38 Million Lines of Code

Well, we don’t know if there are actually that many lines of code, but there sure are a lot that make up Acrobat, ColdFusion and Photoshop. We now have a casualty count for the recent Adobe security breach, and while we don’t know the exact details of the code theft, we know that 38 million user accounts have been affected. This could essentially mean that pretty much anyone who has ever legally bought Adobe software could be impacted, though of course this figure could still be only one third or half the number of overall users. We just don’t know, but the fact remains that it is a big number. It will seriously cost Adobe money to fix it all, notify users and monitor their credit cards. You can imagine how this may not go down well with shareholders. This quarter probably isn’t going to be a good one.

If that wasn’t enough, there’s still the issue of the code theft. Nobody likes having their code stolen from under their own nose, with source files out there that contain all their little secrets, from patented algorithms to programmer Easter eggs that may never have been intended for the public. Should you as a normal everyday user be concerned about that part? If at all, only slightly. Here are some points you might consider.

  • Adobe has already taken steps to revoke invalid signatures and provide updated security patches. This will continue for a while, and if you are a good citizen and apply those updates, you should be safe.
  • That previous point of course assumes you don’t get your software from questionable sources and actually are on current versions so you are able to update.
  • At this point nobody really knows how complete the source code files are. If they are incomplete, even the smartest hacker won’t be able to compile his own version of e.g. Photoshop and distribute it as a malware carrier or some such thing – that is, without writing all the missing code himself.
  • Assuming the code is complete, it’s still not a matter of just hitting a button and getting a working app. It could be a totally experimental development branch with incomplete parts. Likewise, whoever tries to compile it would still need to make sure the project structure is set up properly and that all the necessary tools and libraries are in place to produce a program with a valid signature and footprint. A good example of how far this can go can be found here.
  • Partial code would probably be mostly useless, because the same analysis methods explained in the link would allow Adobe to detect somebody else using their code. So any hopes of, for instance, the lens blur removal coming to apps from competing vendors are premature. Of course the programmers could rewrite it fully, give all functions, variables etc. different names and shuffle around bits of the code, then sell it under a fancy new name, but that’s not something you do over breakfast either, and you may still get into trouble over patents.
  • All of the above would hinge on you as a user actually having a chance encounter with the code in question. Unless you are the type who uses BitTorrent or similar to obtain his software for free (if you get my drift), that should be pretty unlikely.

So, in summary, what does this all mean? As far as the programs themselves are concerned, you can go about your business as usual. The real bummer in the whole affair is the stolen customer data, and that will be a stain on Adobe’s reputation and business for a while.
