by 3pt14159 5225 days ago
Simplest answer is probably the right one in this case:

Someone at Linode did it. Ran a script to see how many bitcoin files there were on all the machines (they probably do these types of queries for anti-virus/whatever anyways) and took a customer support password to log in and get the coins. If he did it right he still might be working there, as it is easy to get credentials from friends/coworkers (even though it should be really really hard).


Sorry, there is just no way that this is the case. Please don't throw such a serious allegation out there without any evidence. To even suggest that this is technically possible for an employee to do is a serious allegation, let alone suggesting that someone did it maliciously. This spreads all kinds of FUD.

I'll happily eat my words if that turns out to be what happened, but it is definitely not the simplest answer.

Inside job is usually the answer for targeted attacks against inside systems. Inside collusion at a minimum.

I wonder how anyone can trust their linode systems after an admin account being compromised.

It would likely ruin their business to re-install everything, but that is the only way to know rootkits have not been installed.

Or just check if your instance was restarted and your root password was changed. If it wasn't, you were not exploited this way.

Up-vote to the original comment because it's not stupid or impossible, just unlikely.

We can only speculate at this point.

The simplest answer is probably that one of the staff was subject to a targeted hack and a 3rd party gained external access to the CSR tools.

Possibly for an extended period of time. <-- This is the concerning part.

It's relatively unlikely an internal staff member would do something this dumb (but not impossible; we've had this happen _here_ where I work, with credit card numbers, but obviously the person responsible was caught almost immediately).

> To even suggest that this is technically possible for an employee to do is a serious allegation

It is technically possible for an employee to do it because it seems (from the linked pastebin above) that is how it was compromised: an elevated account for Linode Manager was compromised.

As for an employee being the one that did it, that is probably the least likely cause.

I believe he's referring to the part about employees (at least the ones that have access to the customer dashboards) being able to run a script to scan for bitcoins.

You can't secure against God. Of course it's technically possible for a Linode employee to do.

Pretty sure there is a default port that accepts connections as part of bitcoind, so you can just portscan for it.
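The default-port observation in the comment above, as an added example that is not from the thread, from Linode or from the bitcoind project: a plain TCP connect sweep for hosts listening on bitcoind's default peer-to-peer port (8333 on mainnet). The host it scans is a constructed local stand-in bound to an ephemeral port on 127.0.0.1, so the code runs offline without privileges; `tcp_port_open`, `find_listeners`, `_LocalListener` and `demo` are names chosen here, not existing tools. An open port only shows that something is listening, not that it is bitcoind or that a wallet file is reachable.

```python
import socket
import threading
from contextlib import closing

# Default TCP port on which a stock bitcoind accepts peer-to-peer
# connections on mainnet. This is the only real-world constant the sweep
# relies on; everything else below is illustrative.
BITCOIND_P2P_PORT = 8333


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect() to host:port succeeds within timeout.

    A connect scan proves only that a listener exists. Telling bitcoind apart
    from any other service would need the Bitcoin protocol handshake, which
    this example deliberately does not attempt.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, ConnectionRefusedError, OSError):
            return False


def find_listeners(hosts, port=BITCOIND_P2P_PORT, timeout=0.5):
    """Sweep a list of hosts and return those with `port` open."""
    return [h for h in hosts if tcp_port_open(h, port, timeout)]


class _LocalListener:
    """Constructed stand-in for a node listening on the bitcoind port.

    Bound to 127.0.0.1 on an ephemeral port so the example needs no root
    and no network; it accepts connections and immediately closes them.
    """

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listening socket was closed
            conn.close()

    def close(self):
        self.sock.close()


def demo():
    """Scan a constructed listener while it is up, then after it is closed.

    Returns (hit_while_listening, hit_after_close); the second probe shows
    the scanner reporting a closed port rather than a false positive.
    """
    listener = _LocalListener()
    try:
        hit_while_listening = tcp_port_open("127.0.0.1", listener.port)
    finally:
        listener.close()
    hit_after_close = tcp_port_open("127.0.0.1", listener.port)
    return hit_while_listening, hit_after_close


if __name__ == "__main__":
    print(demo())
```

In practice the sweep would be pointed at a range of customer addresses with `find_listeners(addresses)`; the constructed listener only stands in for one such host so the logic can be exercised locally.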
I'd be very surprised (and suspicious) if they were running any kind of diagnostics over their customers' data without an explicit signed contract. The liability worry there alone is scary.

You do realize that in this theory, the same person then went and stole thousands of dollars in bitcoins, right? I don't think they were worrying about liability...

You misunderstand. Not the thief's liability, Linode's. If someone, say, engages in insider trading because of something they saw in Linode's own analysis system, Linode can be sued for failing to protect that information. If they have a policy of never reading customer data (and can prove it) that becomes much harder. The posited "anti-virus checker" would throw that promise out the window.

How so? Google credibly claims (somehow) that they don't "read" customer email, even though they run the largest-scale automated email reading system on the planet.