Linode Forum
Linode Community Forums
Post subject: Re: Linode hacked?
Posted: Tue Jan 21, 2014 1:55 am
Senior Member

Joined: Sat Mar 28, 2009 4:23 pm
Posts: 415
Website: http://jedsmith.org/
Location: Out of his depth and job-hopping without a clue about network security fundamentals
[I reconsidered this post, but the delete button was taken away.]

_________________
Disclaimer: I am no longer employed by Linode; opinions are my own alone.


Post subject: Re: Linode hacked?
Posted: Tue Jan 21, 2014 12:04 pm
Senior Member

Joined: Fri Sep 21, 2007 4:12 pm
Posts: 78
sednet wrote:
My point restated as clearly as possible:

Leaking that forum data again was not 'a' misconfiguration but a whole string of them caused by an absence of security in layers. Only an internal address should have been bound by mysql, iptables should have been blocking that port from unexpected addresses, the database should not have been using a password that had already leaked,


If you're looking for perfection, go create your own hosting service and never ever suffer a compromise. You'll be happier, because at least when you do get compromised, you'll only have yourself to yell at.

It's fantastically easy to sit back and list off a thousand ways to "properly do security" in hindsight. You're not impressing anyone.

sednet wrote:
that database should not have been on that machine anyway. It would have only taken one of those measures and this data would not have leaked. Claiming that database is not part of Linode's infrastructure is no excuse when it's a Linode owned server containing data Linode is responsible for.


I don't disagree by any means. In fact, I'd emphatically agree. But let's keep things in perspective:
* It was a forum database that was compromised, not a credit card database.
* If you're sharing your forum account password with your linode account password (or any other account password), you're Doing It Wrong.
* I didn't sign up for Linode (and pay them for years) expecting everything to be run perfectly, and you shouldn't have either. I did sign up for the value, the expectation of outright amazing support and service availability. If you signed up expecting 100% security perfection then you signed up for the wrong service, to be frank, it's not something that you're going to get anywhere, no matter what the contract that you sign says.

I get your point. It was a stupid oversight that should never have happened in the first place. But it did. Shucks. It turns out that companies are run by people who aren't perfect...


Lastly, there's a line between "making an excuse" and "providing reasoning." Would you have preferred that they mention that there has been a compromise and nothing more? Or would you prefer to know that it was a backup from years ago on a VM that isn't (wasn't?) monitored as a core piece of infrastructure?

There's no way that Linode can respond and not have people yell at them and cancel service. Nothing about their post screams "we're making up excuses for our incompetence." But, if that's all you can see, there's not much anyone can say to you, is there...
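
The layered controls listed in the quoted text above (bind address, packet filter, credential reuse), as an added example that is not part of any post in this thread: a small audit over constructed `my.cnf` and `iptables-save` text. The function names, the sample configurations and the simplified rule matching are assumptions of this example.

```python
import configparser
import ipaddress

# Constructed sample inputs; not Linode's actual configuration.
WEAK_CNF = "[mysqld]\nbind-address = 0.0.0.0\nport = 3306\n"
WEAK_FW = "*filter\n:INPUT ACCEPT [0:0]\n-A INPUT -p tcp --dport 22 -j ACCEPT\nCOMMIT\n"
HARD_CNF = "[mysqld]\nbind-address = 192.168.10.5\n"
HARD_FW = ("*filter\n:INPUT ACCEPT [0:0]\n"
           "-A INPUT -s 192.168.10.0/24 -p tcp --dport 3306 -j ACCEPT\n"
           "-A INPUT -p tcp --dport 3306 -j DROP\nCOMMIT\n")

def bind_is_public(cnf_text):
    """Layer 1: does mysqld listen on a wildcard or non-internal address?"""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(cnf_text)
    sec = cp["mysqld"] if cp.has_section("mysqld") else {}
    # Assumption: an unset bind-address means "all interfaces".
    addr = sec.get("bind-address") or sec.get("bind_address") or "*"
    if addr == "*":
        return True
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or not (ip.is_private or ip.is_loopback)

def port_open_to_any_source(save_text, port="3306"):
    """Layer 2: would a new TCP connection from an arbitrary address be accepted?
    Simplified: INPUT chain only, first terminating rule wins, then chain policy."""
    policy = "ACCEPT"
    for line in save_text.splitlines():
        tok = line.split()
        if line.startswith(":INPUT"):
            policy = tok[1]
        if tok[:2] != ["-A", "INPUT"] or "-j" not in tok:
            continue
        # Rules limited by source, interface or connection state do not cover
        # a new connection from an unexpected address.
        if {"-s", "-i", "--state", "--ctstate"} & set(tok):
            continue
        if "-p" in tok and tok[tok.index("-p") + 1] != "tcp":
            continue
        dport = tok[tok.index("--dport") + 1] if "--dport" in tok else None
        target = tok[tok.index("-j") + 1]
        if dport in (None, port) and target in ("ACCEPT", "DROP", "REJECT"):
            return target == "ACCEPT"
    return policy == "ACCEPT"

def failed_layers(cnf_text, fw_text, password_previously_leaked):
    """Return the names of the layers that are missing."""
    checks = [("bind", bind_is_public(cnf_text)),
              ("firewall", port_open_to_any_source(fw_text)),
              ("credential", password_previously_leaked)]
    return [name for name, failed in checks if failed]
```

An empty list from `failed_layers` means all three layers are in place; each name in a non-empty list is an independent control to restore.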


Post subject: Re: Linode hacked?
Posted: Tue Jan 21, 2014 1:37 pm
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
kbrantley wrote:
If you're looking for perfection, go create your own hosting service

Well that's the dumbest thing I've read in a while.

Don't like your government, don't complain, create your own. Got a problem with your car, don't be a whiner, create your own.

People complain, it's called FEEDBACK and it's how people know when things are fucked up.

Linode has a track record for doing stupid things, and their customers are getting fed up with how they handle it.

Here's how it SHOULD be handled, it's straight from the first semester of any MBA program.

1) Announce the problem BEFORE the press does, and explain clearly what happened and what the scope of the problem is.

2) Detail what damage control measures were taken, and what the plans are to prevent such things in the future.

3) Apologize (and not some candy-ass "we've decided it's not important to you so don't be such a baby" type apology).

It's just that simple, yet Linode has fucked that simple process up from day one. You'd think with all their problems, they'd take a few minutes to Google how to do damage control PR.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


Post subject: Re: Linode hacked?
Posted: Tue Jan 21, 2014 3:04 pm
Senior Member

Joined: Sat Mar 28, 2009 4:23 pm
Posts: 415
Website: http://jedsmith.org/
Location: Out of his depth and job-hopping without a clue about network security fundamentals
vonskippy wrote:
People complain, it's called FEEDBACK

With respect, whoever told you in your younger years (because you were like this on Slicehost's forum, as well, and I dreaded the day that you found Linode) that complaining is valuable feedback did you a gross disservice. Bitching is not feedback. Bitching makes the very decision makers that you want to pay attention to you ignore you. This is feedback:

Quote:
Linode, I'm very disappointed in you. Can you tell us how you're going to learn from this situation and whether you're conducting an audit of all systems in all zones?

This is bitching:

Quote:
You'd think with all their problems, they'd take a few minutes to Google how to do damage control PR.

If even I remember your nickname as "oh, there goes vonskippy again," that means you've lost whatever hope you have of swaying the people that matter now. You have valuable insights and nobody would ever doubt that. Your method of delivery makes you easily ignorable. If you want these messages to hit home, stop condescending Linode with the "first semester MBA program" crap.

The reply I deleted above said something similar to sednet. We have all registered your disappointment and that you have a better idea of how to do things. Given that you do not run a successful hosting company, I'll take it that you are not up to execute on those ideas, so why not share those ideas in a constructive manner with the people that are executing? Let's move on from the bitching bandwagon into how to solve this for the future. How does Linode make this right?

_________________
Disclaimer: I am no longer employed by Linode; opinions are my own alone.


Post subject: Re: Linode hacked?
Posted: Tue Jan 21, 2014 3:53 pm
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Blah blah blah, ex Linode staff whining about something, blah blah blah.

I don't need Linode, or ex Linode, telling me what I should think is important or not.

What we (i.e. Linode customers) need is a clear and timely announcement of the FACTS, and we'll decide for ourselves if we're concerned or not.

Linode is lucky that people are taking the time to bitch/complain/provide feedback instead of just taking their wallet across the street.

Ironically, I didn't really see that this breach was all that critical, until it was fumble fingered into the clueless zone.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


Post subject: Re: Linode hacked?
Posted: Tue Jan 21, 2014 4:07 pm
Senior Member

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
jed wrote:
vonskippy wrote:
People complain, it's called FEEDBACK

With respect, whoever told you in your younger years (because you were like this on Slicehost's forum, as well, and I dreaded the day that you found Linode) that complaining is valuable feedback did you a gross disservice. Bitching is not feedback. Bitching makes the very decision makers that you want to pay attention to you ignore you. This is feedback:

Quote:
Linode, I'm very disappointed in you. Can you tell us how you're going to learn from this situation and whether you're conducting an audit of all systems in all zones?

This is bitching:

Quote:
You'd think with all their problems, they'd take a few minutes to Google how to do damage control PR.

If even I remember your nickname as "oh, there goes vonskippy again," that means you've lost whatever hope you have of swaying the people that matter now. You have valuable insights and nobody would ever doubt that. Your method of delivery makes you easily ignorable. If you want these messages to hit home, stop condescending Linode with the "first semester MBA program" crap.

The reply I deleted above said something similar to sednet. We have all registered your disappointment and that you have a better idea of how to do things. Given that you do not run a successful hosting company, I'll take it that you are not up to execute on those ideas, so why not share those ideas in a constructive manner with the people that are executing? Let's move on from the bitching bandwagon into how to solve this for the future. How does Linode make this right?


You win a big fat smiley. :-)


Post subject: Re: Linode hacked?
Posted: Tue Jan 21, 2014 5:23 pm
Senior Member

Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
jed wrote:
The reply I deleted above said something similar to sednet. We have all registered your disappointment and that you have a better idea of how to do things. Given that you do not run a successful hosting company, I'll take it that you are not up to execute on those ideas, so why not share those ideas in a constructive manner with the people that are executing? Let's move on from the bitching bandwagon into how to solve this for the future. How does Linode make this right?


Excuse me. You don't have a clue what I or vonskippy do in our professional lives. You are rushing to judgment without the faintest clue who and what I manage and whose budget I do it on. No I don't run a hosting company, so what? There is not one single hosting company in the top 50 companies worldwide by revenue and yet every one of those companies depends on computers and networks as a fundamental part of their business. My personal Linode account might be pathetically small but I don't need a whole data center just for personal email and hobby projects.

You are out of your depth Jed. I'm not showing off when I mention 4 ways this data theft should have been prevented. I'm only repeating the same standard industry practice that anyone qualified to manage unix systems would have repeated. You claim to be a devops guy and have apparently worked for Linode, Google, and Apple yet you don't seem to appreciate the fundamentals of network security. Maybe that's why you job-hop so much.

The bottom line is Linode failed at something it should have actually been very, very, good at.


Post subject: Re: Linode hacked?
Posted: Tue Jan 21, 2014 6:09 pm
Senior Member

Joined: Sat Mar 28, 2009 4:23 pm
Posts: 415
Website: http://jedsmith.org/
Location: Out of his depth and job-hopping without a clue about network security fundamentals
sednet wrote:
You claim to be a devops guy and have apparently worked for Linode, Google, and Apple yet you don't seem to appreciate the fundamentals of network security.

I'm searching for how you came to that conclusion when none of my involvement in the thread has remotely debated the specifics of the security incident, just reactions to it. I'm saying calm down and move forward. I'm not saying Linode didn't screw up, and have never said that, but I do think folks are overreacting to this specific incident.

sednet wrote:
Maybe that's why you job-hop so much.

Now you're just looking like an asshole, stalking someone who disagrees with you and picking apart his resume. Are you done yet? Can we get back to constructive conversation yet, or do you still have more dick waving to do?

_________________
Disclaimer: I am no longer employed by Linode; opinions are my own alone.


Post subject: Re: Linode hacked?
Posted: Tue Jan 21, 2014 6:19 pm
Linode Staff

Joined: Tue Jan 19, 2010 5:22 pm
Posts: 18
Locked this thread as it's devolved into something completely unrelated. If you'd like to start a new one that's on topic please feel free!
