JP Vossen on 30 Jan 2016 13:21:20 -0800


Re: [PLUG] Time Warner and Linode report possible password breaches

Linode after action report:

On 01/07/2016 01:29 PM, JP Vossen wrote:
Yeah, what Brent said.  More inline.

On 01/07/2016 12:57 PM, brent timothy saner wrote:

On 01/07/2016 12:18 PM, Doug Stewart wrote:
Based on what I've read, it's really bad. Looks like maybe a former
employee either is directly responsible or perhaps sold off login
credentials to malicious third parties who have been targeting the
Linode Manager in particular with the DDoS to make it even harder for
Linode customers to process their password resets.

We're looking to get any of our gear that's on Linode off.

HN thread, so take it with a grain of salt, but

Yeah, I don't trust a word from HackerNews. Everyone in InfoSec knows
they're a bunch of jokes. Trust their accuracy as much as you would The
Guardian, Daily World News, etc. (I'm still convinced it's secretly an
attempt at a security professional's The Onion, but I digress.)


I do, however, have a long-standing personal friendship with several
current Linode employees. The "PR-spun" post at
is as transparent as can be without revealing more information than
you'd need. To answer your specific question, the passwords are salted
and hashed well.

Personally, I love and support Linode. They try hard. I'm not bothered
by this notice. Why? Because *they caught it* and *are responding to it*
and *alerted customers to it*, and *are enforcing password rotations to
customers even though it's not necessary*. Why?

Yes, they try very hard and are as transparent as possible.


In other words, I'm infinitely more happy to find out about a compromise
from a blog post and/or email from my provider than finding out about it
via a pastebin dump.

I'm surprised any of this is "news" to this group, else I'd have said
something days ago.  They've been under DDoS since late December, and
that (and the password issue) have both been on Slashdot.  The DDoS has
significantly affected my Linode server (in Atlanta), which affects my
web site, DNS and the only actually important part, my mail relay.  I've
had huge amounts of spam from my Nagios monitoring, and some of their
mitigation has affected that monitoring (I can't ping my node's upstream
default gateway anymore).  I know other PLUG-ers have Linodes so I
figured everyone who needed to know already knew.

Coincidentally, I had a FiOS DHCP change and when I updated DNS the
change only propagated to some of their servers.  That led to even more
mail relay problems that were tricky to track down until I noticed the
IPA discrepancy (some new, some old).

Does all of this bug me?  Yes.  Is it Linode's fault?  I don't think so,
because *everything* else that I've seen that I have any kind of clue
about they have done Right.  I have no reason to think they did
*everything* else right *except* the magical things that led to these
current problems.  And as noted they have always been very transparent
about everything else.

So they are getting screwed by some bad actor, (former) employee or not,
and they are taking all kinds of steps to mitigate it now and for the
future.  (It is an arms race, after all.)  I'm not going to leave, but I
admit I have more flexibility and tolerance for issues than other folks,
so no judgment.

From what I've heard from actual current Linode employees, it really
isn't all that bad and the accounts that were compromised were not
practicing good security measures. And I trust them, because these are
people I've gotten drunk with before and know fairly well. But of
course, let's all buy into media frenzy, by all means.

I also feel sorry for all the Linode folks that have been working 24x7
on all of this since mid-late December and missed the holidays.

--  -------------------------------------------------------------------
JP Vossen, CISSP | |
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --