Which is an unreasonable request. In my day job (security professional at a Fortune "small-num" company) I do have the clout to beat up vendors. If they f*** up then I do get to get details. I currently have around 50 outstanding action items with one vendor. Thursday was shouting at IBM day. However, even my company doesn't really get to shout at the likes of Microsoft, simply because we have no leverage (what we gonna do, turn off 200,000+ desktops?). (personally, yes please... )

However, me as an individual customer of linode... I have no such leverage. Being a security professional I note that linode have gone above and beyond the minimal requirements needed by law. They have provided a level of detail that explains the attack vector. They have not provided a "root cause analysis" (who fucked up, and how). And I don't expect one.

I'm dealing with a small company; the risks and consequences of an individual staff member screwing up are that much higher. (I know small technical service companies; I've work for them, run technology for them; my girlfriend used to work for a linode competitor. I know how they can f*** up).

And this is how you should perform your risk analysis; small companies have a risk profile that is pretty consistent. Even it caker said "we've told our staff not to drunk remote into the admin systems using open access points", what have you learned? One potential attack vector might be mitigated, but the rest remain.

Would I like to know how linode was broken into? Sure! I'd love to know! I'd love to know how Global Payments was breached, as well! (They've been less forth-coming than linode have.)

Finally I'll note that linode staff (and caker, personally) monitor or is aware of each and every post made to these forums. That they haven't responded is telling; either they can't, or they won't. If you don't like it then take your money and leave. In the "can't" case, maybe linode will be able to get some recompense for lost income; if it's a "won't" case then this is a business cost they've chosen to take.

Either way, I don't expect any more information from linode. My risk analysis takes this into account.

I've been partisipating in these forums on and off for about 8 years now, I've had various numbers of Linodes on and off during that time starting with a 80Meg UML machine. I've had very few problems and the ones I have had were resolved quickly. However I have to say the above comment is spot on. There are 'contributers' on this board that will quickly shout down any perceived criticism of linode or it's service regardless of the validity of the criticism.

IPv6 support was a good example, before IPv6 was deployed at linode and after it was deployed at many other providers anyone that asked for it on these forums was told they didn't need it and they were insulted for asking.

There were a few examples of people who canceled their accounts and didn't get a refund for the unused part. These people were soundly mocked for no good reason.

There was one chinese guy who got all frustrated at Linode wanting copies of the front and back ( PCI rules anyone? ) of his credit card and his passport. He was told he must be a scammer or somesuch thing on this forum based on nothing but his country of origin. Sad, that was a potential customer.

In this latest incident Linode screwed up, there is no denying it. No doubt Linode are doing everything they can to fix the situation but it doesn't not distract from the point that they did screw up. Yet the fanboys deny it, they make excuses, they try to derail any criticism.

These people are just a minority of forum contributers but they are vocal. I don't believe these people are sockpuppets. I believe these people just have a flawed view of reality caused by some kind of cognitive bias. I would not trust these people with a root account on any machine running anything I care about.


TL;DR - Linode screwed up, fanboys are unable to accept this so keep trying to derail this thread.

I view the incident as extremely serious and I need some kind of meaningful assurance that it won't happen again.

You're talking about a VPS running on a host you have zero physical control over.

If anyone, anywhere from any company tells you "It won't happen again", they are lying to you. Full stop.

Also, if it was my company, I would be commissioning an independent security review with a company that had some degree of experience and respectability. Whilst we would not need to be privey to the nuts and bolts, the independent nature of the review would go some way to reassuring customers that things were under control. At the moment I am having a serious rethink on the part (notice the word PART) Linode plays in my business.

I assume they're incredible expensive and, well, run by people like this.

I, for one, would have no confidence in an "independent security review". I assume they're incredible expensive and, well, run bypeople like this.

I, for one, would have no confidence in an "independent security review". I assume they're incredible expensive and, well, run by people like this.

Which would reveal that there _is_ an ongoing investigation; something that they may have been requested (or ordered; such orders to exist) not to reveal.

...aaaand we're at 11 pages.

WITH NOTHING NEW SAID. AT ALL.

I am a lawyer and a former customer who left after the last security incident. They DO have the ability to mention if a case is forthcoming without needing to mention any specifics. Otherwise you wouldn't have media coverage of any cases.

It's just not true that nothing has been said, Taligent made a very good point a few posts ago. It's doesn't appear to be the case that Linode legally can't say anything.

It's very obvious from your posts that you have no clue on the US legal system. Since you're not from the US, I wouldn't expect you do, but do yourself a favor and just don't post about it. It just makes you look stupid.