Much more interesting than the customer data: "We are also investigating the illegal access to source code of numerous Adobe products". In the linked blog post they say: "Adobe is investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products by an unauthorized third party"
It's about time. I hate to be one to advocate piracy, but this massive leak of source was something that we needed desperately.
It's illicit, but it will help free software and reverse engineering in a huge way. Adobe doesn't deserve to manipulate its users with CC like it's doing right now.
Good. Let it die. If anything, this will encourage people to move off of that horrid platform and onto something different. There's no excuse to be using Acrobat anymore; there are dozens of better solutions for PDF doctoring and creation.
And for those who are using Reader, well, they were in for it.
Wait, so Adobe doesn't deserve to make decisions about how it wants to sell its products? I'm confused here - are you advocating that companies give up control over their own delivery mechanisms?
We can argue as to whether or not we like their products, value their products, or receive in return for payment value greater than or less than the price of their products, but it seems to odd to say they shouldn't be able to make a decision about how they choose to sell them?
Manipulate? They're a business who is making big boy business decisions. If you don't like their products don't purchase them. They don't have a monopoly, they simply have good products.
This is pretty debatable considering the options which are currently available to consumers. Yes, they have some competition, but it's hardly putting a dent in their bottom line.
It's comparable to the New York Yankees playing in a Juco league. Sure they have "Competition" in the form of other teams, but are those teams really in their league? No.
No its comparable to saying Apple has a monopoly because Android et. al are hardly putting a dent in Apple's bottom line.
Is your argument for Adobe monopoly really that "they make really good products and no one comes close to them in quality?" Because if so, then good on Adobe for making good products.
Macromedia were the last decent competitor in the 2D design space, then Adobe bought them. I was sad to see it happen, and I can see Photoshop has only gotten more bloated and nonsensical as time goes on.
I hope some bold entrepreneur brings out some software to seriously compete with Creative Suite because the market sorely needs it.
Anything made resembling reimplementation of Adobe's stuff by anyone who sees this will be tainted. It would most likely leave not the individual developer open to legal actions but the entire group and project they were working with would be at risk.
You would have to be something of an idiot to look at this if you intend to have anyone ever look at anything you code in the future.
"KrebsOnSecurity first became aware of the source code leak roughly one week ago...with fellow researcher Alex Holden...discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll."
"The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat."
Well, it might finally shed some light in the Mayan/Inkan/Aboriginal, or just plain out cryptic and esoteric secrets of why the hell the PSD format is so inconsistent and annoying to work with!
Start using LastPass and generate random unique passwords for everything you do online. They are now as good as encrypted even if the vendor stores them in plaintext.
This quote from the Krebs post is both laughable and horribly saddening. Even Adobe can't manage to keep Adobe software installs up to date
>Arkin said the company has not yet determined whether the servers that were breached were running ColdFusion, but acknowledged that the attackers appear to have gotten their foot in the door through “some type of out-of-date” software.
Less than 1 year into forcing their users to 'The Cloud' for future updates, Adobe has proven incompetent at protecting our data (and even their own).
I feel particularly bad for the design houses that have entrusted Adobe with their intellectual property because it was supposed to be safe who now have to rethink how safe their assets really are.
We need some technology that makes our Credit Card numbers change every few days.
I am shocked that most people think it's OK these days to drop the "Oops, nasty baddies bad bad got in and there goes your details, so so sorry, come again."
If this happens to some small startup with the one PHP nerd that doesn't really know what he's doing (and is underpaid anyway) - that's fine. Or at least acceptable. You're living on the edge.
Some credit card companies let you generate expiring CC numbers for specific purchases, but that's a lot of work, and wouldn't work for recurring purchases (like Adobe Creative Cloud)
>Some credit card companies let you generate expiring CC numbers.
I know Citi Credit card lets you do that.
> and wouldn't work for recurring purchases (like Adobe Creative Cloud)
It could. If I remember correctly, Citi card lets generate three types of Virtual Cards. One based on the expiration (less than a month), another based on the maximum amount/balance (where expiration is about a year) and finally a combination of both.
Virtual credit-cards are real handy especially when trying those 30 day trial services.
Yeah, AMEX used to allow one-time use numbers with its Platinum Corporate Card (maybe other cards as well). But, they stopped years ago. Don't know if it was hard to manage or if I was just the only one using it, but I loved it.
Seems that another way to solve this for recurring payments would be to likewise issue a virtual number. But, only the merchant with a particular Merchant ID could apply a charge to that number.
In general, it's actually a strange concept that we walk around with these wide open payment methods that only require that a dishonest person acquire a few bits of information to abuse with impunity.
> Yeah, AMEX used to allow one-time use numbers with its Platinum Corporate Card (maybe other cards as well). But, they stopped years ago. Don't know if it was hard to manage or if I was just the only one using it, but I loved it.
Very few people used it
But there is an additional problem, from American Express's point of view. Virtual credit card numbers are patented by Orbiscom, which was acquired by MasterCard in 2009.
>Visa, MasterCard and American Express proposed new global standards to replace traditional account numbers with a digital payment “token” for online and mobile transactions.
