Linode Forum
Linode Community Forums
Posted: Thu Mar 01, 2012 10:31 pm
Senior Newbie

Joined: Thu Feb 23, 2012 12:51 pm
Posts: 12
I'm surprised there is no mention anywhere on Linode's website about this fact after so many hours.

For more details please head to this pastebin with the email exchange and the hackernews thread.

I'm sure Linode's staff is busy sorting this out, and I have all confidence until proven wrong, but a little timely update to your customers would be appreciated.

Thanks


Posted: Thu Mar 01, 2012 11:12 pm
Senior Newbie

Joined: Thu Feb 23, 2012 12:51 pm
Posts: 12
First official statement's just released: http://status.linode.com/2012/03/manager-security-incident.html


Posted: Thu Mar 01, 2012 11:31 pm

Joined: Thu Mar 01, 2012 11:28 pm
Posts: 1
On Twitter:

https://twitter.com/#!/rootwyrm/status/ ... 1262474242

Quote:
> Pretty much, if you're a @Linode customer? Your system has almost definitely been hacked and rooted. Because they had a global superuser.


Is this true? Linode says otherwise, however if they admit to something of this extent, they would fear losing their customer base.


Posted: Thu Mar 01, 2012 11:32 pm
Senior Newbie

Joined: Thu Feb 23, 2012 12:51 pm
Posts: 12
As skeptical as I am, I'm keen NOT to follow random people's rants on Twitter, especially when they are based on 140 chars written by someone else they themselves don't know :-)


Posted: Fri Mar 02, 2012 12:47 am
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
My interpretation is that the Linode-side access was limited to what's available via the management UI (and probably a subset at that), but not the hosts themselves. This whole thing could be done with access to the shutdown, change-lish-password, change-root-password, and boot buttons, without having to break into a bunch of different hosts.

By the time anyone notices the reboot, it's done, and the only evidence consists of a Tor exit node IP and a Bitcoin address. Heck of a heist, that's for sure.

_________________
Code:
/* TODO: need to add signature to posts */


Posted: Fri Mar 02, 2012 12:47 am
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
That tweet is just moronic.

Linode will probably post a full postmortem report in a few days' time, not in that obscure status site, but in their official blog this time. Security breaches can happen to anyone. What sets responsible companies apart from the rest of the herd is how they handle emergencies like this. I trust that Linode will respond professionally.

About 3 years ago, a budget OpenVZ virtual hosting company with thousands of customers got completely destroyed, all data lost, allegedly because of an unpatched bug in the then-popular HyperVM customer portal. The Indian guy who sold HyperVM committed suicide the next day. What followed was one hell of a mess. But Linode ain't like that, is it?


Posted: Fri Mar 02, 2012 1:08 am
Senior Newbie

Joined: Mon Aug 15, 2011 12:58 am
Posts: 10
> Linode will probably post a full postmortem report in a few days' time

Nope.

They just told me they have nothing else to report at this time.

So I will be moving off of Linode and telling everyone I know to do the same. The complete lack of transparency is unacceptable.


Posted: Fri Mar 02, 2012 1:31 am
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
taligent wrote:
> Nope.
>
> They just told me they have nothing else to report at this time.

People who have nothing else to report "at this time" often have something new to report after a few days.


Posted: Fri Mar 02, 2012 1:33 am
Senior Newbie

Joined: Mon Aug 15, 2011 12:58 am
Posts: 10
"We do not have any plans of releasing any additional information at this time."

That is the exact quote. So I would not be holding your breath.


Posted: Fri Mar 02, 2012 1:56 am
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
taligent wrote:
> So I will be moving off of Linode and telling everyone I know to do the same. The complete lack of transparency is unacceptable.

So where will Aunt Betty and your 3 D&D pals be moving to?

Knee-jerk reactions with ZERO evidence that there is some big cover-up are childish to the extreme.

I'm sure you and your tinfoil hat will have a great time moving to somewhere 100% safe.


Posted: Fri Mar 02, 2012 2:06 am
Senior Member

Joined: Sat Jun 05, 2004 12:49 am
Posts: 333
I'd believe that quote, after ~7 years of running a node, it gets compromised at the end of February?

Coincidence? Probably not.


Posted: Fri Mar 02, 2012 2:19 am
Junior Member

Joined: Tue Jan 25, 2005 10:45 pm
Posts: 33
An email to customers or at least something on the main page would have been nice. But I certainly won't be leaving; it seems Linode responded to those directly affected as fast as they could.

What more can we ask?

At least they have an audit trail!


Posted: Fri Mar 02, 2012 2:48 am
Senior Newbie

Joined: Mon Aug 15, 2011 12:58 am
Posts: 10
vonskippy wrote:
> Knee-jerk reactions with ZERO evidence that there is some big cover-up are childish to the extreme.
>
> I'm sure you and your tinfoil hat will have a great time moving to somewhere 100% safe.

Eh? At what point did I ever suggest there was a cover-up?

I just wish that more information was provided much, much earlier. The same behaviour was exhibited when there was a power outage at Fremont.

This is in no way a reflection of the engineers/admins at Linode who are always quick to respond to questions and supremely helpful.

It's just unacceptable that I should have to read about this on Reddit before hearing from Linode.


Posted: Fri Mar 02, 2012 3:33 am
Senior Member

Joined: Tue Feb 19, 2008 10:55 am
Posts: 164
Are independent security audits worth the money? I mean, plenty of IT security companies have been owned.


Posted: Fri Mar 02, 2012 3:43 am
Junior Member

Joined: Wed Jul 27, 2011 8:34 pm
Posts: 31
Website: http://eschercms.org
What bothers me most about this is, assuming the perpetrator was not a Linode employee, Linode's backend customer support interface apparently is accessible over the Internet when it should be locked down and accessible only from designated internal hosts. That's a huge backdoor to every Linode just begging to be opened.

_________________
Got Escher? | @artagesw

