
Lingering Questions On the Extent of the Adobe Hack

Soulskill posted more than 2 years ago | from the known-unknowns-and-unknown-unknowns dept.

Security 97

chicksdaddy writes "In the wake of Adobe's warning on Thursday about a high profile compromise on its network, security experts say the incident raises troubling questions about the extent of the breach at a company that makes software running on hundreds of millions of computers. Writing on Thursday, Brad Arkin, Adobe's Senior Director of Product Security And Privacy, reassured customers that the company's source code wasn't stolen, nor did the hackers have access to code for any of Adobe's core products like Adobe Reader or Flash. However, those with expertise in breaking into networks and cleaning up after hacks said the nature of the attack – which Adobe has described as having the characteristics of an 'APT' – or advanced persistent threat – make it difficult to know what attackers did or did not have access to and whether or not the threat has been removed. 'If you put yourself in the hacker's position you realize how much they must have known about Adobe internals to perform the hack they performed,' said Dave Aitel of Immunity Inc. 'If they had that kind of access it's very hard to say that they were limited in their access and are completely removed from the network.'"


Wouldn't it be just if ... (5, Funny)

John Bokma (834313) | more than 2 years ago | (#41502733)

They got in by having an employee of Adobe open a PDF or watch Flash...

Re:Wouldn't it be just if ... (1)

noh8rz10 (2716597) | more than 2 years ago | (#41503053)

I don't understand what could have been the purpose of this hack. Was it to gain access to the PDFs that people watch? I guess if you can get code into the reader, then it could mail you any PDF that is opened. But what would be the benefits of this? Most PDFs you can download from the internet anyway.

Re:Wouldn't it be just if ... (3, Insightful)

EdIII (1114411) | more than 2 years ago | (#41503357)

most pdfs you can download from the internet anyway.

Except all the ones used by businesses like insurance companies, financial companies, banks, etc. So many of them actually require Acrobat to open and run. More than a couple of the websites used for employees and 3rd party companies use embedded PDF to exchange documents relating to customers.

Adobe is not making any money on the majority of PDFs freely available for download. It's the corporations actually purchasing Acrobat and its related products that are creating revenue. You won't see any of that stuff on a public site.

Re:Wouldn't it be just if ... (1)

hairyfeet (841228) | more than 2 years ago | (#41507113)

Yeah I learned that the hard way when I started supporting SMBs, there really isn't anything out there that works with PDF like Acrobat. You name the reader I've tried it and with home users Foxit or Sumatra is my go to for opening PDF files but the PDFs that businesses send to each other have so damned many layers and features you just can't seem to open them with anything else reliably.

And don't even get me started on Flash, while I think it's an insecure format and we'd be all better off if we pushed Adobe to open the format so a player with security in mind could be designed for it frankly HTML V5 is a piss poor half ass format pushed by Jobs to give himself and his company more control and doesn't have shit to sell it on the technical merits. It's buggy as hell, slow as fuck, sucks CPU cycles like a drunk at a minibar sucks Jack Daniels, and it doesn't even cover half the use cases of Flash like graphics and gaming. It's a shitty video delivery format pushed by suits that want more control.

The problem I've always had with Adobe is...sigh...they just don't know how to make good products to go with their formats. The Flash and Shockwave formats they got from Macromedia are good formats but Adobe just doesn't have a clue on how to write a good secure player to use those formats, and that's the same problem they have with Acrobat and PDFs. All three formats are feature rich and have a hell of a lot going for them and with another company with a better track record and grasp of security frankly I don't think the thought of replacing them would ever cross anybody's mind, but Adobe? They just suck when it comes to dealing with security as TFA shows.

This is why I truly hope Adobe opens their formats, if we got a company with a better handle on security to write a light but locked down player for these formats they'd be truly great but it's obvious that Adobe simply isn't up to the task. They need to stick to Photoshop and let somebody else do the players and editors.

Re:Wouldn't it be just if ... (1)

nahdude812 (88157) | about 2 years ago | (#41514699)

if we pushed Adobe to open the format

This is a fairly common criticism of Flash, and it's also an invalid one. Flash is an open format, you can download the specification here on Adobe's website [adobe.com]. There are even open source players available, see Gnash, Swfdec, and Lightspark. Unfortunately none of them are feature complete, and most are lacking some major features.

What Flash is not is an open standard. Meaning only Adobe gets to advance the standard, and I don't believe the licensing allows for there to be a fork of their standard. They'll tell you how to interoperate, but only they get to guide the technology and decide what to include.

Re:Wouldn't it be just if ... (1)

Anonymous Coward | more than 2 years ago | (#41503369)

So they can sign their own installers that look like official Adobe upgrades.

I'm getting concerned.... (4, Interesting)

dgatwood (11270) | more than 2 years ago | (#41502735)

I've been trying to order the Lightroom 4 upgrade all weekend, and their servers keep failing to accept the order at the very last step, either after accepting credit card information or after PayPal has processed the payment, depending on which payment method I choose. These may be isolated incidents, but the timing of these server failures is disconcerting, at the very least.

Re:I'm getting concerned.... (4, Funny)

machine321 (458769) | more than 2 years ago | (#41503233)

their servers keep failing to accept the order at the very last step, either after accepting credit card information or after PayPal has processed the payment

They're not Adobe's servers any more... someone else 0wns them.

Re:I'm getting concerned.... (3, Funny)

cerberusss (660701) | more than 2 years ago | (#41505011)

Knowing Adobe, I would actually expect the service to get better.

Re:I'm getting concerned.... (3, Funny)

Zero__Kelvin (151819) | more than 2 years ago | (#41503321)

Why do you keep repeating the process? The hackers already got your credit card number during the first failed attempt ;-)

Re:I'm getting concerned.... (2)

dgatwood (11270) | more than 2 years ago | (#41503385)

Insanity. You know, doing the same thing over and over, but expecting different results.

Re:I'm getting concerned.... (1)

Zero__Kelvin (151819) | more than 2 years ago | (#41503417)

Unless you use Windows, in which case the definition is doing the same thing over and over and expecting the same results. ;-)

Re:I'm getting concerned.... (1)

Cruciform (42896) | more than 2 years ago | (#41506371)

I have a subscription to Creative Cloud. This is kind of scary.
On the up side maybe really awesome art will start appearing on my computer.

Re:I'm getting concerned.... (0)

Anonymous Coward | more than 2 years ago | (#41506853)

Creative Cloud = "a fool and his money are soon parted"

Re:I'm getting concerned.... (2)

Cruciform (42896) | more than 2 years ago | (#41507311)

Let's see... 50 dollars a month which I can afford. Or several thousand dollars all at once which I can not afford.
There is no better legitimate deal for a hobbyist learning all the tools. And I don't download warez.

Why the fuck (2, Insightful)

Anonymous Coward | more than 2 years ago | (#41502771)

would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?

Easiest way not to get compromised (from the outside at least) - don't connect *everything* to the fucking Internet.

Re:Why the fuck (3, Insightful)

muon-catalyzed (2483394) | more than 2 years ago | (#41502839)

Source code? I want them to immediately and clearly state whether my credit card info is safe. If they can't tell then we must assume all CC data have been compromised.

Re:Why the fuck (0)

Anonymous Coward | more than 2 years ago | (#41505053)

That would assume someone actually paid for Photoshop once.

What's next, you're going to say someone registered WinZip?

LOL good one!

Re:Why the fuck (0)

leppi (207894) | more than 2 years ago | (#41502909)

So people can code without sitting in their cubicle prison? Also, if you act like it's still 1980, people will work around it (d/l the source to their laptop), or you will get employees that suck and hate their jobs (government contractors).

Re:Why the fuck (1)

Anonymous Coward | more than 2 years ago | (#41503177)

Your sense of entitlement is astonishing. You think because I want you to sit in the office and code, instead of "work from home" or fuck around on the internet, it's "still 1980" and/or you'll hate your job.

Guess what. That attitude rules you out as an employee, I don't give a flying fuck how good a programmer you are. You represent everything that's wrong with the modern work ethic.

Re:Why the fuck (0)

Anonymous Coward | more than 2 years ago | (#41503279)

lol

Re:Why the fuck (1)

leppi (207894) | more than 2 years ago | (#41503691)

Sense of entitlement... haha. Employees wanting to enjoy their jobs is entitlement now. Good job AC. Maybe the 1980s would have been a better time for you to be a "boss".

Re:Why the fuck (1)

leppi (207894) | more than 2 years ago | (#41503843)

OK, that wasn't really helpful... I'd delete it if I could. My point is: If we can't trust each other as an employee and employer (especially in the world of software development, where you have really smart, creative people in the job), I will find a way to screw you and you will find a way to screw me. That sucks. I'd rather work for a company that trusts and respects its developers and puts in reasonable (relative term I know) limits to protect against mistakes.

Making it so I'm working at a dumb terminal to code is not a reasonable limit.

Re:Why the fuck (1)

Bill Dog (726542) | more than 2 years ago | (#41504841)

Employees wanting to enjoy their jobs is entitlement now.

Not just now, but always. The purpose for going to work is not to have an enjoyable time, it's to trade labor for money. Some jobs, like porta-potty cleaning, don't even really allow for enjoying the work.

With that said, however, some people take lesser paying jobs that are more enjoyable. If it's understood as part of the compensation package that's one thing. But otherwise, when it occurs (for those lucky enough for whom it can), it really is just an added bonus.

So unless you think you're somehow better than others, then you're not owed enjoyment at your job. (And if you think you're a better human being than those who do the more menial jobs, then the problem goes far beyond just a sense of entitlement.)

Re:Why the fuck (0)

Anonymous Coward | more than 2 years ago | (#41505193)

You are equivocating a task-that-sucks with a work-environment-that-sucks. With the right attitude you can get through cleaning porta-potties without taxing your psyche - that part isn't even really very difficult. Working for someone who would post this is a completely different thing:

Your sense of entitlement is astonishing. You think because I want you to sit in the office and code, instead of "work from home" or fuck around on the internet, it's "still 1980" and/or you'll hate your job.

Guess what. That attitude rules you out as an employee, I don't give a flying fuck how good a programmer you are. You represent everything that's wrong with the modern work ethic.

That attitude rules him out as a person a qualified professional is going to want to work for.

Re:Why the fuck (0)

Anonymous Coward | more than 2 years ago | (#41505503)

No wonder no one wants to hire an American anymore.

Re:Why the fuck (4, Insightful)

EdIII (1114411) | more than 2 years ago | (#41503467)

Not having Internet access to every site you want is not cubicle prison. Sometimes security is quite necessary, because as you can see, shit like this happens.

While you sit there and complain about cubicle prisons are you also thinking about the risks to the customers? How would they be impacted if your company lost their private data? Security is about cooperation. You're not there to surf the Internet. You're there to work.

How many horror stories and tanked companies do you need to hear about before it sinks in that security, especially when dealing with business data, is paramount?

You would not be downloading source to your laptop at my company. In fact, your laptop could not even connect to the corporate network at all. Fuck that BYOD hippie utopia shit. USB is even disabled to prevent data leakage. Not just from you either. You know that the majority of the day you are not actually sitting in front of those computers right?

All this may make me sound like a tyrant, but I am a huge proponent of breaks. I provide guest wireless everywhere in the company, and as long as it is a personal device, you can go nuts doing whatever you want.

I still think people have become far too addicted to online communications to the point where it is unhealthy. You don't need to be running a full check on the Internet every 5 minutes to see if somebody twittered something new and interesting. Hey, as long as you are meeting your deadlines and getting stuff done, it's not my business where and when you take your breaks.

Anon does have a point about a sense of entitlement. It really does seem like all the new workers coming into companies these days believe that if they can't have full control over the system and access anything in the world they want, when they want it, that it is all of the sudden "fascism" and "cubicle prisons". When you try to calmly explain why security is important to protect business data, invariably, they roll their eyes and exclaim that you are too uptight and paranoid.

One of the side effects of all of the loss of privacy. None of those sadly naive little children will understand when the company goes out of business after being sued by customers. Ironically, I am sure they will ask why IT was not doing its job to protect them....

Bless your little hearts...

Re:Why the fuck (1)

leppi (207894) | more than 2 years ago | (#41503759)

Cubicle prison is hyperbole.

Sorry, I just don't buy into the "the only way to guarantee software developers don't screw up is to lock down every single thing they do". I've worked there. Bosses that monitor every URL visited by their employees, Companies that don't trust their developers to work, and instead make them fill out time cards for every 15 minutes spent on a task throughout the day (not for billing purposes), Internet firewalls that only let through a whitelist of sites, Full Disk Encryption on Desktop PCs so that build times go up by 4x but we can check the box with some IT blowhard, IT departments that control every single piece of software that goes on your computer, Threats of firing unless you comply with some silly IT regulation (really, you threaten to FIRE HIGHLY PAID EMPLOYEES as a matter of general procedure??). Man, the list goes on and sounds whiny, I guess. But it sucks, it's an awful atmosphere to work in.

If I'm going to write software for you for a living, there is a better way. It's called trust. There are plenty of companies that trust their employees. Sometimes thieves steal things. No IT policy prevents it 100%, But draconian IT policies do prevent talented people from working at their companies. Some safeguards are good, not all.

The OP (AC) said "would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?". I would not work at that company. If I can't get to the internet while I work (and access the source code), I won't work for you. Call that entitled, call it childish, but I call it normal business in 2012. Software developers have options, and I bet if you have that culture at your company, they don't want to work for you and do it *only* because they are stuck there, or aren't good enough/motivated enough to find something better. (I'm speaking to the general you, not you specifically EDIII).

Re:Why the fuck (0)

Anonymous Coward | more than 2 years ago | (#41504459)

Wow, your disk encryption software totally sucks.

I use full disk encryption (it's company policy but I'd been using it for years before that happened) and it barely makes a dent. We also use it on the database servers so that if you waltz up to the DC with a truck and a shotgun and literally steal our servers you don't get the data. Meanwhile we'd restore from (yes, encrypted) backup onto our disaster site and be up and running in an hour or so.

Trust is valuable, but disk encryption is one of the things you can do that makes up for human error. So far in the years I've worked this way two employees have left encrypted laptops on trains and one had his company PC stolen in a burglary. None of those machines had customer data on (that's prohibited by policy), but they did have credentials, company confidential documents, and so on. All safe thanks to disk encryption.

Re:Why the fuck (2, Insightful)

EdIII (1114411) | more than 2 years ago | (#41504703)

Sorry, I just don't buy into the "the only way to guarantee software developers don't screw up is to lock down every single thing they do". I've worked there. Bosses that monitor every URL visited by their employees, Companies that don't trust their developers to work, and instead make them fill out time cards for every 15 minutes spent on a task throughout the day (not for billing purposes), Internet firewalls that only let through a whitelist of sites, Full Disk Encryption on Desktop PCs so that build times go up by 4x but we can check the box with some IT blowhard, IT departments that control every single piece of software that goes on your computer, Threats of firing unless you comply with some silly IT regulation (really, you threaten to FIRE HIGHLY PAID EMPLOYEES as a matter of general procedure??). Man, the list goes on and sounds whiny, I guess. But it sucks, it's an awful atmosphere to work in.

It's not about you screwing up. I paid you to develop software, not be a security expert. Machines are locked down to an extent, but some developers may not have some restrictions.

White list and Internet firewalls? Absolutely. Not going to change anytime soon. You don't need Facebook to do your job, or Twitter, or CNN, or Slashdot, etc. StackOverFlow? Sure. Any reasonable site, that is trustworthy enough, can get on the white list if it is beneficial to the job.

Threats of firing? Only if you are persistent in violating or circumventing the security policies. I don't care what software you install, as long as it is relevant to the job. Actual termination would only occur in extreme circumstances. In the few times that it has happened, quite frankly, there were laundry lists of other actions and character flaws. IT related stuff was minor.

If I'm going to write software for you for a living, there is a better way. It's called trust.

I work for a company that trusts its employees. However, you're not all security experts, nor do you have an expert grasp on what is and is not a threat. The security policies exist not because I don't trust you, but that I need to protect the company.

Do remember that people can use your credentials to access data and systems too. While I trust you, that does not mean I can give you root access to everything. You don't need to be insulted just because your access is limited. That's like being mad at your operating system because it wants you to run as a user most of the time instead of God Mode.

Sometimes thieves steal things. No IT policy prevents it 100%

Of course not. However, good security policies can greatly mitigate the damage and in quite a number of cases catch people before they can harm the company fatally. For instance, if you are logging all access to customer files, and heavily restrict direct access to any systems that have customer data, you can see that Bob in customer service attempted to access 6000 customer files when the average customer service agent only accesses maybe 50 per day. Stuff like that.

Some security can prevent you from doing your job. Lack of unfettered access to the Internet is not one of them. Restricting developers to exactly what programs they can install and run is pretty stupid though. Depending on what you are developing, you might even need root access to do it.

The OP (AC) said "would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?". I would not work at that company. If I can't get to the internet while I work (and access the source code), I won't work for you. Call that entitled, call it childish, but I call it normal business in 2012

It's not normal business for anyone that is serious about staying in business. Quite frankly, it is entitled.

Question. If I refuse to give you access to the Internet on your computer to check Facebook, Twitter, etc. but provided separate access for your smart phones, tablets, and other personal devices would you still feel so restricted? Is it really that big of a deal that you can not be monitoring portions of the Internet on the exact device you are developing code with?

Software developers have options, and I bet if you have that culture at your company, they don't want to work for you and do it *only* because they are stuck there, or aren't good enough/motivated enough to find something better.

The culture of a company is not solely dictated by security policies themselves, but how those security policies may be implemented.

If I walked around like a dick restricting wall paper changes, refreshing machines back to images each night, total lock down of Internet, no personal devices, etc. I would probably agree with you.

If you instead have a friendly atmosphere and encourage personal devices, give paths of least resistance, and make it clear that everyone is cooperating to protect the customer and the company... it's not all that bad. I swear.
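The access-volume check EdIII describes above (Bob touching 6000 customer files in a day when an agent averages about 50), written out as an added example that is not code from the thread. The log line format, the user names, the constructed log data and the "10x the median" threshold are all assumptions.

```python
"""Flag users whose daily customer-file access count is far above the norm.

Added example for the detection described in the comment above; not code
from the thread. Assumed log format, one access per line:
    <ISO-8601 timestamp> <username> <customer-id> <action>
e.g. "2012-09-27T09:14:03Z alice cust-000417 view"
"""
import random
import statistics
from collections import defaultdict


def parse_line(line):
    """Return (day, user, customer_id) or None for a malformed line.

    Malformed lines are skipped rather than crashing the job: a log
    collector hiccup should not silence the whole check.
    """
    parts = line.split()
    if len(parts) != 4 or "T" not in parts[0]:
        return None
    day = parts[0].split("T", 1)[0]
    return day, parts[1], parts[2]


def distinct_files_per_user_day(lines):
    """Map (user, day) -> number of distinct customer files touched."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, user, cust = parsed
        seen[(user, day)].add(cust)
    return {key: len(files) for key, files in seen.items()}


def flag_outliers(counts, factor=10.0, min_population=5):
    """Return sorted [(user, day, count)] whose count exceeds factor * median.

    The median (not the mean) is the baseline so one bulk reader cannot
    drag the baseline up and hide behind it. With too few user-days there
    is no meaningful "normal", so nothing is flagged.
    """
    if len(counts) < min_population:
        return []
    baseline = statistics.median(counts.values())
    threshold = max(factor * baseline, 1)
    return sorted(
        (user, day, n) for (user, day), n in counts.items() if n > threshold
    )


def constructed_log(seed=7):
    """Constructed sample data, not a real log: 8 agents over 5 days with
    40-60 files each per day, plus 'bob' pulling 6000 distinct files on
    2012-09-27 and one garbage line to exercise the malformed-line path."""
    rng = random.Random(seed)
    days = [f"2012-09-{d:02d}" for d in range(24, 29)]
    agents = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    lines = []
    for day in days:
        for user in agents:
            for _ in range(rng.randint(40, 60)):
                cust = f"cust-{rng.randint(0, 99999):06d}"
                hour = rng.randint(8, 17)
                lines.append(f"{day}T{hour:02d}:00:00Z {user} {cust} view")
    for i in range(6000):
        lines.append(f"2012-09-27T02:{i % 60:02d}:00Z bob cust-{i:06d} view")
    lines.append("garbage line that does not parse")
    return lines


def find_bulk_readers(lines=None):
    """End-to-end: parse the log, count distinct files per user-day, flag."""
    if lines is None:
        lines = constructed_log()
    return flag_outliers(distinct_files_per_user_day(lines))


if __name__ == "__main__":
    for user, day, n in find_bulk_readers():
        print(f"ALERT {user} touched {n} customer files on {day}")
```

On a real log the same check is only as good as the logging behind it: it assumes every read of a customer record lands in the log, which is why the comment pairs it with restricting direct access to the systems holding that data.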

Re:Why the fuck (0)

Anonymous Coward | more than 2 years ago | (#41505211)

It seems to me that Leppi (is that how you spell the name?) is adopting a very radical stance, considering only the two extremes. Either you lock down your users and put a ball and chain on them, or you open up everything and let everyone do whatever the fuck they want to. And he clearly advocates for the latter scenario. In my book, both of those positions are bound to fail miserably. The correct approach (and the one most companies with sensible security policies try to implement) is a balancing act between security and functionality. Exactly where does the optimal middle ground lie? There is no easy answer to that one, and it varies from company to company based on many factors. Believe it or not, there are many companies out there whose security policies are dictated by intelligent, perceptive people who actually understand how their companies do business. And although they may be under constant attack from their company's paranoid fascist PHB's on the one hand and from their bleeding-heart hippie employees on the other hand, if they do their job right and justify their decisions adequately, they can do a good job and keep the company both safe and productive.

Re:Why the fuck (0)

Anonymous Coward | more than 2 years ago | (#41508759)

Do me a favor and shut the fuck up.

You are not NOW nor EVER HAVE BEEN a manager.

Re:Why the fuck (2)

EdIII (1114411) | more than 2 years ago | (#41509123)

You're right.

I'm a CTO, not a manager. Won't say which company since I value my privacy and keep a strong separation between my Internet identities and real life.

In any case, my arguments should be weighed on their merit. Not whether or not I may actually hold a position.

Do you have any positions or just profanity?

Re:Why the fuck (0)

Anonymous Coward | more than 2 years ago | (#41509063)

The problem is that companies (IT security specialists) assume that you can keep the bad guys out. That is why the levels of controls on corporate desktops. The problem is that this usually cripples the machine to just above the point of uselessness.

The safe assumption is that you will have sophisticated attackers inside your network and to plan for that. FWIW this was one of the initial assumptions of Project Athena which gave birth to a number of technologies either in use or adapted for today's network. They were dealing with security on a University campus...

not really secure, yet not free enough (1)

r00t (33219) | about 2 years ago | (#41509533)

You really need to get those development machines disconnected from the internet. A firewall is not enough. OTOH, less-restricted internet access is very useful for a developer. The solution is separate computers on separate networks.

Yes, it is an expense, but only the development machine needs to be nice hardware. For example you could use a Pentium II with 512 MB RAM for the internet, but use the latest Core i7 with 16 GB RAM on the development network. (adjust both as required for the budget) The internet equipment might get 100 megabit ethernet or worse, while the development equipment gets gigabit ethernet or better.

On the internet side, make a policy of frequently (randomly) doing clean OS installs. This keeps people from leaving company-proprietary stuff on them. Don't allow network services there except printers and external email. (No shares!) Don't allow email that could be sent on the internal network.

you are security FAIL (1)

r00t (33219) | more than 2 years ago | (#41509209)

If I can't get to the internet while I work (and access the source code), I won't work for you. Call that entitled, call it childish, but I call it normal business in 2012.

For security, this is FAIL. You should have two computers at your desk.

One is purely for the internet. The only services are network fundamentals (DHCP, DNS, etc.), printers, and external email. Email between employees should be blocked to reduce temptation.

The other is purely internal. It gets continuously monitored to detect an accidental or illicit connection to the internet. If an internet connection happens, an alarm goes off and/or power to the internet router is cut. You run all sorts of servers on this network: email, irc, wiki, slashcode, voip, etc. For this network, NO WIRELESS.

If you need to move data, burn a DVD. Normally, data should only move from the internet to the secure network.

Re:Why the fuck (0)

Anonymous Coward | more than 2 years ago | (#41505213)

None of those sadly naive little children will understand when the company goes out of business after being sued by customers.

You almost managed to make a good case for some of the security measures you mentioned. Then you went and ruined the whole post with a gem like this, throwing everything you wrote previously+in future and you yourself into a completely different light. Especially this statement:

All this may make me sound like a tyrant, but I am a huge proponent of breaks.

Re:Why the fuck (1)

VIPERsssss (907375) | about 2 years ago | (#41513925)

Fuck that BYOD hippie utopia shit.

If I had any mod points, I'd give you all 5 just for that sentence right there.

* unless you use Windows (2)

Zero__Kelvin (151819) | more than 2 years ago | (#41503383)

"would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?"

There are several reasons, but they all boil down to because it is 2012, and people want to actually be able to get work done. For example, much of the information you need to get the job done is on the internet, and manually typing commands that you find with google searches by reading them from one computer connected to the internet into another that is not is just slow and stupid. How do you propose the guys in New Zealand share their code base with the developers in California and vice versa? Snail mail? It is entirely possible to have a computer safely connected to the internet*.

Re:* unless you use Windows (1)

HiThere (15173) | more than 2 years ago | (#41507595)

"Because it's 2012" is not a valid reason. Sorry.

OTOH, it is quite reasonable that machines should have libraries of the code to link, and the source code that the developer is working on. But you NEED air-breaks in your network for security. Where you put them is optional. If you have all the code on a machine, then that machine can't be connected to the internet, sorry. But if you only need one specific chunk, and the rest can be a library, then there's much less problem. So only the code that's being worked on needs to be exposed to a virus attack, or crack of the system.

Even GPL projects need to ensure that the master copies aren't writable by anyone not trusted, and that those people leave an audit trail. Pretending otherwise is silly. When it's commercial software the difference is that the source code is commercially valuable (as opposed to just valuable). And just try to guess how carefully that audit trail needs to be guarded.

So for a FOSS project, you don't expose the master copy of the source to the internet. For a commercial project you don't expose the source to the internet. Pieces of the source are a different matter.

Careful analysis of the problem shows that proper handling of this part of the security needn't be onerous. Improper handling is either dangerous, or overly restrictive. (However, commercial endeavors often have other reasons for limiting access to the internet. Sometimes they confuse these with the problem of securing the source code. This is improper. If they want to ensure that employees don't waste time on irrelevant activities, they shouldn't blur the problem of access to the source code to justify it. Doesn't mean they shouldn't limit the access, but confusing the reasons will lead to problems in the future. Often the quite near future.)

And NOBODY is immune to penetration attacks. Some systems are more resistant than others, but that's a very different statement. And pretending otherwise is either foolish or ... malicious isn't quite the word I want, but I can't think of a closer one.

Riddle me this ... (1)

Zero__Kelvin (151819) | more than 2 years ago | (#41508025)

If you must have air gaps between the internet and data that must be secured, how do hundreds of thousands of companies process online credit card purchases again? Do you think there are a bunch of drones reading the input and manually typing it into another machine, and if so, how do they guarantee those people don't steal the numbers? You need to learn about Defense in Depth [wikipedia.org]. You also need to learn that if your security measures are an unreasonable hassle, people will circumvent it and nullify it.

"If you have all the code on a machine, then that machine can't be connected to the internet, sorry."

You need to tell that to the rest of the world, who have been doing it that way for decades.

"So for a FOSS project, you don't expose the master copy of the source to the internet."

Really [kernel.org]? Again, you don't know how best practices work.

"When it's commercial software the difference is that the source code is commercially valuable (as opposed to just valuable). And just try to guess how carefully that audit trail needs to be guarded."

If only there was a way [git-scm.com] to do it right! You are missing the whole point, which is that if you make it impossible for people to get and build the code they are working on without jumping through a million hoops, they will simply work around it by grabbing a local copy on their poorly secured machines, including laptops. This is security 101, actually.

Also, there is no commercial viability to stolen proprietary code. Anyone who tries to package it and sell it as their own will be caught. It is also more costly to try to reuse a code base when nobody has any experience with it than it is to simply do it yourself. Only a complete moron would try to steal proprietary and try to leverage it commercially. The only place where an air gap makes sense is between the code signing infrastructure and the rest of the world. An air gap between your code base and your developers is the absolute last thing you want.

Re:Riddle me this ... (1)

HiThere (15173) | about 2 years ago | (#41514793)

I think you are misunderstanding how the kernel development works. Yes, there is, indeed, a public copy. But there are also several complete private copies at all times. Off-line. They may be in DVDs, or hard disks, but they aren't accessible to the internet.

So a couple of years ago when Debian got their archives on-line penetrated, they were able to restore from known good copies. There was a bit of work required to re-mirror everything, and to bring things back up to date...the off-line copies weren't totally up to date. This is to be expected. But there was a good journal of updates, and when they knew how the break-in happened (a developer got hacked, and his password was used) they could replay the journal avoiding the changes that came from his account. Even if they hadn't been able to, their off-line backup was current to within a week.

Re:Riddle me this ... (1)

Zero__Kelvin (151819) | about 2 years ago | (#41514945)

"I think you are misunderstanding how the kernel development works. "

I have been doing kernel development for years. No shit there are backups, but that isn't how it works either. You clearly have no concept of how git works. Nevertheless, the master copy where anyone and everyone can go to get everything from the kernel source and git source to pcitools and more is on the Internet. Of course, you are trying to change the subject, but then again if I were you, I'd try to change the subject too.

Why don't you just admit that you were spouting nonsense based on a limited understanding of computer security, learn something, and move on with your life a better man for it?

Re:Riddle me this ... (1)

HiThere (15173) | about 2 years ago | (#41521109)

I know I have a limited understanding, and I do understand that git allows everyone to have a complete copy of the software. This, however, isn't the same as a master copy (though it does facilitate reconstruction of the master copy if necessary from several independent copies). But I don't believe that the master copy is accessible on the web. A complete copy, that is the "working master", yes. But that's not the same thing.

I don't believe that I'm "spouting nonsense". The approach of having the accessible copy being the actual master, as opposed to the working master, is much too dangerous. One can always have a developer whose machine is penetrated. It's true that if the accession logs are trustworthy, you can always recover from that, but that's a pretty big if. It's much safer and simpler to just have periodic backups of the full system, which are the actual masters.

I'm not, however, actually certain exactly where we differ. Perhaps you are calling the thing that I am calling the "working master" the master, and have a different name for the things I am calling "actual master". I don't think you're denying that they exist.

As you said, I am not fully conversant with git. For this reason I have avoided saying things like "trunk", "head", etc., and used the terminology that makes sense to me. I still, however, can't conceive that you are denying the process to be that which I am asserting.

Re:Riddle me this ... (1)

Zero__Kelvin (151819) | about 2 years ago | (#41523691)

"I know I have a limited understanding, and I do understand that git allows everyone to have a complete copy of the software."

This is where you should have stopped. You have no understanding of git. You need to learn the difference between distributed SCM and the old centralized approach [betterexplained.com].

Re:Why the fuck (1)

aztracker1 (702135) | more than 2 years ago | (#41503945)

what, like github?

Fire this guy (4, Insightful)

RonVNX (55322) | more than 2 years ago | (#41502793)

Their director of security "reassured" customers Adobe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.

Re:Fire this guy (5, Insightful)

Anonymous Coward | more than 2 years ago | (#41502891)

It's actually too bad. If Adobe's source code got stolen, maybe a few bugs would actually get fixed instead of them just constantly punting the problems down the road until they become zero-day security exploits.

Re:Fire this guy (-1)

Anonymous Coward | more than 2 years ago | (#41503081)

This. This this this. Mod up.

Re:Fire this guy (0)

Anonymous Coward | more than 2 years ago | (#41503345)

Right on... Would love to see their code released a-la the Steam / HL2 hack back in the day :)

Would suck at first (probably hundreds of new zero day exploits created since they can see the code and know what to target), but at the same time it would create a huge incentive for Adobe to fix all those holes as fast as possible.

Re:Fire this guy (4, Insightful)

Black Parrot (19622) | more than 2 years ago | (#41503239)

Their director of security "reassured" customers Adobe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.

It sounded like the reassurance was for shareholders, not customers.

Re:Fire this guy (0)

Anonymous Coward | more than 2 years ago | (#41503297)

The shareholders ARE the customers, the users are the product.

Re:Fire this guy (0)

Anonymous Coward | more than 2 years ago | (#41504071)

No, the shareholders are the product, and the customers get used

Re:Fire this guy (1)

sjames (1099) | more than 2 years ago | (#41504015)

I just can't tell you how happy for Adobe I am that their sacred source code wasn't stolen. Now, perhaps they'd care to talk about things the outside world has reason to care about? Things like how many downloads had a poison pill inside? We know the answer isn't zero based on previous reports and them revoking their signing cert. How about what customer info leaked?

But yes, by all means thank God their sacred source code is safe! We wouldn't want any of the mess to get on THEIR shoes, now would we?

Re:Fire this guy (1)

Anonymous Coward | more than 2 years ago | (#41507481)

Adobe's private keys floating around aren't a poison pill.

They're the master key to 99% of desktops on the internet.

Fire the Adobe CEO. (0)

Anonymous Coward | more than 2 years ago | (#41508641)

Don't just fire the director of security. Fire the Adobe CEO. Adobe is TERRIBLY managed.

Good thing... (0)

Anonymous Coward | more than 2 years ago | (#41502807)

...that I stopped using Adobe products a long time ago.

Re:Good thing... (2)

hoboroadie (1726896) | more than 2 years ago | (#41503187)

Amen.
It was actually the weirdo updates that ended it for me, but I find I still get plenty of useful data from the web without enabling any Adobe security breaches on my machine.

As General Beringer Would Say (0)

Anonymous Coward | more than 2 years ago | (#41502863)

Just unplug the goddamn thing...

If hacker cat iz in yoor netwirkz, stealin' yer codez, UNPLUG IT.

Reassured? (1)

Anonymous Coward | more than 2 years ago | (#41502897)

"Reassured customers?"

Huh?
Surely customers would rather have the source code, no?

Re:Reassured? (1)

HiThere (15173) | more than 2 years ago | (#41507609)

No. Most of Adobe's customers would see no use in having the source code. Even for most FOSS packages I use, I don't bother to even download, much less study, the source code. Usually only if I have a problem installing it. (And since it's usually a deb, that's quite rarely.)

Being able to study the source code and wanting to have it are really two different things.

Thank goodness Adobe is all about the cloud (1)

jsepeta (412566) | more than 2 years ago | (#41502981)

Now that Adobe's pushing customers to run the cloud-linked Adobe Creative Suite, this means hackers have a better likelihood of hacking Adobe's customers. Great job.

Security is NOT an issue with The Cloud. (5, Funny)

Anonymous Coward | more than 2 years ago | (#41503245)

Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.

My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.

Re:Security is NOT an issue with The Cloud. (0)

Anonymous Coward | more than 2 years ago | (#41503281)

I assume you're taking the piss?

Re:Security is NOT an issue with The Cloud. (0)

Anonymous Coward | more than 2 years ago | (#41503323)

Honestly, I can't tell if you're serious or being a troll. Nothing is more secure than web services... SERIOUSLY? MD5? You've GOT to be kidding me. Just because they use the word "encryption" doesn't make it safe. Cloud computing, like all things, is only as safe as the implementation. Adobe doesn't have the best track record of secure implementations...

On second thought "glorious marketing literature" ROFL... thanks for the laugh!!

Re:Security is NOT an issue with The Cloud. (0)

Anonymous Coward | more than 2 years ago | (#41503449)

Well obviously just "encryption" does not make it safe. That is why they add "RSS feeds" and "HTTP" to it.

Re:Security is NOT an issue with The Cloud. (0)

Anonymous Coward | more than 2 years ago | (#41504077)

I just download all of my files to a http encrypted rss feed, bypassing the hackers entirely

Re:Security is NOT an issue with The Cloud. (1)

EdIII (1114411) | more than 2 years ago | (#41503405)

The truly sad part is that you really might be a manager. Plenty of executives walk around talking like this all day long.... and get paid for it.

48 times dupe... (2)

xded (1046894) | more than 2 years ago | (#41505847)

Plenty of slashdot posters keep copy/pasting talks like this... and get +5 Funny for it.

http://www.google.com/search?q="I+don't+know+about+you+but+that+sounds+damn+secure+to+me"+site%3Aslashdot.org [google.com]

Re:Security is NOT an issue with The Cloud. (1)

cheros (223479) | more than 2 years ago | (#41505173)

I like the sarcasm and pseudo management speak, thanks :)

Re:Thank goodness Adobe is all about the cloud (1)

Anonymous Coward | more than 2 years ago | (#41503599)

You should read up on what Adobe's cloud service encompasses before making comments like this, so you know how ridiculous that sounds. Why would a different payment model (subscription instead of up front) expose customers to hacks? Because that is the only difference between the regular Adobe products and the cloud "service".

Re:Thank goodness Adobe is all about the cloud (1)

fa2k (881632) | more than 2 years ago | (#41504947)

Adobe already has an updater that can install code on all users' computers at will, so they don't need a Cloud service for that.

Normal provisioning build server OS? (0)

Anonymous Coward | more than 2 years ago | (#41503229)

What OS did this normal provisioning build server run on, Windows, Linux, Apple or what?

Re:Normal provisioning build server OS? (0)

Anonymous Coward | more than 2 years ago | (#41503415)

What OS did this normal provisioning build server run on, Windows, Linux, Apple or what?

It runs on the famous OrWhat OS

Re:Normal provisioning build server OS? (1)

HiThere (15173) | more than 2 years ago | (#41507651)

It probably doesn't matter. No OS secures the user directories if you have crackable applications installed. Like just about any web browser. And since this is Adobe, you can probably count on Flash, and probably some Flash development tools being installed.

One word Omniture (1)

Anonymous Coward | more than 2 years ago | (#41503307)

They own an analytics suite that is used by large corporations (including some banks). So I wonder if they got access to that, as the information on there has a much higher resale value than something like the Photoshop source code.

And yes they host all the data as it is a SaaS.

Adobe has a Senior Director of Product Security? (1)

Anonymous Coward | more than 2 years ago | (#41503395)

Really?

What has he been doing for the last 10 years or so?

Apparently nothing. Flash & Acrobat probably have the worst security record in history. Not sure if Java or IE ranks higher.

Re:Adobe has a Senior Director of Product Security (1)

petsounds (593538) | more than 2 years ago | (#41504735)

Oh please, Flash just has the worst PUBLISHED security record because its incredible pervasiveness made it a highly attractive attack vector. There's plenty of software out there that makes Flash look like a digital Fort Knox by comparison.

Re:Adobe has a Senior Director of Product Security (1)

cheros (223479) | more than 2 years ago | (#41505159)

There's plenty of software out there that makes Flash look like a digital Fort Knox by comparison.

Windows? /me tiptoes away..

Re:Adobe has a Senior Director of Product Security (1)

gweihir (88907) | more than 2 years ago | (#41507389)

Yea, keep telling you that. And when you pull your head out of the sand, maybe look at the facts.

What makes it a highly attractive attack vector is its pervasiveness _combined_ with the incredible ease it can be attacked with. If it were hard to attack, nobody (except maybe TLAs with no economic accountability) would attack it. Remember that writing exploit code for well secured systems can take man-years of qualified experts. Flash can be attacked on the cheap with a small budget.

Re:Adobe has a Senior Director of Product Security (1)

petsounds (593538) | more than 2 years ago | (#41507479)

I think you missed my point, which was: Flash may be historically easy to exploit, but then so is most of the software out there. However, most software is not subjected to its constant proddings.

Re:Adobe has a Senior Director of Product Security (1)

gweihir (88907) | more than 2 years ago | (#41507695)

I did not miss the point. The point is just plain wrong, however often repeated. The number of deployed systems is just one factor among many.

For one thing, the probability of a compromise does not depend on the intensity of prodding, but the attacker competence vs. the level of software security. This is not a randomized process except in some details (fuzzing). To build the actual exploit once you have fuzzed a vulnerability is not randomized at all, but solid engineering work. Now, fuzzing is easy and can be done automatically. Building the exploit code is not. The level of effort and skill needed directly depends on the security level of the target. For things like Flash, it is very, very easy, i.e. weeks of effort and many people can do it. For things like, say, the Linux kernel or Apache (not its modules), it is very, very hard, i.e. not many people can do it in the first place and it takes many months to years (a figure of 6-12 expert engineer months was floating around a few years back in security circles). The overall effort is not dominated by the fuzzing, but by the exploit creation.

This also means attacking secure systems requires a significant up-front investment. Attacking insecure systems (like Flash) can be done by hobbyists over the weekend.

Another example: web servers running Linux get a higher level of hacking attempts (more competent) than those running Windows. Why? Better network connectivity, better reliability, less risk some script-kiddy takes it away from you after you hacked it. Of course that never makes it into the press, but is well known in sysadmin circles. Still they get compromised less. Why? Better security architecture, default configurations and administrators. This does not seem to hold for the xBSDs though, likely because they are even harder to attack and there are really not a lot of those around. So in the end, number of deployed systems is one factor, but value of the target and difficulty level in building the exploit are of the same importance.

So stop defending bad software that everybody and their grandmother can hack by the "number of deployed systems" argument. It is just bogus.

Re:Adobe has a Senior Director of Product Security (1)

petsounds (593538) | more than 2 years ago | (#41507973)

From your reply it is obvious that you think I am defending Flash on its security record. I am not. Nor am I talking about your beloved Linux; most software is not as well-hardened as it is. What I'm saying is not that Adobe/Flash is good at security, but that most software is equally as bad. Card Maker 1-2-3, SuperCloud!, Fashionable DB, Hipster Web Stack 3.0, Robot Bunny Attack, and their ilk are just as full of holes. So, the statement "Flash has the worst security record of any software" is misleading at best simply because all the other shit software out there doesn't get equally attacked and doesn't attract attention from the press.

Re:Adobe has a Senior Director of Product Security (1)

gweihir (88907) | more than 2 years ago | (#41509073)

If you are saying that insecure software gets attacked more when it is more widespread, then I can agree to that.

And no, I do not "love" Linux at all. It sucks. It just sucks less than everything else.

Re:Adobe has a Senior Director of Product Security (0)

Anonymous Coward | more than 2 years ago | (#41507497)

Oh please, Flash just has the worst PUBLISHED security record because its incredible pervasiveness made it a highly attractive attack vector. There's plenty of software out there that makes Flash look like a digital Fort Knox by comparison.

Windows is a very large, very complex bit of software. Flash is TINY, around 10 megabytes.

It's entirely feasible with good software practices to write a very secure program of that size.

Adobe just doesn't give a shit.

There are other nasty implications for this (4, Interesting)

DarkOx (621550) | more than 2 years ago | (#41505189)

What I am about to describe is certainly a well known hole, but when it happens to a big popular vendor it makes the problem a whole lot more significant.

We now have all these systems out there that make us safe :-P by only running signed code. We have all these policy mechanisms like Microsoft's AppLocker that encourage admins to start whitelisting applications not by secure hash but by X.509 properties on a certificate. It's less work; after all, I want users to be able to run Acrobat and Flash, and I don't want to have to update my GPOs every five hours when Adobe releases a patch.

Guess what most of these devices don't do? Revocation checks, or at least it's default permit when they can't do a revocation check. Leaks and other PKI fails like this are a very real threat to environments we otherwise think of as hardened.

Re:There are other nasty implications for this (1)

gweihir (88907) | more than 2 years ago | (#41507369)

Very, very true. When I studied PKI more than 20 years ago, revocation was already known as possibly the most difficult problem. And yet it is absolutely critical, as expiry does not cut it. But it is even worse: While many, many devices do not handle revocation at all, those that do often do not work correctly as well. For example, I have seen a PKI system where revocation fails because they managed to clutter up their certificate space badly enough that the revocation lists are too long for the devices to load. These are systems from a "market leader" that anybody here would immediately recognize.

What this boils down to is: Security is hard. Get the best experts available and _listen_ to them. Then get another set of qualified external experts and have them _review_ what the first set did. Depending on criticality, repeat the last step with several different sets. Only if all agree the solution is secure, depend on it, but not before. And all risks accepted need to be clearly documented, and may make you liable if found to be negligent.
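The two posts above (the whitelisting-by-certificate point and the reply on revocation) describe a gap that is easy to see with a throwaway PKI. The script below is an added example, not code from Adobe, Microsoft AppLocker, or either poster: it builds a constructed CA, issues a "publisher" code-signing certificate, revokes it, and then compares a chain-only verifier with one that consults the CRL, including the default-permit behaviour when no CRL can be fetched. It assumes an `openssl` binary (1.1.1 or later) on PATH; every name and path in it is made up.

```shell
#!/bin/sh
# Added example (not Adobe's, AppLocker's or the posters' code). Assumes the
# openssl CLI is installed; all names below are constructed for the demo.
set -eu

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
CA="$LAB/ca"
mkdir -p "$CA/newcerts"
: > "$CA/index.txt"           # empty issued-certificate database
echo 1000 > "$CA/serial"
echo 1000 > "$CA/crlnumber"

# Minimal config shared by `openssl req` (self-signed root) and `openssl ca`.
cat > "$LAB/demo.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no
[ req_dn ]
CN = Constructed Demo Root CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = leaf_ext
[ demo_policy ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = codeSigning
EOF

# Root CA key and certificate, then a publisher CSR issued through the CA.
build_pki() {
    openssl req -x509 -config "$LAB/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$CA/ca.key" -out "$CA/ca.crt" -days 365 2>/dev/null
    openssl req -new -config "$LAB/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Publisher" \
        -keyout "$LAB/publisher.key" -out "$LAB/publisher.csr" 2>/dev/null
    openssl ca -batch -config "$LAB/demo.cnf" -in "$LAB/publisher.csr" \
        -out "$LAB/publisher.crt" 2>/dev/null
}

# Mark the publisher certificate revoked and publish a CRL saying so.
revoke_publisher() {
    openssl ca -config "$LAB/demo.cnf" -revoke "$LAB/publisher.crt" 2>/dev/null
    openssl ca -config "$LAB/demo.cnf" -gencrl -out "$LAB/ca.crl" 2>/dev/null
}

# Verifier A: chain validation only, no revocation check at all.
chain_only_verify() {
    openssl verify -CAfile "$CA/ca.crt" "$1" >/dev/null 2>&1
}

# Verifier B: chain plus CRL. $1 = cert, $2 = CRL path (may be absent),
# $3 = policy when no CRL is available: "permit" (default-permit, as the
# thread describes) or "deny" (fail closed).
crl_verify() {
    if [ ! -s "$2" ]; then
        if [ "$3" = permit ]; then return 0; else return 1; fi
    fi
    cat "$CA/ca.crt" "$2" > "$LAB/trust.pem"
    openssl verify -crl_check -CAfile "$LAB/trust.pem" "$1" >/dev/null 2>&1
}

build_pki
echo "before revocation:"
chain_only_verify "$LAB/publisher.crt" && echo "  chain-only verifier: accepted"
revoke_publisher
echo "after revocation:"
chain_only_verify "$LAB/publisher.crt" && echo "  chain-only verifier: still accepted"
crl_verify "$LAB/publisher.crt" "$LAB/ca.crl" deny || echo "  CRL verifier: rejected"
crl_verify "$LAB/publisher.crt" "$LAB/missing.crl" permit && echo "  no CRL, default-permit: accepted anyway"
crl_verify "$LAB/publisher.crt" "$LAB/missing.crl" deny || echo "  no CRL, fail-closed: rejected"
```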

Adobe have always been jerks. (1)

Mister Liberty (769145) | more than 2 years ago | (#41506823)

Gleefully I don't wish them well.

Re:Adobe have always been jerks. (1)

gweihir (88907) | more than 2 years ago | (#41507327)

Time to regulate them into the ground. Terrorism is peanuts in comparison to the damage these idiots are doing.

You Must Have Acrobat (1)

ks*nut (985334) | more than 2 years ago | (#41506839)

And how long has Adobe been pushing Acrobat down people's throats with that damned "must have Acrobat to read PDFs" BS?

Re:You Must Have Acrobat (1)

gweihir (88907) | more than 2 years ago | (#41507339)

Fortunately, xpdf works just as well and starts way faster. And there are alternatives on Windows.

The issue is not the extent of the breach (3, Informative)

gweihir (88907) | more than 2 years ago | (#41507323)

The issue is that it was possible in this way in the first place. Only absolute incompetents place signing certificates of this importance on systems connected to the network. Adobe either does not care about security at all, or worse, does not understand even the basics. Now, _that_ is a cause for worry.

If you even have basic understanding, the code signing certificate goes onto an isolated system (e.g. laptop, stored in a safe) which is never connected to the network and does one thing: Signing. If you are a bit more careful, the signing system never sees the distribution packages, but just the hashes, which are typed in and exported on media the system never reads, only writes. All this is _easy_ to do. A Linux or OpenBSD box with openssl and some scripting is enough. System updates are not necessary. A competent security expert could set this up in a day as a demo and in a week with documentation and risk analysis. The signing process would require maybe 10 minutes of manual work per signature. All not a problem and cheap to do, as long as you have that one competent security expert and follow his/her security advice.

So my guess is that Adobe actually has zero competent security experts. And that after public reports of CAs being compromised and SecureID being hacked. This actually seems to indicate that Adobe does not even have half-competent security experts or does not listen to them at all. Now, _that_ is grounds for very real worries.

The only way I see to fix this is personal criminal liability for the ones responsible for such cases of gross negligence by making it a regulatory requirement, i.e. send the incompetent bean-counters to jail for failing to hire security experts or failing to let them do their job. The only way to get out of that should be that they can prove a) sound security architecture, design and implementation and b) independent review by competent experts and implementation of the expert recommendations. Of course, mistakes can happen. For those, the company should still be fined heavily, but no personal criminal liability, unless they pile up. Without something this strong, cretins with an MBA but no understanding of the subject or the world will always break security by trying to do it too cheap or not at all (or plain wrong). There need to be real and very unpleasant personal consequences for not using effective IT security measures.

Their MBA Friends At $Corporation (0)

Anonymous Coward | more than 2 years ago | (#41507531)

..still don't see a problem. They are too busy sending PDFs to Chinese "business partners", I assume. At the corpo I work, Adobe crap is forced on me, despite the fact that I removed it and want to use evince. It comes back like the Plague in a town without sanitation.

And... (0)

Anonymous Coward | more than 2 years ago | (#41507565)

if all the security problems were an issue to the "MBA elite", they would have voted with their money and Adobe would be bankrupt. What does that mean? They are already selling out all the hard-won secrets of American and European corporations by other means. Just relax and wait until the unemployed masses hoist them up the lanterns. Most of security is a fucking show for the non-illuminated.

As long as our elite are traitors to their own people, there will not be proper security. The Chicoms are real patriots and they trick our Traitor Elite into handing them our secrets one way or the other. Ours are egotist scumbags and have 0% patriotism and loyalty to their respective people left. I'll applaud when the masses will rise. I am not a commie, but neither will I protect these scumbags.

Re:The issue is not the extent of the breach (1)

HiThere (15173) | more than 2 years ago | (#41507769)

If such a law were passed, you can bet it would be the security experts going to jail, not the bosses who overruled them. If necessary, the critical reports and memos would just disappear...but the law would probably be written so that even that was only needed to avoid lawsuits. And so that if there were suits, the company, and not the manager, was responsible. At the very most the CIO might be the fall-guy...and if that were the case, the official CIO would probably be a figurehead, with the real power and decisions made elsewhere.

Doesn't mean that I think that's how it should work, but that's how it appears to work in analogous areas. (OTOH, lots of engineers, who are liable, will quit rather than sign-off on something that they know is untrustworthy. So *maybe* it would still improve things.)

A question about signing keys (1)

Douglas Goodall (992917) | about 2 years ago | (#41523035)

This year I happened to be a paid up member of the Apple Developer program for Mac OS X. After I paid, I went to their web site and downloaded my signing keys, for the installer and for the application. It seems to me that sending the keys over the internet at all is a gross security violation. Off the top of my head, I don't see a practical way of transporting these keys from Cupertino to a worldwide collection of developers. I agree that the signing keys should never be on a machine connected to the Internet. What is wrong with this picture, and how do we make this better?