I'm surprised there is no mention anywhere on Linode's website about this fact after so many hours.

For more details please head to this pastebin with the email exchange and the hackernews thread.

I'm sure Linode' staff is busy sorting this out and I have all confidence until proven wrong but a little timely update to your customers would be appreciated.

Thanks

first official statement's just released http://status.linode.com/2012/03/manager-security-incident.html

On twitter:

https://twitter.com/#!/rootwyrm/status/ ... 1262474242



Is this true? Linode says otherwise, however if they admit to something of this extent, they would fear losing their customer base.

as skeptic as I am I'm keen NOT to follow random people's rants on twitter, especially when they are based on 140 chars written by someone else they themselves don't know

My interpretation is that the Linode-side access was limited to what's available via the management UI (and probably a subset at that), but not the hosts themselves. This whole thing could be done with access to the shutdown, change-lish-password, change-root-password, and boot buttons, without having to break into a bunch of different hosts.

By the time anyone notices the reboot, it's done, and the only evidence consists of a Tor exit node IP and a Bitcoin address. Heck of a heist, that's for sure.

_________________

/* TODO: need to add signature to posts */

That tweet is just moronic.

Linode will probably post a full postmortem report in a few day's time, not in that obscure status site, but in their official blog this time. Security breaches can happen to anyone. What sets responsible companies apart from the rest of the herd is how they handle emergencies like this. I trust that Linode will respond professionally.

About 3 years ago, a budget OpenVZ virtual hosting company with thousands of customers got completely destroyed, all data lost, allegedly because of an unpatched bug in the then-popular HyperVM customer portal. The Indian guy who sold HyperVM committed suicide the next day. What followed was one hell of a mess. But Linode ain't like that, is it?

> Linode will probably post a full postmortem report in a few day's time

Nope.

They just told me they have nothing else to report at this time.

So I will be moving off of Linode and telling everyone I know to do the same. The complete lack of transparency is unacceptable.

People who have nothing else to report "at this time" often have something new to report after a few days.

"We do not have any plans of releasing any additional information at this time."

That is the exact quote. So I would not be holding your breath.

So where will Aunt Betty and your 3 D&D pals be moving to?

Knee jerk reactions with ZERO evidence that there is some big cover up is childish to the extreme.

I'm sure you and your tinfoil hat will have a great time moving to somewhere 100% safe.

I'd believe that quote, after ~7 years of running a node, it gets compromised at the end of february?

Coincidence? Probably not.

An email to customers or at least something on the main page would have been nice. But I certainly wont be leaving it seems Linode responded with those directly affected as fast as they could.

What more can we ask?

At least they have an audit trail!

Eh ? At what point did I ever suggest there was a cover up.

I just wish that more information was provided much, much earlier. The same behaviour was exhibited when there was a power outage at Fremont.

This is in no way a reflection of the engineers/admins at Linode who are always quick to respond to questions and supremely helpful.

It's just unacceptable that I should have to read about this on Reddit before hearing from Linode.

are independent security audits worth the money? I mean plenty of IT security companies have been owned.

What bothers me most about this is, assuming the perpetrator was not a Linode employee, Linode's backend customer support interface apparently is accessible over the Internet when it should be locked down and accessible only from designated internal hosts. That's a huge backdoor to every Linode just begging to be opened.

_________________
Got Escher? | @artagesw