Linode Forum
Linode Community Forums
PostPosted: Sun Apr 29, 2012 9:33 pm 
Offline
Senior Member
User avatar

Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
Gig, You missed the point there somewhat. I can accept downtime because I expect it but DNS slaves and backup mail exchangers are not built to recover from a situation where their primary is misbehaving because the machine got p0wned and is stealing my email or giving out incorrect DNS records.

Obviously a power failure or network outage will only cause downtime, not a compromise of my systems.


PostPosted: Sun Apr 29, 2012 9:43 pm 
Offline
Senior Member
User avatar

Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
glg wrote:
nvm, just read post above, vonskippy said it better than me


That would be the same vonskippy who was insulting people asking for ipv6 back when Linode didn't have it but other providers did.

He is so far in the pro-linode camp as to have lost all objective judgement.


PostPosted: Sun Apr 29, 2012 9:48 pm 
Offline
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
sednet wrote:
Gig, You missed the point there somewhat. I can accept downtime because I expect it but DNS slaves and backup mail exchangers are not built to recover from a situation where their primary is misbehaving because the machine got p0wned and is stealing my email or giving out incorrect DNS records.

Obviously a power failure or network outage will only cause downtime, not a compromise of my systems.


If you don't think that anything that you can access in linode manager can't be accessed in some fashion by a sysadmin, then I just don't know what to say. You signed up for a VPS product, you're putting some faith in the owner and admins.


PostPosted: Sun Apr 29, 2012 10:03 pm 
Offline
Senior Member
User avatar

Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
glg wrote:
If you don't think that anything that you can access in linode manager can't be accessed in some fashion by a sysadmin, then I just don't know what to say. You signed up for a VPS product, you're putting some faith in the owner and admins.


I am putting faith in them to behave legally. It would be strongly against their interests to do otherwise. Whatever happened to Linode is unlikely to be a result of linode itself behaving illegally. However as they won't give me any information whatsoever I can't be 100% sure.

I want clear information from people who know what happened. Argument and opinion from people that know no more than I do doesn't get anyone anywhere.


PostPosted: Sun Apr 29, 2012 10:06 pm 
Offline
Senior Member

Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
Quote:
They may be legally unable to say anything


If that's the case then I'd love if they told us that. Hell, if that's not the case, they might as well tell us the same thing anyway, it would get us off their backs.

Either that or just don't say that you intend to communicate openly.

_________________
If all else fails, reboot...
PHP Tutorials and MySQL Tutorials


PostPosted: Sun Apr 29, 2012 10:09 pm 
Offline
Senior Member
User avatar

Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
nehalem wrote:
Quote:
They may be legally unable to say anything


If that's the case then I'd love if they told us that.


I'd accept that as a perfectly valid reason for not telling us any more. Caker didn't even say that much though.


PostPosted: Sun Apr 29, 2012 10:10 pm 
Offline
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
nehalem wrote:
Quote:
They may be legally unable to say anything


If that's the case then I'd love if they told us that. Hell, if that's not the case, they might as well tell us the same thing anyway, it would get us off their backs.

Either that or just don't say that you intend to communicate openly.


Chicken/egg problem there. If a lawyer advised them to shut up, the lawyer isn't going to tell them to say that.


PostPosted: Sun Apr 29, 2012 10:10 pm 
Offline
Senior Member
User avatar

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
I'm not sure I've weighed in on this thread, yet. I've previously criticised linode for the IPv6 policy (indeed, I'm still not happy with it). I eventually got sufficiently annoyed with Fremont that I moved the service to Dallas.

I'm not a "fan boy" by any means.

sednet wrote:
One side wants to know what happened


Which is an unreasonable request. In my day job (security professional at a Fortune "small-num" company) I do have the clout to beat up vendors. If they fuck up then I do get to get details. I currently have around 50 outstanding action items with one vendor. Thursday was shouting at IBM day. However, even my company doesn't really get to shout at the likes of Microsoft, simply because we have no leverage (what we gonna do, turn off 200,000+ desktops?). (personally, yes please... :-))

However, me as an individual customer of linode... I have no such leverage. Being a security professional I note that linode have gone above and beyond the minimal requirements needed by law. They have provided a level of detail that explains the attack vector. They have not provided a "root cause analysis" (who fucked up, and how). And I don't expect one.

I'm dealing with a small company; the risks and consequences of an individual staff member screwing up are that much higher. (I know small technical service companies; I've worked for them, run technology for them; my girlfriend used to work for a linode competitor. I know how they can fuck up).