So, either they are licensing it from Orbiscom, ignoring the patent, or it doesn't apply here.
In any case, it's good news. Looks like some semblance of virtual numbers will return on a standardized, more global basis.
Credit cards have been around in their present form since the 1960s. And magstripe credit cards have been around since the 1970s. So patents on the basic technology have long since expired. (Of course, there are all sorts of ancillaries that were developed later -- CVV2 numbers, AVS, fraud-detection, etc.)
The article talks about replacing 16-digit card numbers with a new payment infrastructure. The Orbiscom technology produces virtual card numbers that are backwards-compatible with existing 16-digit credit card numbers.
Why doesn't it work the other way around. That Adobe send your bank account a signed money request (with a verification code retained on the Adobe end so even if private keys were taken the abusers would need to currently own the server in order to maintain the pretense of having issued a request).
Then you go through the requests in your account and allow those you wish.
Like a sort of reverse Direct Debit/ Standing Order.
Indeed, we need a ticket system for custom tokens per merchant. So instead of actually putting in the credit card number, you put in a token (very similar to an oauth type token).
If say for instance the token you gave to Adobe gets stolen, you or they just disable all tokens or ask for new tokens.
So not only will fraud be more difficult but merchants also will be known who has been compromised. Right now banks won't always tell you what merchant was compromised and causing you to get a new number/card.
New payment systems have this, for instance stripe is built similar to this.
Why do people have to update all their cards with all their merchants after one fails? Getting multiple cards and internet cards sometimes helps compartmentalize but really we need this at least per merchant.
Some banks have this like Bank of America ShopSafe but it should be the new normal.
This is actually how a lot of merchants work -- they send CC info to a bank or processor, and get back a token they can use to charge that CC (without having to store CC information). Why Adobe didn't utilize this is beyond me.
And what do you do when the payment provider you use sucks, and you want to move to a new one?
Oh right! Every existing customer have to sign up again, and input the same info again.
That's the reason to aim for PCI compliance your self.
In Turkey, we have these things called virtual credit cards. You basically log in into internet banking, click a button to generate a new card, it shows up instantly, then you define how much limit it would have and you are ready to use it. For convenience you can use that card many times, just reset the limit or you can create new one if you wish. It's really good, I use it every time.
Seriously, I don't get it. At least in the US, card holders have zero liability in these instances.
If your card number got leaked and is used to make a fraudulent purchase, simply report it to your card issuer. They will reverse the charge and issue you a new card number.
The paranoia around card numbers for consumers is crazy. There's literally no risk. It makes sense for merchants because they bear risk, but I don't understand why cardholders get upset.
> We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.
Well that's reassuring(!) If these hackers were so "sophisticated" then presumably they could have obtained Adobe's decryption keys too? If not, why not?
Guess I'll have to phone my bank tomorrow... hope they don't charge me for the new card. Oh Adobe...
Edit: It just occurs to me that people with pirated Adobe software aren't having any problems right now. The same argument could be made of any service, of course, but at least with the old way of purchasing Adobe software (vs. Creative Cloud) Adobe didn't have to store your credit card number for an extended period of time. I don't think this excuses piracy, but it's not going to do anything to discourage it.
> At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems
That sentence is disinformation. It carefully leaves unanswered the question of whether the encryption keys were stored in a location accessible to the attackers. The only reason to use that kind of language is to try and confuse everybody into believing things are not as bad as they would otherwise look.
We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders
On first reading I had a split-second where I thought the attackers did everyone a favor by deleting the data; e.g. "drop table customer_financial_data". Unfortunately they meant the ~other~ kind of "removal". I think "obtained" would have been a better word to use here (instead of "removed").
Fucked if they do, fucked if they don't. If it wasn't encrypted, why were they so stupid ? If it's encrypted, fuck them too.
This shit happens. To EVERYBODY, sooner or later. What makes a difference is how to handle it. I say Kudos to Adobe for storing encrypted data, being open and owning it up, and trying to fix what's been messed.
> certain information relating to 2.9 million Adobe customers
It would be nice to know how many user accounts Adobe manages, so that I can better estimate the likelihood of my accounts being affected. If they only have 2.9 million accounts, I should be worried; if they have 100 million accounts, I should still worry but perhaps a little less so.
I have not (yet) received an email from Adobe regarding this latest attack, but I have an Adobe Creative Cloud subscription as well as several Typekit accounts. I use 1Password to generate passwords, but of course that doesn’t protect my credit card information.
As a customer who just made a purchase from Adobe a few hours ago, I feel good and horrible at the same time. I feel good that their source code was stolen (I will explain why). I feel bad that my credit card was compromised.
Around November 2011, Apple screwed up one of it's premier softwares (Final cut pro) and Adobe jumped right in and offered a 50% discount to all of its Creative suites (version: 5.5). Their pitch then was - "Apple screwed up, try ours and hey, if you buy the suite, it's yours forever and you get peace of mind". And so I bought the Windows edition of one of their suites. A year later, CS6 was announced and I decided to wait for sometime before upgrading. Just to be clear, I shelled out almost $1000 on the CS 5.5 version.
