Adobe security breach compromises 2.9M customer accounts, encrypted credit card data stolen

2»

Comments

  • Reply 21 of 39
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Suddenly Newton View Post



     I want a two-year free Creative Cloud subscription.

    Doesn't everyone?  Screw up or not that is the biggest complaint, that no one has cracked the subscription model to be able pirate the software.

  • Reply 22 of 39
    New Adobe Survey. If you are not happy with CC being the only choice, let them know. http://deploy.ztelligence.com/start/survey/survey_taking.jsp?PIN=16BNF7XXXKLNX%uFEFF
  • Reply 23 of 39
    mstonemstone Posts: 11,510member
    Quote:

    Originally Posted by lasvideo View Post



    New Adobe Survey. If you are not happy with CC being the only choice, let them know. http://deploy.ztelligence.com/start/survey/survey_taking.jsp?PIN=16BNF7XXXKLNX%uFEFF

     

    Check your url. It doesn't work for me.

  • Reply 24 of 39
    rcfarcfa Posts: 1,124member
    Quote:

    Originally Posted by mstone View Post

     
    Quote:
    Originally Posted by rcfa View Post

     
     which means the moment the software is on a case-sensitive file system, it breaks. This is a horrendous coding practice.


    Although one could format a volume with HFS + and choose to make it case sensitive no one ever does this and no Mac OS has ever been case sensitive by default since the very beginning with 400K floppies. Windows can also be formatted to be case sensitive but no one ever does that either.


     

    Security conscious people format their drive in case-sensitive mode: there were (and likely still are) a bunch of exploits that use case-insensitive file systems to the detriment of users. The thing is, OS X is UNIX, and just about all underlying FreeBSD, Linux, etc. tools that OS X is based on, assume a case-sensitive file system. Since they are written properly, most work just fine even on a case-insensitive file system, but there are boundary cases that have been exploited in the past (e.g. in regards to .htaccess files, etc.)

     

    Further, lots of open source software uses build systems that are designed for case-sensitive file systems, e.g. differentiating between Makefile and makefile, which results in file name collisions under OS X. So if you need certain open source software on your Mac and need to compile it, or if you try to port it to the Mac, you need to run on a case-sensitive HFS+.

     

    I've been doing that routinely. Further, language is case-sensitive, except where morons are at work.

    Mr. DeSisto and Mr. Desisto are not the same person, and if I have a ~/Documents/Correspondence/<someLastName> folder hierarchy, I want to be able to have a folder named DeSisto and one named Desisto and be able to differentiate between the two.

     

    case-insensitivy is one of these moronic oversimplifications Apple is unfortunately known for. The fact that early systems were case-less because they were using TTY code (meaning essentially EVERYTHING WAS UPPERCASE) doesn't mean that that was a good thing. When Unix came as a more modern OS, it was well capable of distinguishing case, and it did so.

     

    Just as Unicode is better than using code-tables where a whole bunch of characters are "the same" unless you know which code table is applicable in a certain context. Nobody would argue going back to code tables, yet people still argue for case-insensitivity simply because they can't admit, that this is legacy cruft that finally needs to be done away with.

     

    Oh, and in case you don't know (because you didn't jail-break your iOS device): iOS devices use a case-sensitive version of HFS+

    So much for nobody using a case-sensitive version of HFS+...

  • Reply 25 of 39
    rcfarcfa Posts: 1,124member
    Quote:

    Originally Posted by mstone View Post

     
    For people like me who use Adobe CC all day long every day and make a good living at it know the power of the tools. People who bitch about Adobe CC as being a terrible product do not use it to make money. It is a fantastic suite, always has been and nothing comes close for professional work. All sour grapes because they can't pirate it now.


     

    Horrendous reasoning. Look, just because someone makes a lot of money using a Chevy Astrovan doesn't mean it's a good van. A Freighliner Sprinter (i.e. a Mercedes Sprinter), beats its it in just about every aspect (except price).

     

    The fact that Photoshop works doesn't mean it's great software, just like Windows "working" doesn't mean it's great software.

    It does the job and it didn't have enough competition and thus it became the entrenched standard that is difficult to pass by when working in certain fields that's pretty much all that's going for Adobe's junk, just like Windows does the job and is entrenched in the business computing, which makes it hard to get past using it in many fields. But none of that makes Windows or Adobe software any better in terms of quality from a software engineering point of view.

     

    To try to deflect the discussion towards software piracy is total lunacy and is pretty much admission of defeat, because when all other reasoning fails, then the last resort of any scoundrel is to try to besmirch the opponent with some unrelated allegation and innuendo.

