Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lingering Questions On the Extent of the Adobe Hack

Posted by Soulskill on from the known-unknowns-and-unknown-unknowns dept.

chicksdaddy writes "In the wake of Adobe's warning on Thursday about a high profile compromise on its network, security experts say the incident raises troubling questions about the extent of the breach at a company that makes software running on hundreds of millions of computers. Writing on Thursday, Brad Arkin, Adobe's Senior Director of Product Security And Privacy, reassured customers that the company's source code wasn't stolen, nor did the hackers have access to code for any of Adobe's core products like Adobe Reader or Flash. However, those with expertise in breaking into networks and cleaning up after hacks said the nature of the attack – which Adobe has described as having the characteristics of an 'APT' – or advanced persistent threat – make it difficult to know what attackers did or did not have access to and whether or not the threat has been removed. 'If you put yourself in the hacker's position you realize how much they must have known about Adobe internals to perform the hack they performed,' said Dave Aitel of Immunity Inc. 'If they had that kind of access it's very hard to say that they were limited in their access and are completely removed from the network.'"

8 of 97 comments (clear)

  1. Why the fuck by Anonymous Coward · · Score: 2, Insightful

    would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?

    Easiest way not to get compromised (from the outside at least) - don't connect *everything* to the fucking Internet.

    1. Re:Why the fuck by muon-catalyzed · · Score: 3, Insightful

      Source code? I want them to immediately and clearly state whether my credit card info is safe. If they can't tell then we must assume all CC data have been compromised.

    2. Re:Why the fuck by EdIII · · Score: 4, Insightful

      Not having Internet access to every site you want is not cubicle prison. Sometimes security is quite necessary, because as you can see, shit like this happens.

      While you sit there and complain about cubicle prisons are you also thinking about the risks to the customers? How would they be impacted if your company lost their private data? Security is about cooperation. You're not there to surf the Internet. You're there to work.

      How many horror stories and tanked companies do you need to hear about before it sinks in that security, especially when dealing with business data, is paramount?

      You would not be downloading source to your laptop at my company. In fact, your laptop could not even connect to the corporate network at all. Fuck that BYOD hippie utopia shit. USB is even disabled to prevent data leakage. Not just from you either. You know that the majority of the day you are not actually sitting in front of those computers right?

      All this may make me sound like a tyrant, but I am huge proponent of breaks. I provide guest wireless everywhere in the company, and as long as it a personal device, you can go nuts doing whatever you want.

      I still think people have become far too addicted to online communications to the point where it is unhealthy. You don't need to be running a full check on the Internet every 5 minutes to see if somebody twittered something new and interesting. Hey, as long as you are meeting your deadlines and getting stuff done, it's not my business where and when you take your breaks.

      Anon does have a point about a sense of entitlement. It really does seem like all the new workers coming into companies these days believe that if they can't have full control over the system and access anything in the world they want, when they want it, that it is all of the sudden "fascism" and "cubicle prisons". When you try to calmly explain why security is important to protect business data, invariably, they roll their eyes and exclaim that you are too uptight and paranoid.

      One of the side affects of all of the loss of privacy. None of those sadly naive little children will understand when the company goes out of business after being sued by customers. Ironically, I am sure they will ask why IT was not doing its job to protect them....

      Bless your little hearts...

    3. Re:Why the fuck by EdIII · · Score: 2, Insightful

      Sorry, I just don't buy into the "the only way to guarantee software developers don't screw up is to lock down every single thing they do". I've worekd there. Bosses that monitor every URL visited by their employees, Companies that don't trust their developers to work, and instead make them fill out time cards for every 15 mintues spent on a task throughout the day (not for billing purposes), Internet firewalls that only let through a whitelist of sites, Full Disk Encryption on Desktop PCs so that build times go up by 4x but we can check the box with some IT blowhard, IT departments that control every single piece of software that goes on your computer, Threats of firing unless you comply with some silly IT regulation (really, you threaten to FIRE HIGHLY PAYED EMPLOYEES as a matter of general procedure??). Man, the list goes on and sounds whiny, I guess. But it sucks, it's an awful atmosphere to work in.

      It's not about you screwing up. I paid you to develop software, not be a security expert. Machines are locked down to an extent, but some developers may not have some restrictions.

      White list and Internet firewalls? Absolutely. Not going to change anytime soon. You don't need Facebook to do your job, or Twitter, or CNN, or Slashdot, etc. StackOverFlow? Sure. Any reasonable site, that is trustworthy enough, can get on the white list if it is beneficial to the job.

      Threats of firing? Only if you are persistent in violating or circumventing the security policies. I don't care what software you install, as long as it is relevant to the job. Actual termination would only occur in extreme circumstances. In the few times that is happened, quite frankly, there were laundry lists of other actions and character flaws. IT related stuff was minor.

      If I'm going to write software for you for a living, there is a better way. It's called trust.

      I work for a company that trusts its employees. However, you're not all security experts, nor do you have an expert grasp on what is and is not a threat. The security policies exist not because I don't trust you, but that I need to protect the company.

      Do remember that people can use your credentials to access data and systems too. While I trust you, that does not mean I can give you root access to everything. You don't need to be insulted just because your access is limited. That's like being mad at your operating system because it wants you to run as a user most of the time instead of God Mode.

      Sometimes thieves steal things. No IT policy prevents it 100%

      Of course not. However, good security policies can greatly mitigate the damage and in quite a number of cases catch people before they can harm the company fatally. For instance, if you are logging all access to customer files, and heavily restrict direct access to any systems that have customer data, you can see that Bob in customer service attempted to access 6000 customer files when the average customer service agent only accesses maybe 50 per day. Stuff like that.

      Some security can prevent you from doing your job. Lack of unfettered access to the Internet is not one of them. Restricting developers to exactly what programs they can install and run is pretty stupid though. Depending on what you are developing, you might even need root access to do it.

      The OP (AC) said "would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?". I would not work at that company. If I can't get to the internet while I work (and access the source code), I won't work for you. Call that entitled, call it childish, but I call it normal business in 2012

      It's not normal business for anyone that is serious about staying in business. Quite frankly, it is entitled.

      Question. If I refuse to give you access to the Internet on your computer to check Facebook, Twitter, etc. but provided separate access for you

  2. Fire this guy by RonVNX · · Score: 4, Insightful

    Their director of security "reassured" customers Adboe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.

    1. Re:Fire this guy by Anonymous Coward · · Score: 5, Insightful

      It's actually too bad. If Adobe's source code got stolen, maybe a few bugs would actually get fixed instead of them just constantly punting the problems down the road until they become zero-day security exploits.

    2. Re:Fire this guy by Black+Parrot · · Score: 4, Insightful

      Their director of security "reassured" customers Adboe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.

      It sounded like the reassurance was for shareholders, not customers.

      --
      Sheesh, evil *and* a jerk. -- Jade
  3. Re:Wouldn't it be just if ... by EdIII · · Score: 3, Insightful

    most pdfs you can download from the internet anyway.

    Except all the ones used by businesses like insurance companies, financial companies, banks, etc. So many of them actually require Acrobat to open and run. More than a couple of the websites used for employees and 3rd party companies use embedded PDF to exchange documents relating to customers.

    Adobe is not making any money on the majority of PDFs freely available for download. It's the corporations actually purchasing Acrobat and its related products that are creating revenue. You won't see any of that stuff on a public site.