AppleInsider › Forums › General › General Discussion › Adobe security breach compromises 2.9M customer accounts, encrypted credit card data stolen

Adobe security breach compromises 2.9M customer accounts, encrypted credit card data stolen

post #1 of 38
Thread Starter 
Adobe on Thursday confirmed that malicious parties had compromised its networks and potentially gleaned credit card and other personal information from the accounts of nearly three million users.



The creative software company revealed the breach in a post to its official blog. Adobe's security team recently discovered a number of "sophisticated attacks" on its network, with some of those attacks targeting customer information and source code for several Adobe products.

In all, the attackers are believed to have stolen information on 2.9 million Adobe account holders. That data includes customer names, encrypted credit and debit card numbers, expiration dates, and other customer order information. Adobe does not believe that decrypted credit or debit card numbers were removed from the network.

Adobe has contacted federal law enforcement for help in the investigation and is resetting passwords for affected accounts in order to prevent further unauthorized access. Owners of affected Adobe ID accounts will receive an email notification from Adobe with information on how to change their passwords.

The company also recommends that account holders affected by the attack change their passwords on any website where they may have signed up with the same login credentials.

On its end, Adobe has spread news of the breach to banks that process its payments, and is coordinating with payment card companies and card-issuing institutions to help protect customers' accounts. In addition, the company is extending a free one-year credit monitoring membership to those customers whose information was compromised.
post #2 of 38

I love how when corporate sites get hacked they always say that the credit cards are encrypted so it should be fine. If the hackers were into your database they likely owned your whole server and surely would have found the encryption key. It is not like they are MD5 hashed, because they need to decrypt them every time they show you the checkout shopping-cart page so you can use the card on record.

 

On our e-commerce site we don't store any credit cards, not even the last four digits. The last four get emailed to the client but not saved. The full credit card goes to the merchant gateway and we never see it. I feel a lot safer not being responsible for the customers' credit cards. All these big sites like Amazon, Apple, Adobe want to keep the cards on file to make it easier for people to buy stuff but it comes at a risk.

Life is too short to drink bad coffee.
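As an added example (not code from the thread or from any poster; names and sample values are constructed for illustration), this shows the design the post describes: the shop keeps only a gateway token, the last four digits and the expiry, and a Luhn-based scanner checks that nothing card-number-shaped ends up in the stored record. StoredOrder, record_order, find_pans and would_persist_pan are assumed names.

```python
"""
Constructed example: an order record that never keeps the full card
number, plus a Luhn-based scanner that detects a PAN that is about to be
stored or logged.  Names and sample values are made up for illustration.
"""
import re
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """True if a digit string passes the Luhn checksum used by card numbers."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return the Luhn-valid, card-number-shaped strings found in text.
    Usable as a guard before storing/logging, or to scan a DB dump."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass(frozen=True)
class StoredOrder:
    order_id: str
    customer: str
    gateway_token: str   # opaque reference issued by the payment gateway
    last4: str           # enough for a "card ending in 1111" display
    expiry: str          # MM/YY


def would_persist_pan(rec: StoredOrder) -> bool:
    """Defence in depth: does anything PAN-shaped survive in the record?"""
    return bool(find_pans(" ".join(str(v) for v in vars(rec).values())))


def record_order(order_id: str, customer: str, pan: str, expiry: str,
                 gateway_token: str) -> StoredOrder:
    """Build the record the shop keeps.  The PAN is used only to derive
    last4; the gateway holds the card and hands back an opaque token."""
    pan_digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(pan_digits):
        raise ValueError("card number failed Luhn check")
    rec = StoredOrder(order_id, customer, gateway_token, pan_digits[-4:], expiry)
    if would_persist_pan(rec):
        raise RuntimeError("refusing to persist a record containing a PAN")
    return rec


if __name__ == "__main__":
    # Constructed test PAN (the well-known 4111... test number), not a real card.
    r = record_order("o-1", "A. Customer", "4111-1111-1111-1111", "12/15", "tok_7f3a9c")
    print(r, "contains PAN:", would_persist_pan(r))
```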
post #3 of 38

Glad that I'm not a customer.

 

Besides Apple, bank accounts, stock brokers etc., I try not to keep any profiles with online retailers that store my credit card info.

 

I do order a lot of things from the net, from a whole bunch of different sites, and I usually always check out as guest, it doesn't take long to do, and I feel safer, because I don't want to create a profile and I don't want my credit card info being stored. You simply can not trust most sites to keep your info secure.

 

As a matter of fact, I just remembered that Amazon has one of my cards on file, so I just went there and deleted it, took less than 1 minute. I don't mind entering my CC details again next time I shop for something. And imagine having all of your personal and financial info stored and managed by the incompetent baboons in the govt? I am so damn glad that I do not have to sign up for any govt healthcare crap. I was just reading today how it might be a haven for hackers. And with the incompetent people working there, I do not doubt it for a second. They can't even manage a simple website.


Edited by Apple ][ - 10/3/13 at 4:11pm
post #4 of 38

One more reason not to use Creative Cloud. If you buy software licenses, you buy them at random places, wherever you get the best discount at a time.

With these stupid "software-as-service-which-isn't-really-a-service-but-we-market-it-as-service-anyway-because-we-make-more-money-that-way" scams that are more and more popular, all the customer data gets hoarded by a few major vendors, and they are magnificent targets, particularly in the case of companies like Adobe which don't know how to write decent code in the first place.

 

(PS: No, deriving mathematical algorithms for image processing is not the same as knowing how to write decent code, Adobe knows the former, but not the latter).

post #5 of 38
Quote:
Originally Posted by rcfa View Post
 

One more reason not to use Creative Cloud. If you buy software licenses, you buy them at random places, wherever you get the best discount at a time.

So where did you buy that box of Final Cut Pro X or Aperture or iWork? Apple stores your card just like Adobe and they are not immune from being hacked either. Just last month the dev site was down for a couple weeks due to hacked user profiles which probably included credit card info. To address your rant on Adobe not knowing how to code, I'm sure you have built a billion dollar software enterprise which clearly legitimizes the validity of your remarks.

Life is too short to drink bad coffee.
post #6 of 38
Quote:
Originally Posted by Apple ][ View Post

I usually always check out as guest, it doesn't take long to do, and I feel safer, because I don't want to create a profile and I don't want my credit card info being stored. You simply can not trust most sites to keep your info secure.

Guest accounts still create accounts, even on big e-commerce platforms like Magento. Unfortunately.
post #7 of 38
I just got done changing my password... This is going to be a terrible experience if they got my card #.
post #8 of 38

Thanks a lot, Adobe.  There is no longer any way to buy Lightroom upgrades except online, then you don't bother to properly secure that information.

  Google Maps: ("Directions may be inaccurate, incomplete, dangerous, or prohibited.")

 

  MA497LL/A FB463LL/A MC572LL/A FC060LL/A MD481LL/A MD388LL/A ME344LL/A
post #9 of 38
Quote:
Originally Posted by mstone View Post
 
Quote:
Originally Posted by rcfa View Post
 

One more reason not to use Creative Cloud. If you buy software licenses, you buy them at random places, wherever you get the best discount at a time.

So where did you buy that box of Final Cut Pro X or Aperture or iWork? Apple stores your card just like Adobe and they are not immune from being hacked either. Just last month the dev site was down for a couple weeks due to hacked user profiles which probably included credit card info. 

 

According to Apple it didn't. Nothing is absolutely secure, and nowhere do I state that I like Apple's data hoarding.

As a matter of fact, besides the forced single-source software store, one of the main reasons why I dislike the fact that Apple locks legitimate users out of their own devices is that it's impossible to discern if an iOS device is hacked or is running spyware, unless the user has root access, which currently is only possible by jail-breaking.

I like iOS devices to be non-jailbreakable (i.e. be secure), but with the legitimate user/owner having full root access, just like on any other decent computing system. Just because the device is small and pocketable doesn't mean it's not a computer or users shouldn't be able to rule the device they bought.
 

Quote:

To address your rant on Adobe not knowing how to code, I'm sure you have built a billion dollar software enterprise which clearly legitimizes the validity of your remarks.

 

 

That's the same sort of asinine comment that ignoramuses throw e.g. at art critics: one doesn't have to be a successful author to be a literary critic; one doesn't have to be a successful musician to be a good music critic. Further, sales do not indicate anything about quality of the product, only about the quality of the marketing, otherwise, McDonalds were the best food in the world.

 

If you need to know my credentials: I have a Sc.M. in Computer Science from an Ivy League school, and I have been working with OSX and its predecessors ever since that little black cube called NeXT was at my disposal, which was in 1989 with NeXTSTEP 0.8.

Without even trying, I ranked 10th, 2nd and 1st in the three bug-busting contests NeXT made, and ADC guys knew me by name due to the number and quality of bug reports I used to submit. (I gave up on that when Apple switched to a web based reporting tool that is a waste of my time, so I lost interest, given that I'm not getting paid for doing Apple software QA)

 

So I think I know a thing or two about writing code, debugging, bug reporting, knowing the symptoms of badly written code, and eliciting bugs in software.

One prime example of shoddy Adobe code: just about all Adobe software stops functioning when installed on a case-sensitive file system (if the installer doesn't already crash trying to install the software on a case-sensitive volume), because the Adobe programmers are incapable of #define-ing file names in one central place and then referring to these resource names by means of the corresponding macros; heck they seem to be even incapable of running a global regex search-replace to fix the case on all occurrences of resource names. Instead they refer to resources all over their code in a variety of case spellings, which means the moment the software is on a case-sensitive file system, it breaks. This is a horrendous coding practice.

There are other examples, like e.g. their own invention (PS and PDF) being rendered more slowly and with higher resource usage by their bloated rendering engines than by the optimized 3rd party/"copycat" implementations, such as NeXT's DisplayPostScript (which NeXT licensed from Adobe and then heavily optimized and improved on in-house) or Apple's Quartz PDF rendering engine.

There are plenty of other examples, e.g. their plug-in architecture, their ridiculously scattered software resources, their brain-dead installers, their proprietary GUI they don't even manage to get consistent across their own Creative Suite in decades, their laggard status migrating away from Carbon, etc.
The only company that could compete in the bad code department was Macromedia (who brought us such wonders in code and resource "efficiency and elegance" as Flash), which Adobe bought up. Perfect match made in hell.

Never mind that minor feature upgrades and various "transitions" they owe Apple (OS 9 to OS X, PPC to Intel, 32-bit to 64-bit) allowed them to each time milk customers for more than the upgrades were worth, and now that they see the end of the gravy train, they just turn the whole pile into a subscription-only product. If they can't innovate in software, they innovate in milking customers...

post #10 of 38
Quote:
Originally Posted by rcfa View Post
 

 

According to Apple it didn't. Nothing is absolutely secure, and nowhere do I state that I like Apple's data hoarding.

Unlike you seem to be, I'm not a blind fanboy where Apple can do no wrong. As a matter of fact, besides the forced single-source software store, one of the main reasons why I dislike the fact that Apple locks legitimate users out of their own devices is that it's impossible to discern if an iOS device is hacked or is running spyware, unless the user has root access, which currently is only possible by jail-breaking.

I like iOS devices to be non-jailbreakable (i.e. be secure), but with the legitimate user/owner having full root access, just like on any other decent computing system. Just because the device is small and pocketable doesn't mean it's not a computer or users shouldn't be able to rule the device they bought.
 

 

That's the same sort of asinine comment that ignoramuses throw e.g. at art critics: one doesn't have to be a successful author to be a literary critic; one doesn't have to be a successful musician to be a good music critic. Further, sales do not indicate anything about quality of the product, only about the quality of the marketing, otherwise, McDonalds were the best food in the world.

 

If you need to know my credentials: I have a Sc.M. in Computer Science from an Ivy League school, and I have been working with OSX and its predecessors ever since that little black cube called NeXT was at my disposal, which was in 1989 with NeXTSTEP 0.8.

Without even trying, I ranked 10th, 2nd and 1st in the three bug-busting contests NeXT made, and ADC guys knew me by name due to the number and quality of bug reports I used to submit. (I gave up on that when Apple switched to a web based reporting tool that is a waste of my time, so I lost interest, given that I'm not getting paid for doing Apple software QA)

 

So I think I know a thing or two about writing code, debugging, bug reporting, knowing the symptoms of badly written code, and eliciting bugs in software.

One prime example of shoddy Adobe code: just about all Adobe software stops functioning when installed on a case-sensitive file system (if the installer doesn't already crash trying to install the software on a case-sensitive volume), because the Adobe programmers are incapable of #define-ing file names in one central place and then referring to these resource names by means of the corresponding macros; heck they seem to be even incapable of running a global regex search-replace to fix the case on all occurrences of resource names. Instead they refer to resources all over their code in a variety of case spellings, which means the moment the software is on a case-sensitive file system, it breaks. This is a horrendous coding practice.

There are other examples, like e.g. their own invention (PS and PDF) being rendered more slowly and with higher resource usage by their bloated rendering engines than by the optimized 3rd party/"copycat" implementations, such as NeXT's DisplayPostScript (which NeXT licensed from Adobe and then heavily optimized and improved on in-house) or Apple's Quartz PDF rendering engine.

There are plenty of other examples, e.g. their plug-in architecture, their ridiculously scattered software resources, their brain-dead installers, their proprietary GUI they don't even manage to get consistent across their own Creative Suite in decades, their laggard status migrating away from Carbon, etc.
The only company that could compete in the bad code department was Macromedia (who brought us such wonders in code and resource "efficiency and elegance" as Flash), which Adobe bought up. Perfect match made in hell.

Never mind that minor feature upgrades and various "transitions" they owe Apple (OS 9 to OS X, PPC to Intel, 32-bit to 64-bit) allowed them to each time milk customers for more than the upgrades were worth, and now that they see the end of the gravy train, they just turn the whole pile into a subscription-only product. If they can't innovate in software, they innovate in milking customers...

 

mstone just got nuked. Nice work rcfa!

Help! I'm trapped in a white dungeon of amazing precision and impeccable tolerances!
post #11 of 38
Brought to you by Creative Cloud.
post #12 of 38
Quote:
Originally Posted by rcfa View Post
 
 which means the moment the software is on a case-sensitive file system, it breaks. This is a horrendous coding practice.

Although one could format a volume with HFS+ and choose to make it case sensitive, no one ever does this, and no Mac OS has ever been case sensitive by default since the very beginning with 400K floppies. Windows can also be formatted to be case sensitive, but no one ever does that either.

 

The only two platforms that Adobe software currently runs on are both case insensitive, so where's the problem? But I also know for a fact that Adobe Illustrator, at least in 1994, ran just fine on Solaris, which is case sensitive, as I used it for a while. I would like to see some links that support your allegation to the contrary.

 

PS: Adobe software also runs satisfactorily in WINE on Linux which also has a case sensitive file system.


Edited by mstone - 10/3/13 at 6:25pm

Life is too short to drink bad coffee.
post #13 of 38
Quote:
Originally Posted by rcfa View Post

it's impossible to discern if an iOS device is hacked or is running spyware, unless the user has root access, which currently is only possible by jail-breaking.

 

Uh… correct me if I’m wrong, but that means you instantaneously know if it is hacked or running spyware, because the only way for that to have happened is via jailbreaking. Therefore SINCE you can check (or can’t), you CAN know, either by checking (and finding out yes or no) or by being unable to check (which equals no).

Quote:
Originally Posted by rcfa View Post

I like iOS devices to be non-jailbreakable (i.e. be secure), but with the legitimate user/owner having full root access, just like on any other decent computing system.

 

Contradiction in phrases, and you should know that. Full access, all the time, means not secure.

Quote:
Originally Posted by rcfa View Post

That's the same sort of asinine comment that ignoramuses throw e.g. at art critics: one doesn't have to be a successful author to be a literary critic; one doesn't have to be a successful musician to be a good music critic.
 

 

Absolutely correct, BUT “Tim Cook should have done x because I know better than Apple” helps no one.

Originally Posted by asdasd

This is Appleinsider. It's all there for you but we can't do it for you.
post #14 of 38

This is why it pays to just permanently borrow it. Their stupid subscription service sucks anyway.

post #15 of 38
Quote:
Originally Posted by mstone View Post
 

Although one could format a volume with HFS+ and choose to make it case sensitive, no one ever does this, and no Mac OS has ever been case sensitive by default since the very beginning with 400K floppies. Windows can also be formatted to be case sensitive, but no one ever does that either.

 

The only two platforms that Adobe software currently runs on are both case insensitive, so where's the problem? But I also know for a fact that Adobe Illustrator, at least in 1994, ran just fine on Solaris, which is case sensitive, as I used it for a while. I would like to see some links that support your allegation to the contrary.

 

PS: Adobe software also runs satisfactorily in WINE on Linux which also has a case sensitive file system.

 

What a non-reply. Nuked is nuked.

post #16 of 38
Quote:
Originally Posted by AdamC View Post
 
 

What a non-reply. Nuked is nuked.

His rant is pure BS angry Linux geek. Yeah, Adobe doesn't run natively on Linux. People like me who use Adobe CC all day long every day and make a good living at it know the power of the tools. People who bitch about Adobe CC as being a terrible product do not use it to make money. It is a fantastic suite, always has been, and nothing comes close for professional work. All sour grapes because they can't pirate it now.

Life is too short to drink bad coffee.
post #17 of 38

I'm (not so) secretly thanking the hackers, but then again, this won't bring back retail software, not going to be non-subscription download only, nor even per app subscription. This is what happens when you have a monopoly and all your biggest competitors can only limp along.

post #18 of 38

As much as they pushed, pushed and pushed for me to purchase the cloud, I'm glad I went with the disc with CS suite on it.  Fortunately, credit card used has expired.

Ten years ago, we had Steve Jobs, Bob Hope and Johnny Cash.  Today we have no Jobs, no Hope and no Cash.
post #19 of 38
Quote:
Originally Posted by rcfa View Post


...The only company that could compete in the bad code department was Macromedia (who brought us such wonders in code and resource "efficiency and elegance" as Flash), which Adobe bought up. Perfect match made in hell.
Never mind that minor feature upgrades and various "transitions" they owe Apple (OS 9 to OS X, PPC to Intel, 32-bit to 64-bit) allowed them to each time milk customers for more than the upgrades were worth, and now that they see the end of the gravy train, they just turn the whole pile into a subscription-only product. If they can't innovate in software, they innovate in milking customers...

Great job! Thank you for the intelligent analysis and summary of what we all know but are unable to articulate from a technology point of view... That Adobe products are overly complicated, bloated crap, and that the company is no better than an extortionist! If only Apple would acquire this bag of shit and re-engineer it for us! Now there would be a good use of funds, rather than lining Carl Icahn's pockets.
post #20 of 38
(Claps slowly and deliberately) Bravo, Adobe. Bravo. You screwed up royally. I want a two-year free Creative Cloud subscription.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #21 of 38
Quote:
Originally Posted by FreeRange View Post
 
 If only Apple would acquire this bag of shit and re-engineer it for us! 

Worst possible outcome for professionals. Apple would release version one and then wait three years to completely redesign it for amateur consumers. Wrong. It would be akin to Apple buying Autodesk and making AutoCAD user friendly for soccer moms.

Life is too short to drink bad coffee.
post #22 of 38
Quote:
Originally Posted by Suddenly Newton View Post

 I want a two-year free Creative Cloud subscription.

Doesn't everyone? Screw-up or not, that is the biggest complaint: that no one has cracked the subscription model to be able to pirate the software.

Life is too short to drink bad coffee.
post #23 of 38
New Adobe Survey. If you are not happy with CC being the only choice, let them know. http://deploy.ztelligence.com/start/survey/survey_taking.jsp?PIN=16BNF7XXXKLNX%uFEFF
post #24 of 38
Quote:
Originally Posted by lasvideo View Post

New Adobe Survey. If you are not happy with CC being the only choice, let them know. http://deploy.ztelligence.com/start/survey/survey_taking.jsp?PIN=16BNF7XXXKLNX%uFEFF

 

Check your url. It doesn't work for me.

Life is too short to drink bad coffee.
post #25 of 38
Quote:
Originally Posted by mstone View Post
 
Quote:
Originally Posted by rcfa View Post
 
 which means the moment the software is on a case-sensitive file system, it breaks. This is a horrendous coding practice.

Although one could format a volume with HFS+ and choose to make it case sensitive, no one ever does this, and no Mac OS has ever been case sensitive by default since the very beginning with 400K floppies. Windows can also be formatted to be case sensitive, but no one ever does that either.

 

Security conscious people format their drive in case-sensitive mode: there were (and likely still are) a bunch of exploits that use case-insensitive file systems to the detriment of users. The thing is, OS X is UNIX, and just about all underlying FreeBSD, Linux, etc. tools that OS X is based on, assume a case-sensitive file system. Since they are written properly, most work just fine even on a case-insensitive file system, but there are boundary cases that have been exploited in the past (e.g. in regards to .htaccess files, etc.)

 

Further, lots of open source software uses build systems that are designed for case-sensitive file systems, e.g. differentiating between Makefile and makefile, which results in file name collisions under OS X. So if you need certain open source software on your Mac and need to compile it, or if you try to port it to the Mac, you need to run on a case-sensitive HFS+.

 

I've been doing that routinely. Further, language is case-sensitive, except where morons are at work.

Mr. DeSisto and Mr. Desisto are not the same person, and if I have a ~/Documents/Correspondence/<someLastName> folder hierarchy, I want to be able to have a folder named DeSisto and one named Desisto and be able to differentiate between the two.

 

Case-insensitivity is one of these moronic oversimplifications Apple is unfortunately known for. The fact that early systems were case-less because they were using TTY code (meaning essentially EVERYTHING WAS UPPERCASE) doesn't mean that that was a good thing. When Unix came as a more modern OS, it was well capable of distinguishing case, and it did so.

 

Just as Unicode is better than using code tables where a whole bunch of characters are "the same" unless you know which code table is applicable in a certain context. Nobody would argue going back to code tables, yet people still argue for case-insensitivity simply because they can't admit that this is legacy cruft that finally needs to be done away with.

 

Oh, and in case you don't know (because you didn't jail-break your iOS device): iOS devices use a case-sensitive version of HFS+

So much for nobody using a case-sensitive version of HFS+...
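An added example, not code from the thread or from Adobe or Apple, illustrating the two failure modes in this post and rcfa's earlier point about resources referred to in mixed-case spellings: an exact-match deny-list written for a case-sensitive system lets a differently cased request for a protected file through on a volume that equates the names, while a check that folds case the way the volume does still blocks it; and a collision detector flags file sets such as Makefile/makefile that a case-insensitive volume cannot hold. CaseInsensitiveVolume and fold are a constructed approximation of case-insensitive HFS+, not its real comparison rules.

```python
"""
Constructed example: what happens when code written for a case-sensitive
file system meets a case-insensitive, case-preserving volume.
  (1) a deny-list for protected names such as .htaccess, checked exactly
      (weak) and checked the way the volume equates names (hardened);
  (2) a collision detector for file sets that cannot coexist on such a
      volume (Makefile vs makefile, Logo.png vs logo.PNG).
The volume model and all names are made up for illustration.
"""
import unicodedata
from typing import Callable, Dict, List, Set


def fold(name: str) -> str:
    """Approximate how a case-insensitive volume equates names: Unicode
    normalise, then casefold.  Assumption for illustration; real HFS+
    uses its own comparison tables."""
    return unicodedata.normalize("NFD", name).casefold()


class CaseInsensitiveVolume:
    """Minimal model of a case-insensitive, case-preserving file system:
    a lookup by any case spelling returns the stored file."""

    def __init__(self) -> None:
        self._files: Dict[str, str] = {}   # folded name -> stored spelling

    def write(self, name: str) -> None:
        self._files[fold(name)] = name

    def lookup(self, name: str) -> str:
        """Stored spelling for a request, or '' if the file is absent."""
        return self._files.get(fold(name), "")


PROTECTED = {".htaccess", ".htpasswd", ".git"}


def is_protected_exact(requested: str) -> bool:
    """Weak check: exact comparison, as code written for Linux would do.
    On a case-insensitive volume '.HTACCESS' resolves to the same file,
    but this check says it is not protected."""
    return requested in PROTECTED


def is_protected_folded(requested: str) -> bool:
    """Hardened check: compare the way the volume itself equates names."""
    return fold(requested) in {fold(p) for p in PROTECTED}


def serve(volume: CaseInsensitiveVolume, requested: str,
          check: Callable[[str], bool]) -> str:
    """Simulated static-file handler: 'DENIED' if the check blocks the
    request, otherwise whatever the volume resolves ('' = not found)."""
    if check(requested):
        return "DENIED"
    return volume.lookup(requested)


def find_case_collisions(names: List[str]) -> List[Set[str]]:
    """Group distinct names that a case-insensitive volume would merge.
    Run over a source tree or an installer's file list before it lands
    on a case-insensitive volume to catch Makefile/makefile clashes and
    the mixed-case resource spellings the thread complains about."""
    groups: Dict[str, Set[str]] = {}
    for n in names:
        groups.setdefault(fold(n), set()).add(n)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    vol = CaseInsensitiveVolume()
    vol.write(".htaccess")
    print("exact  :", serve(vol, ".HTACCESS", is_protected_exact))   # leaks the file
    print("folded :", serve(vol, ".HTACCESS", is_protected_folded))  # DENIED
    print(find_case_collisions(["Makefile", "makefile", "README"]))
```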

post #26 of 38
Quote:
Originally Posted by mstone View Post
 
For people like me who use Adobe CC all day long every day and make a good living at it know the power of the tools. People who bitch about Adobe CC as being a terrible product do not use it to make money. It is a fantastic suite, always has been and nothing comes close for professional work. All sour grapes because they can't pirate it now.

 

Horrendous reasoning. Look, just because someone makes a lot of money using a Chevy Astrovan doesn't mean it's a good van. A Freightliner Sprinter (i.e. a Mercedes Sprinter) beats it in just about every aspect (except price).

 

The fact that Photoshop works doesn't mean it's great software, just like Windows "working" doesn't mean it's great software.

It does the job, and it didn't have enough competition, and thus it became the entrenched standard that is difficult to pass by when working in certain fields; that's pretty much all that's going for Adobe's junk, just like Windows does the job and is entrenched in business computing, which makes it hard to get past using it in many fields. But none of that makes Windows or Adobe software any better in terms of quality from a software engineering point of view.

 

To try to deflect the discussion towards software piracy is total lunacy and is pretty much admission of defeat, because when all other reasoning fails, then the last resort of any scoundrel is to try to besmirch the opponent with some unrelated allegation and innuendo.

 

Please go away and don't come back until you've done your homework on software engineering and the history of computing. We'll all thank you!

post #27 of 38
Quote:
Originally Posted by rcfa View Post

To try to deflect the discussion towards software piracy is total lunacy and is pretty much admission of defeat, because when all other reasoning fails, then the last resort of any scoundrel is to try to besmirch the opponent with some unrelated allegation and innuendo.

 

I think that Adobe's decision to go subscription was greatly influenced by the extreme prevalence of pirating of their titles. Thanks for your insight into the world of uber geekdom that almost no one cares about. Fortunately, no one needs to concern themselves with case sensitivity except to make sure they understand that their files for their website might be case sensitive if they are on Linux, which I am fully aware of since 90% of my websites are on Linux. I've been working on NIX-like OSs since the early '90s, so case sensitivity is nothing new to me. I'm just not affected by the issue in any Adobe software.

Life is too short to drink bad coffee.
post #28 of 38
Quote:
Originally Posted by Tallest Skil View Post
Quote:
Originally Posted by rcfa View Post

it's impossible to discern if an iOS device is hacked or is running spyware, unless the user has root access, which currently is only possible by jail-breaking.

 

Uh… correct me if I’m wrong, but that means you instantaneously know if it is hacked or running spyware, because the only way for that to have happened is via jailbreaking. Therefore SINCE you can check (or can’t), you CAN know, either by checking (and finding out yes or no) or by being unable to check (which equals no).

 

 

No, it's not the only way. E.g. Apple could have a secret agreement with the NSA or some law enforcement agency to install spyware on iOS devices that could be turned on at will. With root access, the device is open to scrutiny; without root access all you have is blind trust in a company that according to the infamous PATRIOT act could be coerced into cooperation and forced to remain silent about such a cooperation. A non-root-access device is security through obscurity of the worst sort.

Quote:
Originally Posted by rcfa View Post

I like iOS devices to be non-jailbreakable (i.e. be secure), but with the legitimate user/owner having full root access, just like on any other decent computing system.

 

Contradiction in phrases, and you should know that. Full access, all the time, means not secure.

 

No contradiction at all. Just because the owner of a device can sudo to root doesn't mean the device is insecure. e.g. I have full root access to my Mac, but that doesn't mean that I'm permanently logged in as root nor does it mean that my application software or anything I do regularly is running with root privileges or outside the sandbox.

 

The question is not how software runs most of the time or by default, but whether or not the legitimate user and owner of the device is locked out of the machine he bought with his hard earned money, or whether he has the right and ability to open up a shell, inspect running processes, su to root, and inspect the kernel, etc. for various traces of suspicious behavior and code.

The question is, among other things, whether you can use your old (or new) iOS device for whatever purpose you like to use it for (e.g. to control a robot with custom software and custom device drivers) or if you're stuck to use what belongs to you for whatever purpose Apple sees fit and approves through various expensive "made for iPhone" programs and the like.

Quote:
Originally Posted by rcfa View Post

That's the same sort of asinine comment that ignoramuses throw e.g. at art critics: one doesn't have to be a successful author to be a literary critic; one doesn't have to be a successful musician to be a good music critic.

Absolutely correct, BUT “Tim Cook should have done x because I know better than Apple” helps no one.

 

No, Tim Cook shouldn't have done X because I know better, but Tim Cook should not prevent me from exercising my rights to fully own and control a device for which I paid. If Apple gives away iPhones for free, e.g. in some ad-sponsored scheme like the one Amazon is rumored to be considering for a potential Kindle phone, then they have the right to restrict the phone. But if I buy the device at full cost, then I shouldn't be locked out of my own device.

 

The idea that a device that the owner can access as root is an insecure device is bogus. Insecure is a device that someone other than the user can access as root, not a device that gives the owner root access.

 

The Mac model is just fine: Apple can decide what's simple and safe, and that's what's available in the Mac AppStore. But, and here's the difference to the iOS devices, on the Mac I have the liberty to install other software and access the device as root. My Macs contain more and more sensitive data than my iOS devices, and they are equally permanently connected to the internet, likely at a higher bandwidth and likely less often changing IP addresses, and they need to remain secure, too.

 

Unless Apple wants to start advertising that Macs and OS X are insecure, it's bogus to say that an iOS device that would grant the rightful owner root access upon request would be any less secure than iOS devices are now.

 

The lack of root access is simply a matter of Apple being better able to monetize the device and ecosystem because it makes alternatives to what Apple offers more difficult and completely subject to Apple's approval (e.g. the 30% cut Apple wants for all sales made through iOS apps). These 30% are OK in the case where Apple provides infrastructure and marketing (e.g. AppStore, iTunes store), but it's completely outrageous for purchases that are independently marketed and sold, where Apple essentially gets a 30% cut for being a payment service. Merchants (rightfully) bitch about the percentages Visa, MasterCard and Amex charge for CC transactions, because the cost of these transactions is minimal and the percentages are huge. But 30% is an order of magnitude more than any of these three companies charge for transactions and enough to make many business models impossible, because the margins just don't allow for transaction costs that high.

post #29 of 38
Quote:
Originally Posted by rcfa View Post
 

 

Security conscious people format their drive in case-sensitive mode: there were (and likely still are) a bunch of exploits that use case-insensitive file systems to the detriment of users. The thing is, OS X is UNIX, and just about all underlying FreeBSD, Linux, etc. tools that OS X is based on, assume a case-sensitive file system. Since they are written properly, most work just fine even on a case-insensitive file system, but there are boundary cases that have been exploited in the past (e.g. in regards to .htaccess files, etc.)

 

Further, lots of open source software uses build systems that are designed for case-sensitive file systems, e.g. differentiating between Makefile and makefile, which results in file name collisions under OS X. So if you need certain open source software on your Mac and need to compile it, or if you try to port it to the Mac, you need to run on a case-sensitive HFS+.

 

I've been doing that routinely. Further, language is case-sensitive, except where morons are at work.

Mr. DeSisto and Mr. Desisto are not the same person, and if I have a ~/Documents/Correspondence/<someLastName> folder hierarchy, I want to be able to have a folder named DeSisto and one named Desisto and be able to differentiate between the two.

 

Case-insensitivity is one of these moronic oversimplifications Apple is unfortunately known for. The fact that early systems were case-less because they were using TTY code (meaning essentially EVERYTHING WAS UPPERCASE) doesn't mean that that was a good thing. When Unix came as a more modern OS, it was well capable of distinguishing case, and it did so.

 

Just as Unicode is better than using code tables where a whole bunch of characters are "the same" unless you know which code table is applicable in a certain context. Nobody would argue for going back to code tables, yet people still argue for case-insensitivity simply because they can't admit that this is legacy cruft that finally needs to be done away with.

 

Oh, and in case you don't know (because you didn't jail-break your iOS device): iOS devices use a case-sensitive version of HFS+

So much for nobody using a case-sensitive version of HFS+...

 

 

Relying on case-sensitivity of the file system as a security precaution is like worrying if the burglar is going to break into your house by sneaking down the chimney.  Fact is, there are sooo many other open windows to worry about and lock down, that the chimney becomes insignificant.  Not to mention, a real hacker isn't going to be fooled or slowed-down or bothered whether the FS is case-sensitive or not.  And any exploit that breaks because it hits a case-sensitive FS is a comically badly written exploit.

 

All case-sensitivity does is be a pain, and just causes confusion for non-technical folks.


Edited by _Rick_V_ - 10/3/13 at 9:23pm
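The boundary case rcfa quotes above (a name-based rule, or a build tree, that assumes Makefile and makefile are different files) can be checked for mechanically. The following is an added example, not code from either poster: it folds names the way a case-insensitive HFS+ volume compares them and reports the collisions. The NFD normalisation step, the sample file list and the protected-name list are assumptions.

```javascript
// Fold a name the way a case-insensitive file system compares it. Unicode
// normalisation is included because HFS+ also normalises names (assumed NFD);
// for plain ASCII names this is just lower-casing.
function foldName(name) {
  return name.normalize('NFD').toLowerCase();
}

// Group path names by their folded form and return only the groups with more
// than one distinct original spelling: those are the names that are distinct on
// a case-sensitive volume but collide on a case-insensitive one.
function caseCollisions(names) {
  const groups = new Map();
  for (const name of names) {
    const key = foldName(name);
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(name);
  }
  const collisions = [];
  for (const [folded, set] of groups) {
    if (set.size > 1) collisions.push({ folded, names: [...set].sort() });
  }
  return collisions.sort((a, b) => a.folded.localeCompare(b.folded));
}

// Decide whether a requested name resolves to a protected file. An exact
// comparison is only correct on a case-sensitive volume; on a case-insensitive
// one the rule has to fold the name the same way the file system does.
function touchesProtected(requested, protectedNames, { caseSensitive }) {
  if (caseSensitive) return protectedNames.includes(requested);
  const folded = foldName(requested);
  return protectedNames.some((p) => foldName(p) === folded);
}

// Constructed sample source tree with the Makefile/makefile pair from the post
// and a second, less obvious collision under src/.
const sampleTree = ['Makefile', 'makefile', 'README', 'src/Main.c', 'src/main.c', 'src/util.c'];
const sampleCollisions = caseCollisions(sampleTree);
// -> two collisions: Makefile/makefile and src/Main.c/src/main.c

// Constructed protected-name list: the exact-match rule misses a case variant,
// the folded rule catches it.
const protectedFiles = ['.htaccess', '.htpasswd'];
const exactRuleHit = touchesProtected('.HTACCESS', protectedFiles, { caseSensitive: true });   // false
const foldedRuleHit = touchesProtected('.HTACCESS', protectedFiles, { caseSensitive: false }); // true
```

Running caseCollisions over a real source tree before building on a case-insensitive volume lists exactly the files that will overwrite each other.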
post #30 of 38
Quote:
Originally Posted by rcfa View Post
 

 

No, it's not the only way. e.g. Apple could have a secret agreement with the NSA or some law enforcement agency to install a spyware software on iOS devices that could be turned on at will. With root access, the device is open to scrutiny, without root access all you have is blind trust in a company that according to the infamous PATRIOT act could be coerced into cooperation and forced to remain silent about such a cooperation. A non-root access device is security through obscurity of the worst sort.

 
 

 


Yes, your argument mirrors exactly what's happening to the real world. Let's see...

 

  • Android = open : and we have rampant viruses and malware.
  • iOS = closed : no known malware, beyond a couple proof-of-concept things like from Charlie Miller.

 

Open source wins!  Yup, sounds like you should get an Android, where you can get your root access... ;) 

 

Kidding aside, if you're truly worried about something like the NSA, then you really shouldn't have any smartphone at all. OR a phone at all. OR a credit card.  OR a computer.  Because having root access to your smartphone or computer ain't gonna protect you, period. 

post #31 of 38
Quote:
Originally Posted by mstone View Post
 

 

Check your url. It doesn't work for me.

 

LOL. His URL has a unique PIN number. Of course it won't work for you. It's probably a one-time-use PIN number.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
Reply

post #32 of 38
Quote:
Originally Posted by mstone View Post

Doesn't everyone? Screw up or not, that is the biggest complaint, that no one has cracked the subscription model to be able to pirate the software.

I used Photoshop a lot and after working with it for quite some time using trial versions, I decided to finally take the plunge and buy it.

However, along came Pixelmator and it did everything I needed. I didn't use Photoshop for my day job (or night job for that matter), so what Pixelmator offered was enough for me and I am pretty satisfied with it. So whether it is the subscription model that nobody has been able to crack yet, or the previous model, where it was really expensive, I am not all that bothered.

But I can say that I didn't face any problems with Photoshop. For a while it was my favourite software - beating out anything that Corel had or any of the other photo editing software back then.
post #33 of 38
Yeah, I was super stoked when I got this email. Card expires in November, anyway, but I'd rather not have to deal with it.

Shrug?

I doubt it was a lack of effort on Adobe's part, but still annoying.
post #34 of 38
Quote:
Originally Posted by mstone View Post

His rant is pure BS angry Linux geek. Yeah Adobe doesn't run natively on Linux. For people like me who use Adobe CC all day long every day and make a good living at it know the power of the tools. People who bitch about Adobe CC as being a terrible product do not use it to make money. It is a fantastic suite, always has been and nothing comes close for professional work. All sour grapes because they can't pirate it now.

I think the truth lies midway between the extremes of this discussion. Adobe's code is probably desperately in need of a total rewrite. Just speaking for myself, I hate the Windows style interfaces they use ... but there is nothing else out there as an option to most of their software. That I wish were not true but it is.

BTW Just so you know ... Pirates of the cloud version that run locally are out there in the wild already I hear so 'sour grapes' probably doesn't come into the discussion.
Use duckduckgo.com with Safari, not Google Search
Been using Apples since 1978 and Macs since 1984
Long on AAPL so biased. Strong advocate for separation of technology and politics on AI.
Reply
post #35 of 38
Quote:
Originally Posted by rcfa View Post

No, Tim Cook shouldn't have done X because I know better, but Tim Cook should not prevent me from exercising my rights to fully own and control a device for which I paid. If Apple gives away iPhones for free e.g. in some ad-sponsored scheme like is rumored Amazon might use for a potential kindle-phone, then they have the right to restrict the phone. But if I buy the device at full cost, then I shouldn't be locked out of my own device.

Absolute nonsense.

The Mac is a "closed" system (to use the terminology that is widely used, even though it's not really accurate). Always has been. Probably always will be. You knew that when you bought it. If you can't live with that, no one's making you buy a Mac or iPhone. Feel free to buy a Linux or Android device if you wish.

Apple's business model is clear. You don't get to change it after the fact simply because you don't like it.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
post #36 of 38
Quote:
Originally Posted by GadgetCanadaV2 View Post
 

 

mstone just got nuked. Nice work rcfa!

 

:lol: [mushroom cloud]...

post #37 of 38
Quote:
Originally Posted by 9secondko View Post

Brought to you by Creative Cloud.

They only recently passed 1 million subscribers so 1.9m cards must have been for perpetual license products entered long before their new business model took effect.

Many big companies are being targeted:

http://dealbook.nytimes.com/2013/07/25/arrests-planned-in-hacking-of-financial-companies/?_r=0

This data shouldn't really need to be stored, even by banks. If they put out cards that used encryption key pairs, one of the keys would be stored on the card along with an ID. When you need to use your card, it would send the ID number so the bank's server knows which public key to use and it would send a random encrypted message down, which the hardware would decode and send it back, verifying the card.

This card can be a USB stick or have some BLE tech and a battery + solar charging like a calculator. The time that it's in use is just to verify a purchase so it should last long between card renewals. It can have another verification mechanism on top like a PIN code but wouldn't need buttons or a display, just a grid of touch sensors and the card would let you change this as long as you knew the previous one.

When you are in a store or on a computer, you just take out the card and enter the sequence to verify a purchase wirelessly. If the card is stolen, they just remove the key on the bank server and the card is useless. Unlike a magnetic strip card, nothing can scan the hardware so it's mostly useless if stolen.

No intermediates can ever store the private key as it can't leave the hardware. If any source database is hacked, they get public keys, which can't be used for anything. No more typing in card details either. They could also have an option to store multiple accounts on one card if the hardware they give out has a firmware and you'd use the interface to pick an account to use.
post #38 of 38

If you happen to be using my AppleInsider scriptlet, I have a minor update to address changes in the AI home page. As always consult your IT department before installing any JS from an unverified source.

 

javascript: (function () {
    // Hide an element by id; ids that are missing on a given page layout are skipped
    // instead of throwing and aborting the rest of the scriptlet.
    function hide(id) {
        var el = document.getElementById(id);
        if (el) { el.style.display = 'none'; }
    }
    // Set one style property on an element by id, if present.
    function style(id, prop, value) {
        var el = document.getElementById(id);
        if (el) { el.style[prop] = value; }
    }
    hide('headline-module');
    hide('top-promo');
    hide('leaderboard');
    hide('footer');
    hide('sidebar-left');
    hide('sidebar-right');
    style('content', 'marginLeft', '-180px');
    style('content', 'width', '1100px');
    style('content-home', 'backgroundColor', '#eaeaea');
    style('content-home', 'width', '1100px');
    style('header', 'marginLeft', '0px');
    style('wordmark', 'marginTop', '20px');
    // 'none' clears the background image; url(none.jpg) would request a file that does not exist.
    document.body.style.backgroundImage = 'none';
    document.body.style.backgroundColor = '#eaeaea';
    document.body.style.fontSize = '14px';
    document.body.style.letterSpacing = '.08em';
    var i;
    // Shrink headlines.
    var theH1s = document.getElementsByTagName('h1');
    for (i = 0; i < theH1s.length; i++) {
        theH1s[i].style.fontSize = '18px';
    }
    // Hide every image.
    var imgs = document.getElementsByTagName('img');
    for (i = 0; i < imgs.length; i++) {
        imgs[i].style.display = 'none';
    }
    var cn = document.getElementsByClassName('container');
    for (i = 0; i < cn.length; i++) {
        cn[i].style.backgroundColor = '#eaeaea';
    }
    var cn2 = document.getElementsByClassName('river-img-wrap');
    for (i = 0; i < cn2.length; i++) {
        cn2[i].style.display = 'none';
    }
})();

Life is too short to drink bad coffee.

Reply
