Adobe Tries to One-Up Equifax...Fails

FrgMstr

Just Plain Mean
Staff member
Joined
May 18, 1997
Messages
55,634
So, Adobe has made a feeble attempt to one-up Equifax's lunacy, and while Adobe gets points for trying, it still falls short...like Adobe usually does. But it is still not a good idea to leak your PRIVATE PGP key to the world.


It goes without saying that the disclosure of a private security key would, to put it mildly, ruin a few employees' Friday. Armed with the private key, an attacker could spoof PGP-signed messages as coming from Adobe. Additionally, someone (cough, cough the NSA) with the ability to intercept emails – such as those detailing exploitable Flash security vulnerability reports intended for Adobe's eyes only – could use the exposed key to decrypt messages that could contain things like, say, zero-day vulnerability disclosures.
 
What in the actual fuck is going on lately? Are these people completely retarded?
 
These things aren't zero day exploits or anything. They are just sheer stupidity. They are very preventable human error mistakes. Someone wasn't doing their job.
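The "very preventable human error" here is pasting the wrong key block into a web page. An added example, not code from the thread or from Adobe: a pre-publish scan that finds every ASCII-armored OpenPGP block in a post and blocks it if the block carries secret key material. It checks the BEGIN label and, because a label can be edited by hand, also decodes the body and reads the first packet tag (Secret-Key is tag 5, Public-Key is tag 6, per RFC 4880 section 4.3). The armored samples at the bottom are constructed dummies with filler payloads, not real keys.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# One armored block: BEGIN line, optional "Key: value" headers, base64 body, END line.
ARMOR_RE = re.compile(
    r"^-----BEGIN PGP (?P<label>[A-Z ]+)-----[ \t]*\r?\n"
    r"(?P<body>.*?)"
    r"^-----END PGP [A-Z ]+-----",
    re.MULTILINE | re.DOTALL,
)
HEADER_LINE_RE = re.compile(r"^[A-Za-z-]+: ")

# OpenPGP packet tags, RFC 4880 section 4.3.
SECRET_KEY_TAGS = {5, 7}    # Secret-Key, Secret-Subkey
PUBLIC_KEY_TAGS = {6, 14}   # Public-Key, Public-Subkey


def first_packet_tag(body: str) -> Optional[int]:
    """Decode the armored body and return the tag of its first packet (None if undecodable)."""
    b64 = []
    for ln in body.splitlines():
        ln = ln.strip()
        if not ln or HEADER_LINE_RE.match(ln) or ln.startswith("="):
            continue  # blank line, armor header, or the "=XXXX" CRC-24 line
        b64.append(ln)
    try:
        raw = base64.b64decode("".join(b64), validate=True)
    except ValueError:
        return None
    if not raw or not raw[0] & 0x80:    # bit 7 is set in every packet header
        return None
    ctb = raw[0]
    if ctb & 0x40:                      # new-format header: tag in the low six bits
        return ctb & 0x3F
    return (ctb >> 2) & 0x0F            # old-format header: tag in bits 2..5


@dataclass
class Finding:
    line: int
    label: str
    tag: Optional[int]
    secret: bool


def scan(text: str) -> list:
    """Locate every armored block and decide whether it carries secret key material.

    The label alone is not trusted: a block whose BEGIN line says PUBLIC KEY BLOCK
    but whose first packet is a Secret-Key packet is still flagged."""
    findings = []
    for m in ARMOR_RE.finditer(text):
        label = m.group("label")
        tag = first_packet_tag(m.group("body"))
        secret = label == "PRIVATE KEY BLOCK" or tag in SECRET_KEY_TAGS
        findings.append(Finding(text.count("\n", 0, m.start()) + 1, label, tag, secret))
    return findings


def safe_to_publish(text: str) -> bool:
    return not any(f.secret for f in scan(text))


def armor(label: str, raw: bytes) -> str:
    """Build a minimal armored block (constructed test data, no CRC line)."""
    return (f"-----BEGIN PGP {label}-----\nComment: constructed sample\n\n"
            f"{base64.b64encode(raw).decode()}\n-----END PGP {label}-----\n")


# Constructed dummy packets: old-format headers with a two-byte length
# (0x99 = tag 6 Public-Key, 0x95 = tag 5 Secret-Key); payloads are filler.
PUBLIC_PACKET = b"\x99\x00\x06" + b"\x04" + b"\x00" * 5
SECRET_PACKET = b"\x95\x00\x06" + b"\x04" + b"\x00" * 5

GOOD_POST = "Our public key:\n\n" + armor("PUBLIC KEY BLOCK", PUBLIC_PACKET)
LEAKED_POST = GOOD_POST + "\n" + armor("PRIVATE KEY BLOCK", SECRET_PACKET)
MISLABELED_POST = "Our public key:\n\n" + armor("PUBLIC KEY BLOCK", SECRET_PACKET)

if __name__ == "__main__":
    for name, post in [("good", GOOD_POST), ("leaked", LEAKED_POST), ("mislabeled", MISLABELED_POST)]:
        verdict = "OK" if safe_to_publish(post) else "BLOCK"
        print(f"{name:10s} {verdict}", [(f.line, f.label, f.tag) for f in scan(post)])
```

Wire `safe_to_publish` into whatever publishes the page (a CMS pre-save hook, a CI step on the docs repository) and the post simply cannot go out with a secret-key packet in it, whatever the surrounding label says.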
 
[image: public_key_2x.png]
 
Security is so shit these days, nearly every week something gets leaked or hacked.
 
About 10-12 years ago, I was working for a large software company that made a security product for Unix and Windows. Our QA team opened an issue - if you didn't get your password correct, they wanted it to give you a hint (I guess this was ok - but we are talking enterprise security, not really end users). If you didn't understand the hint, they wanted it to print the actual password on the screen! Naturally, we closed the issue out. QA opened it back up and raised the severity level. Long story short, we had to escalate the issue to a goddamn VP in the development org to get this issue closed. Hell, we used a one way encryption process so we didn't even know your password in the first place. (It was comical to watch the managers fight over this one - one of the development managers had us write up why we closed it out without fixing it - wow!)
So yes, there are some stupid people out there. The QA team at the former company were tards. I wish I was making this story up. (And sadly, the QA-tard that opened this eventually became a director in the company when I worked there.) We should have fired a few people over that. At least our product never shipped with that feature.
 

Not so long ago Windows let you reset your password after typing it wrong three times.
 

It's Adobe. In 2012 or 2013 their credit card database was hacked and the source code stolen for some products.
 

I have a lot of friends that work IT security jobs. This kind of story is all too common. And hearing about people who actually DO this kind of thing either staying employed long term or even getting promoted. Or sometimes they are upper management who are in positions over the IT department.

I know that the whole old joke about getting promoted to your level of incompetence is actually somewhat true, but when your job requires basic levels of understanding... or at least COMMON SENSE about the steps of security how is it that so many companies all operate in exactly the same screwed up fashion? You'll get called into diversity meetings every month but when something like this story happens... meetings should be called and people should be shamed at the table over this level of stupidity. I'd be making a list starting with the QA employee, his/her supervisor in QA and the idiots who hired the idiots in HR. They all go. Because if you let stupid like that fester long enough and you let the stupid ones protect themselves and their friends ------------------------ YOU END UP WITH SOMEONE POSTING YOUR PRIVATE PGP KEY! Suddenly those severance packages don't seem so expensive anymore.
 
I agree totally. The problem - the idiots have been in control for a while. They protect each other. They make us go to "training" classes so we know what pronoun we are supposed to call someone (dear lord - I just want to start urinating on people when they ask me - my pronoun is Pister!).
The same company also had a major customer (bank) figure out our original "encryption" scheme for storing passwords. If anyone is familiar with C, we basically just took the string and it got shifted to the right 7-10 places, then back to the left 7-10 to decrypt the password (a >> 9, a <<9). Needless to say, the bank was pissed and tried to get away from the company. I think we gave them a few years of support for a discount or other nonsense. We also bought another security company and switched to their security model (which seemed to be legit). I could go on and on...I hope I can make it to retirement without really pissing on someone.
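Two posts above describe the two ways that company stored passwords: a reversible shift scheme that a customer's bank reversed, and the later one-way process under which nobody, QA included, could print a user's password back. An added example, not code from either poster: a toy reading of the shift scheme (each byte rotated right by 9 bits, rotated left to recover it; the post's real code is not shown, so this is an assumption) beside salted PBKDF2-HMAC-SHA256 storage, where the stored record supports exactly one operation, verification, and yields nothing to print.

```python
import hashlib
import hmac
import os

# --- Reversible "encryption" of the kind the post describes (toy stand-in, an assumption) ---
def rotr8(b: int, k: int) -> int:
    k %= 8
    return ((b >> k) | (b << (8 - k))) & 0xFF

def rotl8(b: int, k: int) -> int:
    return rotr8(b, (8 - k) % 8)

def shift_encrypt(password: str, k: int = 9) -> bytes:
    """What gets written to disk: every byte rotated by a fixed, secret-free amount."""
    return bytes(rotr8(b, k) for b in password.encode())

def shift_decrypt(stored: bytes, k: int = 9) -> str:
    """Anyone holding the stored bytes (an auditor, an attacker) gets the password back."""
    return bytes(rotl8(b, k) for b in stored).decode()


# --- One-way storage: salted PBKDF2-HMAC-SHA256, verify-only ---
ITERATIONS = 600_000   # OWASP's 2023 figure for PBKDF2-HMAC-SHA256

def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(candidate: str, record: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time.

    There is no decrypt counterpart: the record holds a digest, not the password,
    so a "print the real password on the screen" feature cannot be implemented."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    pw = "hunter2"                      # constructed sample password
    stored = shift_encrypt(pw)
    print("shift scheme on disk:", stored.hex(), "-> recovered:", shift_decrypt(stored))
    record = hash_password(pw)
    print("one-way record:", record)
    print("verify correct:", verify_password(pw, record), "wrong:", verify_password("hunter3", record))
```

The shift scheme fails because the transform is fixed and keyless: reading the stored value is the same as knowing the password. The PBKDF2 record is salted per user and deliberately slow, and the only code path that touches it is `verify_password`.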
 