Linode Forum
Linode Community Forums
Posted: Mon Apr 23, 2012 10:09 am
Senior Member

Joined: Mon Dec 07, 2009 6:46 am
Posts: 331
I don't understand this thread.

http://status.linode.com/2012/03/manage ... ident.html


What else is needed? IP/name/photo of the attacker? Source code of the manager app? Detailed access logs? Names of the victim node owners? Firstborn babies?


Posted: Mon Apr 23, 2012 10:25 am
Senior Member

Joined: Sun Sep 05, 2010 8:55 pm
Posts: 97
Typo wrote:
You are obviously posting simply to start trouble while we have an honest desire to get answers that were promised us and are directly related to the safety of our vps's.


I am not posting "just to start trouble".

I am posting to say that I do think we've gotten answers. I think we've gotten all the answers we're going to get. And I am satisfied with those answers.

Am I not allowed to hold those opinions?


Posted: Mon Apr 23, 2012 10:42 am
Senior Member

Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
Quote:
What else is needed? IP/name/photo of the attacker? Source code of the manager app? Detailed access logs? Names of the victim node owners? Firstborn babies?


For me, I want to know how the attacker accessed the web-based Linode customer service portal. Was it brute-force? Was it phishing? Was it a vulnerability in the portal itself? Was it an inside job? How did the attacker target the bitcoin people so quickly? I would like concrete answers to those questions without the speculation.


Quote:
I am not posting "just to start trouble".


To me, it seems you are. You already posted:

Quote:
It doesn't matter where you draw the line here, *someone* is going to be unhappy.

Me? I'm happy.


And we get it. You are happy with the response you have gotten. Good for you. And you expressed that you are satisfied. If every time someone who is not happy posts something, and you reply by saying you are happy, then yes, it does seem you are trying to start trouble.

Quote:
Am I not allowed to hold those opinions?


Yes you are allowed to hold these opinions, but you do not have to keep expressing it and repeating yourself just because someone out there is not happy. How about we each express our opinions on the matter only once? Is that so hard?

_________________
If all else fails, reboot...
PHP Tutorials and MySQL Tutorials


Posted: Mon Apr 23, 2012 10:56 am
Junior Member

Joined: Mon Jun 20, 2011 8:54 am
Posts: 44
@ericholtman: You have voiced your opinion, no problem. But you also made fun of someone else who has voiced theirs, only because they disagree with you.

For the record, I am never happy with "security through obscurity". But it's a matter of the level of risk I can manage/deal with when services are handed over to someone else. Which is why I still use and love Linode, with no plans to leave. I like and appreciate the measures they introduced, even though I would like clearer answers as to what really happened in the "incident." Was it a "hack" against this "customer service portal"? Was it mis-managed credentials? Was this "portal" world accessible, or accessed through someone's compromised machine?

If you are happy with the info Linode has provided, that's fine. Don't belittle someone because they want better answers.

And, yes, when you wrote
Quote:
Hey.... I had a dream last night where aliens from Zabron 9 broke in and stole some accounts.

Should caker sign on and deny this too?
you were being just a little silly. :)


Posted: Mon Apr 23, 2012 11:02 am
Senior Member

Joined: Sun Sep 05, 2010 8:55 pm
Posts: 97
AgentOfPork wrote:
If you are happy with the info Linode has provided, that's fine. Don't belittle someone because they want better answers.


But the question was about some other provider, and some other platform. That's what I find ridiculous.


Posted: Mon Apr 23, 2012 3:22 pm
Senior Member

Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
Azathoth wrote:
What else is needed? IP/name/photo of the attacker? Source code of the manager app? Detailed access logs? Names of the victim node owners? Firstborn babies?


I would like to know how the attacker or attackers happened to get access to the customer management portal which allowed him/her/them to reset the root passwords of Linodes.

Either it was a flaw in the management interface, or a valid password was used. If a valid password was used how did the attackers get hold of it?

