1. 25

Looks like Linode was (potentially) compromised after a DDoS attack. They are taking some percautions, as a result.


  2. 15

    The YC News comments are kind of incredible. Don’t miss a comment from ‘TheSwordsman’ about how PagerDuty believes this is how they were compromised all the way back in July. The commenter ‘ryanlol’, convicted of hacking Linode, also makes some entertaining reading.

    1. 4

      Similar thread on reddit also with customers & eager linode staff.

      I’m waiting to see how they handle the post mortem. I have a hunch I will be migrating 4 servers as soon as this ends

      1. 2

        “This is at least the fifth time I can count that linode has been hacked, really? Maybe it’s time to ditch that coldfusion stack?”

        1. 3

          And someone claiming to be an employee pipes up to say they’re rewriting the Linode admin site in Python, but it sure sounds like that’s the tip of the iceberg for security practices that need improvement.

        2. 0

          I wish I didn’t have to work :(

        3. 4

          I’m a Linode customer. I am definitely sticking with Linode after this incident; they’re going to be extra careful from now on - more careful than vendors without recent security incidents.

          1. 12

            That’s the fifth time this happened to them. How careful do you expect them to get? There is also a claim that the hack happened in July and was only now disclosed. DDoS is the least problem here.

          2. [Comment removed by author]

            1. 3

              I like Digital Ocean and RamNode for more consistent results.

              If you don’t mind rolling some dice on VPS providers, I’ve found http://lowendbox.com to be an excellent collection of sales. Some are newer companies (and part of the recent changes is highlighting them) and so are untested, but quite a few are from companies 5+ years old. The prices are usually pretty good, too, if you don’t mind the limitations from many providers choosing OpenVZ.

              1. 2

                I’ve had good experiences with both Amazon and Google.

                At the time I moved from Linode to EC2, the latter had more features related to volume management. Of course, Amazon also adds things a lot more slowly, so that isn’t a clear win. I do very much prefer the a-la-carte pricing model where resources are separated out instead of sold in bundles. Selling bandwidth, disk, RAM, and CPU as a single price plan is always more expensive because most workloads don’t need all of those…

                I’d like to check whether Linode still sells only bundles, since if they don’t that comment is irrelevant. But I guess they’re being DDoSed right now.

                The conversation seems to usually be about providers other than the two massive ones; I suppose that means most people have different priorities than I do. Perhaps customer service? But I can only offer my own perspective.

                  1. 2

                    Vultr’s network isn’t great - I tried hosting a Quake server and it was unplayable. It’s been fine other than that though.

                    1. 2

                      I can second Vultr. Using them for almost an year now for my private OpenBSD mail/blog/owncloud/fun server. They have amazingly responsive support staff (talking sub 10 m responses to all support tickets). So far I’m really happy and that’s where we will be moving our business after this linode event.

                      1. 2

                        I’ve been using Vultr for a year now. They’ve had a few outages in that time (some minutes of downtime for my VM). Right now my box is experiencing DHCP failure (the DHCP server gives it the wrong IP). This problem isn’t reported anywhere on Vultr’s status page or the VM status panel. I had to leave a support ticket to find out it’s not a problem on my end.

                      2. 2

                        Honestly, if you’re not expecting traffic, host it yourself - I built a server, (not even server grade HW - just a Pentium G3220) slapped ESXi on it, and have as many VPSes it can handle, right at home on your home internet.

                      3. 1

                        sigh Well, this was a good impetus to fully delete an account I’d forgotten I had until I got their email. I didn’t really expect anyone would have spun up resources on my account, or anything, given that the data held by large customers is a much more tempting target. But it was a relief to see nobody had.

                        I’m not sure there’s actually a lot to discuss about this, though. It’s disappointing.

                        1. 1

                          Well, about time I change my habits.

                          Don’t have 2FA enabled for manager. .

                          1. 1

                            2FA secret keys were allegedly compromised as well, so in this case that wouldn’t have helped.