Adobe Flash security issues and OpenMRS response

OpenMRS has migrated from Adobe Connect to UberConference & phone. For future meetings, please use the following information:

Audio, Chat, & Screen Sharing (latest Firefox, Chrome, or other WebRTC-compatible browser)

Audio Only (Telephone or your favorite VoIP client)

Greetings! In the past few weeks, several zero-day vulnerabilities have been announced for the Adobe® Flash® Player that can allow anyone to install harmful code on your computer, and can give others control of your system.

More information on the vulnerabilities:

Because we want our contributors and other community members to be as safe as possible, the OpenMRS.org infrastructure team are taking steps to remove dependencies on Adobe® Flash® when participating in our community projects.

As part of this effort, we will stop supporting Adobe Connect for meetings. Instead of Connect, you should use UberConference to connect to real-time OpenMRS meetings. UberConference works with the latest versions of Firefox, Google Chrome, and Chromium browsers. UberConference also includes a text chat feature as well as file-sharing and screen-sharing features. (Note: To use screen sharing, you will need to run Google Chrome and install UberConference’s proprietary Chrome extension.)

Additionally, you can also connect to UberConference meetings by phone at +1-888-510-4073 (toll-free in the US), +1-213-992-5003 (from outside the US), or by dialing one of UberConference’s international numbers then entering the meeting number “888-510-4073”.

We plan to fully retire Adobe Connect by August 2015, so please begin to test UberConference as soon as possible. If you have any problems, you can open a case at our IT Help Desk for support. Audio recording of previous meetings will continue to be available at the links mentioned in meeting notes.

Finally, for your personal computing security, we strongly encourage you to immediately disable or remove Adobe® Flash® from your computer if at all possible. The following links contain directions on how to do this:

We appreciate your understanding and assistance as we keep OpenMRS a safe and productive place for all our contributors!

OpenMRS.org Infrastructure Team

1 Like

We have been using Adobe Connect for years. Is Indiana University eliminating connect.iu.edu? We routinely record sessions in Connect. I have referred people to recordings and used them myself to catch a forum that I missed. Does uberconference support recording of screen sharing?

Is it possible to put a message on the front page of uberconference? We can paste a link to notes in the chat in uberconference, but there are two drawbacks:

  • We don’t have the link from the last call handy (revising the last call’s link makes the easiest path to edit the date, keeping links in a consistent format so they can be guessed… which is a good thing). If people have to type links from scratch, we will end up with variable formats and they will disappear into the etherpad abyss.

  • The links to notes disappears off the screen as people are chatting in the call, so people won’t see the link unless they know where to look for it.

We haven’t heard what actions IU will or won’t be taking.

UberConference currently records audio only, via the open MP3 standard and can be played with any audio player software. It does not currently do screen recording, so we continue to encourage people to publish documents and link to them from meeting notes, and share videos/screencasts as appropriate.

One workaround would be to put a short URL in the meeting title.

You have to give it to Adobe that they fixed these vulnerabilities in less than 2 days after they were made public - https://blogs.adobe.com/conversations/2015/07/resolution-for-recent-flash-player-vulnerabilities.html

1 Like

Yes, thanks for that update @sunbiz. Adobe have patched the most recent vulnerabilities announced. If you still need Flash installed and have not yet removed it, it is critical to upgrade all your Flash installations immediately. (Users may have it installed multiple times and in different ways, based on the browser(s) they have installed.) However, users should expect for further vulnerabilties to be discovered and announced, but not until they have already been exploited in the “wild”.

For those who are not able to completely remove Flash for some reason, the OpenMRS.org Infrastructure Team strongly recommends at minimum to enable your browser’s “Click to Play” feature that blocks Flash elements by default. The article at http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/ has steps for each major browser. However, as the article mentions, “you shouldn’t rely on click-to-play for security”, and continue to be extremely cautious if you must run Flash.

1 Like

We need an easy way to record webcasts. Do we have a recipe for easily recording an uberconference screen share with audio – e.g., the presenter (ro one participant) recording a YouTube On Air session while viewing the screen? Does YouTube allow videos ownership to be transferred yet (so we could move these under the OpenMRS account)? If we had an easy recipe for recording a screencast like this, we could end up with something better than Adobe Connect (i.e., a YouTube video that nearly anyone in the community could create).

People wishing to record webcasts can use tools like https://obsproject.com/ which is multi-platform and supports both live streaming to online video services and recording.

At this time, we will not be supporting video recording of real-time meetings, since we do not have sufficient demand for that at this time.

Do you mean the weekly dev calls will not be recorded anymore?

All UberConference meetings will continue to be recorded and made available upon request to the help desk.

This sucks. We should be recording screencasts by default. If we’re abandoning Adobe Connect because we really think someone is going to be hacked by using it joining a developer forum, then we should come up with an alternative approach that supports screencast recording.

1 Like

We should aim to make recordings (including video) available on the meeting wiki page. Having to make a request to the help desk to get a recording is uber-lame.

1 Like

If we get a sufficiently large demand from people asking to watch recorded meetings of etherpad note-taking, we will be happy to revisit adding this to our infrastructure offerings. For now the alternative open/standards-based means of sharing video mentioned in this thread remain available for all.

Well I tried recording today’s dev forum via Hangouts on Air. Video looks good; however, my Push To Talk prevented the audio from being captured (except when it was pushed and I was talking)… so it’s Dante’s version of a dev forum where all you can hear is me. Next time, I’ll try it with my PTT disabled.

It would be awesome if we could get a dedicated machine to do this so (1) people wouldn’t have to hear me typing & coughing and (2) it could be recorded directly to the OpenMRS YouTube® channel.

It’s the showcases, works in progress, and presentations that we’d like to capture in sync with the surrounding discussion.