by ceejayoz 5225 days ago
> customer service can access your account only if you read them your hardware token's code

At the very least, I'd hope Linode implements two-factor authentication for their own logins. A customer-provided OTP would be great but you'd need a customer service reset tool for that when people forget, which would put you back where you started...

2 comments

Not necessarily if the reset tool is manually driven and audited. The vulnerability we're worried about here is an automated attack against many customers of a single hosting provider.

There will always be ways to human-engineer your way into any single host. Having a hosting provider just increases the attack surface a little.

> The vulnerability we're worried about here is an automated attack against many customers of a single hosting provider.

This was an attack against Linode's customer service systems, which allow their support reps to reset root passwords. There's no reason for that system not to be protected by two factor authentication on top of heavy logging.

You obviously have never worked for a retail ISP.