back to article Linode probe into 2015 crack finds fake 2FA creds flaw

Hosting outfit Linode has announced a slew of changes to its user procedures after a long analysis of the attack that led to a system-wide password reset in January. It's also determined that the breach was the result of customer credential theft. The company's post-mortem of the issue, published here, notes that the December …

  1. Pascal Monett Silver badge

    Security Fail once again

    "It's also created an “authentication microservice” that completely separates customer applications from customer credentials"

    The question is : why didn't they start by that in the first place ? it cannot be because they just didn't think of it, right ? I mean, I'm not an InfoSec guru by a long shot, but it seems to me that such a configuration is a basic when talking about secure authentication, no ? You want a minimum of internet interaction until you're sure of who it is you're talking with.

    In any case, good on them to have made the change. Shame that it had to be following a breach, and that they didn't put the money there in the first place.

    1. Hans 1

      Re: Security Fail once again

      Hindsight etc ...

      1. Dabooka

        Re: Security Fail once again

        You're right of course, but a part credit for fessing up and highlighting what they plan to do in the future.

        TalkTalk could learn a thing or two.

    2. Anonymous Coward
      Anonymous Coward

      Re: Security Fail once again

      Pascal, désolé mon grand mais là tu viens de dire une très grosse connerie.

      Comme on t'a déjà expliqué, les mesures qu'on prend doivent être en proportion aux risques appréciés et d'ailleurs jusqu'à là, ils étaient en ligne avec la plupart de fournisseurs de hosting virtuel. Dis-moi s'il te plaît, *un* fournisseur qui implémente le type de sécurité que Linode vient d'offrir à des prix moyennement compétitifs.

      Stones, glass houses, etc.

      1. Hans 1

        Re: Security Fail once again

        Anon ? Je pensais que les francophones etaient un peu plus ... couillu ... pardonnez l'expression, je vous prie. Je vous ai neanmoins mis +1.

        1. Destroy All Monsters Silver badge
          Paris Hilton

          Re: Security Fail once again

          Who is Pascal Monnet, who is behind Frenchanon and why are they having a conversation in french about Linode?

          Maybe Pascal Monnet and Frenchanon are coworkers?

          1. Pascal Monett Silver badge

            @Destroy All Monsters

            Well I'm me, obviously, but I have no idea why I was addressed to in French and no idea who the gentleman is. Welcome to the Internet :)

            We have a saying in French : le monde est modial.

      2. Pascal Monett Silver badge

        Re: Security Fail once again

        Les mesures sont certainement proportionnels aux risques, mais le tout est de savoir quels sont les risques que l'on determine acceptable. Il est evident que l'effort auquel Linode vient de consenter démontre que, jusqu'à maintenant, une sécurité moindre à l'authentication a été considéré comme acceptable. Maintenant qu'ils ont subi une attaque réussie, ils ont revalue le risqué et ont agi en consequence. C'est au moins ça.

        Quand à dire quels sont les fournisseurs qui implémentent la "bonne" sécurité, je pense que c'est impossible, vu que ce n'est pas le genre de chose qu'ils affichent sur leurs pages web.

        Pour ce qui est du prix de l'abonnement, je ne suis pas convaincu que l'architecture avec authentication isolée soit plus cher à mettre en place que celle qui fait l'amalgame avec le serveur d'accès. Ce qui coûte certainement plus cher, c'est de changer l'architecture.

        Autant faire bien dès le depart.

  2. Anonymous Coward
    Anonymous Coward

    credit for fessing up and highlighting what they plan to do in the future.

    Even more so for sharing the analysis. It's easy to shout "Fail", find fault and declare abject stupidity if you're not running the service yourself, but if there is one thing you should learn quickly in IT, it is not being too quick with throwing the first stone. We all make mistakes, and sometimes people just have to make do with the means available to them.

    Not that I'd pay attention to those shouting "fail", mind you. Karma is waiting.. :)

  3. Sir Alien

    Fine, I will say it then


    Just kidding... More to the point I have personally made some mistakes in the past and never attempt to palm them off. I have never had an issue with being wrong about something but if I am, why not help in pointing out where I went wrong. (this is just a generalisation).

    People make mistakes, people "normally" learn from mistakes. (well except TalkTalk).

    - S.A

    1. Trigonoceps occipitalis

      Re: Fine, I will say it then

      Wisdom comes from experience. Experience is often a result of lack of wisdom.

      Terry Pratchett

  4. Anonymous Coward
    Anonymous Coward

    Acording to this thread on HN PagerDuty have a different version of events:

    specific comment:

    It seems far more like Linode have no idea how their private keys ended up on a client's VPS and they have a hole in their system. They gloss over it in their blog and try and blame it on a client losing access to their phone, but that doesn't explain how Linode's own private encryption key was anywhere near a client.

    Linode were alerted to this by PagerDuty's own IDS, up until then things looked normal to them.

    Their response has been: no logs, no problem.

    Following down the discussion it seems like Linode has or at least had some pretty unpleasant working conditions which makes you wonder how many unhappy employees there have been. Oh and they had a massive DDoS over there's that.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like