Adobe is showing that it can be transparent about its security practices:
Having some transparency about security problems with software is great, but Adobe's Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT's e-mail account—both the public and the private keys. The keys have since been taken down, and a new public key has been posted in its stead.
The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen:
Oh shit Adobe pic.twitter.com/7rDL3LWVVz
— Juho Nurminen (@jupenur) September 22, 2017Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account.
Also at The Register and Wccftech.
[How many here have done something like this? Perhaps an extra file accidentally uploaded to GitHub? --Ed.]
(Score: 0) by Anonymous Coward on Saturday September 23 2017, @06:03PM (3 children)
This also shows how public/private key cryptography is just too impractical for most people to use. Even those with some technical knowledge find it difficult to work with, and it's far too easy to make catastrophic mistakes with. It's far beyond what normal people can manage to handle. That's why it has been a dead end for so long. Unless it's done completely transparently to the end user, like in the case of HTTPS, it's doomed to be a failure.
(Score: 1, Insightful) by Anonymous Coward on Saturday September 23 2017, @06:09PM (1 child)
> Even those with some technical knowledge
Given the decline in quality from Adobe (their early stuff like Postscript language and programming manuals were great), you may be giving them too much credit??
(Score: 2) by stretch611 on Saturday September 23 2017, @06:47PM
Thats what happens when you outsource everything to the lowest bidder.
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 5, Interesting) by frojack on Saturday September 23 2017, @06:40PM
PGP was written as a back end process meant to be included in emailers, security systems, signing keys, and such.
Because proper integration (just now becoming common) was long in coming, (i speculate due to government pressure), PGP ended up as a stand alone product, and jury rigged into emailers (the main common man-in-the-street use) in such a way that only the geeks could survive.
Now emailers, at least, are starting to automate the whole process, including the key generation, publishing, and use.
So, yes, its a hornets nest, but only because it was half done, and thrown to the userbase in a state far too primitive for users to integrate.
Just getting your private key to all your devices is something of a bitch.
No, you are mistaken. I've always had this sig.