Adobe Hack - Important points
Eye-catching pieces of info from the KrebsOnSecurity link:
...Adobe confirmed that the company believes that hackers accessed a source code repository sometime in mid-August 2013,...
...Arkin said Adobe is still in the process of determining what source code for other products may have been accessed by the attackers, and conceded that Adobe Acrobat may have been among the products the bad guys touched...
...“We’re still at the brainstorming phase to come up with ways to provide higher level of assurance for the integrity of our products, and that’s going to be a key part of our response,”
...While Adobe many months ago issued security updates to plug all of the ColdFusion vulnerabilities used by the attackers, many networks apparently run outdated versions of the software, leaving them vulnerable to compromise. This indeed may have also been the vector that attackers used to infiltrate Adobe’s own networks; Arkin said the company has not yet determined whether the servers that were breached were running ColdFusion, but acknowledged that the attackers appear to have gotten their foot in the door through “some type of out-of-date” software...
This is a choice piece of narrative, coming from Adobe CSO:
...Arkin said the company has undertaken a rigorous review of the ColdFusion code shipped since the code archive was compromised, and that it is confident that the source code for ColdFusion code that shipped following the incident “maintained its integrity.”
I believe, as has been mentioned before, this is not really about credit cards so much (although that's pretty bad). It's about application security. And while that's a challenge that all software companies face, only Adobe (so far) is insisting that we subscribe with an online confirmation process to use their tools, require constant and current credit card presence to use their products and access our work, and then regularly open up our computers and our businesses to rapid updates to the applications all in the name of "staying current". And all while we "trust" that Adobe will not create even more risk than we already face because of the nature of the internet and the connected nature of things already.
How is this not an argument to ask tough questions regarding the entire CC line of thinking? Unless I'm mistaken, installing software every 1.5 years opens me up to a certain degree of risk. How does installing software upgrades every 2 months not open me up to even more risk, particularly when they control the updates, and have a huge incentive to rush the updates out the door to convince all of us it's worth it to continue to subscribe? And doesn't it seem like Adobe should have done just a little better at shoring up its security BEFORE mandating that we all jump on this risky roller coaster?
I'm sorry, but while this type of thing happens to other companies (heck, the federal government can't even stop cyber attacks), this is, at least in part, directly related to mandatory CC and the additional risks that it represents.
This is further demonstration of why users are not well-served by cloud-centric models. In fact users are utterly threatened by the cloud.
Meanwhile in other recent news, a myriad of people "enjoyed" inaccessible files on Apple's cloud.
"Oops we don't know where your files are, folks!"
Life is full of funny particles.
Adobe, to say nothing of many, many other software developers in the same boat, may not want to acknowledge a simple fact: it is almost impossible to hack installation disks that are in the user's possession.
Many developers may soon need to weigh the benefits of web-based software distribution against the security of their software itself. If the software can be sabotaged by hackers, what good is it to users?
If everyone on the planet were fine, upstanding citizens, this wouldn't be an issue. Unfortunately, developers seem to take the Pollyanna-like stance that everything will work out just fine when incidents like this demonstrate otherwise.
Former Sr. Promotion Producer
KCRG-TV (ABC) Cedar Rapids, IA