by brettfarrow 3418 days ago
I used to use Linode for some projects, and really appreciated their speed and server quality, which seemed better than Digital Ocean at the time.

But after using them for 12-18 months, and losing several days of data due to the 2015 DDoS, and reading about more and more security issues, I switched back to DO and haven't looked back. The performance differences aren't noticeable to me, and I'd rather have my hosting through a company with a better security record than Linode.

2 comments

DO isn't any better, just hasn't been targeted by any serious attackers yet.

until very recently, they didn't allow using a custom kernel (except via kexec hackaround) and were quite slow updating their kernel for security patches. they repeatedly gave random dates for implementation, then repeatedly pushed them back, then eventually just ignored users on this issue for years.

their images were also poorly sanitized, leading to the well-known problem of SSH host key duplication, which was the case for years.

> just hasn't been targeted by any serious attackers yet.

Source? Just because they haven't announced any successful security breaches, doesn't mean they haven't been seriously targeted.

In fact, considering the amount of times my random dedicated server instance (not hosted at DO) gets hit with random attacks, I'm sure a large provider like DO has had numerous serious, targeted attacks against their network/servers/control panel/etc.

> Source? Just because they haven't announced any successful security breaches, doesn't mean they haven't been seriously targeted.

True, and in fact the only basis for my statement is that they have historically taken security so not-seriously that it would be surprising if they were in fact able to withstand advanced attacks, given that even the most secure organizations are often unable to do so. (see: every talk at Black Hat)

> In fact, considering the amount of times my random dedicated server instance (not hosted at DO) gets hit with random attacks, I'm sure a large provider like DO has had numerous serious, targeted attacks against their network/servers/control panel/etc.

this statement is just as baseless as mine. perhaps even more so, since the two numbers seem to have nothing to do with each other. one could just as well say "my server gets lots of bogus SSH attempts, so banks get robbed a lot".

In addition to that, they even had security issues where people could use testdisk or any other file recovery tools to recover files which would often belong to another customer.

http://venturebeat.com/2013/12/30/iaas-provider-digitalocean...

> DO isn't any better, just hasn't been targeted by any serious attackers yet.

As the official authority on serious attackers I can confirm that this is in fact not true.

We moved >1K$ hosting per month from them to StormOnDemand because of the lack of transparency on security issues, particularly the PagerDuty incident.

This was heartbreaking because Linode's value (performance, reliability, support, price) is almost impossible to match if your requirements fit their VM configurations.

But in the end, we did not want to risk another security or DDoS fiasco. We estimated that the risk was high that they would be targeted again, we could not believe their promises to get better at face value considering previous transparency issues, and we did not want to tell our customers that a company that had experienced security issues for the past three years had suffered from another attack[1].

They seem to have invested quite a lot in their networking infrastructure (kudos!), but I believe they still use their old ColdFusion applications.

[1] Non-technical customers often ask us why we are not hosting on Amazon because they heard it's where serious companies host their servers (!). We used to explain why Linode was a more cost-effective choice, but Linode was not a nice name to google in early 2016.

> but I believe they still use their old ColdFusion applications.

For now, yeah. But the new Manager mentioned in the blog post is just a client for our new API, which is written in Python.[1]

You can even check out the new Manager now if you want: https://github.com/linode/manager

It's still in alpha (and separate from our regular service), but we're hoping to have it out in beta soon!

[1] https://engineering.linode.com/2016/04/12/Announcing-APIv4.h...