In the last few months, I made the switch to a Mac and I found out that my license for Windows wouldn't work on a Mac. Fortunately, Adobe seemed to provide a "crossgrade" path, wherein I can just swap my platform at no additional cost. Sounds good? No. Except that you can't swap from an older version (CS 5.5) to a newer version (CS 6). You can only switch between platforms of the two same versions. Okay, that's in a way fair enough, since it's been over a year anyway and it's time to upgrade. So, let me just upgrade to CS6, I thought.
This is where it started to get messy. I searched for links to upgrade to CS6, and I did find a few. But they all re-directed to the stupid Creative Cloud edition. WTF?
I searched and searched and finally found a link that worked. I placed an order and 24 hours later, my order was cancelled for no reason. I had to search for that link I found earlier, again. After giving up finding the link, upon contacting customer support, I was tried to be pushed into the stupid Creative Cloud platform, again.
Support: Based on what we have discussed I highly recommend that you purchase Creative Cloud which includes Photoshop CC for images, Indesign CC for print design, Illustrator CC for graphics, Flash Pro CC for animations, After effects CC for adding effects and plus more.
Support: Plus you will get all the upgrades and updates for free of cost.
Support: You can install CC on 2 system both on mac/ Windows.
Support: I am sure CC will meet all your requirements.
you: Oh no thank you, please. It doesn't fit my budget. Once I stop paying, everything is gone, unlike in the case of a CS 6 install.
Support: I do understand your concern, however, going forward there is no upgrade path available since CC is replaced by CS6.
(WTF)?
you: Do you mean to say, that I can't upgrade from Cs 5.5 to 6?
Support: The upgrade path from CS6 to CS7 is not available, since CC is replaced by CS7.
you: Yes, I understand that.
you: I don't need CC ma'am, really.
you: It doesn't fit my needs.
Support: That's okay.
Support: Let me provide you with the link to upgrade to CS6 production premium, okay.
(Finally!)
It's funny I had to spend so much time with support to purchase CS6, since Adobe clearly conveys that it intends to sell CS6 indefinitely.
[2]http://www.adobe.com/products/cs6/faq.html
Even though the support person gave me the link to buy CS6, I thought it would be a good idea to probably re-consider CC again. So I checked on the Creative Cloud page to see if I could just pay $45 for say, about two months and later upgrade to CS6. But, again, Adobe tries to backstab its users. IF you cancel your CC subscription before 1 year, you will be billed 50% of the total amount (50% of ($45x12)) as a penalty. WTF?!! So, basically they want to beat their users to the ground as much as they can.
> Around November 2011, Apple screwed up one of it's premier softwares (Final cut pro)
I understand why you would say that, but I don’t agree. At the time, I used Final Cut Pro 7 daily and when Final Cut Pro X was released, I didn’t immediately switch to it. I waited for multicam editing and XML export, and Apple delivered. That’s when I switched to Final Cut Pro X and it was a great improvement over version 7. When Adobe came up with Creative Cloud, I signed up. That meant I got Adobe Premiere as part of the package, but after trying it, I still much preferred Final Cut Pro 7. Comparing Premiere and Final Cut Pro X, for me, it’s not even a contest. With Final Cut Pro X, I’m way more productive than I ever was in FCP 7, Avid, Premiere or Media100.
Apple could’ve done better by offering the first few releases of FCP X as a free beta, but right now, FCP X is a way better product than FCP 7 ever was.
My argument is not about which of the two companies' products are better. Probably Apple's is better, but the creative suite at a 50% off was a deal not to be missed for me at that time (It included Photoshop, Illustrator, After Effects, Premier and Audition)
Oh, I’m not disputing that, and I too took advantage of that offer. I’m still very happy with Creative Cloud, with its more frequent updates and lower pricing. Premiere just isn’t for me. (I did use Premiere extensively back in the 90s, but that was before FireWire, digital camcorders, and FCP.)
> there is no easy way to subscribe to CC for just a few months
Isn't that what the monthly plan does [0]? $75 / month rather than $50, but with the option to only pay for individual months. I think they said they were originally thinking of freelancers who might only take on work that involved using CC a few times a year.
$75 a month is pretty expensive for many freelancers and the only reason I considered CC in the first place was I got a 40$ discount of $30/mo, but again the penalty applied, so I didn't buy it. Sorry for not mentioning this in the parent post.
I challenge this. How much does a creative designer make as a freelancer? My company hires designers for $60 an hour minimum and often more. So in 75 minutes you make back a months worth of software fees? $75 is not a lot of money to a professional who has to create graphics.
For a teen who wants to edit their iPhone photos before uploading to Facebook, $75 per month would be a lot. But that's not Adobe's target market.
You maybe right that I can make up this $60 somehow. But the question isn't about the cost (sorry if my post was misleading). The question was about the ownership.
For example, assume, depending on where you live, your favorite manufacturer, who is also a monopoly, Volkswagen if you're in Europe, Ford/Chevy if you're in the States sells you cars for a fixed price and you're very happy.
So let's say the price of each car they sell you is $25,000. You pay once and forget and you own the car. Forever. Assume this car is very solid and you plan to own it for a good 5-7 years. For a span of 5 years, that translates to $5000 a year.
Now, suddenly, Volkswagen/Ford/Chevy decide that one time payments suck and you need to pay monthly, say $1000.
Their argument is that for $1000/mo for 2 years you spend $24,000 in total and that is less than what you would pay one time. Well, if you were the kind of person who would upgrade once in every two years, that is fine. It is really a $1000 cheaper. But for the average dude who upgrades his car once in 4-5 years, it's a disaster.
His current car's value reduces drastically because of this monthly scheme. And to access any sort of updates to his car, he needs to pay monthly, and this monthly payment includes a penalty as well, if you decide to cancel sometime in between.
That sucks right? I know people who are still on CS3, CS4, CS5 because it just works for them and fits their needs.Now these manufacturers tell you that you can still buy an older model from their store and make it extremely difficult and dodgy to buy one. That's cheated right? Especially considering the fact that there are a lot of car robbers who rob cars from their factory (but by cloning the car and leaving the original copy behind) and get away without paying anything. Now, how bad would you feel for paying for such a nasty corporation?
> Now, suddenly, Volkswagen/Ford/Chevy decide that one time payments suck and you need to pay monthly, say $1000.
Adobe would say that it might be more comparable to your car manufacturer upgrading your car every time they released a new model.
> His current car's value reduces drastically because of this monthly scheme.
The value of what his current car has reduced because they released a new model, not because of the new scheme (and CS6 hasn't depreciated in price that much!)
> And to access any sort of updates to his car, he needs to pay monthly, and this monthly payment includes a penalty as well, if you decide to cancel sometime in between.
Just like every other 12 month contract ever? It's pretty clearly labelled that it's an annual contract, and that there are recurring monthly contracts available for a higher cost.
> Now these manufacturers tell you that you can still buy an older model from their store and make it extremely difficult and dodgy to buy one.
As MarkMc said, it's not especially hard to buy CS6. All the top search results for "buy cs6" allow me to buy it pretty immediately.
Sure, they definitely upsell CC, but they also see that as their new and better product: is it really dishonest or nasty of them to do so?
If you're not earning at least the $75 a month doing the things Adobe's software suite is aimed at (graphical work, video work, etc) you probably need to up your rates. Bearing in mind there's only a cost in this scenario during months you're working with the software, if you've got just the 1 job for (for example) $50 in a month don't accept the job or charge more for it.
I understand you feel cheated Adobe, but I feel the need to present their side of the story.
> But, again, Adobe tries to backstab its users. IF you cancel your CC subscription before 1 year, you will be billed 50% of the total amount (50% of ($45x12)) as a penalty. WTF?!! So, basically they want to beat their users to the ground as much as they can.
What you call 'beat their users to the ground' I call 'charge fees which maximise their profit'. They are not being deceptive - their price list clearly states, "Requires annual commitment; billed monthly" [1]
> There is no easy way to buy CS6
If you Google "buy adobe cs6" the first result [2] allows you to buy a CS6 'Master Collection' licence for $2,599. Just click 'buy' then 'Add to cart'. Seems pretty easy to me.
> there is no easy way to subscribe to CC for just a few months
Not true - as pointed out by estel, you can easily subscribe for $75 per month. I think by 'easy' you mean 'cheap'
> the calculations they demonstrate are also deceptive at best
Can you provide a link to the deceptive calculations? Because to me the price list [1] seems to be fairly straightforward and honest
> CC is more expensive than the boxed product.
Doesn't that depend on how long you use the software for? You can buy a single month for $75 - I doubt that you can get the boxed product for cheaper than that.
> One thing that was common in most of these Adobe contacted bloggers' posts, was how their stress to explain how the CC version was effectively cheaper than their boxed version.
If it is true that Adobe implicitly says, "write good things about us and we'll give you free stuff" then I agree that this is pretty bad behaviour. (But if they say, "here is some free stuff, please write good things about us" then that would be OK as long as the blogger notes in their review that they had received the free stuff.) The fact that bloggers who received free stuff had previously wrote good things about Adobe is not sufficient to convict Adobe of indirect bribing. It could be that the bloggers who did not receive free stuff also wrote good things about Adobe (ie. their products are generally viewed positively)
> Backstab #1. I was a Flash developer previously. I was even jobless for a few days because I relied so much on this technology…Do you know how many Flex developers are jobless now? Backstab #2.
It sucks to lose your job, but is it really 'backstabbing' for Adobe to drop support for a platform they developed? For all software I expect the companies who develop it to say "this is a great product and we fully support it" right up until they day they drop that support. It's not like Adobe said, "we will support this product until at least 2015".
> [The CEO] is never straightforward...This guy is incompetent and needs to be replaced.
Personally I think it is very straightforward to say, "I refuse to discuss our pricing strategy with you". But in any case the CEO's job is to maximise profits - and using the strength of Adobe's market position to charge nosebleed prices sounds to me like he is doing just that. Not at all incompetent.
> At least someone should file a class action suit for abusing their monopoly.
It's not necessarily illegal to have a monopoly and charge a very high price for your products.
