Slashdot Mirror


Adobe Security Team Accidentally Posts Private PGP Key On Blog (arstechnica.com)

A member of Adobe's Product Security Incident Response Team (PSIRT) accidentally posted the PGP keys for PSIRT's email account -- both the public and the private keys. According to Ars Technica, "the keys have since been taken down, and a new public key has been posted in its stead." From the report: The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen. Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account. To be fair to Adobe, PGP security is harder than it should be. What obviously happened is that a PSIRT team member exported a text file from PSIRT's shared webmail account using Mailvelope, the Chrome and Firefox browser extension, to add to the team's blog. But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file. Then, without realizing the error, the text file was cut/pasted directly to Adobe's PSIRT blog.

11 of 60 comments

  1. Impossible! by fuzzyfuzzyfungus · Score: 4, Funny

    This article is clearly a lie. How can a mythological entity have a PGP key?

  2. Revocation by jimprdx · Score: 2

    But they can revoke it, can't they? An embarrassing screw-up, but no harm done. It's not as if the Adobe security team's credibility was particularly stellar to begin with... :)

    1. Re:Revocation by thsths · Score: 2

      Yes, but even then, people can decrypt emails previously sent to Adobe, right?

  3. Re:How the hell?!?!? by vux984 · Score: 3, Informative

    How the hell did their PGP key even end up on their webserver?!?!?

    The summary was all of 7 sentences; 3 of them were dedicated to the answer to this very question.

  4. In the Near Future ... by Archangel Michael · Score: 2

    We will stop seeing these kinds of articles, since it is a daily occurrence, and just assume someone somewhere was hacked in a major data breach.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

    1. Re:In the Near Future ... by jellomizer · Score: 2

      At some point I hope there will be major fines against companies that got hacked in a preventable way. And also hopefully more effort to track down the hackers who do the harm and give them a 1 volt shock for every megabyte they had stolen.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.

  5. There is no security so long as... by TheZeitgeist · Score: 2

    ...humanities majors keep getting IT security jobs. No such thing as foolproof if a fool does the proofing.

  6. UI failure by Anonymous Coward · Score: 4, Insightful

    As much as I hate Adobe and most of their shitware, I don't think it's fair to totally fault the poor person who did this.

    But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file.

    If a mistake of this magnitude is a single misclick away from happening - something that's really easy to do in a moment's careless mistake of the type EVERYONE has - something is broken with that UI.

    There should be warnings in red you have to override with an explicit and nontrivial action.
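
The summary describes an "all" export that wrote the private key block ahead of the public one into the text that was pasted onto the blog, and the comment above asks for a guard that makes such a paste hard to publish by accident. As an added example (not code from Adobe, Mailvelope or the original post), the following pre-publish check scans a draft for ASCII-armored OpenPGP blocks and refuses anything carrying a PGP PRIVATE KEY BLOCK, including a stray or re-cased header without a matching footer; the sample export text and its base64 bodies are constructed placeholders, not real key material.

```python
import re

# ASCII armor framing per RFC 4880 section 6.2: "-----BEGIN <type>-----" ...
# "-----END <type>-----". Case-insensitive so a re-cased header is not missed.
ARMOR_BLOCK = re.compile(
    r"^-----BEGIN (?P<begin>PGP [A-Z ]+)-----[ \t]*\r?\n"
    r"(?P<body>.*?)"
    r"^-----END (?P<end>PGP [A-Z ]+)-----[ \t]*$",
    re.MULTILINE | re.DOTALL | re.IGNORECASE,
)
PRIVATE = "PGP PRIVATE KEY BLOCK"
PUBLIC = "PGP PUBLIC KEY BLOCK"


def armored_blocks(text):
    """Return [(type, body)] for every well-framed armored block, types upper-cased."""
    blocks = []
    for m in ARMOR_BLOCK.finditer(text):
        begin = m.group("begin").strip().upper()
        end = m.group("end").strip().upper()
        if begin != end:
            raise ValueError(f"mismatched armor framing: {begin!r} / {end!r}")
        blocks.append((begin, m.group("body")))
    return blocks


def check_publishable(text):
    """Gate a draft: (True, reason) only when it carries no secret key material."""
    types = [t for t, _ in armored_blocks(text)]
    if PRIVATE in types:
        return False, "draft contains a PGP PRIVATE KEY BLOCK; re-export the public key only"
    # A private block whose footer was lost in copy/paste still shows its header.
    if re.search(r"BEGIN PGP PRIVATE KEY BLOCK", text, re.IGNORECASE):
        return False, "unterminated PGP PRIVATE KEY BLOCK header found"
    return True, f"ok: {types.count(PUBLIC)} public key block(s)"


# Constructed sample of an "all" export: private block first, then public block.
# The base64 lines are placeholder text, not key material.
EXPORT_ALL = """-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: constructed sample

bm90IGEgcmVhbCBrZXk=
=AAAA
-----END PGP PRIVATE KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: constructed sample

bm90IGEgcmVhbCBrZXk=
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
"""
EXPORT_PUBLIC = EXPORT_ALL[EXPORT_ALL.index("-----BEGIN PGP PUBLIC"):]
```

Wiring `check_publishable` into the blog's save or publish hook turns the single misclick into a rejected draft rather than a published secret key.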

  7. With or without good passphrase protection? by gweihir · Score: 2

    Because if a good passphrase is used, then this is a complete non-issue.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  8. Re:"PGP security is harder than it should be." by gweihir · Score: 3, Insightful

    Actually, it is not. Just as with the functioning of a house-key, there is a minimal understanding that is required for public-key crypto, or security will not be provided. Yes, that means many people cannot have secure encryption. That is just the way things are. Wishing things to be different does not change them.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  9. Poof by jonnythan · Score: 3, Insightful

    And just like that, all email ever encrypted with that key is subject to decryption.