Doyle, this is life as usual in the IT Security world. Nothing that rampant malpractice can't explain.
Want to sign as Microsoft? Just ask Verisign, whose sole job at the time (2001) was to ensure IDs and certificates matched.
http://news.cnet.com/2100-1001-254586.html
Want to steal a stealth fighter design? Ah, a bit more complex. Two steps...
1) hack RSA itself to create ID tokens. Of course, RSA will first deny it, then confirm it in a limited way, which, of course, should have no impact.
http://gcn.com/articles/2011/06/07/rsa-confirms-tokens-used-to-hack-lockheed.aspx
Then, it becomes obvious it is not that limited
http://dankaminsky.com/2011/06/09/securid/
http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/
2) send a phishing e-mail with a compromised PDF to Lockheed Martin executives and HR, gain a foothold in the network, then use the token to access the secure part (the fundamental mistake here was that there was a bridge between HR and R&D)
I could go on for pages and pages.
Adobe, also in 2001, managed to sell an expensive document security suite that encrypted documents and stored the encryption key and decryption routine in them. They then got the guy who revealed that slight (cough, cough) issue in jail (and backtracked when they realized they couldn't defend their position).
http://www.zdnet.com/news/dimitry-sklyarov-enemy-or-friend/116424
So, in that sense, the attack on Adobe is nothing out of the ordinary. While it may seem extraordinarily hard to pull off, it is not the case and it's not necessary to have insider collaboration.