Stories
Slash Boxes
Comments

SoylentNews is people

Adobe Accidentally Publishes One of its Private PGP Keys

posted by martyb on Saturday September 23 2017, @04:10PM   Printer-friendly
from the information-wants-to-be-free? dept.

takyon writes:

Adobe is showing that it can be transparent about its security practices:

Having some transparency about security problems with software is great, but Adobe's Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT's e-mail account—both the public and the private keys. The keys have since been taken down, and a new public key has been posted in its stead.

The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen:

Oh shit Adobe pic.twitter.com/7rDL3LWVVz
— Juho Nurminen (@jupenur) September 22, 2017

Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account.

Also at The Register and Wccftech.

[How many here have done something like this? Perhaps an extra file accidentally uploaded to GitHub? --Ed.]

Original Submission

 
This discussion has been archived. No new comments can be posted.
Adobe Accidentally Publishes One of its Private PGP Keys | Log In/Create an Account | Top | 16 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Saturday September 23 2017, @06:03PM (3 children)

    by Anonymous Coward on Saturday September 23 2017, @06:03PM (#572139)

    This also shows how public/private key cryptography is just too impractical for most people to use. Even those with some technical knowledge find it difficult to work with, and it's far too easy to make catastrophic mistakes with. It's far beyond what normal people can manage to handle. That's why it has been a dead end for so long. Unless it's done completely transparently to the end user, like in the case of HTTPS, it's doomed to be a failure.

  • (Score: 1, Insightful) by Anonymous Coward on Saturday September 23 2017, @06:09PM (1 child)

    by Anonymous Coward on Saturday September 23 2017, @06:09PM (#572140)

    > Even those with some technical knowledge

    Given the decline in quality from Adobe (their early stuff like Postscript language and programming manuals were great), you may be giving them too much credit??

    • (Score: 2) by stretch611 on Saturday September 23 2017, @06:47PM

      by stretch611 (6199) on Saturday September 23 2017, @06:47PM (#572150)

      Given the decline in quality from Adobe...

      Thats what happens when you outsource everything to the lowest bidder.

      --
      Now with 5 covid vaccine shots/boosters altering my DNA :P

  • (Score: 5, Interesting) by frojack on Saturday September 23 2017, @06:40PM

    by frojack (1554) on Saturday September 23 2017, @06:40PM (#572148) Journal

    public/private key cryptography is just too impractical for most people to use.

    PGP was written as a back end process meant to be included in emailers, security systems, signing keys, and such.

    Because proper integration (just now becoming common) was long in coming, (i speculate due to government pressure), PGP ended up as a stand alone product, and jury rigged into emailers (the main common man-in-the-street use) in such a way that only the geeks could survive.

    Now emailers, at least, are starting to automate the whole process, including the key generation, publishing, and use.

    So, yes, its a hornets nest, but only because it was half done, and thrown to the userbase in a state far too primitive for users to integrate.
    Just getting your private key to all your devices is something of a bitch.

    --
    No, you are mistaken. I've always had this sig.