To anyone who thinks this was a minor attack affecting just a handful of Linodes you should remember we got off lightly because the attacker had very specific targets in mind. It appears it would have been easy enough for the attacker to reset the passwords of every Linode, and from every machine copy off /etc/passwd, /etc/shadow, scan for and copy off any wallet.dat's and .htpasswds, set up a rootkit, collect a list of all email addresses the server has ever dealt with, scan for credit card numbers in emails and databases, scan through databases for anything else interesting, redirect any DNS servers to point at a fake drug site or wherever, set up DDoS tools and start attacks against anything.

The attacker could have pre-scripted a whole load of bad stuff and deployed it to every Linode. We could have all been screwed big time.


Posted: Mon Apr 23, 2012 5:05 pm
Junior Member

Joined: Mon Jun 20, 2011 8:54 am
Posts: 44
Exactly my point(s)! Nobody is bashing the company, just concerned customers questioning the company. We would really like to know:

Was it a hack against a "customer service portal" or was it mis-managed credentials? Both are bad...

Was this portal world accessible (instead of through VPN or other IP restricted access), or accessed through someone's compromised machine? Again, both things are less than optimal...

Just because the incident turned out to be minor, that doesn't equate to the vulnerability being minor.


Posted: Mon Apr 23, 2012 5:40 pm
Senior Member

Joined: Mon Oct 15, 2007 3:11 pm
Posts: 78
Website: http://www.avongauss.com
Location: Boynton Beach, FL
AgentOfPork wrote:
Was it a hack against a "customer service portal" or was it mis-managed credentials? Both are bad…


What does it ultimately matter? What really matters is whether or not it can happen again. If it matters that much to you, pick the worst case scenario in your mind and run with it.

AgentOfPork wrote:
Was this portal world accessible (instead of through VPN or other IP restricted access), or accessed through someone's compromised machine? Again, both things are less than optimal…


Same as above.

AgentOfPork wrote:
Just because the incident turned out to be minor, that doesn't equate to the vulnerability being minor.


That vulnerability is almost certainly past tense, it's your confidence level on how well they learned the lesson and have prepared for the unexpected in the future that matters now. I doubt they will release the gory details of the prior incident, and in my opinion it would be highly irresponsible for them to do so.

If you've asked Linode directly (i.e. e-mail, support ticket) and they've declined to provide additional details, you are beating the issue to no avail.


Posted: Mon Apr 23, 2012 5:46 pm
Senior Member

Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
AVonGauss wrote:
What does it ultimately matter? What really matters is whether or not it can happen again. If it matters that much to you, pick the worst case scenario in your mind and run with it.


I disagree. If I pick a worst case scenario of them using "password" for the customer service portal password, then I'd never use Linode again regardless of any claimed "improvements", because that would show that my web hosting company is silly.

Quote:
it's your confidence level on how well they learned the lesson and have prepared for the unexpected in the future that matters now


I agree, but how shall we quantify this without knowing exactly what the problem was and what they have done to address it?

Just to add, for me it's not a big deal whether we get more information or not, though I'd like more information. I'm not leaving Linode either way.

_________________
If all else fails, reboot...

PHP Tutorials and MySQL Tutorials


Posted: Mon Apr 23, 2012 6:02 pm
Senior Member

Joined: Mon Oct 15, 2007 3:11 pm
Posts: 78
Website: http://www.avongauss.com
Location: Boynton Beach, FL
nehalem wrote:
I disagree. If I pick a worst case scenario of them using "password" for the customer service portal password, then I'd never use Linode again regardless of any claimed "improvements", because that would show that my web hosting company is silly.


... but, you're already there whether you want to be or not. You take the information you've been given, benefits / cons in general and make the best decision you can.

nehalem wrote:
I agree, but how shall we quantify this without knowing exactly what the problem was and what they have done to address it?


Same as above, it's the past - just because today Linode is uber on the ball (or not) that is no guarantee 6 months or 2 years down the road it won't change - it's a constant evaluation process. The incident occurred, they disclosed it to the affected customers (who I don't believe are the ones posting in this thread), they disclosed it publicly, they disclosed the compromised data impacts publicly and they seem to have taken steps to prevent a similar event from occurring in the future. There's nothing specific left for them to do.

