
Would've been much easier to just actually hack Linode.


This has always been my concern with Linode and other cloud VPS providers. You can secure the server all you want, but you can always get in via a vulnerability in their API or out of band console access. 2FA helps a lot to prevent access to Lish/Glish/Rescue mode console but as shown the API is powerful enough to still be a potential problem if your key gets leaked somehow.

Oh, but last I checked lish was an INCREDIBLY (can't emphasise this enough) insecure hack around screen(1)[1]. 2FA doesn't help you a bit.

Moral of the story is not to trust your provider. Don't use cloud if you don't need it, don't let your host have your IPMI credentials, run FDE (this has saved several bitcoin exchanges from losing millions).

[1]. Here's one particularly funny thread from their support forum that perfectly captures exactly how much of a mess this setup was (is? I haven't hacked linode lately): https://forum.linode.com/viewtopic.php?t=3231

"I put in a support ticket about this back in December 2007." (source: comment in mid-2008)

Usually a bad sign by itself lol...

My strategy was always going for whatever they trusted the most. Often security or admin-level systems. They usually sucked more than some of the battle-hardened apps they were looking out for. Hilarious that the same principle might have led me to go for Linode, too, instead of the app. Well, also the ROI factor of getting more for my time.
