brent timothy saner on 7 Jan 2016 10:04:37 -0800


Re: [PLUG] Time Warner and Linode report possible password breaches


On 01/07/2016 12:18 PM, Doug Stewart wrote:
> Based on what I've read, it's really bad. Looks like maybe a former
> employee either is directly responsible or perhaps sold off login
> credentials to malicious third parties who have been targeting the
> Linode Manager in particular with the DDoS to make it even harder for
> Linode customers to process their password resets.
> We're looking to get any of our gear that's on Linode off.
> HN thread, so take it with a grain of salt, but

Yeah, I don't trust a word from HackerNews. Everyone in InfoSec knows
they're a bunch of jokes. Trust their accuracy as much as you would The
Guardian, Daily World News, etc. (I'm still convinced it's secretly an
attempt at a security professional's The Onion, but I digress.)

I do, however, have a long-standing personal friendship with several
current Linode employees. The "PR-spun" post at
is as transparent as can be without revealing more information than
you'd need. To answer your specific question, the passwords are salted
and hashed well.

Personally, I love and support Linode. They try hard. I'm not bothered
by this notice. Why? Because *they caught it* and *are responding to it*
and *alerted customers to it*, and *are enforcing password rotations to
customers even though it's not necessary*. Why?

Because all those items I list above 90+% of providers *don't even do*.
You'll be incredibly hard-pressed to find another provider that does ALL
of those things. No company is bulletproof; to assume otherwise is pure
foolhardiness. (Granted, that doesn't mean one ought to not try, and
like I said- Linode certainly does.) What matters more is your
post-compromise plan, and Linode has one. I'd much rather my provider
catch an intrusion, announce it, and take measures ensuring further
damage isn't done and perform detailed incident analysis than a company
that tried to maintain a false image.

In other words, I'm infinitely more happy to find out about a compromise
from a blog post and/or email from my provider than finding out about it
via a pastebin dump.

From what I've heard from actual current Linode employees, it really
isn't all that bad and the accounts that were compromised were not
practicing good security measures. And I trust them, because these are
people I've gotten drunk with before and know fairly well. But of
course, let's all buy into media frenzy, by all means.


Philadelphia Linux Users Group