     

    Please go away and don't come back until you did your home work on software engineering and history of computing. We'll all thank you!

  • Reply 26 of 39
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by rcfa View Post



    To try to deflect the discussion towards software piracy is total lunacy and is pretty much admission of defeat, because when all other reasoning fails, then the last resort of any scoundrel is to try to besmirch the opponent with some unrelated allegation and innuendo.

     


    I think that Adobe's decision to go subscription was greatly influenced by the extreme prevalence of pirating of their titles. Thanks for your insight into the world of uber geekdom that almost no one cares about. Fortunately, no one needs to concern themselves with case sensitivity except to make sure they understand that their files for their website might be case sensitive if they are on Linux, which I am fully aware of since 90% of my websites are on Linux. I've been working on NIX-like OSs since the early 90's so case sensitivity is nothing new to me. I'm just not affected by the issue in any Adobe software.

  • Reply 27 of 39
    rcfarcfa Posts: 1,124member
    Quote:

    Originally Posted by Tallest Skil View Post

     
    Originally Posted by rcfa View Post

    its impossible to discern if an iOS device is hacked or is running spyware, unless the user has root access, which currently is only possible by jail-breaking.


     

    Uh… correct me if I’m wrong, but that means you instantaneously know if it is hacked or running spyware, because the only way for that to have happened is via jailbreaking. Therefore SINCE you can check (or can’t), you CAN know, either by checking (and finding out yes or no) or by being unable to check (which equals no).

     


     

    No, it's not the only way. e.g. Apple could have a secret agreement with the NSA or some law enforcement agency to install a spyware software on iOS devices that could be turned on at will. With root access, the device is open to scrutiny, without root access all you have is blind trust in a company that according to the infamous PATRIOT act could be coerced into cooperation and force to remain silent about such a cooperation. A non-root access device is security through obscurity of the worst sort.

     






    I like iOS devices to be non-jailbreakable (i.e. be secure), but with the legitimate user/owner having full root access, just like on any other decent computing system.

     

    Contradiction in phrases, and you should know that. Full access, all the time, means not secure.



     

    No contradiction at all. Just because the owner of a device can sudo to root doesn't mean the device is insecure. e.g. I have full root access to my Mac, but that doesn't mean that I'm permanently logged in as root nor does it mean that my application software or anything I do regularly is running with root privileges or outside the sandbox.

     

    The question is not how software runs most of the time or by default, but whether or not the legitimate user and owner of the device is locked out of the machine he bought with his hard earned money, or whether he has the right and ability to open up a shell, inspect running processes, su to root, and inspect the kernel, etc. for various traces of suspicious behavior and code.

    The question is, among other things, whether you can use your old (or new) iOS device for whatever purpose you like to use it for (e.g. to control a robot with custom software and custom device drivers) or if you're stuck to use what belongs to you for whatever purpose Apple sees fit and approves through various expensive "made for iPhone" programs and the like.

     








    That's the same sort of asinine comment that ignoramuses throw e.g. at art critics: one doesn't have to be a successful author to be a literary critic; one doesn't have to be a successful musician to be a good music critic.


    Absolutely correct, BUT “Tim Cook should have done x because I know better than Apple” helps no one.


     


    No, Tim Cook shouldn't have done X because I know better, but Tim Cook should not prevent me from exercising my rights to fully own and control a device for which I paid. If Apple gives away iPhones for free e.g. in some ad-sponsored scheme like is rumored Amazon might use for a potential kindle-phone, then they have the right to restrict the phone. But if I buy the device at full cost, then I shouldn't be locked out of my own device.

     

    The idea that a device that the owner can access as root is an insecure device is bogus. Insecure is a device that someone other than the user can access as root, not a device that gives the owner root access.

     

    The Mac model is just fine: Apple can decide what's simple and safe, and that's what's available in the Mac AppStore. But, and here's the difference to the iOS devices, on the Mac I have the liberty to install other software and access the device as root. My Macs contain more and more sensitive data than my iOS devices, and they are equally permanently connected to the internet, likely at a higher bandwidth and likely less often changing IP addresses, and they need to remain secure, too.

     

    Unless Apple wants to start advertising that Macs and OS X are insecure, it's bogus to say that an iOS device that would grant the rightful owner root access upon request would be any less secure than iOS devices are now.

