Adobe Breach Compromised Over 38 Million Users, Photoshop Source Code 145
rjmarvin writes "Adobe's investigation into the massive data breach they were hit with this past August has revealed that over 38 million active users, not to mention inactive accounts, had their user IDs and passwords pilfered by hackers. An Adobe spokesperson confirmed the number, along with the theft of Adobe Photoshop source code. The initial report earlier this month put the extent of the breach at only 3 million credit card accounts, plus stolen Adobe Acrobat, Reader and ColdFusion source code."
We can always hope (Score:5, Insightful)
The breach was made possible by a bug in Adobe Acrobat Reader I hope.
That would be Karma.
Re: (Score:2)
Re:We can always hope (Score:5, Insightful)
I think we can all agree that there's no need for an NSA-specific backdoor in that piece of crap...
Re:We can always hope (Score:5, Insightful)
In my experience, it's a safe bet that any company that cuts as many corners as Adobe does in one area probably cuts corners in almost every other area. This leads to the obvious question of whether the crackers will find any serious security holes in Photoshop and exploit them. Given how much they seem to resist fixing even the most trivial bugs in Photoshop, I'd be willing to bet that the entire codebase is an unholy cesspool, which means it is probably rife with security holes, too.
Re:We can always hope (Score:5, Insightful)
Adobe fixes bugs! They save up all the fixes then charge for them in the next release.
Re: (Score:3, Insightful)
Re: (Score:3)
Is there a version of Photoshop with both perpetual licensing and content-aware fill? I'm not throwing rocks at resynthesizer, but...
Re: (Score:3)
Re: (Score:2)
"probably cuts corners in almost every other area" uh let's make that 'always cuts corners ...'
Re: (Score:2)
Considering that their "encryption" which they had a Russian imprisoned for "cracking" was a cipher written about by Julius Caeser and has been used as code wheel toys printed on the back of cereal boxes I'd say that is a very safe bet.
Re: We can always hope (Score:2)
Re: (Score:2)
Or why PS takes minutes just to launch.
Re: (Score:1)
I don't know, a flaw in Flash or CodeFusion would also be just deserts. The real question isn't even how they got in, but what took them so long.
Re: (Score:2)
Re: (Score:3)
have you tried Foxit? I've been using it instead of adobe for years now. Lighter, faster, more stable, less annoying.
Re: (Score:2)
Yeah that is annoying, but I kept it for the performance boost.
With Photoshop "open sourced" (Score:3)
I can finally write that lens flair javascript library
-- Jim
Weekly feedback [weeklyfeedback.com] for your website.
Re: (Score:1)
Lens flair?
Re:With Photoshop "open sourced" (Score:5, Funny)
It's a very stylish lens.
Re: (Score:1)
As my high school art teacher put it, "lens flare == bad; lens flair == good"
Re: (Score:2)
It has to have flair... it works at Tchotchkes. It needs at least 15 pieces of flair!!!!
Re: (Score:2)
Re: (Score:3)
Re:With Photoshop "open sourced" (Score:5, Funny)
Is that what they implemented in the recent Star Trek movies?
Lens Flair: Using lens flares to add flair.
Re: (Score:2)
I you're allergic to Retnox 5...
Re:With Photoshop "open sourced" (Score:4, Funny)
Oops. I think you just a word there.
Re: (Score:1)
He accidentaly the whole thing.
Re: (Score:2)
For Photoshop? Why? There is already a lens flair filter included
http://www.youtube.com/watch?v=eG9fRbZLqEs [youtube.com]
The untold story (Score:5, Funny)
Re: (Score:2)
Re:The untold story (Score:5, Funny)
Given the level of bloat in Photoshop and Acrobat, I'm amazed the hackers had enough disk space and time to download it.
Re:The untold story (Score:5, Funny)
95% of the codebase is the secret bug-generator. They just made sure not to pull down that external repository.
Re:The untold story (Score:5, Funny)
Given the level of bloat in Photoshop and Acrobat, I'm amazed the hackers had enough disk space and time to download it.
The source is actually only 370 KB. The rest comes from C++ template instantiation.
Re: (Score:2, Funny)
Oh come on, they probably accelerated their download with the Adobe Download Manager.
No News Is Good News (Score:5, Funny)
Adobe hasn't notified me of anything so my data must be safe. Right?
Right?
Re:No News Is Good News (Score:5, Funny)
Adobe hasn't notified me of anything so my data must be safe. Right?
