Linode Community Forums
 Post subject: Security
PostPosted: Sun Jan 02, 2011 12:14 pm 
Junior Member

Joined: Sun Jan 02, 2011 12:08 pm
Posts: 25
Recently signed up, but wanted to ask about security, especially given recently enjoyable highlights like Lifehacker, etc.

For Linode manager, are you doing something a bit more than a salt and md5 (are you even doing a salt?).

And onto social engineering:

If I email in saying "crap, forgot my password and can't reset via email because the account is lost/hacked/closed etc.", what do you do to verify?

What if someone calls with the id etc.. asking for special support? How do you verify the person is legit?

What if you received a forged email from me - easy to fake email headers?


PostPosted: Sun Jan 02, 2011 12:33 pm 
Senior Member

Joined: Mon Oct 27, 2008 10:24 am
Posts: 173
Website: http://www.worshiproot.com
(Note: I'm just a happy customer)

Linode seems to take security pretty seriously. Exhibit A: When Firesheep made waves a couple months back, several major VPS providers were vulnerable. Linode, however, has had SSL enabled across 100% of the manager for as long as I can remember.

As far as account verification goes... Based on some conversations "overheard" in IRC, it seems they want (at least) some portion of the credit card number on the account (more than just the last 4, which is pretty easy to figure out), and the billing address. That seems pretty reasonable to me...

Have you checked out the Account Security options in the Linode Manager? It lets you set up a whitelist of IP addresses that are allowed to access the manager. If an IP that's not on that list tries to log in, you can either block them entirely, or have a warning e-mail sent. That way, even if someone compromises your password, you will know about it.

I have no idea how passwords (or representations of passwords) are stored, but given the examples above, I assume they take that just as seriously.
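The IP allowlist described in this post has two modes: block the login outright, or let it through and e-mail the owner. Here is an added example, not Linode's code (the thread does not describe the Manager's internals), of how such a check can be modelled and run over a few constructed login attempts. The allowlist entries, the attempt list and the function names are all assumptions made for the example. The one design point worth seeing is that the allowlist is consulted only after the password verifies: a correct password from an unlisted address is exactly the "someone else has my password" signal the post describes, and in warn mode that is when the alert fires.

```python
import ipaddress

# Constructed allowlist for the example: single hosts and a CIDR range.
ALLOWLIST = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]

MODE_BLOCK = "block"   # unlisted IP: refuse the login outright
MODE_WARN = "warn"     # unlisted IP: let the login through but raise an alert


def ip_is_listed(ip, allowlist=ALLOWLIST):
    """True if ip falls inside any listed host or network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def evaluate_login(ip, password_ok, mode, allowlist=ALLOWLIST):
    """Decide one login attempt.

    Returns (decision, alert): decision is "allow" or "deny"; alert is None or
    the text of the e-mail the account owner would receive. The allowlist is
    consulted only after the password checks out: a wrong password from an
    unlisted IP is an ordinary failed login, while a correct password from an
    unlisted IP is the signal that the password may be in someone else's hands.
    """
    if not password_ok:
        return ("deny", None)
    if ip_is_listed(ip, allowlist):
        return ("allow", None)
    if mode == MODE_BLOCK:
        return ("deny", f"Login with a valid password from unlisted IP {ip} was blocked")
    if mode == MODE_WARN:
        return ("allow", f"Login with a valid password from unlisted IP {ip} was permitted")
    raise ValueError(f"unknown mode {mode!r}")


# Constructed login attempts: (source IP, password correct?)
SAMPLE_ATTEMPTS = [
    ("203.0.113.10", True),    # owner's home IP
    ("198.51.100.77", True),   # owner's office range
    ("192.0.2.45", False),     # someone guessing passwords
    ("192.0.2.45", True),      # correct password from an unlisted IP
    ("192.0.2.46", True),      # the hotel problem: owner's IP changed again
]


def run_attempts(attempts=SAMPLE_ATTEMPTS, mode=MODE_WARN):
    """Evaluate every attempt under one mode; returns a list of (ip, decision, alert)."""
    return [(ip, *evaluate_login(ip, ok, mode)) for ip, ok in attempts]


if __name__ == "__main__":
    for mode in (MODE_BLOCK, MODE_WARN):
        print(f"--- mode={mode}")
        for ip, decision, alert in run_attempts(mode=mode):
            print(f"{ip:15} {decision:5} {alert or ''}")
```

Run as a script it prints both modes side by side; the last sample attempt shows the trade-off raised later in the thread, where block mode also locks out the legitimate owner whose hotel address keeps changing.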


PostPosted: Sun Jan 02, 2011 11:23 pm 
Junior Member

Joined: Sun Jan 02, 2011 12:08 pm
Posts: 25
Quote:
... Based on some conversations "overheard" in IRC, it seems they want (at least) some portion of the credit card number on the account (more than just the last 4, which is pretty easy to figure out), and the billing address. That seems pretty reasonable to me...


Sounds incredibly weak. So basically any of the 132 merchants that I use, if any were hacked (if ==> when), that have billing and part of the CC (most respectable ones won't store CVS), but regardless enough for a hacker to sabotage a Linode infrastructure. How do I know I run a Linode? Well, maybe I got me@mydomain.com, not too much digging.

In terms of corporations, just look up the registered address: whois.sc, or the company registrar (freely available), or, here is an idea, any "contact us" page and/or most footers disclose the registered address. Now any of the merchants we used, or any of the suppliers that have our CC on file, can in theory take down our infrastructure.

Okay, I'm a cynic, and you might consider these far-fetched, but I've seen both happen.


PostPosted: Sun Jan 02, 2011 11:49 pm 
Junior Member

Joined: Thu Apr 23, 2009 2:32 am
Posts: 41
Website: http://www.linode.com/
Quote:
Sounds incredibly weak. So basically any of the 132 merchants that I use, if any were hacked (if ==> when), that have billing and part of the CC (most respectable ones won't store CVS), but regardless enough for a hacker to sabotage a Linode infrastructure. How do I know I run a Linode? Well, maybe I got me@mydomain.com, not too much digging.

We have no control over the security of information stored at other merchants. First, for what you've described to be a genuine concern with respect to gaining unauthorized access to your Linode Manager account, someone would most likely already have to have a sincere interest in targeting you. There are probably easier ways to gain authorized access to your server resources, starting with targeted attacks on the specific services you're operating on your servers.

However, to directly address your concern that it's theoretically possible, you can simply use a separate credit/debit card to purchase Linode services. If no other merchant has that billing information, you don't have to worry about it anywhere else, unless of course your financial institution were to suffer some sort of catastrophic compromise. In that event, you probably have bigger problems.


PostPosted: Sun Jan 02, 2011 11:57 pm 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
I find a 49% Baking Soda, 49% Black Beach Sand, and 2% triple distilled water mixture works great at cleaning the tarnish off tinfoil hats (without making the dangerous wave concentrating scratches that other cleaners do), and we all know (wink wink nudge nudge) that it's the tarnish that makes tinfoil hats ineffective against the Mark IV or higher thought control waves.


PostPosted: Mon Jan 03, 2011 1:52 am 
Junior Member

Joined: Sun Jan 02, 2011 12:08 pm
Posts: 25
Thanks for the response.

Yes, it probably does sound paranoid, but I've seen some pretty easy attacks before, in the space of social engineering, for no other reason than what I suspect was competitor sabotage. I'd rather play it out in speculation on the cautious side than be shocked when scenarios become a reality.

I like the approach Google Apps takes, whereby you have a separate support PIN for when support is requested via phone/snail mail. This additional piece of information is unique to that vendor, so you lock it safely away. Unfortunately it's not always possible for most people to use a different card, either due to the number of cards (in terms of corporate cards), or the lack of one-time numbers (these are a minority, bear in mind). Or Amazon EC2, where you have to paste the PEM.

But glad to see stuff like XSS is prevented in Linode Manager with the form-based anti-forgery tokens, unlike another VPS provider I recently tried. :D
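The form-based anti-forgery tokens mentioned here are the standard defence against cross-site request forgery: a page on another origin can make the victim's browser submit a form to the Manager, but it cannot read a secret that only the Manager's own page carries. Here is an added example, not Linode's code (the thread says nothing about how the Manager implements its tokens), of one common way to issue and check such a token. It binds the token to the login session and the form action with an HMAC so the server stores nothing per form; the server key, session id, form action and field names are all constructed for the example.

```python
import hmac
import hashlib
import secrets
from html import escape

# Constructed server-side key for the example; a real deployment generates
# one once, keeps it out of source control, and rotates it if exposed.
SERVER_KEY = b"example-only-key-not-for-production"


def form_token(session_id, action, key=SERVER_KEY):
    """Token bound to one login session and one form action.

    HMAC over the pair means the server stores nothing per form: it recomputes
    the expected token on submission. A token is useless outside its session
    and cannot be replayed against a different form.
    """
    msg = f"{session_id}\n{action}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def render_form(session_id, action):
    """Emit the form with the token in a hidden field."""
    token = form_token(session_id, action)
    return (
        f'<form method="post" action="{escape(action)}">\n'
        f'  <input type="hidden" name="_token" value="{token}">\n'
        f'  <input type="text" name="allowed_ip">\n'
        f'  <button type="submit">Save</button>\n'
        f'</form>'
    )


def verify_submission(session_id, action, fields):
    """True only if the POST carries the token issued for this session and action."""
    submitted = fields.get("_token")
    if not session_id or not isinstance(submitted, str) or not submitted:
        return False
    expected = form_token(session_id, action)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def demo():
    """Legitimate submission versus three shapes of cross-site forgery."""
    sid = secrets.token_hex(16)        # constructed session id from the login cookie
    action = "/profile/security"
    assert form_token(sid, action) in render_form(sid, action)
    legit = {"_token": form_token(sid, action), "allowed_ip": "203.0.113.10"}
    # A page on another origin cannot read the victim's token, so its form
    # either omits it, guesses it, or reuses one it saw for a different form.
    no_token = {"allowed_ip": "198.51.100.5"}
    guessed = {"_token": "0" * 64, "allowed_ip": "198.51.100.5"}
    other_form = {"_token": form_token(sid, "/profile/email"), "allowed_ip": "198.51.100.5"}
    return {
        "legit": verify_submission(sid, action, legit),
        "no_token": verify_submission(sid, action, no_token),
        "guessed": verify_submission(sid, action, guessed),
        "other_form": verify_submission(sid, action, other_form),
    }


if __name__ == "__main__":
    print(demo())
```

The session id must come from the authenticated session cookie, never from the request body, or an attacker could supply both halves of the pair; and the token only helps if the framework rejects every state-changing request that lacks it, which is the point the post is making about the other provider.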


PostPosted: Mon Jan 03, 2011 10:16 am 
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
vonskippy wrote:
...it's the tarnish that makes tinfoil hats ineffective against the Mark IV or higher thought control waves.


Now that most "tinfoil" is actually manufactured using the element aluminium it only blocks Mark III or lower. Use real tin, 1/2 inch thick or more, for the best results. See my avatar for an example diagram of how this is best done - and I'm not the only one that wears this design.

Snorting large amounts of powdered tin daily helps protect against leakage from the bottom of the brain out through the sinuses as well. Tarnish actually has very little to do with it, that would be silly.

James


PostPosted: Mon Jan 03, 2011 10:47 am 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
Tin is not sufficiently dense to protect against the latest generation of attacks. My hat is made out of alternating layers of depleted uranium and tungsten.

_________________
/ Peter


PostPosted: Mon Jan 03, 2011 11:40 am 
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
pclissold wrote:
Tin is not sufficiently dense to protect against the latest generation of attacks. My hat is made out of alternating layers of depleted uranium and tungsten.


Ah, but what are you snorting?

James


PostPosted: Mon Jan 03, 2011 11:54 am 
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
JshWright wrote:
Have you checked out the Account Security options in the Linode Manager? It lets you set up a whitelist of IP addresses that are allowed to access the manager. If an IP that's not on that list tries to log in, you can either block them entirely, or have a warning e-mail sent.


and let me tell you, it can be annoying when you're at a hotel, need access to the manager, and the stupid hotel internet keeps changing your IP!


PostPosted: Mon Jan 03, 2011 1:43 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
glg wrote:
JshWright wrote:
Have you checked out the Account Security options in the Linode Manager? It lets you set up a whitelist of IP addresses that are allowed to access the manager. If an IP that's not on that list tries to log in, you can either block them entirely, or have a warning e-mail sent.


and let me tell you, it can be annoying when you're at a hotel, need access to the manager, and the stupid hotel internet keeps changing your IP!


Turn it off when you're in a hotel then :P

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


PostPosted: Mon Jan 03, 2011 1:45 pm 
Senior Newbie

Joined: Tue Jan 19, 2010 7:59 pm
Posts: 14
Website: http://www.scottphillips.com
JshWright wrote:
(Note: I'm just a happy customer)
Have you checked out the Account Security options in the Linode Manager? It lets you set up a whitelist of IP addresses that are allowed to access the manager. If an IP that's not on that list tries to log in, you can either block them entirely, or have a warning e-mail sent. That way, even if someone compromises your password, you will know about it.


Whoa! Where is this? I just clicked around the account manager for a while and didn't see an "Account Security Options" page. Let alone anything where I could configure restricted access. This is definitely something that looks like a great idea.

Scott--


PostPosted: Mon Jan 03, 2011 2:06 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
AggieScott wrote:
JshWright wrote:
(Note: I'm just a happy customer)
Have you checked out the Account Security options in the Linode Manager? It lets you set up a whitelist of IP addresses that are allowed to access the manager. If an IP that's not on that list tries to log in, you can either block them entirely, or have a warning e-mail sent. That way, even if someone compromises your password, you will know about it.


Whoa! Where is this? I just clicked around the account manager for a while and didn't see an "Account Security Options" page. Let alone anything where I could configure restricted access. This is definitely something that looks like a great idea.

Scott--


Click "my profile" near the logout link, top right. Then it's at the bottom of the screen.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


PostPosted: Mon Jan 03, 2011 2:41 pm 
Senior Member

Joined: Sat Feb 14, 2009 1:32 am
Posts: 123
I have one server configured as a Squid proxy (via ssh), so all of my traffic comes from my server IP. This defeats the whole IP changing problem.


PostPosted: Mon Jan 03, 2011 3:46 pm 
Senior Newbie

Joined: Tue Jan 19, 2010 7:59 pm
Posts: 14
Website: http://www.scottphillips.com
obs wrote:
Click "my profile" near the logout link, top right. Then it's at the bottom of the screen.


Found it, thanks!


Powered by phpBB® Forum Software © phpBB Group