And this is how you should perform your risk analysis; small companies have a risk profile that is pretty consistent. Even if caker said "we've told our staff not to drunk remote into the admin systems using open access points", what have you learned? One potential attack vector might be mitigated, but the rest remain.

Would I like to know how linode was broken into? Sure! I'd love to know! I'd love to know how Global Payments was breached, as well! (They've been less forthcoming than linode have.)

Finally I'll note that linode staff (and caker, personally) monitor or are aware of each and every post made to these forums. That they haven't responded is telling; either they can't, or they won't. If you don't like it then take your money and leave. In the "can't" case, maybe linode will be able to get some recompense for lost income; if it's a "won't" case then this is a business cost they've chosen to take.

Either way, I don't expect any more information from linode. My risk analysis takes this into account.

Quote:
or simply to complain


Ah. Well, OK then. Maybe linode needs a "flame" sub-forum.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


PostPosted: Sun Apr 29, 2012 10:13 pm 
Offline
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
sweh wrote:
Thursday was shouting at IBM day.


You have those too, eh? ;)

I am amazed at times how pervasive the "we know better than you, Mr Customer, we're IBM!" attitude can be there.


PostPosted: Sun Apr 29, 2012 10:13 pm 
Offline
Senior Member
User avatar

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
nehalem wrote:
Quote:
They may be legally unable to say anything


If that's the case then I'd love if they told us that. Hell, if that's not the case, they might as well tell us the same thing anyway, it would get us off their backs.

Either that or just don't say that you intend to communicate openly.

If this was the case then they probably _can't_ reveal this information and may have been advised by lawyers to not say _anything_; anything they do say might be considered prejudicial to the case.

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)


PostPosted: Sun Apr 29, 2012 10:16 pm 
Offline
Senior Member

Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
glg wrote:
nehalem wrote:
Quote:
They may be legally unable to say anything


If that's the case then I'd love if they told us that. Hell, if that's not the case, they might as well tell us the same thing anyway, it would get us off their backs.

Either that or just don't say that you intend to communicate openly.


Chicken/egg problem there. If a lawyer advised them to shut up, the lawyer isn't going to tell them to say that.


No, but they'll tell them to say that they can't comment on an ongoing criminal investigation.

_________________
If all else fails, reboot...

PHP Tutorials and MySQL Tutorials


PostPosted: Sun Apr 29, 2012 10:19 pm 
Offline
Senior Member
User avatar

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
nehalem wrote:
No, but they'll tell them to say that they can't comment on an ongoing criminal investigation.

Which would reveal that there _is_ an ongoing investigation; something that they may have been requested (or ordered; such orders do exist) not to reveal.

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)


PostPosted: Sun Apr 29, 2012 10:23 pm 
Offline
Senior Member

Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
sweh wrote:
nehalem wrote:
No, but they'll tell them to say that they can't comment on an ongoing criminal investigation.

Which would reveal that there _is_ an ongoing investigation; something that they may have been requested (or ordered; such orders do exist) not to reveal.


Can they say: "trust us, we just can't tell you anymore"? :)

_________________
If all else fails, reboot...

PHP Tutorials and MySQL Tutorials


PostPosted: Sun Apr 29, 2012 10:43 pm 
Offline
Senior Member
User avatar

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
nehalem wrote:
Can they say: "trust us, we just can't tell you anymore"? :)

My mind just went through a tonne of confidence tricksters and even the snake from Disney's Jungle Book saying 'Trust me'.... :-)

Either ya do or ya don't. I doubt you're gonna get more information in the near future.

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)


PostPosted: Sun Apr 29, 2012 10:53 pm 
Offline
Senior Member
User avatar

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
sednet wrote:
That would be the same vonskippy who was insulting people asking for ipv6 back when Linode didn't have it but other providers did.

Well, since this thread has long ago jumped the shark, let's discuss IPv6.

Care to share your ginormous IPv6 traffic charts for the last 6 months?

Boy, I can't imagine how you would have survived if Linode took longer than they did to roll it out.

So post away, I can't wait to see those IPv6 traffic numbers.

As to a Linode fanboy (although as VPS hosts go, Linode was in our top 3 list when we vetted vendors) - bwahahahahahahaha - not even close, I'm a huge fan of co-location (in big shiny locked cages with video surveillance and two-factor authentication to get in), and think VPS's are toys to be played with, not host serious work (but YMMV).

