Linode Forum
Linode Community Forums
Posted: Fri Mar 02, 2012 12:48 pm
Newbie
Joined: Fri Apr 02, 2010 11:02 am
Posts: 4
OverlordQ wrote:
Guspaz wrote:
OverlordQ wrote:
compizjoe wrote:
It does sound like a simple case of slightly bad wording. They've informed people about exactly what has happened, and they did so quickly.


No they didn't, they put up a posting on status.linode.com. If there's a serious security breach, they should reach out to me, I shouldn't have to check that site every day to make sure somebody didn't hack in again.


According to their investigation, you were not affected by the breach; they did reach out to affected customers. As they say in that post.

Would you also expect to be notified when Billy Joe Bob's linode suffers from a host disk failure, even though you don't know him and don't have any linodes on his host?


No, because that doesn't affect me. The failure to protect critical management infrastructure does.


Exactly, spot on. I need full details on whether this has anything to do with Linode's control panel. I don't want a Vaserv scenario.


Posted: Fri Mar 02, 2012 1:29 pm
Senior Newbie
Joined: Sat Apr 18, 2009 11:33 pm
Posts: 7
I agree with this. I would like to get this kind of notification in the same way I get the notifications when I don't pay (I guess they have my email address).

I really love linode but I don't have a better place to go.

But what I really need is the removal of the root password change from the interface and APIs.
If I lose it or forget it... Shame on me. Nobody should be able to change it...period.

We need to be sure that nobody can change that not even linode.
If I can do it from an interface then anyone will (authorized/unauthorized).


Posted: Fri Mar 02, 2012 1:40 pm
Junior Member
Joined: Wed Jul 27, 2011 8:34 pm
Posts: 31
Website: http://eschercms.org
pic.micro23 wrote:
But what I really need is the removal of the root password change from the interface and APIs.
If I lose it or forget it... Shame on me. Nobody should be able to change it...period.


I agree with this 100%.

_________________
Got Escher? | @artagesw


Posted: Fri Mar 02, 2012 2:28 pm
Senior Member
Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
This is why I store my coinbits in an old Canopic jar hidden behind the washer in the basement. Let's see Linode (authorized or not) find them there.


Posted: Fri Mar 02, 2012 6:01 pm
Senior Newbie
Joined: Mon Aug 15, 2011 12:58 am
Posts: 10
zunzun wrote:
I think it is entirely appropriate - and in your case, necessary.


Really? Wow. Personal attacks for simply being critical that loyal Linode customers should have been better notified about a major security incident that directly affects them.

This is officially the worst forum I've been to in years.


Post subject: Too busy to notice...
Posted: Fri Mar 02, 2012 6:37 pm
Senior Member
Joined: Tue Mar 17, 2009 5:11 am
Posts: 129
Location: UK
A few months ago a similar thing happened at Hetzner, and even though I wasn't directly affected, all customers were advised to change their passwords etc. as a precaution.

Just connecting a computer to the internet is a security risk.

If successful hacking happens to the bods at NASA, then why do some people assume that Linode, or any other hoster, is immune?


Posted: Fri Mar 02, 2012 7:30 pm
Senior Member
Joined: Tue Aug 17, 2004 11:37 pm
Posts: 262
Website: http://www.our-lan.com
WLM: nf@our-lan.com
Location: Brisbane, Australia
artagesw wrote:
pic.micro23 wrote:
But what I really need is the removal of the root password change from the interface and APIs.
If I lose it or forget it... Shame on me. Nobody should be able to change it...period.


I agree with this 100%.


You understand that this is just a "nice" feature, right? If someone has access to your Linode Manager account, they can just reboot the node into single user mode, open Lish, reset the password and reboot.

Or boot into Finnix and do the same thing.

Yes, this feature makes it convenient and easier, but it's not a security issue.

_________________
ServerAdmin - www.our-lan.com
"Diplomacy is the art of saying nice doggy whilst looking for a really big stick"
"In my experience, any attempt to make any system idiot proof will only challenge God to make a better idiot"


Posted: Fri Mar 02, 2012 7:32 pm
Newbie
Joined: Fri Mar 02, 2012 5:42 am
Posts: 3
taligent wrote:
zunzun wrote:
I think it is entirely appropriate - and in your case, necessary.


Really? Wow. Personal attacks for simply being critical that loyal Linode customers should have been better notified about a major security incident that directly affects them.

This is officially the worst forum I've been to in years.


+1

Being rash is one thing, but attacking another person personally shouldn't be accepted (and definitely not endorsed!) by the Linode community. Making wild and potentially hurtful speculations about one's personal life or social status is unacceptable behavior (more so if all he did was demand being informed about security breaches that could easily have compromised his own Linodes.)


Posted: Fri Mar 02, 2012 8:12 pm
Junior Member
Joined: Fri Apr 22, 2011 11:53 pm
Posts: 29
jk4736 wrote:
taligent wrote:
zunzun wrote:
I think it is entirely appropriate - and in your case, necessary.


Really? Wow. Personal attacks for simply being critical that loyal Linode customers should have been better notified about a major security incident that directly affects them.

This is officially the worst forum I've been to in years.


+1

Being rash is one thing, but attacking another person personally shouldn't be accepted (and definitely not endorsed!) by the Linode community. Making wild and potentially hurtful speculations about one's personal life or social status is unacceptable behavior (more so if all he did was demand being informed about security breaches that could easily have compromised his own Linodes.)


Think of them as rabid apple fanboys. You attack the product, you get attacked.

In any case, what happened to Linode is SEVERE. I agree an email should have been sent out to ALL clients notifying us of the breach instead of those affected.

Why? It DOES affect ALL of us, not only the 8 that were breached. They had master root access; who knows what they could've done to the rest they didn't have time to dig through?


Posted: Fri Mar 02, 2012 8:18 pm
Senior Member
Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
They didn't have root access.
They had "support representative" access.
If your linode hasn't been rebooted, if your linode's root password hasn't been changed, you haven't been affected.

_________________
rsk, providing useless advice on the Internet since 2005.


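An added example, written for this page and not posted by anyone in the thread: a small POSIX shell check built around the two indicators rsk gives above (the Linode was rebooted, the root password was changed), which are also exactly what nfn describes an out-of-band reset through the manager leaving behind on the guest. It assumes a Linux guest (boot time from the `btime` field of `/proc/stat`, GNU `stat` for the mtime of `/etc/shadow`); the baseline numbers in the usage comments are constructed.

```shell
#!/bin/sh
# Added example (not from this thread): compare a guest against a recorded
# baseline using the two indicators rsk lists, a reboot and a root password
# change. Both are what an out-of-band reset via the manager produces.
# Assumes a Linux guest: boot time from /proc/stat, GNU stat for mtimes.

# check_indicators BASE_BOOT CUR_BOOT BASE_SHADOW CUR_SHADOW
#   All four are epoch seconds. Prints one line per indicator that moved and
#   returns 0 when nothing moved, 1 when at least one indicator did.
check_indicators() {
    base_boot=$1
    cur_boot=$2
    base_shadow=$3
    cur_shadow=$4
    moved=0
    if [ "$cur_boot" -ne "$base_boot" ]; then
        echo "WARN: boot time changed ($base_boot -> $cur_boot): host was rebooted"
        moved=1
    fi
    if [ "$cur_shadow" -ne "$base_shadow" ]; then
        echo "WARN: /etc/shadow mtime changed ($base_shadow -> $cur_shadow): a password entry was modified"
        moved=1
    fi
    return "$moved"
}

# Live readings for the current host (reading /etc/shadow requires root).
current_boot_time() { awk '/^btime/ { print $2 }' /proc/stat; }
current_shadow_mtime() { stat -c %Y /etc/shadow; }

# Usage (hypothetical path): record a baseline once,
#   printf '%s %s\n' "$(current_boot_time)" "$(current_shadow_mtime)" > /var/lib/guest-baseline
# and on each later run compare against it:
#   read base_boot base_shadow < /var/lib/guest-baseline
#   check_indicators "$base_boot" "$(current_boot_time)" "$base_shadow" "$(current_shadow_mtime)"
```

Two caveats apply to reading the result. The mtime of `/etc/shadow` moves for any local account's password or aging change, not just root's, so a warning is a prompt to look at the auth logs rather than proof of the scenario rsk describes; and the baseline file should be kept off the guest (or copied off), since a console-level intruder who can reset the root password can also rewrite a file on the same disk.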
Posted: Fri Mar 02, 2012 8:29 pm
Junior Member
Joined: Fri Apr 22, 2011 11:53 pm
Posts: 29
rsk wrote:
They didn't have root access.
They had "support representative" access.
If your linode hasn't been rebooted, if your linode's root password hasn't been changed, you haven't been affected.


Hence, if they emailed us explaining in more detail what happened and what did not happen, we would be more informed and less likely to be upset.


Posted: Fri Mar 02, 2012 9:14 pm
Senior Member
Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
I think for such a critical issue, an email notification, even if only pointing to the official "Linode Status Updates" entry, would be in order.

I would much prefer to hear that my provider has had a security breach directly by email from the provider themselves. Or who knows, maybe we'll get that email after the audit has been done.

One also has to consider the unnecessary panic such an announcement might cause among customers.

_________________
If all else fails, reboot...
PHP Tutorials and MySQL Tutorials


Posted: Fri Mar 02, 2012 10:15 pm
Senior Member
Joined: Fri Jan 02, 2009 11:31 am
Posts: 141
Website: http://faroutscience.com
Location: Texas / Kansas
The Chinese have reportedly hacked the JPL. Everyone is vulnerable. I heard about the breach on Slashdot. That is ok, evidently the staff was already working on the situation.

I'm sure they will do as well as they have in the past.

fos


Posted: Fri Mar 02, 2012 10:19 pm
Junior Member
Joined: Thu Mar 22, 2007 1:39 am
Posts: 23
rsk wrote:
They didn't have root access.
They had "support representative" access.
If your linode hasn't been rebooted, if your linode's root password hasn't been changed, you haven't been affected.


I love Linode. I really do. I've been a personal customer for many years. I no longer have my own Linode, but still manage about a dozen or so for clients.

I find the above statement confusing. How does 'support representative' access allow access to 8 unrelated accounts (i.e. different account holders, different accounts, probably different datacenters), yet not allow access to all other accounts?

To me, and probably to others, if the intruder(s) can attack 8 independent Linodes, then they can attack them all.

Perhaps the Linode team can clarify this?

Also - rumor has it that it was an inside job. Was this the case?

I agree with the sentiment that more information on exactly what happened is needed.


Posted: Fri Mar 02, 2012 10:41 pm
Senior Newbie
Joined: Fri Mar 02, 2012 8:53 am
Posts: 5
rainkid wrote:
I find the above statement confusing. How does 'support representative' access allow access to 8 unrelated accounts (i.e. different account holders, different accounts, probably different datacenters), yet not allow access to all other accounts?

To me, and probably to others, if the intruder(s) can attack 8 independent Linodes, then they can attack them all.

Perhaps the Linode team can clarify this?

Also - rumor has it that it was an inside job. Was this the case?

I agree with the sentiment that more information on exactly what happened is needed.


As far as I can tell from the information given, normal support level login credentials were used. In other words, no exploit of any kind (except the human kind) was used, which means they are able to see exactly who was affected through the logs. Yes, the person could in theory have attacked all the nodes, but he or she didn't. There's nothing that needs clarifying about this part specifically; there's no risk of repeat with the same credentials, and nobody else was affected or can be affected in the future as a result of this specific hack.

While a more comprehensive report certainly will be interesting to read, there's no more immediate information that Linode needs to give, the question you asked has already been answered by the official information given. (Or an answer is possible to infer easily).

As far as inside job goes, that would be interesting to know but ultimately doesn't matter that much right now. It's the kind of thing that will be interesting to read in a more comprehensive report of the incident.

