Thursday, October 17, 2013

Adobe Creative Cloud: What You Worry?

Adobe Chief Marketing Officer Ann Lewnes (visual approximation)
Adobe Chief Marketing Officer Ann Lewnes is not a worrier.  And she doesn’t think you should be one, either.

Allow me to explain.

Adobe Gets Hacked (and Maybe Into The Guinness Book of World Records)

Since I posted this story on October 17, 2013, it's gradually become clear that the fiasco that provoked it—a massive hack against software giant Adobe's web servers—was far, far greater than originally reported.  When Adobe Chief Security Officer Brad Arkin confessed in a blog post on October 3 that attackers had compromised the names, encrypted credit or debit card numbers, expiration dates, and other customer-order information for some of its accounts, it put the number at a mere 2.9 million.  Then, at the end of October, it appeared that hackers had actually snagged 38 million accounts.  And now, in mid-November, the number has grown to 150 million and, since nature abhors a vacuum, web sites are sprouting up to allow you to enter your email address to see if you're one of the unlucky ones.

As Violet Blue reported on ZDNet on November 11, "As breaches go, you may very well see this one in the book of Guinness World Records next year, which would make it astonishing enough on its own."

And just as astonishing is this little tidbit from Mashable:
“It was recently reported that the three most popular passwords among Adobe users are: "123456," "123456789," and "password" — a sign that users are picking easy-to-guess passwords.”

But back to Adobe's Brad Arkin.  In announcing the breach he also stated that Adobe was resetting all relevant customer passwords and explained that “If your user ID and password were involved, you will receive an email notification from us with information on how to change your password.”

Sure enough, as a sometime Adobe user I have an Adobe ID.  (In fact, for reasons I can’t quite remember, I’ve got two.)  So a couple of days later I got the promised email:


(Aside: A couple of days seems like a long time for a company Adobe’s size—responding to a breach of 2.9 million names—to alert me that attackers had illegally entered its network and possibly obtained my ID and password.  Perhaps I was deliberately placed at the tail end of the notifications because, thank God, I had no credit card information sitting on Adobe’s servers.  The last time I’d actually used my Adobe ID was to get some tech support for Adobe Digital Editions e-reader software—and luckily Digital Editions is a free download.)

What You Worry? Join the Adobe Creative Cloud!

So I was more than a little surprised when on October 15—less than a week and a half after Adobe had notified me to reset my password—I got an invitation from Adobe to join, explore, and create with its (recently revealed to be eminently hackable) Creative Cloud:


Yes, for only $49.99 per month—$599.88 per year—I, too, could download full versions of every Adobe app, get 20GB of cloud storage, create customized portfolios with a free Behance ProSite membership ... and spend my spare time wondering when MasterCard would call to ask if it really was me who just went on that outrageous shopping spree at Best Buy.

No thanks, Ms. Neu—I mean, Ms. Lewnes.  I’ll stand pat.

Oh, and Brad: I notice you haven't posted any updates to your original October 3 hacking alert on the Adobe website.  What, you worry?!?  Nah.

Postscript (12/12/13): Worried less than ever, Adobe continues to email those like me who have Adobe IDs but haven’t yet signed up for full-fledged Creative Cloud accounts.  Got another “Join. Explore. Create.” email today.  Seriously, Adobe: before you send out any more of these sunny promotions, don’t you think you owe it to your prospects first to devote an email explaining all the industrial-strength security measures you’ve put in place to make sure a 150-million-account hack never happens again? After all, since you’ve decided to get out of the software-in-a-box business and get into the software-in-a-cloud business, it’s sort of critical that your user base not be perpetually nervous about black hats hanging around jiggling your virtual doorknobs.