FOSS Week in Review
Adobe hacked
We’ve known for years that Adobe doesn’t seem to have a knack for keeping their products secure. New vulnerabilities are found almost daily in Reader and Flash, so much so that Windows users grow used to the constant updates required of them by the fine folks at Adobe. Now it appears as if the San Jose based company can’t keep their servers secure either.
Last Friday, The Australian reported that black hats had managed to steal source code and sensitive customer information:
“‘Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving illegal access of customer information as well as source code for numerous Adobe products,’ Adobe chief security officer Brad Arkin said in a blog post.
“‘Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems.’
“Hackers are believed to have taken information relating to 2.9 million Adobe customers. The stolen data was said to include customer names, encrypted credit or debit card numbers, expiration dates and other information relating to people’s orders.”
If we’re reading a report Brian Krebs filed last Thursday on KrebsOnSecurity correctly, the Adobe folks have known about the break-in for three weeks or so:
KrebsOnSecurity first became aware of the source code leak roughly one week ago, when this author — working in conjunction with fellow researcher Alex Holden, CISO of Hold Security LLC — discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll. The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.
Shortly after that discovery, KrebsOnSecurity shared several screen shots of the code repositories with Adobe. Today, Adobe responded with confirmation that it has been working on an investigation into a potentially broad-ranging breach into its networks since Sept. 17, 2013.
From a report posted on PCWorld today, the actual break-in actually happened as long as two months ago, according to Alex Holden:
“Source code could make it easier for hackers to find vulnerabilities in Adobe’s products, Holden said. But so far, no new zero-day vulnerabilities—the term for a vulnerability that is already being exploited but doesn’t have a patch—have surfaced in the last couple of months since the source code was taken, Holden said. So far, the source code has not been publicly released.”
This doesn’t bode well for Adobe’s plans to push Photoshop as a cloud based service, does it?
More from our friends at the NSA
This week we were treated to the surprising news (not) that the NSA has been going after users of TOR. We also learned that the opening of the huge data center the agency is building in the Utah desert has been again delayed, this time due to power surges that have been burning out about $100,000 in equipment with each incident. Meanwhile, as more items revealed by Edward Snowdon are released, companies offering online anonymity find their business booming.
We’re not delving too deeply into this today as we plan to have a more in-depth article up early next week. Stay tuned…
PC sales decline continues
Tablets and smartphones continue to take the wind out of the sails of PCs and laptops, according Gartner and IDC. PCWorld reported on Wednesday that both research firms are reporting sales drops for the quarter that ended on September 30th. Gartner estimates a quarterly decline at 8.6% while IDC puts the figure at 7.6%. The later researcher had earlier predicted a loss for the quarter of 9.5%.
“‘Whether constrained by a weak economy or being selective in their tech investments, buyers continue to evaluate options and delay PC replacements,’ Loren Loverde, an analyst with IDC added. ‘Despite being a little ahead of forecast, and the work that’s being done on new designs and integration of features like touch, the third quarter results suggest that there’s still a high probability that we will see another decline in worldwide shipments in 2014.'”
Although the continued decline is certainly distressing to the likes of Lenovo, HP and Dell, it doesn’t put desktops and laptops on the endangered species list and never will. Those consumers who never had a need for a full-fledged computer, those we used to talk about who only used their PCs for email and surfing (and now, watching videos) are finding smartphones and tablets to be a better fit. Likewise, the enterprise is finding mobile devices a better choice for some tasks, especially where mobility is a plus.
However, there’s still a great need for traditional desktops and laptops, especially for tasks that require rigorous use of the keyboard, such as writing and working with spreadsheets. That need is not likely to go away anytime soon.
Windows as freeware?
Back before the iPhone came along, when netbooks running GNU/Linux were threatening Redmond’s monopoly, it was said the company was allowing OEMs to install XP on the economy devices for as little as seven dollars, which was practically giving the OS away in those days. That may soon seem like a king’s ransom. If the likes of Bloomberg are to be believed, now Microsoft might be offering Windows Phone to HTC for gratis.
“Terry Myerson, head of Microsoft’s operating systems unit, asked HTC last month to load Windows Phone as a second option on handsets with Google Inc. (GOOG)’s rival software, said the people, who asked not to be identified because the talks are private. Myerson discussed cutting or eliminating the license fee to make the idea more attractive, the people said. The talks are preliminary and no decision has been made, two people said.
“Its willingness to add Windows as a second operating system underscores the lengths to which Microsoft will go to get manufacturers to carry its software. HTC, the first company to make both Windows and Android phones, hasn’t unveiled a new Windows-based handset since June and has no current plans to release any more, said one person. Microsoft, with 3.7 percent of the market, is finding it necessary to make concessions after agreeing to acquire Nokia Oyj (NOK1V)’s handset unit, which competes with other smartphone makers.”
We have some advice for HTC. Don’t take the deal until Redmond also agrees to drop the extortion licensing fees you’re currently paying them for Android.
Register now for “All Things Open”
Those planning to attend the All Things Open conference to be held in Raleigh the week after next might want to go ahead and register now. We’ve just noticed that the Early Bird prices are scheduled to end Wednesday night. The Early Bird specials offer bargain basement prices for what promises to be a world class event: $149 for both days, or $99 to attend for just one day. Early Bird student rates are $49 per day.
Well, there we go, another week down the drain. Until next time, may the FOSS be with you…
With regard to extortion and licensing fees…I believe you crossed out the wrong term.
“We’ve known for years that Adobe doesn’t seem to have a knack for keeping their products secure. New vulnerabilities are found almost daily in Reader and Flash, so much so that Windows users grow used to the constant updates required of them by the fine folks at Adobe. Now it appears as if the San Jose based company can’t keep their servers secure either.”
Sigh. Honestly, this is perhaps the single biggest misunderstanding about Adobe.
Adobe is not in the security business. Nor is Google, Mozilla…..[insert third-party software vendor name here].
Really, the whole issue of underlying security blame is being placed on software vendors who write applications that run on top of the Windows operating system.
The fact is, the blame for security defects lies with Microsoft and only Microsoft.
Despite that, software writers are bolstering their own apps which is not going to make one bit of difference as long as the underlying O/S has security defects, and it does.
I’ve mentioned them to @Christine before and Google even have posted a ‘caveats’ on Chromium.org that effectively says: “Hey wrote a sandbox, but we can’t guarantee you won’t get infected using Windows” shrugs.
Microsoft can’t fix that a successful javascript DLL injection exploit can call a SYSTEM function without interference and ‘own’ the system.
This makes Windows x86 legacy a bad choice. It’s been that way since WinNT 2000.