     

    The lack of root access is simply a matter of Apple being better able to monetize the device and ecosystem because it makes alternatives to what Apple offers more difficult and completely subject to Apple's approval (e.g. the 30% cut Apple wants for all sales made through iOS apps). These 30% are OK in the case where Apple provides infrastructure and marketing (e.g. AppStore, iTunes store), but it's completely outrageous for purchases that are independently marketed and sold, where Apple essentially gets a 30% cut for being a payment service. Merchants (rightfully) bitch about the percentages Visa, MasterCard and Amex charge for CC transactions, because the cost of these transactions is minimal and the percentages are huge. But 30% is an order of magnitude more than any of these three companies charge for transactions and enough to make many business models impossible, because the margins just don't allow for transaction costs that high.

  • Reply 28 of 39
    Quote:
    Originally Posted by rcfa View Post

     

     

    Security conscious people format their drive in case-sensitive mode: there were (and likely still are) a bunch of exploits that use case-insensitive file systems to the detriment of users. The thing is, OS X is UNIX, and just about all underlying FreeBSD, Linux, etc. tools that OS X is based on, assume a case-sensitive file system. Since they are written properly, most work just fine even on a case-insensitive file system, but there are boundary cases that have been exploited in the past (e.g. in regards to .htaccess files, etc.)

     

    Further, lots of open source software uses build systems that are designed for case-sensitive file systems, e.g. differentiating between Makefile and makefile, which results in file name collisions under OS X. So if you need certain open source software on your Mac and need to compile it, or if you try to port it to the Mac, you need to run on a case-sensitive HFS+.

     

    I've been doing that routinely. Further, language is case-sensitive, except where morons are at work.

    Mr. DeSisto and Mr. Desisto are not the same person, and if I have a ~/Documents/Correspondence/<someLastName> folder hierarchy, I want to be able to have a folder named DeSisto and one named Desisto and be able to differentiate between the two.

     

    case-insensitivy is one of these moronic oversimplifications Apple is unfortunately known for. The fact that early systems were case-less because they were using TTY code (meaning essentially EVERYTHING WAS UPPERCASE) doesn't mean that that was a good thing. When Unix came as a more modern OS, it was well capable of distinguishing case, and it did so.

     

    Just as Unicode is better than using code-tables where a whole bunch of characters are "the same" unless you know which code table is applicable in a certain context. Nobody would argue going back to code tables, yet people still argue for case-insensitivity simply because they can't admit, that this is legacy cruft that finally needs to be done away with.

     

    Oh, and in case you don't know (because you didn't jail-break your iOS device): iOS devices use a case-sensitive version of HFS+

    So much for nobody using a case-sensitive version of HFS+...


     

     

    Relying on case-sensitivity of the file system as a security precaution is like worrying if the burglar is going to break into your house by sneaking down the chimney.  Fact is, there are sooo many other open windows to worry about and lock down, that the chimney becomes insignificant.  Not to mention, a real hacker isn't going to be fooled or slowed-down or bothered whether the FS is case-sensitive or not.  And any exploit that breaks because it hits a case-sensitive FS is a comically badly written exploit.

     

    All case-sensitivity does is be a pain, and just causes confusion for non-technical folks.

  • Reply 29 of 39
    Quote:
    Originally Posted by rcfa View Post

     

     

    No, it's not the only way. e.g. Apple could have a secret agreement with the NSA or some law enforcement agency to install a spyware software on iOS devices that could be turned on at will. With root access, the device is open to scrutiny, without root access all you have is blind trust in a company that according to the infamous PATRIOT act could be coerced into cooperation and force to remain silent about such a cooperation. A non-root access device is security through obscurity of the worst sort.

     


     

     

    No contradiction at all. Just because the owner of a device can sudo to root doesn't mean the device is insecure. e.g. I have full root access to my Mac, but that doesn't mean that I'm permanently logged in as root nor does it mean that my application software or anything I do regularly is running with root privileges or outside the sandbox.

     

    The question is not how software runs most of the time or by default, but whether or not the legitimate user and owner of the device is locked out of the machine he bought with his hard earned money, or whether he has the right and ability to open up a shell, inspect running processes, su to root, and inspect the kernel, etc. for various traces of suspicious behavior and code.

    The question is, among other things, whether you can use your old (or new) iOS device for whatever purpose you like to use it for (e.g. to control a robot with custom software and custom device drivers) or if you're stuck to use what belongs to you for whatever purpose Apple sees fit and approves through various expensive "made for iPhone" programs and the like.

     



     


    No, Tim Cook shouldn't have done X because I know better, but Tim Cook should not prevent me from exercising my rights to fully own and control a device for which I paid. If Apple gives away iPhones for free e.g. in some ad-sponsored scheme like is rumored Amazon might use for a potential kindle-phone, then they have the right to restrict the phone. But if I buy the device at full cost, then I shouldn't be locked out of my own device.

     

    The idea that a device that the owner can access as root is an insecure device is bogus. Insecure is a device that someone other than the user can access as root, not a device that gives the owner root access.

     

    The Mac model is just fine: Apple can decide what's simple and safe, and that's what's available in the Mac AppStore. But, and here's the difference to the iOS devices, on the Mac I have the liberty to install other software and access the device as root. My Macs contain more and more sensitive data than my iOS devices, and they are equally permanently connected to the internet, likely at a higher bandwidth and likely less often changing IP addresses, and they need to remain secure, too.

     

    Unless Apple wants to start advertising that Macs and OS X are insecure, it's bogus to say that an iOS device that would grant the rightful owner root access upon request would be any less secure than iOS devices are now.

     

    The lack of root access is simply a matter of Apple being better able to monetize the device and ecosystem because it makes alternatives to what Apple offers more difficult and completely subject to Apple's approval (e.g. the 30% cut Apple wants for all sales made through iOS apps). These 30% are OK in the case where Apple provides infrastructure and marketing (e.g. AppStore, iTunes store), but it's completely outrageous for purchases that are independently marketed and sold, where Apple essentially gets a 30% cut for being a payment service. Merchants (rightfully) bitch about the percentages Visa, MasterCard and Amex charge for CC transactions, because the cost of these transactions is minimal and the percentages are huge. But 30% is an order of magnitude more than any of these three companies charge for transactions and enough to make many business models impossible, because the margins just don't allow for transaction costs that high.


     

     

    Yes, your argument mirrors exactly what's happening to the real world. Let's see...

     


    • Android = open : and we have rampant viruses and malware.

    • iOS = closed : no known malware, beyond a couple proof-of-concept things like from Charlie Miller.

     

    Open source wins!  Yup, sounds like you should get an Android, where you can get your root access... ;) 

     

    Kidding aside, if you're truly worried about something like the NSA, then you really shouldn't have any smartphone at all. OR a phone at all. OR a credit card.  OR a computer.  Because having root access to your smartphone or computer ain't gonna protect you, period. 

  • Reply 30 of 39
    Quote:

    Originally Posted by mstone View Post

     

     

    Check your url. It doesn't work for me.


     

    LOL. His URL has unique PIN number. Of course it won't work for you. It's probably one-time-use PIN number.

  • Reply 31 of 39
    mstone wrote: »
    Doesn't everyone?  Screw up or not that is the biggest complaint, that no one has cracked the subscription model to be able pirate the software.

    I used Photoshop a lot and after working with it for quite sometime using trial versions, I decided to finally take the plunge and buy it.

    However, along came Pixelmator and it did everything I needed. I didn't use Photoshop for my day-job (or night job for that matter), so what Pixelmator offered was enough for me and I am pretty satisfied with it. So whether it is subscription model that nobody has been able to crack yet, or the previous model, where it was really expensive, I am not all that bothered.

    But I can say that I didn't face any problems with Photoshop. For a while it was my favourite software - beating out anything that Corel had or any of the other photo editing software back then.
  • Reply 32 of 39
    Yeah, I was super stoked when I got this email. Card expires in november, anyway, but I'd rather not have to deal with it.

    Shrug?

    I doubt it was a lack of effort on adobe's part, but still annoying.
  • Reply 33 of 39
    MacProMacPro Posts: 19,426member
    mstone wrote: »
    His rant is pure BS angry Linux geek. Yeah Adobe doesn't run natively on Linux. For people like me who use Adobe CC all day long every day and make a good living at it know the power of the tools. People who bitch about Adobe CC as being a terrible product do not use it to make money. It is a fantastic suite, always has been and nothing comes close for professional work. All sour grapes because they can't pirate it now.

    I think the truth lies mid way between this extremes of this discussion. Adobe's code is probably desperately in need of a total rewrite. Just speaking for myself, I hate the Windows style interfaces they use ... but there is nothing else out there as an option to most of their software. That I wish were not true but it is.

    BTW Just so you know ... Pirates of the cloud version that run locally are out there in the wild already I hear so 'sour grapes' probably doesn't come into the discussion.
  • Reply 34 of 39
    jragostajragosta Posts: 10,473member
    rcfa wrote: »
    No, Tim Cook shouldn't have done X because I know better, but Tim Cook should not prevent me from exercising my rights to fully own and control a device for which I paid. If Apple gives away iPhones for free e.g. in some ad-sponsored scheme like is rumored Amazon might use for a potential kindle-phone, then they have the right to restrict the phone. But if I buy the device at full cost, then I shouldn't be locked out of my own device.