Some naive questions from someone who genuinely doesn't know: how is it that a company cannot detect when someone downloads a giant database of sensitive personal information from their servers? Surely, there are ways to monitor access to this data and immediately flag suspicious behaviour? How do the intruders even find the location of this data and then download it? Isn't there some best practice security measures that can prevent of all of these things? I presume Adobe failed at all of them?
>how is it that a company cannot detect when someone downloads a giant database of sensitive personal information from their servers? Surely, there are ways to monitor access to this data and immediately flag suspicious behaviour
There are classes of products related to this specific task, generally we call them "DLP" or Data [Leak|Loss] Prevention.
What we don't know, is how the information was transferred from the servers, and how much different that traffic looked compared to normal activity. It's easy enough to catch a credit card number flying through a plain HTTP packet over the network in the wrong direction, but it gets much harder when the party trying to transfer that data is intentionally attempting to avoid detection.
> Isn't there some best practice security measures that can prevent of all of these things
Yes, but none of them are perfect, and even if they were, they would require perfection from human operators. (Perfectly configure, maintain, monitor, etc.) And, of course, they assume you can identify a threat before it leads to compromise.
Could this result in a huge fine or penalty, not least due to potential PCI DSS violation? Here in the EU, it'd be a big data protection issue as well.
That's kind of a scary part to it. Large organisations don't colocate code and credit card numbers. They carefully segment things and isolate them to completely separate silos in completely unconnected systems.
So I would infer that the attackers obviously had access at a very high level, probably compromising the credentials of someone very senior with very high privileges. Which in turn means they could almost certainly have compromised the encryption keys and would be most likely to do so before downloading the actual CC data.
I was told repeatedly that I was a sucker for buying Adobe products (I own CS3 and never found it necessary to upgrade) instead of pirating. Well, I'm conflictingly feeling like a sucker.
Conflictingly because my CC info has since expired, but other personal data would still be in their records. I wonder how far back they keep those, but I guess I'll find out soon enough if I'm in the lot.
Edit: If anyone is worried about the source getting leaked giving rise to 0-day exploits and the like, you can at least move away from Reader into something like Sumatra PDF (open source). If all you need is a reader, it's a very handy alternative and far more nimble with resources (no I'm not part of their project. I'm just a very happy user)
I wonder if this is why my university IT dept just broadcast an email saying that Adobe is "auditing" every computer on campus for the university's site license. They want to come into everyone's office and labs and run some "script" on every machine that does who knows what. Needless to say I said "no thank you".
Well, pretty happy I bought Lightroom through Amazon right about now.
Reason: Adobe charges basically double the US price in Australia/NZ if you buy from them directly, and I refuse to pay a location tax since it costs them zero dollars extra to send me bytes through CDNs.
Support staff and localised service centres still need to be paid for somehow. Also, sales staff, business liaisons, legal staff to deal with local laws and regulations, all the managers to manage them, etc. With a smaller potential userbase in Aus, they can't subsidise the support costs across as many people, so maybe that's why they charge more.
Just another reason for me to continue to despise Adobe. Thankfully I bought my version of Acrobat Pro on Amazon so they did not have my credit card, but still Adobe handed all my other information over to the hackers due to poor security practices. Thankfully I also had used Lastpass to generate a unique password for their site.
I used to pay for Photoshop and Illustrator too, until I realized Adobe was more interested in adding clutter-ware (Adobe Updater, anyone?) than trimming down and speeding up their monstrosity of a code base.
The few times I got to play with Photoshop/Illustrator on Windows I felt the experience (performance, responsiveness etc) was overall better than on MacOS. Admittedly, I've owned mostly laptops since 2005.
107 comments
[ 4.6 ms ] story [ 190 ms ] threadIt's illicit, but it will help free software and reverse engineering in a huge way. Adobe doesn't deserve to manipulate its users with CC like it's doing right now.
And for those who are using Reader, well, they were in for it.
Wonderful.
We can argue as to whether or not we like their products, value their products, or receive in return for payment value greater than or less than the price of their products, but it seems to odd to say they shouldn't be able to make a decision about how they choose to sell them?
This is pretty debatable considering the options which are currently available to consumers. Yes, they have some competition, but it's hardly putting a dent in their bottom line.
It's comparable to the New York Yankees playing in a Juco league. Sure they have "Competition" in the form of other teams, but are those teams really in their league? No.
Is your argument for Adobe monopoly really that "they make really good products and no one comes close to them in quality?" Because if so, then good on Adobe for making good products.
I hope some bold entrepreneur brings out some software to seriously compete with Creative Suite because the market sorely needs it.
You would have to be something of an idiot to look at this if you intend to have anyone ever look at anything you code in the future.
I'd rather obtain minified javascript.
Somewhere, oclHashcat makes room temperature rise.
>Arkin said the company has not yet determined whether the servers that were breached were running ColdFusion, but acknowledged that the attackers appear to have gotten their foot in the door through “some type of out-of-date” software.
I feel particularly bad for the design houses that have entrusted Adobe with their intellectual property because it was supposed to be safe who now have to rethink how safe their assets really are.
I am shocked that most people think it's OK these days to drop the "Oops, nasty baddies bad bad got in and there goes your details, so so sorry, come again."
If this happens to some small startup with the one PHP nerd that doesn't really know what he's doing (and is underpaid anyway) - that's fine. Or at least acceptable. You're living on the edge.
But a Fortune 100 company... COM'ON.
This needs a ladder of shame. If we don't shine the light on this, things just won't get better.
I know Citi Credit card lets you do that.
> and wouldn't work for recurring purchases (like Adobe Creative Cloud)
It could. If I remember correctly, Citi card lets generate three types of Virtual Cards. One based on the expiration (less than a month), another based on the maximum amount/balance (where expiration is about a year) and finally a combination of both.
Virtual credit-cards are real handy especially when trying those 30 day trial services.
Seems that another way to solve this for recurring payments would be to likewise issue a virtual number. But, only the merchant with a particular Merchant ID could apply a charge to that number.
In general, it's actually a strange concept that we walk around with these wide open payment methods that only require that a dishonest person acquire a few bits of information to abuse with impunity.
Very few people used it
But there is an additional problem, from American Express's point of view. Virtual credit card numbers are patented by Orbiscom, which was acquired by MasterCard in 2009.
Pretty ridiculous though.
On a related note, I just came across this:
http://storefrontbacktalk.com/securityfraud/the-big-three-cr...
>Visa, MasterCard and American Express proposed new global standards to replace traditional account numbers with a digital payment “token” for online and mobile transactions.
So, either they are licensing it from Orbiscom, ignoring the patent, or it doesn't apply here.
In any case, it's good news. Looks like some semblance of virtual numbers will return on a standardized, more global basis.
The article talks about replacing 16-digit card numbers with a new payment infrastructure. The Orbiscom technology produces virtual card numbers that are backwards-compatible with existing 16-digit credit card numbers.
Then you go through the requests in your account and allow those you wish.
Like a sort of reverse Direct Debit/ Standing Order.
If say for instance the token you gave to Adobe gets stolen, you or they just disable all tokens or ask for new tokens.
So not only will fraud be more difficult but merchants also will be known who has been compromised. Right now banks won't always tell you what merchant was compromised and causing you to get a new number/card.
New payment systems have this, for instance stripe is built similar to this.
Why do people have to update all their cards with all their merchants after one fails? Getting multiple cards and internet cards sometimes helps compartmentalize but really we need this at least per merchant.
Some banks have this like Bank of America ShopSafe but it should be the new normal.
That's the reason to aim for PCI compliance your self.
I'm sure they aren't happy about the idea, but most of them recognize that lock-in is a reason people don't use their services.
Seriously, I don't get it. At least in the US, card holders have zero liability in these instances.
If your card number got leaked and is used to make a fraudulent purchase, simply report it to your card issuer. They will reverse the charge and issue you a new card number.
The paranoia around card numbers for consumers is crazy. There's literally no risk. It makes sense for merchants because they bear risk, but I don't understand why cardholders get upset.
Well that's reassuring(!) If these hackers were so "sophisticated" then presumably they could have obtained Adobe's decryption keys too? If not, why not?
Guess I'll have to phone my bank tomorrow... hope they don't charge me for the new card. Oh Adobe...
Edit: It just occurs to me that people with pirated Adobe software aren't having any problems right now. The same argument could be made of any service, of course, but at least with the old way of purchasing Adobe software (vs. Creative Cloud) Adobe didn't have to store your credit card number for an extended period of time. I don't think this excuses piracy, but it's not going to do anything to discourage it.
That sentence is disinformation. It carefully leaves unanswered the question of whether the encryption keys were stored in a location accessible to the attackers. The only reason to use that kind of language is to try and confuse everybody into believing things are not as bad as they would otherwise look.
That sentence also suggests that Adobe DOSE store decrypted credit or debit card numbers, but the hackers did not get to that database... yet.
On first reading I had a split-second where I thought the attackers did everyone a favor by deleting the data; e.g. "drop table customer_financial_data". Unfortunately they meant the ~other~ kind of "removal". I think "obtained" would have been a better word to use here (instead of "removed").
This shit happens. To EVERYBODY, sooner or later. What makes a difference is how to handle it. I say Kudos to Adobe for storing encrypted data, being open and owning it up, and trying to fix what's been messed.
Hmm. Maybe the fraudsters literally took the data. As in, Adobe no longer has our email addresses with which to notify us.
It may as well be that ridiculous.
It would be nice to know how many user accounts Adobe manages, so that I can better estimate the likelihood of my accounts being affected. If they only have 2.9 million accounts, I should be worried; if they have 100 million accounts, I should still worry but perhaps a little less so.
I have not (yet) received an email from Adobe regarding this latest attack, but I have an Adobe Creative Cloud subscription as well as several Typekit accounts. I use 1Password to generate passwords, but of course that doesn’t protect my credit card information.
Around November 2011, Apple screwed up one of it's premier softwares (Final cut pro) and Adobe jumped right in and offered a 50% discount to all of its Creative suites (version: 5.5). Their pitch then was - "Apple screwed up, try ours and hey, if you buy the suite, it's yours forever and you get peace of mind". And so I bought the Windows edition of one of their suites. A year later, CS6 was announced and I decided to wait for sometime before upgrading. Just to be clear, I shelled out almost $1000 on the CS 5.5 version.
