Hacker News

While from the blogpost it isn't 100% clear to me how far their management goes (do they restart apache if needed? Do they do security updates?), I think this fills a huge need!

Fully managed servers are really expensive and often inflexible, while with VPS you are all on your own, which not every developer wants (or feels confident in). I was just discussing a week ago how there is a big market in doing this management.

> Do they do security updates?

To me the idea of doing security updates on someone else's VM running someone else's stack/application seems very impractical. It will probably work most of the time, but when it doesn't work then basically you get credit for shutting down their service. And you don't really have any clues about what might possibly cause an issue because you don't know details of their application or stack.

And then sometimes software might need to be restarted which means you have to tell them to restart it themselves or get them to explain enough about how it works so you can restart it.

So unless you are going to charge hourly and staff accordingly, it seems like a no-go.

In this case, $100 per month is really going to pay for maybe two or three hours of sysadmin or application development work max, i.e. helping with various issues that come up in ordinary dev ops or software configuration that are specific to that particular customer's setup. And you just have to count on the idea that most people won't take advantage of more than that average amount of help, like only when they are panicked. And then hope that it is something that you can actually fix in a short amount of time.

As with all things in this market, it really depends on the execution.

If the remote hands are awesome, this is well worth $100 per node. If they are anything but awesome, this wouldn't be worth it for any amount of money.

While my occasional experiences with their support team have been fantastic, this is being offered by the same people who had a CF vuln exploited in their management software and, it seems, would not have bothered to share any details with their customers if the perpetrators hadn't gotten on IRC to brag.

Their documentation in the Linode Library is also really great -- as a starting point. Assuming that they're using the same guides in recommending server configuration, there are some things that could be done better by a skilled admin. e.g., their LAMP server guide for Debian 6 doesn't include suexec or any variation of FastCGI, two must-haves for a public-facing web server IMO.

Worth noting it was a ColdFusion 0day manufactured for that attack, and the story from the hackers (HTP) is that Linode was forced to announce it by the FBI despite being blackmailed with their customer credit card database.

Of course, they could have handled security internally better but I suspect other VPS providers appear more secure only because nobody has gone out of their way to target them.

Right; according to HTP (http://straylig.ht/zines/HTP5/0x02_Linode.txt), it sounds like Linode were willing to delay notifying their customers of a serious incident in exchange for a promise from the attackers that the data would be destroyed -- the supposedly totally secure data, according to a later blog post from Linode.

The takeaway is that now, while I don't know if I can trust other VPS providers or not, I know I can't trust Linode. (Hell, to some extent, I trust HTP more than Linode now -- I haven't seen a dump of the Linode data on pastebin or a .ru forum yet.)

How a business handles disclosure of a compromise is as important to me as the fact that they were compromised. Notably, this is the second time they screwed up disclosure, after being raked over the coals for it the first time. I was willing to let the first one slide since Linode is so awesome in every other regard, and hope that they would handle the next incident more gracefully. Unfortunately, they didn't.

I agree, I just don't expect much from VPS hosts - although their handling of this was remarkably poor.

FWIW I'll be finding a new host, I just like to play devil's advocate to balance discussions.

And so why haven't we heard anything specific from Linode about what happened? At minimum they can talk about the technology/security improvements they have made. And what about the first time this happened?

People need to stop excusing this sort of behaviour from companies.

Realistically, $100 is $100, and software and dev ops are complicated. So I look at it as $100 worth of consulting. They can hire cheap people or outsource if they want, but you can only stretch that so far. So they can provide a maximum of a few hours of help per account on average or they will lose money. Which could easily be eaten up with one issue.
