Security Notice: Linode Manager Password Reset - jbraithwaite
http://blog.linode.com/2013/04/12/security-notice-linode-manager-password-reset/

======
mrb
I have said it before: I have a hard time trusting Linode after the major
March 2012 security incident (HN thread:
<https://news.ycombinator.com/item?id=3654110> ; my comment:
<https://news.ycombinator.com/item?id=5339799>)

At the time they did not give much information. They did not do a follow up.
They did not discuss plans to prevent the same type of breach. I am not
surprised that today, they got breached again! _sigh_

And again, they are making the same mistakes. They are not giving much
information. They are not going to do a follow up. Etc.

~~~
flebron
Why do you think in both cases this was the result of some sort of mistake on
Linode's part, versus an oversight on the part of the target?

That is, you use the expression 'they {linode} got breached', versus the more
correct 'they {the customers} got breached'. How do you know that in both
cases this was the case?

~~~
raquo
If it was one customer's fault, why reset all Linode users' passwords?

~~~
flebron
If you knew there was a cracker actively using your network, would you not
take any other precautions other than changing the one password you know he
used?

One could argue Linode was overzealous in resetting all passwords. Reasonable
minds can differ.

~~~
JshWright
That depends completely on the method of compromise...

If the compromise was due to a weak password that was brute forced, or
obtained from the end user in some other way, then there is absolutely no need
to reset every user's password.

The only time a 'reasonable mind' would think to reset everyone's password is
if the attacker exploited some flaw in the underlying system, which could have
given them access to arbitrary passwords.

~~~
StavrosK
Yeah, it does sound like there's something to the story that they aren't
disclosing, and it doesn't inspire confidence.

------
mh-
so every time someone tries to make unauthorized attempts to access a single
customer's account.. _all_ customers are to be required to reset their
passwords?

~~~
noarchy
That's the part that makes me wonder. The email that I received said, "We have
found no evidence that any Linode data of any other customer was accessed."

I suspect that they aren't 100% sure, and that this is a precaution. I can
live with it, but I hope that they keep their customers in the loop on things,
where possible.

~~~
tvon
Can you ever be 100% sure of such a thing?

~~~
noarchy
Probably not. I do think that an effort can be made to follow the trail (logs,
etc), and come to the best guess possible. I'm not saying they haven't done
this, though.

------
datadrew
The Visa I was using for billing with Linode had an authorized "test charge"
earlier this week, and I had the card number replaced. Now I see this, and it
makes me wonder.

~~~
citricsquid
My Visa (that I use for Linode) was compromised this week too, someone tried
to order ~$100 of stuff from Amazon but my bank rejected the charge and now I
have to wait another week before I can make payments again (killed my
card...). Probably a coincidence but it makes me wonder too...

~~~
stevelaz
Oh! This is kind of a scary coincidence. Got to go check my credit card
statement.

EDIT: All is good with my account.

------
cliffbean
On one hand, I love Linode. It's a sweet Linux box in the cloud.

On the other hand, I have a hard time using it for anything sensitive. Quotes
like "We have implemented all appropriate measures to provide the maximum
amount of protection to our customers." somehow don't reassure me.

~~~
will_work4tears
This is how it should be, IMO. Never trust a service entirely. I also use
Linode, fwiw.

------
jeffpalmer
I wonder if this is another attempt at hacking an account containing bitcoins?
Last time the thieves made out with close to 50k BTC if I recall correctly.

~~~
cygwin98
That's lots of money nowadays.

~~~
tuananh
It's a lot less money today!

~~~
w-ll
but still more than yester-month

------
mwcampbell
This incident has got me seriously thinking about switching VPS providers.
Does anyone know of a VPS provider that offers two-factor authentication for
its management interface?

~~~
lgbr
AWS provides multi-factor authentication, which I've always used quite
successfully. <https://aws.amazon.com/mfa/>

------
qqqqqq
It's good that Linode is taking security seriously, but the pessimist in me
wonders; if all it takes to get a password reset site-wide is an attack on a
single user, wouldn't that open up a whole new, rather aggravating attack
aimed solely at making users fed up with having their password reset all the
time?

~~~
JshWright
I'm not sure I'd describe Linode's security stance as 'serious.'

Last I knew, they were running a seriously deprecated OS version for their
hosts, and their configuration management systems left a lot to be desired in
terms of security.

Perhaps more worrying is how opaque they are about everything. Never mind the
security issues, they won't even provide explanations for 'normal' service
outages.

------
plam
so what's a good alternative that offers all of security, reliability, good
service, about $40 for 2GB/8-cores, multi-locations, etc?

------
ballard
Linode security notice sent to customers.

<https://gist.github.com/5376298>

~~~
davidradcliffe
Not all customers. I didn't receive any notice.

------
jebblue
I'm glad to see Linode is keeping an eye out for its customers, nothing wrong
with that.

------
spdy
Now the question is who got hacked? If they take actions like this.

~~~
mh-
I thought this seemed familiar..

<http://status.linode.com/2012/03/manager-security-incident.html>

------
oybektoirov
nice job linode!

------
bluetooth
Welp, it looks like it's time to move to Amazon EC2. It's cheaper and hasn't
(to my knowledge) been hacked yet.

~~~
whalesalad
Not sure why HN is full of so many fair-weather friends these days. Then again
your account is only a few days old. I don't wanna sound like an old geezer
telling you to get off my lawn, but you should really read the guidelines for
posting on HN. For the sake of genuine discussion and just better social
behavior in general. Could you say this out loud to a bunch of other hackers
with a straight face?

~~~
bluetooth
What did I say wrong? I'm just stating my plans after hearing about another
security blunder on Linode's part. Did what I say come off as sarcastic?