In the last few months, I made the switch to a Mac and I found out that my license for Windows wouldn't work on a Mac. Fortunately, Adobe seemed to provide a "crossgrade" path, wherein I can just swap my platform at no additional cost. Sounds good? No. Except that you can't swap from an older version (CS 5.5) to a newer version (CS 6). You can only switch between platforms of the two same versions. Okay, that's in a way fair enough, since it's been over a year anyway and it's time to upgrade. So, let me just upgrade to CS6, I thought.
This is where it started to get messy. I searched for links to upgrade to CS6, and I did find a few. But they all re-directed to the stupid Creative Cloud edition. WTF?
[1] http://www.adobe.com/mena_en/products/creativesuite.html
I searched and searched and finally found a link that worked. I placed an order and 24 hours later, my order was cancelled for no reason. I had to search for that link I found earlier, again. After giving up finding the link, upon contacting customer support, I was tried to be pushed into the stupid Creative Cloud platform, again.
(Finally!)It's funny I had to spend so much time with support to purchase CS6, since Adobe clearly conveys that it intends to sell CS6 indefinitely. [2]http://www.adobe.com/products/cs6/faq.html
Even though the support person gave me the link to buy CS6, I thought it would be a good idea to probably re-consider CC again. So I checked on the Creative Cloud page to see if I could just pay $45 for say, about two months and later upgrade to CS6. But, again, Adobe tries to backstab its users. IF you cancel your CC subscription before 1 year, you will be billed 50% of the total amount (50% of ($45x12)) as a penalty. WTF?!! So, basically they want to beat their users to the ground as much as they can.
I decided to try alternatives, because...
I understand why you would say that, but I don’t agree. At the time, I used Final Cut Pro 7 daily and when Final Cut Pro X was released, I didn’t immediately switch to it. I waited for multicam editing and XML export, and Apple delivered. That’s when I switched to Final Cut Pro X and it was a great improvement over version 7. When Adobe came up with Creative Cloud, I signed up. That meant I got Adobe Premiere as part of the package, but after trying it, I still much preferred Final Cut Pro 7. Comparing Premiere and Final Cut Pro X, for me, it’s not even a contest. With Final Cut Pro X, I’m way more productive than I ever was in FCP 7, Avid, Premiere or Media100.
Apple could’ve done better by offering the first few releases of FCP X as a free beta, but right now, FCP X is a way better product than FCP 7 ever was.
Isn't that what the monthly plan does [0]? $75 / month rather than $50, but with the option to only pay for individual months. I think they said they were originally thinking of freelancers who might only take on work that involved using CC a few times a year.
[0] http://www.adobe.com/products/creativecloud/buying-guide.htm...
For a teen who wants to edit their iPhone photos before uploading to Facebook, $75 per month would be a lot. But that's not Adobe's target market.
For example, assume, depending on where you live, your favorite manufacturer, who is also a monopoly, Volkswagen if you're in Europe, Ford/Chevy if you're in the States sells you cars for a fixed price and you're very happy.
So let's say the price of each car they sell you is $25,000. You pay once and forget and you own the car. Forever. Assume this car is very solid and you plan to own it for a good 5-7 years. For a span of 5 years, that translates to $5000 a year.
Now, suddenly, Volkswagen/Ford/Chevy decide that one time payments suck and you need to pay monthly, say $1000.
Their argument is that for $1000/mo for 2 years you spend $24,000 in total and that is less than what you would pay one time. Well, if you were the kind of person who would upgrade once in every two years, that is fine. It is really a $1000 cheaper. But for the average dude who upgrades his car once in 4-5 years, it's a disaster.
His current car's value reduces drastically because of this monthly scheme. And to access any sort of updates to his car, he needs to pay monthly, and this monthly payment includes a penalty as well, if you decide to cancel sometime in between.
That sucks right? I know people who are still on CS3, CS4, CS5 because it just works for them and fits their needs.Now these manufacturers tell you that you can still buy an older model from their store and make it extremely difficult and dodgy to buy one. That's cheated right? Especially considering the fact that there are a lot of car robbers who rob cars from their factory (but by cloning the car and leaving the original copy behind) and get away without paying anything. Now, how bad would you feel for paying for such a nasty corporation?
That's exactly how I feel right now.
Adobe would say that it might be more comparable to your car manufacturer upgrading your car every time they released a new model.
> His current car's value reduces drastically because of this monthly scheme.
The value of what his current car has reduced because they released a new model, not because of the new scheme (and CS6 hasn't depreciated in price that much!)
> And to access any sort of updates to his car, he needs to pay monthly, and this monthly payment includes a penalty as well, if you decide to cancel sometime in between.
Just like every other 12 month contract ever? It's pretty clearly labelled that it's an annual contract, and that there are recurring monthly contracts available for a higher cost.
> Now these manufacturers tell you that you can still buy an older model from their store and make it extremely difficult and dodgy to buy one.
As MarkMc said, it's not especially hard to buy CS6. All the top search results for "buy cs6" allow me to buy it pretty immediately.