I don't mean to sound cold, but it's time to move on in life. If you have a concern great enough to keep this going, you should probably change hosting providers if another gives you a better level of comfort whether it be through historical data to base an opinion on or just the fact they are new to you.

You've already received far more information about this event than you will about the Heartland or Global Payments breaches, and I am pretty sure those are far more impacting in both scope and damage.


Posted: Mon Apr 23, 2012 6:28 pm
Junior Member

Joined: Mon Jun 20, 2011 8:54 am
Posts: 44
[sigh]
The issue is not played out in my mind, I'm not asking for "gory details", and I'm not asking for proprietary code to be openly posted. I am a professional, working in a business environment. They are professionals, working in a business environment. They have made improvements to the system, that is not in question. But without some level of detail about what happened, there is no way to judge how much the risk was mitigated.

It doesn't have to be a lot. See:
http://status.linode.com/2011/08/fremont-power-outage-rfo.html
(And yes, I already know how the incidents differ, that's not the point.)

I didn't set about to beat the issue repeatedly, but there were some who were implying that those who originally asked the questions were paranoid, being alarmists, or at least not thinking clearly. Essentially because they refused to agree with another point of view.

You have moved on, great. I have moved on and made decisions based on currently available data as well. That doesn't mean I can't chime in on a discussion, and agree with someone that doesn't agree with you, does it? I don't see value in continuing to ask the same questions in this thread. I never said I did. I only voiced an opinion, which you and others don't agree with.

I'm fine with that. I hope you are as well.


Posted: Mon Apr 23, 2012 7:01 pm
Senior Member

Joined: Mon Oct 15, 2007 3:11 pm
Posts: 78
Website: http://www.avongauss.com
Location: Boynton Beach, FL
AgentOfPork wrote:
You have moved on, great. I have moved on and made decisions based on currently available data as well. That doesn't mean I can't chime in on a discussion, and agree with someone that doesn't agree with you, does it? I don't see value in continuing to ask the same questions in this thread. I never said I did. I only voiced an opinion, which you and others don't agree with.

I'm fine with that. I hope you are as well.


I never suggested otherwise, and I can say that without a "[sigh]" tag. This is a forum for Linode customers, primarily read by other Linode customers and especially after 7 pages of the same handful of people reiterating the same points other members such as myself may chime in as well - and may not agree. I would personally have a lot more sympathy even at this point if I thought any of those handful of people were actually a victim of the incident.


Posted: Tue Apr 24, 2012 5:59 pm
Senior Member

Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
AVonGauss wrote:
I would personally have a lot more sympathy even at this point if I thought any of those handful of people were actually a victim of the incident.


I know one guy that was affected. His loss did affect me actually on a financial and emotional level. If someone shot a gun at a crowd you happened to be in and you didn't get hurt would that be perfectly fine and nothing to worry about?

The incident was actually very minor. It could have taken every single Linode out. I don't want to run reckless risks with my IT services, shutting my eyes, sticking my fingers in my ears, and going 'Lah Lah Lah, there is no risk' doesn't make the risk go away. People have real companies that depend on this stuff for critical business services like DNS and mail and don't try telling me I should have backup servers because I do and they protect against server failure not deliberate changes to my DNS or mail config by an attacker who gets onto one of my systems.

We need to know. Ignorance isn't the answer.


Posted: Tue Apr 24, 2012 8:32 pm
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
sednet wrote:
We need to know. Ignorance isn't the answer.


If you need to know that level of detail, then a VPS host is not the right solution for you.


Posted: Tue Apr 24, 2012 10:14 pm
Senior Member

Joined: Sun Sep 05, 2010 8:55 pm
Posts: 97
glg wrote:
sednet wrote:
We need to know. Ignorance isn't the answer.


If you need to know that level of detail, then a VPS host is not the right solution for you.


That's exactly what I don't understand about this whole thing.

No matter what Linode says, does, promises, has, possesses or implements: at the end of the day, your 'server' is running on a VM on a physical machine you have absolutely no control over.

If that bothers you, the cloud isn't for you.

