
Edited version of the Linode log file for April 15th - ZeroCoin
http://turtle.dereferenced.org/~nenolod/linode/linode-abridged.txt
======
ZeroCoin
If you're wondering, I stumbled upon that text file while reading the official
company response to the recent hack here:
<http://blog.linode.com/2013/04/16/security-incident-update/>

I was interested in setting up a Linode account but I think it's best to wait
for some more information at this point. Thoughts?

~~~
magic_haze
> 06:00 < AlexC_> ryann: So, are you saying CC details have also been
> compromised?

> 06:00 < ryann> Yep

> 06:00 < AlexC_> ryann: And you plan on releasing these?

> 06:00 < ryann> They did try to encrypt them, but using public key encryption
> doesn't work if you have the public and private key in the same directory

Jesus Christ. I agree, there is something very wrong with how Linode is
treating this situation. Cperciva's comment a couple of days back about the
doubletalk in the official statement seems especially prescient, and the new
claim about both the private and public keys for the credit card info being
stored in the same place... appallingly incompetent if true.

~~~
scraplab
The CEO has already stated that the private key had passphrase encryption,
which is strong, and only stored in their heads. You have to take their word
on that, but I don't see any proof of CCs being decrypted.

~~~
leeoniya
I cannot imagine that a remembered passphrase would take too long to
brute-force on a few multi-GPU setups, unless they did something meaningful
like making it a long sentence rather than some short-but-complex-for-humans
15-char string. <http://xkcd.com/936/>
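
A rough estimator for the brute-force argument above, added here as an example
and not part of the thread or of anything Linode published. It compares the
search space of a random 15-character printable-ASCII string with a four-word
dictionary passphrase of the xkcd 936 kind, under guess rates for three
private-key protection schemes. The guess rates, the 95-character alphabet,
the 2048-word dictionary and the KDF labels are all constructed assumptions
for illustration, not measurements of any real rig.

```python
"""Passphrase brute-force estimator (constructed example, not from the thread)."""
import math

# Constructed assumptions: guesses per second across a few multi-GPU rigs for
# different key-derivation costs.  The point is the ratio between them, not the
# absolute numbers.
GUESS_RATES = {
    # Legacy OpenSSL "Proc-Type: 4,ENCRYPTED" PEM: one MD5 pass per guess.
    "legacy_pem_md5": 1e10,
    # PKCS#8 with PBKDF2-HMAC-SHA256 at ~100k iterations.
    "pkcs8_pbkdf2_100k": 1e6,
    # A memory-hard KDF (scrypt/Argon2) with a large memory parameter.
    "memory_hard_kdf": 1e3,
}


def entropy_bits_random_chars(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random string over `alphabet_size` symbols.

    95 is the printable ASCII alphabet (assumption).  A human-chosen
    "complex" string is not uniform, so this is an upper bound for it."""
    return length * math.log2(alphabet_size)


def entropy_bits_word_phrase(words: int, dictionary_size: int = 2048) -> float:
    """Entropy of `words` words drawn uniformly from a dictionary.

    2048 words is 11 bits per word, the figure xkcd 936 uses (assumption)."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Same as above in years (365.25-day years)."""
    return expected_crack_seconds(bits, guesses_per_second) / (365.25 * 86400)


def compare_passphrase_shapes() -> dict:
    """Expected crack time in years for each (passphrase shape, KDF) pair.

    Returns {shape: {kdf_label: years}} so a caller can assert on it."""
    shapes = {
        "random_15_printable": entropy_bits_random_chars(15),
        "four_word_phrase": entropy_bits_word_phrase(4),
    }
    return {
        shape: {kdf: expected_crack_years(bits, rate)
                for kdf, rate in GUESS_RATES.items()}
        for shape, bits in shapes.items()
    }


if __name__ == "__main__":
    for shape, by_kdf in compare_passphrase_shapes().items():
        print(shape)
        for kdf, years in by_kdf.items():
            print(f"  {kdf:20s} {years:12.3g} years")
```

Two things the numbers make visible: a four-word phrase behind a legacy
single-MD5 PEM key falls in minutes at the assumed rate, while the same phrase
behind a slow KDF takes years; and a genuinely random 15-character string is
far beyond either, so what matters is whether the "complex" string was random
or merely looked complex to a human. Both the passphrase shape and the KDF
have to be chosen for this to hold.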

~~~
eridius
Specifically what they said is it isn't stored digitally. So maybe they have
it written down on a piece of paper.

------
threeseed
Wow. I didn't realise just how incompetent Linode actually is. Not only
terrible security at a coding level but completely non-existent audits.

I wonder what they were after if not money. What are people hosting?

~~~
err_badprocrast
Notably seclists/nmap is (was?) hosted on Linode and was tampered with in this
attack.

Apparently, the hackers looked up a Quora list of notable sites hosted on
Linode and went after those [2], suggesting that the attackers wanted to burn
a 0day for some notoriety or to damage Linode/Coldfusion reputation.

1. Technical info: <http://arstechnica.com/security/2013/04/coldfusion-hack-used-to-steal-hosting-providers-customer-data/>

2. <http://seclists.org/nmap-dev/2013/q2/40>

------
TikiTDO
05:21 -!- mode/#linode [+b _!_ ryan@54.228.197.*] by akerl

05:24 -!- ryan| [~violator@37.235.49.168] has joined #linode

05:24 < ryan|> quite rude of you

05:25 -!- ryan| was kicked from #linode by akerl [ryan|]

05:27 -!- root__ [~h@vmx13318.hosting24.com.au] has joined #linode

05:27 -!- root__ is now known as ryan||

05:27 < ryan||> Quite rude out of you

05:27 < ryan||> To ban me like that

Really puts into perspective the difference in the levels of skill involved.

When dealing with someone of this level, they really should have just notified
everyone immediately. There's no telling what info these people have now.

~~~
InclinedPlane
Uh, why? Because they have access to different IPs? That's trivial.

~~~
TikiTDO
The speed at which he switches hosts implies he's got quite a sophisticated
tool chain set up for this. The level of skill really becomes apparent if you
read the rest of the log though.

~~~
InclinedPlane
There are several minutes of delay in there. I could just about set up a brand
new VPS, ssh to it, install irssi and connect within that amount of time. Let
alone logging into a system I already had set up.

It does not impress me in the slightest bit.

~~~
D9u
I agree... Then the skid chose the nick "root_" in an attempt at appearing to
have "rooted" some box... It's no difficult task to ssh into another server
and reconnect, and if "ryan" is who I think it is, he's a bot herder who
enjoys DDoS attacks on those who upset his false sense of superiority. He's
well versed in server management, but exploiting others' servers is what he's
working towards, and he failed to crack a server belonging to some friends of
mine, so his only recourse was a DDoS.

