brent timothy saner on 7 Jan 2016 10:04:37 -0800 |
Re: [PLUG] Time Warner and Linode report possible password breaches |
On 01/07/2016 12:18 PM, Doug Stewart wrote:
> Based on what I've read, it's really bad. Looks like maybe a former
> employee either is directly responsible or perhaps sold off login
> credentials to malicious third parties who have been targeting the
> Linode Manager in particular with the DDoS to make it even harder for
> Linode customers to process their password resets.
>
> We're looking to get any of our gear that's on Linode off.
>
> HN thread, so take it with a grain of salt, but
>

Yeah, I don't trust a word from HackerNews. Everyone in InfoSec knows they're a bunch of jokes. Trust their accuracy as much as you would The Guardian, Daily World News, etc. (I'm still convinced it's secretly an attempt at a security professional's The Onion, but I digress.)

I do, however, have a long-standing personal friendship with several current Linode employees. The "PR-spun" post at https://blog.linode.com/2016/01/05/security-notification-and-linode-manager-password-reset/ is as transparent as can be without revealing more information than you'd need. To answer your specific question, the passwords are salted and hashed well.

Personally, I love and support Linode. They try hard. I'm not bothered by this notice. Why? Because *they caught it* and *are responding to it* and *alerted customers to it*, and *are enforcing password rotations to customers even though it's not necessary*. Why? Because all those items I list above 90+% of providers *don't even do*. You'll be incredibly hard-pressed to find another provider that does ALL of those things.

No company is bulletproof; to assume otherwise is pure foolhardiness. (Granted, that doesn't mean one ought to not try, and like I said, Linode certainly does.) What matters more is your post-compromise plan, and Linode has one.
I'd much rather my provider catch an intrusion, announce it, take measures ensuring further damage isn't done, and perform detailed incident analysis than a company that tried to maintain a false image. In other words, I'm infinitely more happy to find out about a compromise from a blog post and/or email from my provider than finding out about it via a pastebin dump.

From what I've heard from actual current Linode employees, it really isn't all that bad, and the accounts that were compromised were not practicing good security measures. And I trust them, because these are people I've gotten drunk with before and know fairly well.

But of course, let's all buy into media frenzy, by all means.

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug