Under-attack Linode resets passwords after logins leak onto web

Linode's woes continue: the server hosting biz has just run a system-wide password reset on customer accounts after two Linode.com user credentials were discovered “on an external machine.” The advisory, posted here, says the leak “implies user credentials could have been read from our database, either offline or on, at some …

  1. batfastad

    Made a right old hash...

    ... probably MD5 or SHA-1.

    N00bs.

    1. Destroy All Monsters Silver badge

      Re: Made a right old hash...

      Stop spouting memes you don't understand.
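The first comment above speculates that the stored credentials were hashed with MD5 or SHA-1. The added Python example below (written for this page, not Linode code, and with constructed usernames and passwords) shows the practical difference a defender cares about: an unsalted fast hash is deterministic, so a leaked table immediately reveals which users share a password and can be matched against precomputed digests, whereas a salted PBKDF2 hash gives every user a distinct value even for identical passwords. The iteration count and storage format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Parameters for the hardened scheme (example choices, not any provider's settings).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_md5(password: str) -> str:
    """Unsalted, fast hash: the same password always yields the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iterations$salt_hex$dk_hex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_password_groups(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames by identical stored value.

    For an unsalted hash this exposes password reuse across accounts without
    recovering a single password; for a salted hash it finds nothing.
    """
    groups: Dict[str, List[str]] = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


def build_tables() -> Dict[str, Dict[str, str]]:
    """Constructed credential tables for three example users (alice and bob reuse a password)."""
    creds = {"alice": "password", "bob": "password", "carol": "correct horse"}
    return {
        "legacy": {u: legacy_md5(p) for u, p in creds.items()},
        "hardened": {u: hash_password(p) for u, p in creds.items()},
    }


if __name__ == "__main__":
    tables = build_tables()
    print("reuse visible in legacy table:", shared_password_groups(tables["legacy"]))
    print("reuse visible in hardened table:", shared_password_groups(tables["hardened"]))
    print("alice verifies:", verify_password("password", tables["hardened"]["alice"]))
```

The hardened table is only as good as the parameters: the salt must be random per user and the iteration count high enough that checking each guess costs real time on the defender's hardware, which is the trade-off the first comment is alluding to.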

  2. Anonymous Coward
    Anonymous Coward

    2 or 3 from their database. Suggests to me that either the passwords were floating around somewhere less secure (Support maybe) or the attackers tried a dictionary attack with the usernames they had. Or, possibly, the account owners subbed it out to people that don't care very much and the username and password were the same. I've seen two of these this year...fucking design agencies.

    Hope Linode ride it out - they were nice chaps last time I spoke to them.

  3. Quortney Fortensplibe
    Unhappy

    Thank you for your patience, understanding and ongoing trust in Linode

    What ongoing trust in Linode?

    * Suffering a DDOS is one thing

    * Not contacting your customers to explain what's going on is another

    * Being unable to mitigate said DDOS in over a week is yet another

    But, finding out that, in addition, Linode has been leaking customer account data, is starting to look like incompetence.

    1. Anonymous Coward
      Anonymous Coward

      Re: Thank you for your patience, understanding and ongoing trust in Linode

      @Quortney Fortensplibe, they did try to mitigate the DDoS attacks; every time they mitigated the attack, the vector being abused changed. This then requires additional time to analyse the attack and put in countermeasures. Maybe it could have been done quicker; unless you had full visibility of it, the answer to that is hard to give.

      With all the DDoS attacks currently going on maybe people should turn their anger/frustration onto the people that are not securing their infrastructure. You know, the ones that are actually having their systems abused and are being used to DDoS a target...

      The attacks are only going to get bigger and bigger.

      1. aardvarks4life

        Re: Thank you for your patience, understanding and ongoing trust in Linode

        > turn their anger/frustration onto the people that are not securing their infrastructure

        Recent history has shown that it's often not home PC botnets any more doing this, as they have realised they just don't have the power to take down modern anti-DDoS solutions. What they have moved on to is renting dedicated servers and VPSes which they purchase via stolen credit cards & bitcoin. They also try and compromise machines in large DCs. It's the reason why many of the bigger operators have started to restrict who and how they rent machines to, e.g. most will not rent to China at all.

        1. Anonymous Coward
          Anonymous Coward

          Re: Thank you for your patience, understanding and ongoing trust in Linode

          The example of compromised machines in large DCs is the type of scenario I was referring to. It still amazes me to see the number of devices running weak/default credentials, no authentication, bad configuration such as services allowing amplification attacks, out-of-date software with vulnerabilities. I'm not talking about the average home user on a botnet (although they can be used to abuse the above).

    2. vordan

      Re: Thank you for your patience, understanding and ongoing trust in Linode

      Linode is a solid company. I was a satisfied customer of theirs for several years until we had to switch to another host (for non-technical reasons).

      Their support was top-notch, we always got a reply within an hour, day or night.

      You (and I) do not know all the facts and what was happening. It is true that they were late a bit in explaining what happened, but - from what we know - it was a well organized and massive DDOS attack, and I suppose they were *very* busy defending themselves.

      And, if you read this article, only two or three passwords were found. Linode says their passwords were hashed in the database, so these two were most likely leaked in some other way, maybe from the users themselves (you know, the ol' "password on a post-it note on a monitor").

      The fact that Linode is open about this and is doing all that is necessary to mitigate the disaster, speaks about their competence.

      TL;DR: Don't be so fast in judging before you see all the facts and think about them.

      1. Quortney Fortensplibe
        Holmes

        Re: Thank you for your patience, understanding and ongoing trust in Linode

        "....And, if you read this article, only two or three passwords were found..."

        Sez Linode. In which case, it's strange that they're requiring everyone to set a new password —unless the reality [or the fear] is that many more passwords than "2 or 3" were leaked.

        1. Anonymous Coward
          Anonymous Coward

          Re: Thank you for your patience, understanding and ongoing trust in Linode

          Well clearly someone's out to get them, so it's not paranoia. The 2 or 3 passwords from (how many customers?) is more indicative of very lax security on the part of a couple of customers rather than any fault on the part of Linode. Resetting the passwords maybe seems a little over the top but until you know exactly what is going on -and remember this is a developing situation- it's the sensible thing to do and I'd do exactly the same. It's a precaution. A successful hack would have exposed considerably more than 2 or 3 passwords but you close the potential hole off anyway (if it were me, I'd enforce some standards on the new password to eliminate the 'lax security' bit at the same time...new passwords to be over a certain length etc).

          And earlier, you berated Linode for "Being unable to mitigate said DDOS in over a week"; which tells me definitively that you don't know much about DDoS attacks. You can screen against known amplification attack strings; but -basically- until the attacker runs out of IP addresses there's bugger-all you can do to stop it totally. And if your attacker cares to burn some money renting botnets then that could take years.

          Basically you're pissing me off with the unfounded and demonstrably untrue accusations, to the point where I'm seriously considering a downvote (haven't decided yet). It sounds like they have quite enough crap to deal with as it is. Possibly you're a current customer and are annoyed at the service stuttering during the attack; but I'm pretty sure that Linode wish things were otherwise too. To me, they seem to be doing everything right in a difficult situation...over Xmas too.

          Disclaimer: I am not being paid by Linode; nor am I a current customer. When I was with them they treated me very well. I left because of the pricing and my general Linux incompetence rather than through any fault of the company. Of course, they're a US company and Safe harbour has messed things up somewhat; but I wouldn't hesitate to recommend them to anyone in the US.

          1. Quortney Fortensplibe
            Facepalm

            Re: Thank you for your patience, understanding and ongoing trust in Linode

            "...Basically you're pissing me off with the unfounded and demonstrably untrue accusations, to the point where I'm seriously considering a downvote (haven't decided yet)..."

            No! Please! Have mercy! Not a... a... "downvote"! How will I ever live down the shame? My life will be ruined.

            "...Disclaimer: I am not being paid by Linode; nor am I a current customer..."

            Well, I am a current customer and have been since 2009. Which I'd say gives me every right to complain about how they've dealt with this.

  4. Anonymous Coward
    Anonymous Coward

    Had no issues

    No problems at all with Linode; fortunately the part of their infrastructure I use has not been affected. As others have said, there is zero evidence of a mass data breach, although that could well have been what the DDoS was about: hiding a sustained attack and diverting all resources to trying to cope with the DDoS whilst trying multiple attacks to gain access. A handful of accounts points to weak passwords and a dictionary attack which could easily have been disguised by the DDoS.

    All those throwing accusations at Linode should think themselves lucky they were not the target this time and pray they never are; then they might realise what they are up against and how less than perfect their own systems are. I feel sorry for their staff, who must have been working all hours on this over Christmas and New Year whilst all the critics were enjoying their holiday season.

    About time the big players on the internet got together and enforced measures against spoofing. Get lobbying!
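The comment above raises the point that a dictionary attack against a handful of accounts can hide inside the noise of a DDoS. The added Python example below (written for this page, not Linode code) shows detection logic that keys on authentication outcomes rather than traffic volume: it reads a constructed, hypothetical login-audit format, flags users with a burst of failures in a sliding window, flags sources that try many different usernames (password spraying), and raises the highest-priority finding when a user logs in successfully right after such a burst. The log format, field names, thresholds and sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical audit-log format assumed for this example (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a burst against alice followed by a success, a benign typo by bob,
# one source trying four different usernames, and an unrelated line that must be skipped.
SAMPLE_LOG = [
    "2015-12-27T03:10:00Z login user=alice src=203.0.113.5 result=FAIL",
    "2015-12-27T03:10:10Z login user=alice src=203.0.113.5 result=FAIL",
    "2015-12-27T03:10:20Z login user=alice src=203.0.113.5 result=FAIL",
    "2015-12-27T03:10:30Z login user=alice src=203.0.113.5 result=FAIL",
    "2015-12-27T03:10:40Z login user=alice src=203.0.113.5 result=FAIL",
    "2015-12-27T03:10:50Z login user=alice src=203.0.113.5 result=FAIL",
    "2015-12-27T03:11:00Z login user=alice src=203.0.113.5 result=OK",
    "2015-12-27T03:12:00Z login user=bob src=198.51.100.7 result=FAIL",
    "2015-12-27T03:12:10Z login user=bob src=198.51.100.7 result=FAIL",
    "2015-12-27T03:12:20Z login user=bob src=198.51.100.7 result=OK",
    "2015-12-27T03:13:00Z login user=carol src=203.0.113.9 result=FAIL",
    "2015-12-27T03:13:10Z login user=dave src=203.0.113.9 result=FAIL",
    "2015-12-27T03:13:20Z login user=erin src=203.0.113.9 result=FAIL",
    "2015-12-27T03:13:30Z login user=frank src=203.0.113.9 result=FAIL",
    "2015-12-27T03:14:00Z healthcheck ok",
]

Event = Tuple[datetime, str, str, str]


def parse(lines: List[str]) -> List[Event]:
    """Turn matching log lines into (timestamp, user, source, result); skip anything else."""
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return events


def analyse(
    lines: List[str],
    window: timedelta = timedelta(minutes=10),
    fail_threshold: int = 5,
    spray_threshold: int = 3,
) -> Dict[str, List[str]]:
    """Return three findings, each a sorted list.

    guessed:     users with >= fail_threshold failures inside `window`
    spraying:    sources that failed against >= spray_threshold distinct users
    compromised: users who logged in OK while flagged as guessed (investigate first)
    """
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)
    users_per_src: Dict[str, set] = defaultdict(set)
    guessed, compromised = set(), set()

    for ts, user, src, result in sorted(parse(lines)):
        if result == "FAIL":
            q = recent_fails[user]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.pop(0)
            if len(q) >= fail_threshold:
                guessed.add(user)
            users_per_src[src].add(user)
        elif user in guessed:
            compromised.add(user)  # success right after a burst of failures

    spraying = {s for s, users in users_per_src.items() if len(users) >= spray_threshold}
    return {
        "guessed": sorted(guessed),
        "spraying": sorted(spraying),
        "compromised": sorted(compromised),
    }


if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Because the signal is the authentication outcome, not request volume, the logic keeps working while the network is flooded; the thresholds are deliberately low for the constructed sample and would be tuned against a real baseline of ordinary failed logins.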

  5. Anonymous Coward
    Anonymous Coward

    Plenty of information

    There is lots of details about the issues on their status page.

    http://status.linode.com/

    Regular updates every day!

    1. Quortney Fortensplibe
      Headmaster

      Re: Plenty of information

      "...There is lots of details about the issues on their status page..."

      Yes. That's great, once you know there's a crisis. However, when you're wrestling with your VPS, wondering why it's behaving like a slug on mogadon and naturally assuming it's because of something daft you've done yourself, because Linode haven't bothered to tell their customers what's going on —it's not such an obvious source of help.

      It's not the first time either: a couple of months back, I got an email from them saying they were about to take all my VPSs offline as I had an outstanding payment. This was odd, as I have my account set up to pay by direct debit every month. I emailed support to ask how I could be in arrears and, a few days later, got a reply basically saying "Ignore that previous email. It was a mistake in the payment processing system at our end". The point being that, as with the current crisis, they didn't bother to tell anyone their systems were playing up. You only found out by opening a support ticket.

      I don't mean to come across as a complete Linode basher in this thread. Present crisis aside, I have no complaints as to the technical quality of the service I've received from them. However, when I choose to give my custom to a company where my only contact with them is via the intarwebs, I do expect that communication to be reliable, for those inevitable times when things go wrong. Of late, with Linode, I'm starting to have doubts.
