by dave_sullivan 5225 days ago
It's certainly a grey area, but at what point is it safe to assume that if you get hacked, it's not going to be because your ISP got hacked? Say this happened to Amazon and it affected a company like Heroku or Dropbox, both users of AWS? Regardless of what the terms of service say, I'll bet there's some liability somewhere. And if there's a cutoff, maybe Linode should advertise that? "Hey, we're cheap, but you get what you pay for!" rather than "You're getting ripped off if you go with Amazon over Linode!"

If a bank gets robbed, I'm not liable for the cash they steal. But how about if I've got cash in a safe deposit box and someone uses a fake ID to get into it, and the bank doesn't recognize the fraud? That's trickier. And if someone robs my house and I've got a bunch of cash under my mattress, that's another story too. I know the analogy doesn't quite hold up because it's kind of like a bank and a customer engineering a safe together (e.g., both could be at fault for a break-in), but there's got to be some responsibility on Linode's part.

4 comments

I'd say this is more akin to stashing a bunch of money in a self-storage unit instead of a bank account. One explicitly insures against theft, the other does not. The onus is on you as a customer to decide what to go with.

> One explicitly insures against theft, the other does not.

I'd take issue with that summary. If I put things in a self-storage unit, and it gets robbed because some employee left his master key under the door mat, regardless of how bad of an idea it was to store my money there, that's still their issue.

Think about it this way. I could store my money under a table at McDonald's, in a self-storage unit, or in a bank. Clearly the self-storage unit should provide me some more security than McDonald's. So when an attacker gets access through some really trivial method that they really should be protected against, that's their fault; it doesn't matter that there was a better security option, because it's still below what I was paying for.

"So when an attacker gets access through some really trivial method that they really should be protected against, that's their fault"

A good point but keep in mind that courts don't have the level of expertise to judge what in terms of security is trivial and what is not.

The person trying the case and/or the jury may very well be someone who uses "football" as a password.

Also there are multiple cases of the very best companies with supposedly the highest levels of security getting hacked on a regular basis (might be a small percentage but it always makes the news). Consequently any company defending could make an argument that "this stuff happens even with the best and brightest" and it might be believed. (Well anyway that's what I would argue if I was a lawyer..)

So the public could easily be convinced in the case of a technology company something that would never fly as far as a screwup at the self storage - something physical that they can relate to (like leaving a door unlocked which is easy to understand).

A bank or safe deposit box business will most definitely have clear terms about how liable they are if something gets stolen.

For a hosting company this is different. Especially because--it's hard to draw a line but I feel it's there--there's a difference between storing sensitive data and storing (what are practically) valuables/money.

I wonder though, I'm not clear on his setup (or business, even), but basically he was literally storing his bitcoin money on a Linode server? Since they're not a bank, nor a safe-deposit service, nor are they in the business of storing valuables (as opposed to sensitive data). I can't come up with a real-world analogy (they usually break down anyway), but wouldn't you want to wrap this data in an extra layer of encryption or something? It's not that hard to come up with some scheme so that people with root access to the Linode server can't do anything with it either. Since this is about (almost) real money, that's what I'd do.

"And if there's a cutoff, maybe Linode should advertise that? "Hey, we're cheap, but you get what you pay for!" rather than "You're getting ripped off if you go with Amazon over Linode!""

Well of course that's never going to happen and the truth is the contracts of the more expensive provider no doubt also limit liability. (And all of this is in the TOS/contract etc.) So what we are really talking about is who will do a better job protecting what you have AND more importantly who has more to lose if they screw up. (Small Linode has more to lose but they also don't have deep pockets to pay. Amazon has deep pockets but access to magnitudes greater legal help to prevent having to pay.)

> but at what point is it safe to assume that if you get hacked, it's not going to be because your ISP got hacked

If you co-locate your hardware at a data center and your staff competently secures your systems.

Secure with what? A booby trap? There's always a level of trust you need to have for your provider. Even when you get a cage in their DC.

Set low-level passwords and use filesystem encryption, e.g. passwords on all networking devices, boot loaders, and BIOS.

Three-letter agencies and foreign governments could attack your data if they took it offline, but your monitoring should detect that.