UAC on Vista. But, it is necessary otherwise security holes can be troublesome with the flash player and the “sandbox” of the web.  Much like Java signing, Active-X acceptance, and thus local file access, these actions need some user approval, it is that liability thing.

But what is a bit lost in this is some of the new support specifically for game development and app development.

Support for things like RTMFP which is bringing UDP support to flash.  UDP and reliable UDP (ordered) is really needed when it comes to larger scale networking applications and support for p2p apps.  Games for instance, that are large like MMOs and highly interactive real-time engines, need UDP to be able to scale.  So this is pretty useful, yet it currently looks like it is tied to Flash Media Server.  It appears Adobe is staying ahead of SmartFox, Red5 and OpenFMS with stuff like this.

Another great move in the way of security updates for Flash 10 for games is the allowing input from keyboard keys while in full screen mode. All these games and apps look pretty sweet in full screen until you try to use them.  There is only support for “Tab, the Spacebar, and the (up, down, left, right) arrow keys” but that is a start.  Enough keys for a casual game.  But still most keys could safely be used it must be a multi-platform support thing.

Limited full-screen keyboard input

Currently Flash Player does not allow keyboard input when displaying content in full-screen mode. Flash Player 10 beta will change this, allowing for a limited number of keys to be usable in full-screen mode. These include Tab, the Spacebar, and the (up, down, left, right) arrow keys.

Flash 10 is getting local save and load, this is great for any type of online editor, game or application. The ability to work on a file immediately without the server round trip initially is great.  I hope this is extended much further to local save and load with very high limits, there has been some confusion on the file size limitations here. Ideally this would be extended much further if the product direction is right. Typically making apps or games with more than 5-25MB of content quickly become non-economical in bandwidth such as gaming assets due to browser cache size limitations (defaults IE=50MB, Safari 5-25MB, FF3=50MB), I wish there was a better way to allow local saving for long periods of time.  Almost installing apps via flash with extended cache, talk about killer app feature. Downloading 10 MB of gaming assets that you know will be there for the month rather than the day.

Paste events can read the clipboard.  Using the clipboard is another great useful tool in applications and online editors.

Data can be read from the Clipboard inside a paste event handler

In Flash Player 9, the system Clipboard could not be read at any time. With Flash Player 10 beta, the new ActionScript 3.0 method Clipboard.generalClipboard.getData() may be used to read the contents of the system Clipboard, but only when it is called from within an event handler processing a flash.events.Event.PASTE event.

So yes, the security user interaction changes do break current features but it also takes this platform a bit more into secure applications and game features from security changes, hopefully these features are extended much further but they are on the right track.

as3Query – Actionscript Port of jQuery

This is older, from january, somehow I missed it but… nitoyon has created an AS3 port of jQuery. jQuery is my favorite javascript tool besides javascript itself. Mootools, prototype, and others like mochikit are all great but jQuery was the first to do lambda chain decorating and others followed suit.

But having this power in as3 is a great thing! $ selectors, common access methods to properties, methods, etc. All good stuff. Again this shows the fun in as3 or ES4 based languages like Actionscript because people are porting all sorts of libraries to it. If this performs I may just start using it daily TODAY!

For instance setting the stage align for use in full screen:

$(stage).attr({scaleMode: "noScale", align: "TL"});

That is too fun… The only thing not cool about this is all the spam at nitoyon‘s blog : )

How about a functional Tweener call:

function animate(f:Boolean):void {
				// Select 'RoundRect' elements using CSS selector
				$("RoundRect:" + (f ? "odd" : "even"))
					.addTween({
						rotation: 90,
						scaleX: 0.5,
						scaleY: 0.5,
						time: 0.6,
						delay: 0.3,
						transition: "easeOutCubic"
					})
					.addTween({
						scaleX: 1,
						scaleY: 1,
						time: 0.5,
						delay: 0.9,
						transition: "easeOutElastic",
						onComplete: function():void {
							// restore the rotation and call again.
							this.rotation = 0;
							animate(!f);
						}
					});
			}
			animate(false);

Stuff to see and try

AS3 Nascar Game By mr. doob – AS3 Flash Library Mashup

I have been one upped by mr. doob! I did a little nascar like RC pro am like prototype in march ’07 when the pv3d kit showed up on my screen and I was hooked like most suceptible flashers who have longed for 3d in flash! Only my version is like Nintendo64 and his is like xbox360 with updated effects and physics kits and some doob magic. All these are based off of, of course the original race car driver in Papervision and its creator Carlos Ulloa (Adobe should be paying this man).

To the feature! This is a sweet game by mr. doob, called burn and brag for Nascar.

Now I don’t’ particularly like Nascar all that much but who doesn’t like to peel out to some fiddlin’? I mainly do Nascar stuff because it is highly marketable and like the only answer most ad agencies have for getting the southern us markets it seems, that and c-o-u-n-t-r-y mu-si-c (must be said at a slower rate).

