[videoappeal]

All this talk about banks being safe yada yada and cloud hosting not safe for US50k. Real banking companies (with billions of dollars on hand) do use commodity cloud hosting including Linode, for even sensitive parts. Take for example Natwest online banking login. On initial login page they load a cookie via an image from www.advanced-web-analytics.com and then once you enter a customer number the next page loads a ...drum roll... javascript file from www.omni-traffic.com. Now who can tell me what one can do when you have control over the Javascript on a banking login page?

Ah crap. It looks they have been moved to Amazon EC2, ~8 months ago they were hosted on conventional Linode VPSs. Points still stands though.

[tomg]

In my experience working on a US financial website, a bank would never consider using a VPS like Linode to store actual banking and customer data. It's not even close to Level 1 PCI compliant.

[videoappeal]

Not sure about this PCI complaint stuff, but perhaps this is why major banking companies jumped from Linode to EC2? Much improvement? Although I must say I have friends working on banking websites in the UK that dont know the whole picture, its not unreasonable to assume that these things are fucked up.

[tomg]

From what I know, PCI compliance is firstly, just a guideline. It's not like OSHA, but IANAL.

I also know there are "levels" of PCI compliance. The highest one, which reputable banks should be following, is very strict AFAIK, and includes provisions for controlling who has access to the physical hardware, encryption levels, etc. The fact that a Linode VPS can be 'rooted' via their management software by a sysadmin working for Linode would, from what I can tell, make them unqualified to be used to store banking transaction & customer data, though perhaps I am wrong.

[res0nat0r]

EC2 is now PCI DSS 2.0 compliant which is probably why: http://aws.amazon.com/security/pci-dss-level-1-compliance-fa...

[videoappeal]

Well tomg, when I researched this ~8 months ago there were at least 2 US financial websites that were using the same specialized analytic company that injected JS into banking login pages that were hosted on Linode VPSes.

[tomg]

Oh I don't doubt you. I'm not an expert on this, heck, I wasn't even allowed on to the actual servers (because of said compliance). I don't know the guidelines for login pages or what kind of security third party JS libs are supposed to have (also PCI is not a law, afaik).

What I'm asserting is that the servers that store the actual banking and customer data have very high security standards. It's one thing to store front end website code on a VPS, it's a totally other thing to store your database with customer & bank data on Linode.

The bitcoin breach seems analogous to Bank of America storing your account information on Linode and trusting it as the Real Data. Does that make sense?

[videoappeal]

[quote] The bitcoin breach seems analogous to Bank of America storing your account information on Linode and trusting it as the Real Data. Does that make sense? [/quote]

//reply to tomg, but seem HN stops nested replies beyond a certain level

At the end of day you can have millions of dollar of security, auditing, PCI compliance tests passing, developers that celebrate every Friday that everything is secure, data is hosted on premise etc... But if you leave the login page javascript to a third party hosted on Linode then you might as well be BoA storing your data on a mySQL linode instance. So in a nutshell it kind of undermines the work you guys do.

[tomg]

That's very true, and TBH I'm a bit surprised these banks are allowing that. IME doing frontend code for banks is that they're very strict on third party libs, even ones hosted by the bank itself, right down to only approving certain versions of the lib.