
Adobe Security Team Accidentally Posts Private PGP Key On Blog (arstechnica.com) 60

A member of Adobe's Product Security Incident Response Team (PSIRT) accidentally posted the PGP keys for PSIRT's email account -- both the public and the private keys. According to Ars Technica, "the keys have since been taken down, and a new public key has been posted in its stead." From the report: The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen. Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account. To be fair to Adobe, PGP security is harder than it should be. What obviously happened is that a PSIRT team member exported a text file from PSIRT's shared webmail account using Mailvelope, the Chrome and Firefox browser extension, to add to the team's blog. But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file. Then, without realizing the error, the text file was cut/pasted directly to Adobe's PSIRT blog.
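A pre-publication check for the mistake described in the summary, as an added example that is not part of the original story or of Mailvelope: it finds ASCII-armored OpenPGP blocks in text about to be posted and reads the first packet tag, so secret key material is flagged even when the armor label says "PUBLIC". The function names and the sample post are assumptions; the sample blocks are constructed stubs of a few bytes, not real keys.

```python
import base64
import re

ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+?)-----\r?\n(.*?)-----END PGP \1-----", re.S)

# OpenPGP packet tags that carry secret key material (RFC 4880, section 4.3).
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}

def first_packet_tag(data: bytes) -> int:
    """Return the tag of the first OpenPGP packet in data."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:              # new-format header: tag in bits 5..0
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F    # old-format header: tag in bits 5..2

def find_secret_keys(text: str) -> list:
    """Return (armor label, packet kind) for every block holding a secret key."""
    findings = []
    for m in ARMOR_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = (l.strip() for l in body.splitlines())
        # Drop armor headers ("Version: ...") and the "=XXXX" CRC24 line.
        payload = "".join(l for l in lines
                          if l and ":" not in l and not l.startswith("="))
        try:
            tag = first_packet_tag(base64.b64decode(payload))
        except ValueError:          # undecodable body: fall back to the label
            tag = None
        if tag in SECRET_TAGS or "PRIVATE" in label:
            findings.append((label, SECRET_TAGS.get(tag, "unparsed")))
    return findings

def _stub(label: str, first_bytes: bytes) -> str:
    """Build a constructed armor block containing only a packet header stub."""
    b64 = base64.b64encode(first_bytes).decode()
    return (f"-----BEGIN PGP {label}-----\nVersion: constructed\n\n"
            f"{b64}\n=AAAA\n-----END PGP {label}-----\n")

# Constructed sample: what an "all" export pasted into a post would look like.
SAMPLE_POST = ("Our new key:\n"
               + _stub("PUBLIC KEY BLOCK", b"\x99\x01\x0d\x04")
               + _stub("PRIVATE KEY BLOCK", b"\x95\x03\xbe\x04"))

if __name__ == "__main__":
    print(find_secret_keys(SAMPLE_POST))
```

Only the first packet of each block is inspected, which is enough for a key export because the primary key packet comes first.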
  • And the hits just keep on coming from our A-list blisters
    The team that brought us Flash, to inspire full employment for browser designers, to keep them busy writing disability check boxes.
    Oh, so NOW it's going away? After all the breaches, hacks, and violations?
    Took their sweet time owning up to the horridity.
    Still, better Nate than Clever.

  • Impossible! (Score:5, Funny)

    by fuzzyfuzzyfungus ( 1223518 ) on Friday September 22, 2017 @05:08PM (#55247497) Journal
    This article is clearly a lie. How can a mythological entity have a PGP key?
  • But they can revoke it, can't they? An embarrassing screw-up, but no harm done. It's not as if the Adobe security team's credibility was particularly stellar to begin with... :)
    • by gwolf ( 26339 )

      Of course - You can revoke it as well. Everybody that holds both the private and the public parts can issue a revocation certificate!
      (and somebody has... Let's assume it was Adobe!)

  • How the hell did their PGP key even end up on their webserver?!?!?
  • We will stop seeing these kinds of articles, since it is a daily occurrence, and just assume someone somewhere was hacked in a major data breach.

    • At some point I hope there will be major fines against companies that got hacked in a preventable way. And also hopefully more effort to track down the hackers who do the harm and give them 1 volt shock for every megabyte they had stolen.

      • give them 1 volt shock for every megabyte they had stolen.

        I agree with your sentiment, but you've got the wrong idea which is bad for making laws. Even the dictionary only hints at it -- take (another person's property) without permission or legal right and without intending to return it.

        Now they don't intend to return it, but that's because it hasn't gone anywhere. The bits are still located exactly where they're supposed to be.

        "Return it" indicates a uniqueness, to wit a physical item that the owner is deprived of and needs for it to be returned to make t

  • ...humanities majors keep getting IT security jobs. No such thing as foolproof if a fool does the proofing.
  • That's a key point and a key contributor to Internet insecurity. One could argue that, to make it 'perfect', the designers of PKI have made it unusable by the average user. And the OS vendors (Microsoft, Apple and Linux community) have not helped. Nor have the purveyors of PKI credentials, again to make trust "absolute", the cost and 'annoyance overhead' makes getting your own key too difficult for anyone short of a fully qualified IT department with PKI expertise.

    • by gweihir ( 88907 ) on Friday September 22, 2017 @06:18PM (#55247775)

      Actually, it is not. Just as with the functioning of a house-key, there is a minimal understanding that is required for public-key crypto, or security will not be provided. Yes, that means many people cannot have secure encryption. That is just the way things are. Wishing things to be different does not change them.

  • UI failure (Score:4, Insightful)

    by Anonymous Coward on Friday September 22, 2017 @05:37PM (#55247637)

    As much as I hate Adobe and most of their shitware, I don't think it's fair to totally fault the poor person who did this.

    But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file.

    If a mistake of this magnitude is a single misclick away from happening - something that's really easy to do in a moment's careless mistake of the type EVERYONE has - something is broken with that UI.

    There should be warnings in red you have to override with an explicit and nontrivial action.

    • by dgatwood ( 11270 )

      There shouldn't even be UI for such a risky action. If you need the private key, you should have to hunt for the file on the hard drive, double-click it, and open it in a text editor. Doing the right thing should be easy, and doing the wrong thing should be hard.

      • by gweihir ( 88907 )

        Actually, if the private key is protected by a good passphrase, this operation is not risky at all.

        • by dgatwood ( 11270 )

          If by "not risky", you mean "able to survive local brute-forcing by a massive botnet", then you have more faith in passphrases—even good passphrases—than I do.

          • by gweihir ( 88907 )

            No, I just do understand how this works.

            • by Khyber ( 864651 )

              Son, your understanding is laughed at by today's technology.

              • by gweihir ( 88907 )

                I find it fascinating how anybody that does not have a solid grounding in crypto feels competent to comment on what crypto can do and what it cannot do. Of course, the statements made by such people are routinely wayyyyy off. That is one reason why people like me charge a high consulting fee when making such statements professionally, because it makes it more likely that the customer (who does not understand what is going on, just like you) actually listens.

                • by dgatwood ( 11270 )

                  The funny thing is that I've implemented crypto algorithms. I'm intimately familiar with what they can and can't do. The largest botnet to date was a couple of million devices. Within five years, we'll likely have at least one that crests the ten-million-device mark. Depending on the speed of those devices (and whether they have hardware-assisted crypto support), that could easily mean on the order of a trillion cracking attempts per second or more.

                  Assuming a passphrase contains only the 95 printable A

  • Adobe has such a long history of putting security first and demonstrating security best practices! How could this sort of thing happen? Or is it because a typical Adobe employee doesn't know the difference between a private key and a hole in the ground?

  • by gweihir ( 88907 ) on Friday September 22, 2017 @06:15PM (#55247755)

    Because if a good passphrase is used, then this is a complete non-issue.

    • by Khyber ( 864651 )

      My passphrase SUPPOSEDLY would take a few billion years to crack.

      It took less than 20 minutes for a server farm to crack my password.

      Try again when you aren't 30 years behind the times in terms of technology.

      • by gweihir ( 88907 )

        The security of your "passphrase" is pretty irrelevant when attacking your "password". Are you sure you do understand what happened there?

    • by kriston ( 7886 )

      If the key is old enough, and if it were properly encrypted, that private key was encrypted using IDEA. Arguably it would still be secure with negligible risk according to https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm#Security [wikipedia.org]

      • by gweihir ( 88907 )

        IDEA is not supported by modern PGP implementations anymore, AFAIK. Maybe some commercial ones still do it though.

        • gpg --version
          gpg (GnuPG) 1.4.22
          Copyright (C) 2015 Free Software Foundation, Inc.
          License GPLv3+: GNU GPL version 3 or later
          This is free software: you are free to change and redistribute it.
          There is NO WARRANTY, to the extent permitted by law.

          Home: ~/.gnupg
          Supported algorithms:
          Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
          Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
          CAMELLIA128, CAMELLIA192, CAMELLIA256
          Hash: MD5, SHA1, RIPEMD160, SHA256, SH

          • by gweihir ( 88907 )

            I see. So they put it back in. The patent has probably expired by now. Using it is not a good idea though.

  • Poof (Score:4, Insightful)

    by jonnythan ( 79727 ) on Friday September 22, 2017 @06:39PM (#55247859)

    And just like that, all email ever encrypted with that key is subject to decryption.

  • by higuita ( 129722 )

    gpg is not that hard, the truth is that mailvelope is shit ... exporting the public key is a common task... exporting the private key is not, so it should be in a totally different place with a proper warning

    also google, yahoo, ms, etc should include support for gpg in their webmail ... gpg looks hard because most tools do not support it. integrate them and things will be easier

    • also google, yahoo, ms, etc should include support for gpg in their webmail ..

      You can already use gpg with webmail if you use a proper mail client over IMAP. I've done it for years.

      • by higuita ( 129722 )

        that is what i do.. but most people that use gmail and friends only use the webmail or in worst case, the phone app ... neither have gpg support
