Linode Forum
Linode Community Forums
PostPosted: Sun Apr 15, 2012 3:01 am
Junior Member
Joined: Mon Sep 19, 2011 2:48 am
Posts: 28
How is it that more people are not demanding to know more details on this? Did I just miss the newer post(s)?

It seems to me that all the responses from people saying "they need more time" have pretty much lost their weight.

I absolutely love Linode, but the way they just ignore the forum posts about this, as if hoping it just goes away, is VERY bothersome.

I hope others join me in continuing to pursue this subject.

I want to keep loving Linode and being a faithful customer for years to come, but for that to happen I have to be able to trust them, and for that to happen they have to be open, good or bad, just like we all learned while growing up.

Please give us the details!


PostPosted: Sun Apr 15, 2012 3:37 am
Senior Member
Joined: Tue Feb 19, 2008 10:55 am
Posts: 164
Linode is extremely secretive. It always has been. I lost a bet that they acknowledged the break-in in the first place; I didn't think they would. I'm very confident you won't hear anything else from them about the subject.

It's their MO.


PostPosted: Sun Apr 15, 2012 4:09 am
Junior Member
Joined: Mon Sep 19, 2011 2:48 am
Posts: 28
chesty wrote:
Linode is extremely secretive. It always has been. I lost a bet that they acknowledged the break-in in the first place; I didn't think they would. I'm very confident you won't hear anything else from them about the subject.

It's their MO.


That is disappointing to hear, for two reasons.

The first reason is obvious. I want information and they aren't sharing.

The second reason is that, if what you say is true, it also makes them liars.

In the statement they did release, they open by saying...

Quote:
Ensuring the security of our platform is our top priority. We maintain a strong security policy and aim to communicate openly should it ever be compromised. Thus, we are posting to describe a recent incident affecting the Linode Manager.


If you have a policy of openness, remain open about these things, otherwise just change the policy.

If you want to remain quiet in these situations, at least come out and say so. It would be much better to just tell us "Something happened, those affected have been notified, we will discuss nothing further on the matter." But that isn't what they did; they made a public announcement basically claiming that they have an ongoing policy of openness.

I hope at some point someone high up just finally comes out and openly discusses this OR just tells us that they have no intention of doing so. Ignoring something to make it go away is not the proper course of action.


PostPosted: Sun Apr 15, 2012 8:28 am
Senior Member
Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
A large part of it might be that there's nothing more to say: a customer service password was brute-forced, someone used it to "recover" access to a handful of accounts, and that's what happened. There were contributing factors that made this easier than it should have been (see 1 and 2, as well as the accountholders' failure to adequately compartmentalize sensitive data in their own systems).

Is there anything specific beyond this that ought to be disclosed, and doesn't fall into the realm of Things That Would Jeopardize FBI Investigations or Things That Would Violate Privacy Policies And Laws?

I, too, would like to know more, but I don't know what practical use that knowledge would be. If Linode had more of my personal information, I'd probably demand credit reporting service or something, but they don't, and I already have it.

_________________
Code:
/* TODO: need to add signature to posts */


Post subject: ftp access
PostPosted: Sun Apr 15, 2012 5:09 pm
Senior Newbie
Joined: Tue Feb 07, 2012 7:50 pm
Posts: 5
Website: http://worldviewpr.com
Location: Concord, CA
Would any of this explain why I can't access either Webmin or FTP?

_________________
Bill Gram-Reefer
WORLDVIEW


Post subject: Re: ftp access
PostPosted: Sun Apr 15, 2012 5:16 pm
Senior Member
Joined: Tue Aug 17, 2004 11:37 pm
Posts: 262
Website: http://www.our-lan.com
WLM: nf@our-lan.com
Location: Brisbane, Australia
worldviewpr wrote:
Would any of this explain why I can't access either Webmin or FTP?

Nope.

_________________
ServerAdmin - www.our-lan.com
"Diplomacy is the art of saying nice doggy whilst looking for a really big stick"
"In my experience, any attempt to make any system idiot proof will only challenge God to make a better idiot"


PostPosted: Mon Apr 16, 2012 7:58 am
Senior Member
Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
hoopycat wrote:
A large part of it might be that there's nothing more to say: a customer service password was brute-forced, someone used it to "recover" access to a handful of accounts


The story on The Register claims that Linode network equipment got p0wned. My guess is that network sniffers were then used to grab a customer support password or maybe an authentication cookie.

I don't like guessing. People that trust me have minor stuff on Linode because I recommended it. I also have some personal stuff on Linode. I can't estimate risk on guesswork alone.