Sure, they definitely upsell CC, but they also see that as their new and better product: is it really dishonest or nasty of them to do so?
> But, again, Adobe tries to backstab its users. IF you cancel your CC subscription before 1 year, you will be billed 50% of the total amount (50% of ($45x12)) as a penalty. WTF?!! So, basically they want to beat their users to the ground as much as they can.
What you call 'beat their users to the ground' I call 'charge fees which maximise their profit'. They are not being deceptive - their price list clearly states, "Requires annual commitment; billed monthly" [1]
> There is no easy way to buy CS6
If you Google "buy adobe cs6" the first result [2] allows you to buy a CS6 'Master Collection' licence for $2,599. Just click 'buy' then 'Add to cart'. Seems pretty easy to me.
> there is no easy way to subscribe to CC for just a few months
Not true - as pointed out by estel, you can easily subscribe for $75 per month. I think by 'easy' you mean 'cheap'
> the calculations they demonstrate are also deceptive at best
Can you provide a link to the deceptive calculations? Because to me the price list [1] seems to be fairly straightforward and honest
> CC is more expensive than the boxed product.
Doesn't that depend on how long you use the software for? You can buy a single month for $75 - I doubt that you can get the boxed product for cheaper than that.
> One thing that was common in most of these Adobe contacted bloggers' posts, was how their stress to explain how the CC version was effectively cheaper than their boxed version.
If it is true that Adobe implicitly says, "write good things about us and we'll give you free stuff" then I agree that this is pretty bad behaviour. (But if they say, "here is some free stuff, please write good things about us" then that would be OK as long as the blogger notes in their review that they had received the free stuff.) The fact that bloggers who received free stuff had previously wrote good things about Adobe is not sufficient to convict Adobe of indirect bribing. It could be that the bloggers who did not receive free stuff also wrote good things about Adobe (ie. their products are generally viewed positively)
> Backstab #1. I was a Flash developer previously. I was even jobless for a few days because I relied so much on this technology…Do you know how many Flex developers are jobless now? Backstab #2.
It sucks to lose your job, but is it really 'backstabbing' for Adobe to drop support for a platform they developed? For all software I expect the companies who develop it to say "this is a great product and we fully support it" right up until they day they drop that support. It's not like Adobe said, "we will support this product until at least 2015".
> [The CEO] is never straightforward...This guy is incompetent and needs to be replaced.
Personally I think it is very straightforward to say, "I refuse to discuss our pricing strategy with you". But in any case the CEO's job is to maximise profits - and using the strength of Adobe's market position to charge nosebleed prices sounds to me like he is doing just that. Not at all incompetent.
> At least someone should file a class action suit for abusing their monopoly.
It's not necessarily illegal to have a monopoly and charge a very high price for your products.
[1] http://www.adobe.com/products/creativecloud/buying-guide.htm...
[2] http://www.adobe.com/products/catalog/cs6._sl_id-contentfilt...
There are classes of products related to this specific task, generally we call them "DLP" or Data [Leak|Loss] Prevention.
What we don't know, is how the information was transferred from the servers, and how much different that traffic looked compared to normal activity. It's easy enough to catch a credit card number flying through a plain HTTP packet over the network in the wrong direction, but it gets much harder when the party trying to transfer that data is intentionally attempting to avoid detection.
> Isn't there some best practice security measures that can prevent of all of these things
Yes, but none of them are perfect, and even if they were, they would require perfection from human operators. (Perfectly configure, maintain, monitor, etc.) And, of course, they assume you can identify a threat before it leads to compromise.
So I would infer that the attackers obviously had access at a very high level, probably compromising the credentials of someone very senior with very high privileges. Which in turn means they could almost certainly have compromised the encryption keys and would be most likely to do so before downloading the actual CC data.
Conflictingly because my CC info has since expired, but other personal data would still be in their records. I wonder how far back they keep those, but I guess I'll find out soon enough if I'm in the lot.
Edit: If anyone is worried about the source getting leaked giving rise to 0-day exploits and the like, you can at least move away from Reader into something like Sumatra PDF (open source). If all you need is a reader, it's a very handy alternative and far more nimble with resources (no I'm not part of their project. I'm just a very happy user)
Reason: Adobe charges basically double the US price in Australia/NZ if you buy from them directly, and I refuse to pay a location tax since it costs them zero dollars extra to send me bytes through CDNs.
Not sure how much localisation is required since Australia, like New Zealand, is an English speaking Western democratic country.
Pretty sure we could understand US vernacular and cultural differences.
Call it what it is: Discriminatory pricing because they think that is what the market will bear. Fine, but I feel free to work around it as well.
Time to dust off the ol 'résumé, Brad.
After a while on Inkscape I am now running with:
- Sketch (http://www.bohemiancoding.com) as a replacement to Illustrator (vector drawing).
- Acorn (http://flyingmeat.com/acorn/) as an alternative to Photoshop for bitmap design (though it now supports vector drawing, much like Photoshop).
I am not affiliated in any way.
2) Sketch/Acorn are not available on Windows.
Not saying you're wrong; just saying I disagree :)
This is out of control. The bad guys are winning. Time for a new paradigm.