[threeseed]

After being bitten the first time with Linode I don't care what technical measures they are taking. I want to know what process and policy changes have been made.

Do they still store public/private keys on the same server ? How often are they doing security audits (which clearly never happened before) ? Are they still going to be dodgy and withhold key information from their users ? Are users still going to find out hackings from IRC/Reddit rather than Linode itself ?

Two factor authentication would have done NOTHING to prevent both hacking attempts.

[fiatpandas]

I also find it really troubling they haven't released a "Here's what we're doing different" blog post in response to the attack. Their only blog post on the matter came a week (2 weeks?) after the intrusion, which they were of course pressured to release after everyone found out via a pastebin IRC transcript... By chance I happened to sign up for my first Linode account the day before that hit HN.

I hope their silence on the aftermath is due to an ongoing investigation with feds, or something, where they can't talk about it yet. Do they think their customers are stupid and will forget the incident?

Imagine if AWS had a security breach of that magnitude. They would release an initial 4000 word blog post in grave technical detail, and then follow up with a 25 page white paper, or whatever.

Oh, and to stay on topic, I tried Linode's 2-factor with Google Authenticator and it works well.

[threeseed]

   Do they think their customers are stupid and will forget the incident?

Yes. They have done it before and people on here still recommend them with a straight face. It honestly confuses me that people care so little about security.

[hkmurakami]

I'm one of those people who have a slight interest in the security but don't know enough about it to be properly informed about my own decisions.

For people like me who basically can't make my own decisions properly, where should I switch to? Is DigitalOcean better in this regard?

[Kudos]

Digital Ocean is largely untested in this regard.

[raverbashing]

And that's the real issue

Two factor auth addresses the user password as being a weak link, and this is a nice step

Oh and btw, yes, the private keys were on the server, with a passphrase

[dllthomas]

"Do they still store public/private keys on the same server?"

As phrased, this is not a problem - there's never any worry to including your public key wherever you have your private key; your attacker can be assumed to have your public key anyway if it'll do them any good.

The problem was private keys (encrypting important things!) on a web-accessible server, was my understanding.

[singlow]

Well - it is not likely you will need you public key on the non-web-accessible server. In this type of application the public key is needed in the place that encryption happens and the private key is needed where decryption happens. If the two are on the same machine it likely means you messed up.

[dllthomas]

Or it means you didn't bother to delete the public key (since, hey, free backup at the cost of not typing rm) when you generated the keypair.

[pyre]

You're assuming a single piece of information has a single key-pair. E.g.:

  1. Obtain sensitive information
  2. Generate a new key-pair
  3. Encrypt with public key
  4. Store encrypted info
  5. Delete public key
  6. Use private key to decrypt when reading the data

It's also likely they they were using one key-pair to encrypt all of their data (or all of a specific type, e.g. one key-pair to encrypt all passwords). In this case, the public key would be needed to encrypt new data coming in.

[dllthomas]

No, I was thinking the latter, but the data should in that case be encrypted with the public key, which can be copied to the web-facing servers.

[sendob]

This was exactly what I thought of as well.

Nice, but has nothing to do with the issues they experienced recently: Still runs on cold fusion, still they do not understand PKI( more tweets about how awesome the passphrase is on your private key, you know the one in adversarial hands...confidence + 10!....)

[jimktrains2]

FWIW they claim the private key was encrypted. Granted, having it air-gapped as much as possible is even better.

[xenophanes]

Sure Linode sucked at security and probably still sucks.

But what makes you think its competitors are any better?

[drivebyacct2]

Hope that there is some sanity in the world?

[pionar]

Of course the 2FA wouldn't prevent it from being hacked, but that's not the point of it. The point is that even if someone gets the password and cracks it, it's still useless as the attacker doesn't have the other factor.

[pyre]

If the attacker has open access to the network (from compromised machines), does the password to the admin console matter as much?