So what do I do if I can't trust cloud stuff, virtual machines, or even dedicated machines that are plugged into someone else's remote management setup? Go to all the expense and hassle of setting up a server myself and getting it colocated?

</rant>


PostPosted: Mon Apr 16, 2012 8:05 am
Senior Member
Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
Typo wrote:
I hope at some point someone high up just finally comes out and openly discusses this OR just tell us that they have no intentions of doing so.


I opened a support ticket to ask about this. I was very politely told by Caker himself that they would not be giving out any more information.

If anyone else wants to open a support ticket to ask the same question feel free. Maybe they will cave if they get 100 of these things.


PostPosted: Wed Apr 18, 2012 12:34 am
Junior Member
Joined: Mon Sep 19, 2011 2:48 am
Posts: 28
sednet wrote:
I opened a support ticket to ask about this. I was very politely told by Caker himself that they would not be giving out any more information.

If anyone else wants to open a support ticket to ask the same question feel free. Maybe they will cave if they get 100 of these things.

That just sucks. How is it that more people aren't demanding information, especially after it was promised by caker himself on page 10 of this post in reply to a request for more transparency?

I just cannot believe the policy is to just ignore it after that kind of public promise to give information.

Here is the conversation from the other post....
caker wrote:
scaredpoet wrote:
Between the furor over the Bitcoin incident and the beating linode took over its lack of cooperation in the lowendbox/lowendtalk DDoS incident, I for one am re-evaluating whether I want my VPSes here or whether it's time to move on. Taken in total with my own experiences with Linode support in the past, and the attitude towards things like IPv6 migration, I think it's fair to say that Linode is quickly earning a reputation for being not as customer friendly as they were once thought to be.

Very much appreciate your comments.

Since last week, we've been completely consumed with evaluating, discussing, debating, planning, etc, ways in which we can do better. This was a learning experience for us and Linode will only improve because of it. Hoping to have an announcement soon covering the results of these efforts.

With regards to the lowendbox thing - we handled it the same way we handle all network attacks. The forum post from those guys had ZERO effect on how it was handled. A threat of a DDoS never provokes preemptive action from us, unless the customer requests it. We left the forum post there in order to BE more transparent, if that makes sense...

Not sure what you mean regarding IPv6. What attitude? We've worked hard to make native IPv6 available to you guys, which it is now in all six of our facilities.

Thanks,
-Chris


PostPosted: Wed Apr 18, 2012 12:44 am
Senior Member
Joined: Wed Jun 08, 2011 11:25 pm
Posts: 51
Typo wrote:
That just sucks. How is it that more people aren't demanding information, especially after it was promised by caker himself on page 10 of this post in reply to a request for more transparency?

I just cannot believe the policy is to just ignore it after that kind of public promise to give information.

Here is the conversation from the other post....
caker wrote:
scaredpoet wrote:
Between the furor over the Bitcoin incident and the beating linode took over its lack of cooperation in the lowendbox/lowendtalk DDoS incident, I for one am re-evaluating whether I want my VPSes here or whether it's time to move on. Taken in total with my own experiences with Linode support in the past, and the attitude towards things like IPv6 migration, I think it's fair to say that Linode is quickly earning a reputation for being not as customer friendly as they were once thought to be.

Very much appreciate your comments.

Since last week, we've been completely consumed with evaluating, discussing, debating, planning, etc, ways in which we can do better. This was a learning experience for us and Linode will only improve because of it. Hoping to have an announcement soon covering the results of these efforts.


The following blog posts seem to cover "the results of these efforts":

http://blog.linode.com/2012/04/05/event ... rotection/
http://blog.linode.com/2012/04/05/linod ... rotection/


PostPosted: Wed Apr 18, 2012 1:08 am
Junior Member
Joined: Mon Sep 19, 2011 2:48 am
Posts: 28
retrograde inversion wrote:


For one, no post I have seen has been made saying for sure what methods were used to gain access.

I am not going to just assume that a couple of blog entries made like a month later, about new features related to some of the most basic security features available to protect sensitive areas of a website, are a response to what happened, nor will I just assume that those two posts cleared everything up, because I still don't even know the extent of what happened or if this is enough to make sure it cannot happen again.

I'm not sure how you came to the conclusion that those posts were anything even close to the promised announcement covering the results of the efforts they took to make sure this cannot happen. It wasn't even mentioned unless I missed it.