But I digress, this is a perfect mix of advertisment, game play, fun and experience. It is fast, simple, and playable. Exactly the simplicity and smoothness needed of gameplay and playback.  Great ad work but it also gives something fun to do and best of all it is built in AS3 flash with a plethora of libraries from the flash as3 community.

The game platform is emerging fantastically in the AS3 market. mrdoob used these kits to build this:

It would be cool to see a post on how he did the replays with tweener – I imagine just a series of points collected with car state (current position state) and then just play them back with a call back or time delay. You’d have to capture alot for smooth playback without laggy movements.  I am working on multiplayer games with this same issue for a current project.

Game on! The question is when will this be SOTD or SOTM at thefwa.com?

AS3 Water Effects in Papervision 3D, Away3D and Sandy3D

I was messing with water effects and Perlin Noise (sandy3d) and some other stuff and collected some water effects and simulations that are fluid like for research, a snapshot of the state of fluid and water effects in 3d in flash.

Ralph Hauwert, of course one of the original pv3d team members, posted some great samples on water effects on 3d objects in Papervision 3D. Of course the papervision list spawned this discussion from another great post on water simulation in papervision and away3d by Exey Panteleev .

Also, some other water like effects from Fabrice Closier and the notorious mrdoob.

Ralph’s Water Effect Demos:

Hey look, the water ball is smiling at you.

Exey Panteleev’s Water Simulation:

Some other Water Like Fluid Effects:

Water is hard in flash. Fluid dynamics will probably have to be cheated but it is still looking pretty good. The amount of processor usage depends on how real you want it to look.

If you are looking to make some agua, with x, the y AND the z in Flash or Flex, these are a good place to start.

AS3, Convert Python Code to Flex AS3 with flex-pypy

I have officially been sucked into the Python vortex. I recently have really been digging IronPython, Jython and good old plain Python but have not ventured here yet. Google (They employ Guido), Microsoft (IronPython) and Sun (Jython) are all becoming infected pythonistas as well. But this is just too cool, Python to AS3 code with flex-pypy. This project is very young but could be fun, source at Google Code.

Haxe has a similar premise where it can compile to Flash6-9 versions of actionscript 2-3 which makes for a system with better reach. Python code for this is lots of fun and very flexible. Python is becoming a baseplane language and one great language for transcending platform lock-in.

Check out this snippet pulled from here (click to see sample game)

#/usr/bin/env python
“””
This simple example has very little to do with the pygame
chimp example, except that it will act the same (more or less)
and it uses the same resources, only they got converted to
mp3s, pngs.
“””

#Import Modules
from pypy.translator.flex.modules.flex import *

class MyRect:
def __init__(self,x,y,w,h):
self.x, self.y,self.w,self.h = x,y,w,h

SCREEN_W = 468
SCREEN_H = 60

class Game:
def __init__(self):pass

def init(self,screen):
self.screen = screen
screen.layout = ‘absolute’
screen.setActualSize(SCREEN_W, SCREEN_H)

screen.addEventListener(‘mouseMove’,mousemotion)
screen.addEventListener(‘enterFrame’,do_loop)
screen.addEventListener(‘click’,chimp_whip)

self.bg = load_sprite(“py_background_png”);
self.screen.addChild(self.bg)

self.chimp = load_sprite(“py_chimp_png”);
self.screen.addChild(self.chimp)

self.orig_y = self.chimp.y

img2 = self.fist = load_sprite(“py_fist_png”)
self.screen.addChild(img2)
img2.move(400,img2.height/2)
self.move = 1
self.spin = 0
self.hit = 0
self.hit_move = 1

self.sfx = {}
self.sfx[‘whip’] = load_sound_resource(“py_punch_mp3”)
self.sfx[‘nohit’] = load_sound_resource(“py_whiff_mp3”)

def loop(self):
img = self.chimp
if self.spin:
self.spin -= 1
img.rotation = self.spin*24
else:
img.x += self.move * 8
if img.x > SCREEN_W-img.width:
self.move = -1
if img.x < 0: self.move = 1 if self.hit: self.hit -= 1 self.fist.y += 6 * self.hit_move if self.hit SCREEN_W - img_halfw: newx = SCREEN_W - img.width if newx img.x and e.stageX < img.x+img.width: game.sfx['whip'].play() game.spin = 20 else: game.sfx['nohit'].play() def flash_main( x=1 ): game.init(castToWindow(x))[/sourcecode]

AS3 Flash FPS 3D Temple made with Away3d

Wow. This new away3d demo of a temple and FPS movement in Flash9 AS3 rivals that of the paradox engine in pv3d.

Both are extremely smooth movement and great looking textures, both of these efforts are amazing for Flash is at this level. I would say Paul Spitzer’s paradox papervision3d based engine is still a little more responsive and the textures have such good baked lighting that is is very smooth (he posted recently on some internals and usages of media in the engine). But from these two engines and iterations you can see that the FPS engine in Flash is not too far off.

Although there used to be crashes with away3d it has really improved and this is very smooth. My processor was actually quite chillin’ with all the software rendering carpet bombing from software rendered 3d in flash. But it really is starting to get much better with optimizations to flash this year and papervision, away3d and sandy getting more mature and further iterated to greatness.

The away3d sample if you walk through the rooms also has an interactive button, opening doors, room transitions (and if these are dynamic) a decent room engine with pretty sweet load times since the whole thing is under 300k.

AS3 Cryptography and Hashing Libraries for Encryption and Security (crypto)

AS3 libraries for crypto are pretty robust from the new RAW POWER in the AVM2 virtual machine that runs flash9/as3, cryptography, like compression, is very processor intensive and needs a fair amount of power to be worth the time (usually a balancing mechanism). I am working on a few security apps in AIR and Flash9 for a project and a product so this is the best of what I have found to share. I will be sure to post here when these projects are complete.

There are two that are pretty good as3 kits that have decent support for crypto and hashing, actually as3crypto is quite broad in their support or most common crypto algorithms, even hashing support up to SHA-256 and ciphers 3DES, AES, RC4.

This is not really a comparison just some kits that have tools you might need. as3crypto is definitely the way to go for more heavy ecryption with common ciphers, but if you are just hashing some text as3corelib might work for your project. as3corelib is a more broad toolkit that is made or sponsored by Adobe that has JSON, RSS, support and other tools. It is a great core lib, but not as deep in the encryption area. I am actually using both in the stuff I am working on, as3corelib for some other uses (JSON,RSS) and as3crypto for all encryption and hashing.

The two are:

  • as3crypto
    • Robust, broad encryption and security support
    • Open source
    • Demo
    • Browse source
    • Broad support of algorithms
        • TLS 1.0 support, exposed through TLSSocket and TLSEngine classes
        • X.509 Certificate support, including parsing, and validation
        • built-in list of common root Certificate Authorities
        • symmetric ciphers: AES, Blowfish, DES, 3DES, XTEA, RC4
        • confidentiality modes: CTR, CBC, CFB, CFB-8, OFB, ECB
        • public key crypto: RSA (encryption, decryption, signing, verifying and key generation)
        • padding: PKCS#1 (type 1 and 2), PKCS#5
        • BigInteger library
        • hashing function: SHA-256, SHA-224, SHA-1, MD5, MD2
        • HMAC support
        • prng: TLSPRF and stream-cypher-based PRNG.
        • minimal ASN-1/DER support for PEM key parsing and X-509 cert parsing
        • Crypto – Shortcut class to access many classes above.
        • Hex, Base64 – Static methods to convert binary data to and from text formats

As3 Crypto is a cryptography library written in Actionscript 3 that provides several common algorithms, as well as TLS 1.0 support. The library is offered under the BSD license, and include several derivative works from Java, C and javascript sources.

Here’s some numbers from as3Crypto home page that show the speed, note it has not been optimized just yet (since most of this is client side and only one user would be using it this is not an issue – server side is where this can have scale problems from parallel execution but flash is rarely server side if it is too slow, but it is quite fast)

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2                  1.01k        3.64k       15.08k       53.89k      171.76k
md5                221.85k      447.32k      739.54k      893.72k      905.82k
sha1                82.28k      184.78k      286.76k      336.03k      345.41k
sha224              60.84k      125.67k      200.27k      234.28k      247.58k
sha256              60.52k      126.30k      199.19k      234.04k      246.01k
hmac-md5            48.37k      159.37k      282.87k      295.15k      341.21k
hmac-sha1           18.29k       64.82k      165.72k      277.60k      342.52k
hmac-sha224          5.75k       24.84k      125.71k      204.35k      256.36k
hmac-sha256         15.10k       49.33k      123.71k      206.17k      249.08k
rc4                117.24k      381.34k      878.93k     1315.01k     1539.44k
xtea-cbc             2.49k        6.48k       12.80k       33.00k       44.48k
aes128-cbc           1.61k        4.01k       22.97k       78.55k      205.01k
aes192-cbc           1.34k        5.13k       20.91k       69.45k      172.43k
aes256-cbc           1.48k        5.63k       18.87k       63.45k      150.39k
blowfish-cbc         2.77k       10.81k       42.28k      140.27k      343.05k
des-cbc              2.53k        9.73k       35.20k      124.84k      624.88k
3des-cbc             2.50k        9.72k       35.61k      115.21k      253.42k

The library has not been optimized for speed, and those numbers could probably be improved.

They both have minimal or none ASN.1 support which I will need but I can port much of this from my favorite Java/C# crypto kit from the legion of the bouncy castle of which I was happy to find was a substantial base for this kit.

Whatever you do don’t send any type of message from your crypto kits with aes 256 cipher and sha-256 hashing to Iran from the US. 🙂