from the information-wants-to-be-free? dept.
Adobe is showing that it can be transparent about its security practices:
Having some transparency about security problems with software is great, but Adobe's Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT's e-mail account—both the public and the private keys. The keys have since been taken down, and a new public key has been posted in its stead.
The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen:
Oh shit Adobe pic.twitter.com/7rDL3LWVVz
— Juho Nurminen (@jupenur) September 22, 2017Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account.
Also at The Register and Wccftech.
[How many here have done something like this? Perhaps an extra file accidentally uploaded to GitHub? --Ed.]
(Score: 3, Funny) by looorg on Saturday September 23 2017, @05:29PM (4 children)
Sounds more like incompetence, they didn't know how this public key "magic" was/is supposed to work with a public key and a private key so they just included everything.
I guess the other members of the PSIRT had a bit of a laugh and it will be a constant reminder for year and years, "Hey remember when you posted the private PGP key on the Internet?" or "At least it wasn't as bad as when gave out the private PGP key" for when some future mistake happens.
(Score: 0) by Anonymous Coward on Saturday September 23 2017, @06:03PM (3 children)
This also shows how public/private key cryptography is just too impractical for most people to use. Even those with some technical knowledge find it difficult to work with, and it's far too easy to make catastrophic mistakes with. It's far beyond what normal people can manage to handle. That's why it has been a dead end for so long. Unless it's done completely transparently to the end user, like in the case of HTTPS, it's doomed to be a failure.
(Score: 1, Insightful) by Anonymous Coward on Saturday September 23 2017, @06:09PM (1 child)
> Even those with some technical knowledge
Given the decline in quality from Adobe (their early stuff like Postscript language and programming manuals were great), you may be giving them too much credit??
(Score: 2) by stretch611 on Saturday September 23 2017, @06:47PM
Thats what happens when you outsource everything to the lowest bidder.
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 5, Interesting) by frojack on Saturday September 23 2017, @06:40PM
PGP was written as a back end process meant to be included in emailers, security systems, signing keys, and such.
Because proper integration (just now becoming common) was long in coming, (i speculate due to government pressure), PGP ended up as a stand alone product, and jury rigged into emailers (the main common man-in-the-street use) in such a way that only the geeks could survive.
Now emailers, at least, are starting to automate the whole process, including the key generation, publishing, and use.
So, yes, its a hornets nest, but only because it was half done, and thrown to the userbase in a state far too primitive for users to integrate.
Just getting your private key to all your devices is something of a bitch.
No, you are mistaken. I've always had this sig.
(Score: 2) by Chromium_One on Saturday September 23 2017, @06:14PM
Like I said before, incompetent people at Adobe.
https://soylentnews.org/comments.pl?sid=21627&cid=570246 [soylentnews.org]
You can argue about PGP and associated tools being user-unfriendly or whatnot, but at the end of it, you have to acknowledge that this was a user not reading what was in front of them.
When you live in a sick society, everything you do is wrong.
(Score: 0) by Anonymous Coward on Saturday September 23 2017, @06:21PM (2 children)
It is my understanding that private keys have passphrase protection. This makes me wonder if there are any public efforts, in addition to goodness knows how many private ones, to figure out the passphrase for the key. I would be interested to see if they at least took the advice of having a strong one.
(Score: 4, Informative) by stretch611 on Saturday September 23 2017, @06:43PM (1 child)
Private keys *can* have passphrase protection. However it is not a requirement and many times people avoid the extra step of adding a passphrase when generating a key.
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 2) by frojack on Saturday September 23 2017, @09:35PM
I'd say most times people don't put passwords on their private keys.
It makes automated use of these signatures complex or impossible. Unattended things will fail or halt when you are not around to deal with it.
You can use/add/change your passphrase any time you want, and it can be different on each machine holding your private key. The pgp private key is encrypted only locally, and the key itself is not affected.
Ultimately, its not wise to put your un-encrypted private key on any machine you don't have sole control over. But I'd bet most people don't encrypt their private key at all.
No, you are mistaken. I've always had this sig.
(Score: 1, Funny) by Anonymous Coward on Saturday September 23 2017, @08:41PM
Cuz then instead of the lovely *** you get the actual chars visible!
What a stupid thing to do but has happened to me more than once.
(Score: 4, Touché) by darkfeline on Saturday September 23 2017, @09:39PM
This was clearly intentional. Adobe was outsourcing the revocation of its private key to the public.
Join the SDF Public Access UNIX System today!
(Score: 1, Insightful) by Anonymous Coward on Saturday September 23 2017, @10:26PM (3 children)
It seems nobody checks before going ahead, not even a single, less so double check. Say you run "blah > foo.txt". Some people upload foo.txt, others first do "less foo.txt" and check it really looks like it should, and even download back to confirm it works. Maybe something failed and you would send nothing, or permissions are wrong, or URL is wrong... wasting receiver's time. "Measure twice, cut once" old guys told us.
Same with code, some people commit and push, then realize it doesn't compile or that a file was not in the commit. Others run the tests first, check the diff, maybe merge/split commits, and when 99% sure, push and cross fingers. Bonus: things like git bisect keep working as intended. Also it means you care enough to not throw random crap to other coders. But it doesn't show, as most of the times it will work smoothly. Sometimes you wonder if some coders are dumb or think "more, faster commits and pushes" is so important, or just want to be noticed at all costs, even by the trail of crap left. Maybe stat tools should do a "-12 commits" (1 for original, 1 for fix, 10 as extra penalty) to punish such behaviour, as it seems to regularly happen with those "proud" of their commit count.
But some projects are beyond hope, not long ago I saw a thread with full (top) quoting (back and forth reading!), every new message just requesting some new commits to be added to a release branch, or confirming inclusion, or discussing small details. The final straw was when near the end someone posted a pastebin of commits to be used and I noticed the email was bigger than such list (of course, every signature was there, including the list one, multiple times... commit hashes are OK-ish because most users are unable to pick a good email reader to see past exchanges, but signatures? FFS!). So the result of the clean up was sent to a third party that will go down at random, and the chaotic exchange was generating more net traffic than a properly trimmed thread.
(Score: 2) by frojack on Sunday September 24 2017, @03:49AM (2 children)
Similar to your post.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Sunday September 24 2017, @04:11AM (1 child)
frojack, the one that vents at
the barSN with perfect order.(Score: 0) by Anonymous Coward on Sunday September 24 2017, @04:34AM
Another round for everyone, frojack pays. Not enough drunk grandpa rants for a Saturday.
(Score: -1, Flamebait) by Anonymous Coward on Sunday September 24 2017, @03:46PM
"How many here have done something like this?"
zero. only stupid windows using slaveware peddlers at Adobe and other Shit Factories (or government agencies) do stupid shit like this.