PostPosted: Wed Apr 18, 2012 2:11 am
Senior Member
Joined: Mon Oct 15, 2007 3:11 pm
Posts: 78
Website: http://www.avongauss.com
Location: Boynton Beach, FL
Typo wrote:
For one, no post I have seen has been made saying for sure what methods were used to gain access.


I'm not replying in defense of Linode, this post would be poor representation, but I can't help but reply. What are you expecting them to post? A blow-by-blow or step guide to how the individual or group was able to accomplish the break-in? Really? That's the last thing you should want them to post. Sure, I have an idle curiosity as well, but what it all boils down to is whether or not I have confidence in the fact it won't happen in the future. They've made a series of changes recently, presumably to prevent this from occurring again; it's up to you to decide.

I know this falls into the category of blaming the victim, but as far as the Bitcoin concept and operators go... 1) Maybe this is another example of why it's not such a good idea. 2) If you're going to store sensitive data that is accessible via the Internet, you darn well better make sure it's properly secured - and yes, that includes if someone has access to your Linode Manager account.


PostPosted: Wed Apr 18, 2012 2:23 am
Junior Member
Joined: Mon Sep 19, 2011 2:48 am
Posts: 28
I simply want the announcement that caker said would be forthcoming.

I don't expect every single little detail but the basics of what happened and how they have ensured it won't happen again would be fantastic.

It is not an unusual request, especially considering the nature of the situation. This company uses a completely proprietary manager which can, if exploited, get around the other security measures which may be in place to protect our nodes. Some of the users here have very sensitive data and/or clients with sensitive data and everyone in that picture deserves peace of mind given back after this type of failure in security.

I want to make it clear that I love Linode. I loved this place even before I was a client; I think the service and setup just rocks. I would just like to see a little more openness when a mistake is made.

I think even a post saying something along the lines of "We have finished investigating the matter and have ensured that this cannot happen any more, sorry again, here's a free beer".


PostPosted: Wed Apr 18, 2012 2:39 am
Senior Member
Joined: Mon Oct 15, 2007 3:11 pm
Posts: 78
Website: http://www.avongauss.com
Location: Boynton Beach, FL
Typo wrote:
It is not an unusual request, especially considering the nature of the situation.


It's not unusual, but you also have to have a realistic expectation, and beating it to death does not help. They have been responding, you just don't seem satisfied.

Typo wrote:
This company uses a completely proprietary manager which can, if exploited, get around the other security measures which may be in place to protect our nodes.


What does proprietary have to do with anything here? However they gained access, once you have access through Linode's proprietary system or your favorite open source Xen manager - you have access.

Typo wrote:
Some of the users here have very sensitive data and/or clients with sensitive data and everyone in that picture deserves peace of mind given back after this type of failure in security.


Then those users (and I say that like that because you didn't include yourself in your own statement) should be implementing multiple measures to ensure that data remains secure. If you give me access to your Linode Manager account and you're worried about me accessing sensitive data rather than just deleting data, you are doing something wrong.

Security is a matter of multiple layers, and none of them are absolutely effective. Your only real hope is to make it more painful than the gain and/or slow them down enough until more direct measures can be implemented. I imagine this is why they implemented the e-mail alerts. Though, I'm not sure why it doesn't send an e-mail alert when you change the alert setting from enabled to disabled.


Last edited by AVonGauss on Wed Apr 18, 2012 2:41 am, edited 2 times in total.

PostPosted: Wed Apr 18, 2012 2:52 am
Junior Member
Joined: Mon Sep 19, 2011 2:48 am
Posts: 28
AVonGauss wrote:
What does proprietary have to do with anything here? However they gained access, once you have access through Linode's proprietary system or your favorite open source Xen manager - you have access.

It has a lot to do with it: with "my favorite open source" app, everyone can see the code, and if it's unsafe, it's usually discovered and reported and fixed. In this case, we just have to trust them.

AVonGauss wrote:
It's not unusual, but you also have to have a realistic expectation, and beating it to death does not help. They have been responding, you just don't seem satisfied.

I don't feel I've beaten anything to death. I voiced a concern in reply to a post (in 2 different threads, granted) and have responded to replies to those posts. Also, nobody with any authority has responded to any of the posts regarding this, nor has any announcement relating to it been released since we were told to expect one. I fail to see where "they have been responding" unless you're referring to the recent security enhancements, which again would just be assumption.

I just personally think that this long after the incident, the situation should be resolved and the announcement should have been made.

I want to say again: I love this place and think it's a great service, and I am in no way trying to start an argument or troll.

