These guys are looking totally incompetent at this point.

If you believe this Ryan guy, credit cards stored on the same server as the key to decrypt them, Lish passwords stored in plain text, they've known for some time and lied about what actually happened and now they're saying "we won't do anything about it" via email?

"You are of course free to take any steps you deem prudent or necessary to ensure the integrity of your online presence."


Edit: not to mention they "made a deal" with the hacker not to tell anyone? What the hell?

> If you believe this Ryan guy

That's a rather key assumption. If you don't believe him, then all you have is a trolling (or at least self-aggrandizing) hacker whose credentials consist solely of logging into an IRC channel, refusing to identify who he was working with, and offering no tangible proof of having compromised any CC info.

On the other hand, it's conceivable that if ryan managed to get into the files a customer was hosting on Linode, and that customer was improperly storing CC info, then their customers' info would have been vulnerable, and ryan's claims would be sort of half-true. Even so, that wouldn't directly affect other Linode customers or put liability in Linode's lap.

Regarding the "made a deal" assertion, I wouldn't take the IRC log hook-line-and-sinker. There's probably a mixture of truth and lies.

for the record, i am the person who started the WHT thread.

there is a mixture of truth and lies on both sides, to be honest.

i am annoyed with it, because i reached out to several linode employees privately to give them an opportunity to explain what was going on -- they either said 'no comment' or said my linode was fine.

based on the irc log, that is clearly not the case. which is why i decided to raise my concerns publicly.

luckily for me, my linode was not doing anything mission-critical, just some secondary monitoring and running an ircd for a network i like using, but there are others who are using linode for mission-critical work, and they deserve more transparency than this.

what makes you think you are more special than anyone else? Why would they tell you more details than the rest of the people?

Sorry if you get offended that they didn't tell you much more. But seriously? You are not special. This whole thread is a lynch mob.

Is he more special than other people, or should we ALL have been informed properly?

To be fair the hacker didn't say the keys were stored on the same server as the credit card numbers, he said they were stored on the web server. It's most likely the database containing the CC numbers resides on a separate set of boxes than the web servers.

The Cigital-recommended way to hash your passwords is to use an HMAC/scrypt combo, with the HMAC key stored on the app server (not the database).

What Linode did may, or may not, be dumb. They are being tight-lipped so we can only guess.
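As an added illustration of the layout the comment above describes (not code from the thread or from Linode): the password is first keyed with an HMAC whose key, the "pepper", lives only on the application server, and the result is then stretched with scrypt and stored alongside a per-user salt in the database. The point of the HMAC is not length-extension resistance; it is that a database dump (salt plus hash) cannot be checked against guesses without also obtaining the pepper from the app tier. The pepper value, the usernames and the scrypt cost parameters below are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example key. In a real deployment the pepper is loaded from
# the application server's environment or a KMS/HSM and is never written
# to the database that holds the password records.
APP_SERVER_PEPPER = bytes.fromhex("4f" * 32)

# scrypt cost parameters (log2 N, r, p) chosen for a fast demo, not for production.
LOG2_N, R, P = 14, 8, 1
DKLEN = 32


def _keyed(password: str, pepper: bytes) -> bytes:
    """Step 1: HMAC-SHA256 the password under the app-server pepper."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes,
                  salt: Optional[bytes] = None) -> dict:
    """Produce the record that is stored in the database.

    Only salt, scrypt output and cost parameters are stored; the pepper is
    deliberately absent from the record.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(_keyed(password, pepper), salt=salt,
                            n=2 ** LOG2_N, r=R, p=P, dklen=DKLEN)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "log2_n": LOG2_N, "r": R, "p": P}


def verify_password(password: str, pepper: bytes, record: dict) -> bool:
    """Recompute the record from the candidate password and compare in constant time."""
    digest = hashlib.scrypt(_keyed(password, pepper),
                            salt=bytes.fromhex(record["salt"]),
                            n=2 ** record["log2_n"], r=record["r"],
                            p=record["p"], dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def dump_is_checkable_without_pepper(password: str, record: dict) -> bool:
    """Model an attacker holding only the database dump.

    Without the app-server pepper the best they can do is guess one; with a
    wrong pepper even the correct password never verifies. Returns True only
    if the dump alone lets them confirm the password, which it should not.
    """
    wrong_pepper = bytes(len(APP_SERVER_PEPPER))  # attacker's guess: all zeros
    return verify_password(password, wrong_pepper, record)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple", APP_SERVER_PEPPER)
    print("stored record:", rec)
    print("verify (right password):", verify_password("correct horse battery staple",
                                                      APP_SERVER_PEPPER, rec))
    print("verify (wrong password):", verify_password("tr0ub4dor", APP_SERVER_PEPPER, rec))
    print("checkable from DB dump alone:",
          dump_is_checkable_without_pepper("correct horse battery staple", rec))
```

Note that a pepper only buys anything if it is kept off the database tier; a compromise that reaches both the web/app server and the database (as the IRC log in the thread suggests) collapses this separation, which is exactly why where the key lived is the crux of the discussion.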

Why would you use an HMAC for password storage? It's not like length extension attacks are relevant in that application.

the database server is local, read the entire log...