Right?
I got dozens of different notices. They had links to places where I could change my password. Lots of different places.
I could forward you a few if you want.
Cloudy skies (Score:5, Insightful)
So how's that new "Cloud all the apps" thing working out for you guys so far? Ah. I see you leaked pretty much your whole database of people who had signed up for it. Well then, carry on.
In other news, I hope your new strategy crashes into the dirt so hard the only thing that'll be memorable about Adobe in 5 years will be is the case study on it in business classes around the world on how not to do it.
Re:Cloudy skies (Score:4, Insightful)
Would suck to be them (Score:5, Insightful)
Re:Would suck to be them (Score:4, Informative)
Allow me to introduce you to a new word... Schadenfreude [wikipedia.org].
Re: (Score:1)
You know, it serves them right.
After that whole Creative Cloud disaster, it's about time they start learning it the hard way. If only someone would come up with a competing line of products... It's kind of sad that this screw-up of a company is the leading provider of creative software...
Also, I started giving all those cloud services the finger. I'm fed up with my personal information being treated like open source.
Re: (Score:1)
Yeah, how horrible it would be if the source code was leaked everywhere and people were able to see how the software they (or others) run on their computers actually works.
Re:Would suck to be them (Score:4, Interesting)
I know we're gonna get all the "ha ha, it's an evil megacorp anyway", but damn it must be stressful moments to some of the folks at Adobe. :/ Especially if the source code leaks turn out to be true.
Leaking the source will be a big embarrassment for Adobe. I mean given the quality of the applications there will probably be lots of comments on top of functions that say:
We have no idea what this function does. The guy who wrote it left and it is used for backwards capability. It is also tied into main areas of the program and can't be removed.
Re:Would suck to be them (Score:5, Funny)
Oh no! (Score:1, Funny)
Oh no! Stolen!? I hope they get their source code back soon!
Re: (Score:3)
Re:Oh no! (Score:4)
I don't. Their source code would be better off in the hands of just about anybody else, including monkeys with typewriters.
I was under the impression that it was initially created by monkeys with typewriters.
Re: (Score:1)
Why are they the dominant leaders in their particular area of expertise?
Just because you don't like closed source software does not mean it is shit code.
I have seen plenty of shit code in open source code myself.
Re: (Score:2)
There isn't a single line of Shakespeare in there anywhere!
Re: (Score:1)
Re: (Score:3)
including monkeys with typewriters.
It's unfair to marginalize the support team like that. They work hard.
Is it time... (Score:3)
I keep hearing about this breach and that breach, but what I'd love to see are some seriously ambitious groups of skilled security engineers standing up to help encourage good security practices that are widely recognized and standardized. The networked computing eco-system is so intertwined and desperate that how can any Jack or Jill admin be expected to have a fair set of skills in their toolbox to tackle such a hurdle? To expect any or ALL admins to have enough competence to just know the depth and complexity of a highly enabled enterprise is very unlikely.
For a possible first step, lets consider blocking broadcasts by default. All computers fall into 255.255.255.254 and rely on tight enforcement of shared communication as a reasonable start.
A second may be for all communications channels to be flagged with security credentials of the communications user (or machines), or anonymous for completely un'authorized' communications and rely on block by default as a sane start. Allow 'users' to reach out to unsecured locations if you like, but make sure that their connection to secured resources are a lot harder to reach (and fully audited when performed)
Anyways, this is a huge problem which is at least in part to why this happens over and over again. I could say X, and 100 experts will give me 101 answers to why its the most stupid solution in the world, so.... enjoy!
Re: (Score:2)
I'm not really sure what network and OS security has to do with application security?
Re: (Score:3)
I keep hearing about this breach and that breach, but what I'd love to see are some seriously ambitious groups of skilled security engineers standing up to help encourage good security practices that are widely recognized and standardized.
According to the people with actual decision-making power, this would be too expensive. The end.
The Code was Photoshopped,,, (Score:2)
so it wasn't real anyway.
Hmm... Source Code... (Score:3)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re:Hmm... Source Code... (Score:4, Informative)
According to their FAQ:
http://www.gimp.org/docs/userfaq.html#cmyk [gimp.org]
"It is clear from the product vision that GIMP eventually needs to support CMYK, but it is impossible to say when someone finds the free time and motivation to add it."
So they're not anti-CMYK, it just hasn't been done yet.
Re: (Score:2)
"It is clear from the product vision that GIMP eventually needs to support CMYK, but it is impossible to say when someone finds the free time and motivation to add it."
Sounds like another open source project with inappropriate funding. Sometimes it's nice to use commercial software just because of that: when the company can throw good cash at developers, they are motivated to work hard on new features.
Re:Hmm... Source Code... (Score:5, Insightful)
Sounds like another open source project with inappropriate funding.
They have much more important things to do. Like crippling the 'Save As' window so it can now only 'Save As' GIMP format, and you have to 'Export' to save a JPEG.
Re: (Score:1)
Nah, this is a great change. Export remembers your last used settings too.
Re:Hmm... Source Code... (Score:5, Interesting)
Re: (Score:2)
Correct, like 16-bit support, native RAW support, single-window GUI (that they fixed in the last version, after many years of discussion), and a name that makes sense.
It's not that the GIMP people will ever go and say "see, we told you that CMYK support is useless, who's laughing now?". Granted, almost nobody cares about CMYK support in GIMP, but the software still has a looong way to go and why shouldn't they want to have CMYK support?. I work with it almost daily as a hobbyist photographer and there are
Re: (Score:1)
The GIMP was finished after they put in the lens flare and beveled edge effects.
Re: (Score:3)
Alas, my bold ambers came out a kind of bilberry blue in the test run of the cards. It's my belief that until I've got end-to-end RAW/CMYK, all I will be able to do is tweak curves and pay for another test run (less than 5e for 36 cards, and the kinds of people I'm giving these to don't care abo
Re: (Score:2)
Re: (Score:2)
Did they ever fix the problem with layers not being unbounded? In photoshop, the size of a layer is effectively infinite. in the sense that it doesn't get clipped to the image extents. In GIMP, the layers are of a fixed size, and anything pasted into them is clipped to the image size.
Also, if I move a layer so that it's partially off the image, I now can't draw into parts of that layer.
Madenning.
Re: (Score:2)
Layers have their own size, potentially distinct from the image size. You can make the layer larger than the image boundaries.
Re: (Score:2)
I know that, it's just an unnecessary imposition of an implementation detail on my workflow. Why should I have to bother? Photoshop's layer's have never behaved like this, and neither have the layers in any image editing application I've ever used (Corel Paint, Paint.NET etc).
it's just another example of Gimp's problems, that it seems unlikely will ever be fixed. And I find it hard to imagine a scenario in which Gimp's fixed size layers would ever be anything other than annoying.
Re: (Score:3)
Yes, but now that the Photoshop source is leaked they could just copy-paste the CMYK code into their project and hit compile.
Re: (Score:1)
Re: (Score:1)
While I fully realize that it would be both wrong
Illegal perhaps, but there's nothing wrong about it.
In the "cloud", when it rains it pours (Score:2)
Linux port! (Score:2)
Why was the sourcecode even on the server? (Score:5, Insightful)
Anyone else wondering why the sourcecode was even able to be accessed? Seems like a stupid thing to have on a web server, or able to access from a web server.
That's like leaving a laptop sitting on a seat in car while you are out shopping/whatever.
Re: (Score:2)
Didn't the article say that they stole a ton off usernames and passwords?
You could try to use those username-password combinations as your dictionary and try to connect to a server that you believe provides access to the source... All it takes is one developer with source access who's sloppy with his passwords.
Re: (Score:2)
That would still leave tens of millions of usernames that do not have access. Any half-way decent security software should see failed login attempts from a certain range of IPs and blacklist it - or at least flag that server's admin and Adobe's Information Security team.Source code should also not be kept on a server in the DMZ. So either
1) Adobe was a complete idiot and had zero security
2) Adobe's VPN system got compromised and the internal network has little security (possible)
3) it was an inside job (my
Re:Why was the sourcecode even on the server? (Score:5, Funny)
You think that's bad? GIMP puts all of their source and even the bug tracker on publicly accessible web servers.
Re: (Score:2)
oftentimes admins use the same credentials across many different assets, so information gathered from penetrating their webserver can be used to gain access to other systems.
of course, this is what DMZs, ACLs, and other security measures are meant to mitigate.
Re: (Score:2)
Have we gotten a full accounting of what kind of breach it was or how it happened? They may have compromised an internal system.
Such is the beauty of the cloud to cybercrooks. (Score:3)
Re: (Score:2)
Not only that, but Adobe wants to move ALL their customers to the cloud!
Organisation-wide failure - /. hubris spot-on? (Score:3)
I know it's popular to rubbish Adobe here, but this report, if true, would seem to justify the Adobe-hate.
And I say this as someone who has happily used many of their products over the years, (although less so, lately).
Yes, we all know security is hard, but if you're a leading tech company with internal safeguards so lax that one breach can leak both user IDs and source code well, frankly, you're shit.
Re: (Score:2)
shocker (Score:2)
Why all the hate? (Score:2)
I understand this is /. but I don't understand why every "insightful" post is against Adobe. Adobe has marketed to to their users. Their market is not an opensource market. Their market is people who want something that works. Their IP is priceless and I believe their "Cloud" platform has been correctly. Up until they offered Creative Cloud I never had a licensed version of an Adobe product. I now have a licensed adobe product on my home and work computers. They are not evil by any means. My subscri
Re: (Score:1)
Your subscription can lapse and you can still work with it? I don't think you read the fine print. You can no longer buy it nor can you license it. You rent it. You stop paying, you stop playing.
Re: (Score:1)
By "lapse" I meant "failure to have funds to pay on time" And "still work with it" I meant, you don't instantly loose access to the product. You don't need to be connected to them 24/7 for access to the product. A common misconception because they call it a "Cloud".
It really isn't a "Cloud" based product. It is just a monthly licensed product. They do offer "Cloud" based storage, but you do not have to use it. It is merely a convenience for those that want it.
Yes you are "renting" but I believe in thei
Prometheus brings us fire (Score:2)
Re: (Score:2)
Work at home access?
There are plenty of reasons I am sure, that being one of them. Was it a good idea? Well no.
Re: (Score:2)
If development machines can access the internet, then the source code is online.
It's possible to really work offline but the cost is so high that it is usually only done with classified programs. And it won't prevent a cracker from simply convincing a developer to steal the code using an USB stick.
Re: (Score:2)
My Photoshop CS2 serves me very well and will continue to do so until Gimp catches up. (I realize I might be dead before that happens, but one can hope that that won't be the case).
And I'm on CS3. But you are correct about upgrading. Adobe and their business model of us having to spend thousands every 2 years on the new suites, and now wanting us to just install a pipeline from our wallets to their bank account, was getting creaky a few years back. Which of course is why you are still running CS2, and me CS3.
Software as a service is fatally flawed, Adobe has found that out. It will be interesting to see their astroturf project re this.
Re: (Score:2)
Getting creaky, "just" a few years back? It got old over a decade ago for me. And sorry, but demanding $650 for a fucking bitmap editor is just robbery. Which is why I never bothered to buy it, and years ago bought Paint Shop Pro (back when it was still by Jasc), and have long since switched to Paint.net and finally (after switching from Windows to Linux in 2006) the GIMP. I never did get the point behind Photoshop anyway... it's beyond slow, bloated and just a nightmare to find anything that you need. Its
Re: (Score:2)
"You're trolling and ill-informed."
If 'trolling' these days is speaking your own 100% honest opinion, then yes, I guess I must be trolling. I wasn't aware that you are a troll for having an opinion, though. Learn something new every day.
"You clearly have little experience actually using Photoshop and certainly not a recent version."
No shit, I'm pretty sure my first couple sentences made it obvious that I was never a fan of the program, its price, etc. I'll take almost *anything* over that overpriced crap.
It's a well designed program, which is why it costs what it does.
Sorry, I did not get that impression, and I felt it was a massive rip-off at twice the price of a fucking Windows licence. Does that m
Re: (Score:2)
Me too, especially since CS2 is effectively free now. Adobe shut down the activation servers earlier this year so they actually gave out activation-free CS2 installers AND their serials. It's the only non-douchebaggy thing Adobe has done in recent memory.
Re: (Score:1)
Gimp will never catch up (you will be dead). This isn't about humoring yourself. This isn't even about Adobe Creative Cloud. This is about a breach. They don't have that many Creative Cloud subscribers yet. They have approximately 30 full time programmers. If this were a Creative Cloud breach then 38,000,000 * 50 = $1.9 billion a month. Really? That comes to $6.3 million per developer. Take 90% out for expenses and you are still at $633,000 per developer. Not the case.
That being said. The only infor
Re: (Score:2)
Re: (Score:2)