    Absolute nonsense.

    The Mac is a "closed" system (to use the terminology that is widely used, even though it's not really accurate). Always has been. Probably always will be. You knew that when you bought it. If you can't live with that, no one's making you buy a Mac or iPhone. Feel free to buy a Linux or Android device if you wish.

    Apple's business model is clear. You don't get to change it after the fact simply because you don't like it.
  • Reply 35 of 39

    .

  • Reply 36 of 39
    Quote:

    Originally Posted by GadgetCanadaV2 View Post

     

     

    mstone just got nuked. Nice work rcfa!


     

    <img class=" src="http://forums-files.appleinsider.com/images/smilies//lol.gif" /> [mushroom cloud]...

  • Reply 37 of 39
    MarvinMarvin Posts: 14,611moderator
    9secondko wrote: »
    Brought to you by Creative Cloud.

    They only recently passed 1 million subscribers so 1.9m cards must have been for perpetual license products entered long before their new business model took effect.

    Many big companies are being targeted:

    http://dealbook.nytimes.com/2013/07/25/arrests-planned-in-hacking-of-financial-companies/?_r=0

    This data shouldn't really need to be stored, even by banks. If they put out cards that used encryption key pairs, one of the keys would be store on the card along with an ID. When you need to use your card, it would send the ID number so the bank's server knows which public key to use and it would send a random encrypted message down, which the hardware would decode and send it back, verifying the card.

    This card can be a USB stick or have some BLE tech and a battery + solar charging like a calculator. The time that it's in use is just to verify a purchase so it should last long between card renewals. It can have another verification mechanism on top like a pin code but wouldn't need buttons or a display, just a grid of touch sensors and the card would let you change this as long as you knew the previous one.

    When you are in a store or on a computer, you just take out the card and enter the sequence to verify a purchase wirelessly. If the card is stolen, they just remove the key on the bank server and the card is useless. Unlike a magnetic strip card, nothing can scan the hardware so it's mostly useless if stolen.

    No intermediates can ever store the private key as it can't leave the hardware. If any source database is hacked, they get public keys, which can't be used for anything. No more typing in card details either. They could also have an option to store multiple accounts on one card if the hardware they give out has a firmware and you'd use the interface to pick an account to use.
  • Reply 38 of 39
    mstonemstone Posts: 11,510member

    If you happen to be using my AppleInsider scriptlet, I have a minor update to address changes in the AI home page. As always consult your IT department before installing any JS from an unverified source.

     

    javascript: (function() { 

    document.getElementById('headline-module').style.display = 'none';

    document.getElementById('top-promo').style.display = 'none';

    document.getElementById('content').style.marginLeft = '-180px';

    document.getElementById('content-home').style.backgroundColor = '#eaeaea';

    document.getElementById('header').style.marginLeft = '0px'; 

    document.getElementById('leaderboard').style.display = 'none';

    document.getElementById('footer').style.display = 'none';

    document.getElementById('content').style.width = '1100px';

    document.getElementById('sidebar-left').style.display = 'none';

    document.getElementById('sidebar-right').style.display = 'none'; 

    document.getElementById('content-home').style.width = '1100px';

    document.getElementById('wordmark').style.marginTop = '20px';

    document.body.style.backgroundImage = 'url(none.jpg)';

    document.body.style.backgroundColor = '#eaeaea';

    document.body.style.fontSize = '14px';

    document.body.style.letterSpacing = '.08em';

    var theH1s = document.getElementsByTagName('h1');

        for (var i = 0; i < theH1s.length; i++) {

        document.getElementsByTagName('h1')[i].style.fontSize = '18px';

        } 

    var divContent = document.getElementsByTagName('img');

        for (var i = 0; i < divContent.length; i++) { 

        divContent[i].setAttribute('style','display:none');

        }

    var cn = document.getElementsByClassName('container');

        for (var i = 0; i < cn.length; i++) { 

        cn[i].style.backgroundColor = '#eaeaea';

        }

    var cn2 = document.getElementsByClassName('river-img-wrap');

        for (var i = 0; i < cn2.length; i++) {

        cn2[i].style.display= 'none';

        }

    })();

  • Reply 39 of 39

    My name is David Cohen.  I do investigative work for a plaintiff firm in NYC.  We are looking to bring an action against Adobe Systems for failure to adequately notify customers about the breach.  Please advise anybody who may be affected.  I can be contacted at Work: 917/301-0430.

Sign In or Register to comment.