Linode Forum
Linode Community Forums
PostPosted: Fri Mar 02, 2012 3:52 am
Senior Member
Joined: Tue Feb 19, 2008 10:55 am
Posts: 164
artagesw wrote:
What bothers me most about this is, assuming the perpetrator was not a Linode employee, Linode's backend customer support interface apparently is accessible over the Internet when it should be locked down and accessible only from designated internal hosts. That's a huge backdoor to every Linode just begging to be opened.


What's the point of saying things like "assuming" and "apparently" and then making a conclusion?

I believe Linode aren't transparent enough; they don't keep customers updated very well.


PostPosted: Fri Mar 02, 2012 5:59 am
Newbie
Joined: Fri Mar 02, 2012 5:42 am
Posts: 3
I will definitely think about moving away from Linode, too.

Fact is that I heard about the security breach on Slashdot and then couldn't find anything on Linode's site until browsing the forums – I would expect an e-mail to all of their customers whenever a security breach happens, a proper explanation of why it could happen, and how they are altering their system to prevent any future incidents.

Since they didn't address the last two issues, I would advise any business with valuable data to seriously reconsider Linode and get in touch with them. It's nice that they contacted all those affected, but not enough when security comes into play.

Since the problem was on Linode's side, it's funny that they didn't even tell if they will compensate for the damages.


PostPosted: Fri Mar 02, 2012 6:11 am
Senior Newbie
Joined: Mon Jan 31, 2011 8:57 am
Posts: 18
Looks like Linode have dealt/are dealing with this swiftly enough for it not to be a problem, and you've had a response from one of the most senior people at Linode -- yes, it's happened, and that's bad, but they're dealing with it now and that's great.

From the pastebin logs this took about 6 hours to resolve.

The question you have to ask yourself is how would every other hosting company/VPS deal with that situation? Would it be fixed in that time? Would you get a response from the senior management team at that company?


PostPosted: Fri Mar 02, 2012 6:26 am
Newbie
Joined: Fri Mar 02, 2012 5:42 am
Posts: 3
Since Linode's Terms of Service states that

"Subscriber further acknowledges that Linode.com's liability for its own negligence may not in any event exceed an amount equivalent to charges payable by subscriber for services during the period damages occurred."

I guess Linode should be a no-go for any serious business anyway.


PostPosted: Fri Mar 02, 2012 6:45 am
Senior Newbie
Joined: Tue Sep 07, 2010 12:19 pm
Posts: 14
Location: United States
taligent wrote:
> Linode will probably post a full postmortem report in a few days' time

Nope.

They just told me they have nothing else to report at this time.

So I will be moving off of Linode and telling everyone I know to do the same. The complete lack of transparency is unacceptable.



Oh look at what the cat dragged in.

There will be a follow up post for sure. They don't have anything else to report for now, currently, at this moment, this very second. Is that clear enough for you?

Given this company's history I'm more than happy to give them the time they need to follow up and make any changes to policy needed. Finally, anyone taking advice from you is clearly in way over their head. So you taking them with you isn't really saying much.


PostPosted: Fri Mar 02, 2012 6:53 am
Senior Newbie
Joined: Mon Aug 15, 2011 12:58 am
Posts: 10
bcoker wrote:
Oh look at what the cat dragged in.


Seriously? Is this really necessary or appropriate?

bcoker wrote:
There will be a follow up post for sure. They don't have anything else to report for now, currently, at this moment, this very second. Is that clear enough for you?


Care to explain how you know this? I am just basing my actions on what Linode has told me directly. If you know something I don't then I am sure it would be useful for everyone here.

I don't think I am being unreasonable here. A rogue third party with the ability to instantly get root access to all my Linode servers is a serious issue, no?


PostPosted: Fri Mar 02, 2012 7:16 am
Senior Newbie
Joined: Tue Sep 07, 2010 12:19 pm
Posts: 14
Location: United States
taligent wrote:
Seriously? Is this really necessary or appropriate?


I certainly do. Your knee-jerk reaction shows a lack of knowledge of the situation and the industry. Your threat to take customers with you just reinforces that.

Sure, I'll explain how I know. I know because I've been in the business for 17 years, from floor grunt to boardroom. If that's not good enough for you then so be it.

They will with 100% certainty create a follow-up post/article because they know people like me demand to know the details of their after-action report. Not to mention the harm it would cause them within the industry as their name was blasted for not doing so. They may lie right through their teeth about the findings, but they will do so either way.

Your concern is not unreasonable. In any way. Yes, it's very unsettling that someone had access to your server that shouldn't have. The reasons you are stating for being concerned are based on ignorance of the situation and knee-jerking. It's not an uncommon reaction by some under such circumstances, but that doesn't make it reasonable or logical.

I'm no linode fanboy here and don't confuse my reasonability and logical approach for weakness of some kind. I'm just not idiot enough to draw my shotgun and start blasting people because I don't know what the whole deal is yet.

Again, if that's not good enough for you then so be it.


PostPosted: Fri Mar 02, 2012 9:14 am
Joined: Mon Feb 27, 2012 5:27 pm
Posts: 1
Completely agree with bcoker, it is too soon to expect a complete report from Linode on what happened.

I recently moved to Linode and it's a bit disturbing to see it compromised in such a way. They will have to improve their security after this incident, perhaps introduce additional security features on Linode manager.


PostPosted: Fri Mar 02, 2012 9:33 am
Senior Newbie
Joined: Fri Mar 02, 2012 8:53 am
Posts: 5
It does sound like a simple case of slightly bad wording. They've informed people about exactly what has happened, and they did so quickly. More comprehensive information will probably take some time to gather, and doesn't really make sense to release in small bits. That they state they have nothing more to release at the moment shouldn't be read as meaning they will never do so.

Stuff like this happens to every provider now and then unfortunately, and the only thing that really separates the providers in this area is how they deal with it afterwards. At this stage, it seems Linode has done everything right. We know what was done, who was affected, etc, and we knew about it the same day that it happened.

What I want to know now is what steps Linode will take to ensure this exact scenario will not happen again. It seems official login credentials were used to perform this attack, which means that either a support-level employee was careless, or even part of the attack. A possible way to resolve this is adding a higher-level person to sign off on things like changing root passwords; it would prevent a similar thing from happening again.

But I don't need to know this right this instant. :-)
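Two controls come up in this thread: artagesw's point that the support back end should only be reachable from designated internal hosts, and compizjoe's suggestion that a higher-level person should sign off before a support action such as a customer root-password change goes through. The following is an added example, not Linode's code or anything the thread shows of their system: a hypothetical approval gate that enforces both, records every decision in an audit trail, and refuses self-approval and same-rank approval. The management network, staff directory, ranks and action names are constructed sample data.

```python
"""Dual-control gate for privileged support actions (added, hypothetical example).

Two checks: requests are accepted only from designated internal hosts, and a
sensitive action needs sign-off from a second, higher-ranked staff member before
it runs. Every decision is appended to an audit trail, so misuse of a single
support login is both blocked and recorded for later review.
"""
import ipaddress
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional

# Constructed sample data: the internal management network and the staff directory.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


class Rank(IntEnum):
    SUPPORT = 1
    OPS_LEAD = 2


STAFF = {"alice": Rank.SUPPORT, "bob": Rank.SUPPORT, "carol": Rank.OPS_LEAD}

# Sensitive actions and the minimum rank of the second person who must approve them.
SENSITIVE_ACTIONS = {"reset_root_password": Rank.OPS_LEAD, "open_console": Rank.OPS_LEAD}


@dataclass
class Request:
    request_id: int
    requester: str
    action: str
    target: str
    approver: Optional[str] = None
    executed: bool = False


@dataclass
class SupportGate:
    requests: Dict[int, Request] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)
    next_id: int = 1

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"event": event, **fields})

    def submit(self, requester: str, source_ip: str, action: str, target: str) -> int:
        """Accept a request only from an internal host and a known staff account."""
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in INTERNAL_NETWORKS):
            self._log("rejected_external_source", requester=requester, source=source_ip)
            raise PermissionError("support interface not reachable from " + source_ip)
        if requester not in STAFF:
            self._log("rejected_unknown_staff", requester=requester)
            raise PermissionError("unknown staff account")
        req = Request(self.next_id, requester, action, target)
        self.next_id += 1
        self.requests[req.request_id] = req
        self._log("submitted", request_id=req.request_id, requester=requester,
                  action=action, target=target)
        return req.request_id

    def approve(self, request_id: int, approver: str) -> bool:
        """Second-person sign-off: a different person of sufficient rank."""
        req = self.requests[request_id]
        needed = SENSITIVE_ACTIONS.get(req.action)
        if needed is None:
            return True  # routine action, no sign-off required
        if approver == req.requester:
            self._log("rejected_self_approval", request_id=request_id, approver=approver)
            raise PermissionError("requester cannot approve their own request")
        if STAFF.get(approver, 0) < needed:
            self._log("rejected_insufficient_rank", request_id=request_id, approver=approver)
            raise PermissionError("approver rank too low for " + req.action)
        req.approver = approver
        self._log("approved", request_id=request_id, approver=approver)
        return True

    def execute(self, request_id: int) -> bool:
        """Run the action only once any required sign-off is on record."""
        req = self.requests[request_id]
        if req.action in SENSITIVE_ACTIONS and req.approver is None:
            self._log("blocked_unapproved", request_id=request_id, action=req.action)
            raise PermissionError("sensitive action requires a second approver")
        req.executed = True
        self._log("executed", request_id=request_id, action=req.action, target=req.target)
        return True


def denied(fn, *args) -> bool:
    """True if the gate refused the call with PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def run_scenario() -> List[str]:
    """Walk one root-password reset through the gate and return the audit events."""
    gate = SupportGate()
    rid = gate.submit("alice", "10.20.3.4", "reset_root_password", "linode-example")
    assert denied(gate.execute, rid)            # no sign-off yet
    assert denied(gate.approve, rid, "alice")   # cannot approve own request
    assert denied(gate.approve, rid, "bob")     # same rank is not enough
    gate.approve(rid, "carol")                  # ops lead signs off
    gate.execute(rid)
    # A support login used from outside the management network never gets in.
    assert denied(gate.submit, "alice", "203.0.113.9", "reset_root_password", "linode-example")
    return [entry["event"] for entry in gate.audit_log]


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
```

The audit trail is the part a responder actually wants after an incident like the one discussed here: every rejected and approved request names who asked, from where, and who signed off, so a misused credential shows up as a pattern of denials or as an approval that a specific second person must answer for.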


PostPosted: Fri Mar 02, 2012 10:17 am
Senior Member
Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
taligent wrote:
Seriously? Is this really necessary or appropriate?


I think it is entirely appropriate - and in your case, necessary.

James


PostPosted: Fri Mar 02, 2012 11:43 am
Senior Member
Joined: Sat Jun 05, 2004 12:49 am
Posts: 333
compizjoe wrote:
It does sound like a simple case of slightly bad wording. They've informed people about exactly what has happened, and they did so quickly.


No they didn't, they put up a posting on status.linode.com. If there's a serious security breach, they should reach out to me, I shouldn't have to check that site every day to make sure somebody didn't hack in again.


PostPosted: Fri Mar 02, 2012 11:51 am
Senior Member
Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
OverlordQ wrote:
compizjoe wrote:
It does sound like a simple case of slightly bad wording. They've informed people about exactly what has happened, and they did so quickly.


No they didn't, they put up a posting on status.linode.com. If there's a serious security breach, they should reach out to me, I shouldn't have to check that site every day to make sure somebody didn't hack in again.


According to their investigation, you were not affected by the breach; they did reach out to affected customers. As they say in that post.

Would you also expect to be notified when Billy Joe Bob's Linode suffers from a host disk failure, even though you don't know him and don't have any Linodes on his host?


PostPosted: Fri Mar 02, 2012 12:34 pm
Junior Member
Joined: Sun Jan 02, 2011 12:08 pm
Posts: 25
Guys, rest assured, Linode executives have called their good friends at Dropbox for some good advice on handling a security lapse and Dropbox are duly advising..


PostPosted: Fri Mar 02, 2012 12:37 pm
Junior Member
Joined: Sun Jan 02, 2011 12:08 pm
Posts: 25
<snip> forget it </snip>


Last edited by reknirtved on Fri Mar 02, 2012 12:40 pm, edited 1 time in total.

PostPosted: Fri Mar 02, 2012 12:38 pm
Senior Member
Joined: Sat Jun 05, 2004 12:49 am
Posts: 333
Guspaz wrote:
OverlordQ wrote:
compizjoe wrote:
It does sound like a simple case of slightly bad wording. They've informed people about exactly what has happened, and they did so quickly.


No they didn't, they put up a posting on status.linode.com. If there's a serious security breach, they should reach out to me, I shouldn't have to check that site every day to make sure somebody didn't hack in again.


According to their investigation, you were not affected by the breach; they did reach out to affected customers. As they say in that post.

Would you also expect to be notified when Billy Joe Bob's Linode suffers from a host disk failure, even though you don't know him and don't have any Linodes on his host?


First off, *all* customers were affected, but supposedly only 8 were tampered with further.

Second, no, I wouldn't expect to be notified of that because it doesn't affect me. Critical management infrastructure being broken into does.


Powered by phpBB® Forum Software © phpBB Group