[lelandbatey]

I give Linode a lot of slack. When people say "Oh, they should be more secure" I often say "Really?"

In an ideal world, yes, they should be more secure. However, as in this case, they got taken advantage of via a zero-day attack, with others planned well outside the scope of what Linode could have planned for. Which is insane. Can you even name something, anything that they could have done to protect themselves? Additionally, given the unique form of attack, figuring out what was going wrong was probably not possible. Thus, they knew as little as you did.

And then, everybody switches to some other provider. But do they switch to "super secure, we examine every byte of the software that we run to make sure we're bullet proof" hosting provider? NO, everyone just switches to another commodity VPS provider that is vulnerable to all the same super high level attacks that Linode is vulnerable (maybe even more attacks, given that Linode actually has a tremendous amount of experience).

In reality, you're only getting more security by switching to a less prominent hosting provider, A.K.A. security through obscurity. Which is the worst kind of security because it's not secure at all.

It's like getting mad at the mayor of your city when a meteor falls on your house: unproductive and misguided.

[tiredofcareer]

While what you say has merit, Linode's actions demonstrate an ambivalence toward security. Public key encryption for card numbers (yay!). The private key stored on the same machine and the key loaded in memory (boo!). ColdFusion was not properly secured (simply preventing access to /CFIDE would have neutralized this vector) and they focused first on preserving themselves. I've also been personally annoyed when there are sweeping outages and information is withheld for seemingly arbitrary reasons. Support is apparently instructed to be vague. It's overwhelmingly frustrating.

I'm just as annoyed at Amazon for this, to be honest, and in the large, annoyed at our industry for being so unnecessarily secretive. We need to stop thinking of our infrastructure as our competitive advantage; to pick on Google as an example, while Google are obviously masters of running systems at scale, their infrastructure efficiency is not the reason people choose Gmail. Obviously their platform gives them some competitive advantage but, for example, their policy of withholding even the innocuous names of internal systems is bizarre. I think the rest of the industry follows that lead.

It's weird that we embrace openness in the FLOSS communities but when it's time to build a revenue-making company, the details of the inner workings are immediately a hush-hush secret. If you're doing something simple enough that describing it means someone can replicate it, it's an idea that can be replicated trivially anyway. I bet everybody in hosting knows how Linode works, and I doubt there's any kind of espionage taking place.

In this case, it's fine to be secretive if you'd like, but at least tell me how you plan to prevent the problem from recurring. Linode always says "we're working diligently to prevent this from happening again" but provides no details whatever. The announcement from the founder of Linode[1] underlines this; the entire tone of the post is "here's how we band-aided the immediate problem," with no details on where they go from here as a business or culture.

[gingerlime]

I tend to agree with you. We don't see much transparency in the industry as a whole.

When a security incident happens, I believe most security professionals would advise to keep details to the minimum necessary. I can imagine how misleading info can cause panic and dire consequences (to both linode and its customers). In Linode's case this could have been mandated by the FBI even, giving Linode no choice.

For me, linode is still one of the more transparent providers out there. I doubt AWS or any other provider would be more forthcoming if something similar happens.

Of course, there's a lot of security improvements to be made. I hope Linode would shake-up and improve and signs are they're doing that.

I'm still curious to hear some brand names that are better in that respect (hence my question about). From what I read there really is no better alternative currently at this price range.