Linode Hacked, Credit Cards and Passwords Leaked
An anonymous reader writes "On Friday Linode announced a precautionary password reset due to an attack despite claiming that they were not compromised. The attacker has claimed otherwise, claiming to have obtained card numbers and password hashes. Password hashes, source code fragments and directory listings have been released as proof. Linode has yet to comment on or deny these claims."
Linode hacked again!? Seriously, for the premium they're charging, beefing up security might do well to be added to their todo list.
I'd just finished doing a week of research for a VPS and was literally going to sign up for Linode Friday AM when Dreamhost woo'ed me with a better deal. Geez.
From the link:
05:05 Hey I can tell you
05:05 exact details of the attack
05:05 manager.linode.com was breached with a coldfusion exploit
05:05 it was compromised for a couple of weeks
Some details that people have been able to find so far.
1) The guy claimed to have hacked ColdFusion using some 0-day exploit. He could have just been going off this recent Adobe bulletin. But this bulletin was before the Linode announcement, so who knows. http://www.adobe.com/support/security/bulletins/apsb13-10.html
2) One of the files in the directory list that has a unique name is actually accessible on linode.com: http://www.linode.com/y_key_57284cb2de704e02.html
3) Looks like seclists (nmap people) were targeted by this hack: http://seclists.org/nmap-dev/2013/q2/3
4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.
It's not what it is, it's something else.
A raw amount doesn't mean much. What PERCENT of your income did you pay in taxes?
I really shouldn't have used someone else's email address for this account.
> A raw amount doesn't mean much. What PERCENT of your income did you pay in taxes?
Or even better, how much cash does he have to live on after paying taxes?
There has to come a point in time where the law holds responsible online providers. Security is a process, not a product. It should be law that ALL companies must audit their code and processes at least twice a year. Look at OpenBSD, for example. Yes, it's an operating system, but they have the almost perfect record they have because of audits. Banks have audits. Companies fall under audit regulations. NIST 800-53 needs to be required of every company doing business on the Internet that holds or processes personal data.
ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.
Fuck VPS when you can get an i3/8GB server for 39 Canadian.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Title: "credit cards and pass"
TFS: "hashes of passwords leaked"
That's a HUGE difference. Proper hashes of proper passwords may as well be public. It'd take billions of years to crack them. Unless of course Linode is still living in 1972 and using DES hashes, which may as well be plain text.
Linode, if you WERE using DES hashes, call me. We have some work to do on your systems. The people who designed your systems clearly aren't knowledgeable enough in security that they can be trusted to fix the problems they created.
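For readers wondering what "proper hashes" means in practice, here is an added illustration, not code from this thread, from Linode, or from any Linode system: a per-user random salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library), a self-describing storage record so the work factor can be raised later, and a constant-time comparison on verification. The record layout (`algorithm$iterations$salt$digest`) and the iteration count are assumptions chosen for the example, not anyone's production settings.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# Policy values chosen for this example (constructed, not any provider's settings).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # current minimum work factor for newly stored passwords
SALT_BYTES = 16           # 128-bit random salt, unique per stored password
DIGEST_BYTES = 32         # output length of the derived key


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, for compact records."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; raises binascii.Error on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a record of the form algorithm$iterations$salt$digest.

    A fresh random salt per password means two users with the same password
    get different records, and a precomputed table is useless against the dump.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_BYTES)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the record's own salt and work factor.

    Any malformed or foreign record verifies as False rather than raising,
    so a corrupted row cannot turn into a login bypass or a crash.
    """
    try:
        algorithm, iterations_text, salt_text, digest_text = stored.split("$")
        iterations = int(iterations_text)
        salt = _unb64(salt_text)
        expected = _unb64(digest_text)
    except (ValueError, binascii.Error):
        return False
    if algorithm != ALGORITHM or iterations < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    # Constant-time comparison: timing must not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a record is below current policy and should be upgraded
    transparently on the user's next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", record))
    print("needs rehash under current policy:", needs_rehash(record))
```

Because the iteration count travels with the record, a defender can raise `ITERATIONS` as hardware gets faster and let `needs_rehash` flag old rows for re-hashing at login, which is the maintenance step that keeps a leaked table expensive to attack years after it was written.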
> ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.
Your friends at Adobe published a lockdown guide that Linode ignored and patched this exploit months ago (also ignored by Linode). Adobe has done their part, but they can't force admins to secure their servers properly and install patches.
Seems light on proof and heavy on speculation.
I'm certainly glad when I was looking for a VPS, Linode was quite a bit more expensive than the one I was recommended. For the price they charge, I'd expect better security.
Yeah, and there's nothing stopping Linode from dropping a product that insecure. It hasn't stopped any of us.
Try and apologize it away all you want but they're at fault here as well.
Or even better: what fraction of the country's budget did you pay? More than total_expenses/population, or less? That's a lot more relevant and important than percentage of income, and as close as possible to any meaningful measurement of what everyone's fair share is.
If my buddy and I spend $36 at a bar, ideally we ought to just be paying for our individual drinks. If keeping track of that (did I have more beers, or did you?) is too much of a pain in the ass, then splitting it 50/50 is best. Or I get it this time, you get it next time (50/50 over time). But fair share is never computed with some kind of how-much-does-someone make term in it. Suppose I make $35k/yr and my buddy makes $70k. Does that mean I should pay 1/3? That would be insane. No? Am I wrong about what's fair?
I don't think fairness is something we want to talk about. We should talk about the law, which isn't intended to be fair; it's intended to generate sufficient revenue, based on what harm each person is able to sustain. And from that we get income tax, rather than some kind of fairness-based per-capita tax. The more income you have, the more harm you can unfairly sustain. That is reasonable. We agree the harm is bad, we just don't quite agree on how much there should be, to balance the harms of anarchy.
Are you willing to pay higher fees to have that auditing done? What I have seen is that when given a choice a customer chooses the lowest cost option no matter what. They won't pay for security audits and that means if someone else is willing to give up on security they can charge less and you will lose the business.
> ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.
But this is still all microsoft's fault yeah? I mean come on, this is slashdot, it's always microsoft's fault, they probably did this through some shell company that contracted adobe to put a security hole in there so they could hack linode and then get their thousands of paid shills on forums to tell everyone how bad linux is...so yeah it must be microsoft.
I used to think the same thing until I ended up paying for some charges I didn't make. Capital One's team of investigators concluded that the charges were my responsibility. I've been running Linux on the desktop for over 10 years now so I know it wasn't a trojan or some other malware on my end giving up the card number - it had to be an online service somewhere that was hacked. I never found out who or how. I only ended up owing money for iPower Web hosting (would never in a million years use their service to start with), various gourmet coffee that was delivered to my house (ok I do like coffee but still wouldn't have ordered it online), Video Professor videos on using Microsoft Office (you know, if I should ever go back to Windows this may be handy???) and colon cleanser. WTF? I don't think they really did any investigating - just waited for a bit and then said it was my fault. Capital One offers no protection.
Oh, I'm not defending Linode. I'm simply pointing out that ColdFusion is not an inherently insecure product. I've used it for over a decade with no issue. Linode neglected to follow best practices and they also failed to stay patched. You can't blame Adobe for either of those. Why drop a productive platform when all you need is to configure correctly and stay patched? Of course, their crypto snafus are also equally damning. If this is how they wrote their CFML, imagine what they'd do with PHP.
What is Linode? Would it kill an editor to include that in TFS?
> Why drop a productive platform when all you need is to configure correctly and stay patched?
Good question. What does it have to do with this case? They're using ColdFusion.
If you regulate an industry, ALL must do it. There is no cheap alternative because it is mandatory. The free market isn't going to do it because taking the risk is worth pennies to most consumers who are NOT thinking of all the potential risks involved if they even are aware of a couple of the long list of risks.
Making people do something across the board always raises BS opposition, but when it is applied uniformly (it usually is) there is no impact on the market (because the added costs are usually too low to matter, especially for large markets.)
Obviously, there are issues of making it FAIR and uniform in this age of global markets and we are not properly addressing these issues because of the propaganda and the resulting dysfunction. Most states lose income from sales tax and regulations because of their interstate commerce limitations. Either fix that or give up and raise revenue by other means.
Oh, BTW, drug lords are "job creators" who are not deterred by a war being waged against their business (can you get more severe than regulating the business is illegal? yeah, you can wage an unconstitutional war against it.) Somebody will want the money bad enough to provide the service to those willing to pay. The only real factor is how many customers will pay what it costs to support the industry. The regulations can be far more severe.
Over the weekend, I got a lot of spurious charges on the credit card I use for my Linode account. Charges from several different countries, for various amounts that looked like automated "is this card valid?" type probes. The bank shut it down, but not before I got paged a bunch of times.
Then again, the odds are just as good that a waiter at some restaurant uploaded my number to some IRC channel to get back at me for my guest's order being too complicated or something.
I said "proper hashes of proper passwords". You replied "people pick useless passwords". Yeah, if you let them use "password" as their password it'll be cracked. More news at 11:00. That's why I said "proper passwords".
So where is this so called leak? He claims he was going to post the cc details? Has he?
A bit of comment would be nice...
I got the email. It's not enough.
I realize that nobody can or should waste their breath every time someone runs their mouth off on IRC. But for better or worse, this guy is indirectly being quoted on Slashdot. Someone called you out, and it's IN PUBLIC now. Linode needs to either admit or rebut some of the claims "ryan" made, above and beyond the mere fact that a Lish compromise happened.
My monthly emails of the bills only go back to 2007 but I think I've been using Linode since 2004. Not sure. But as much as I want to give them the benefit of the doubt, the lack of comments on specifics reads like an admission that this "ryan" guy is telling it like it is. Linode, really, you don't want me thinking that. It's been a reliable monthly payment for an almost wastefully-underused VPS, going back literally so many years that I can't remember. Don't let it end like this, with your silence.
According to the linked chat log Linode is storing the lish passwords in plain text!!
I'd suggest you at least change your lish password...
This saddens me a lot; I had much more faith in Linode, and it makes me look like a fool for recently recommending them to others.
I really wish Linode would come forward with the whole facts on this saga, and let us users know what has really been exposed/compromised.
"Full ssh and root access" in the features list
> I've used it for over a decade with no issue.
Yeah, it's so secure several security firms won't even vouch for a machine running it AFTER it's been installed with best practices and gone over by their best people.
You don't know you've been hacked or your sites are so low profile no one cares.
http://blog.linode.com/2013/04/16/security-incident-update/ However I'm not knowledgeable enough wrt security to say if it's just damage control or not.
Raw amounts mean everything. That's how we pay for stuff. No one gets paid in percentages.
Imagine the government giving a contractor a check that says "50% of John Doe's 2012 AGI" (When John Doe makes $100,000 a year) and pretending that it's better than a check for "20% of Mitt Romney's 2012 AGI"
I haven't seen ColdFusion mentioned since the early 2000s - people still use it? I thought it had joined CORBA and MicroFocus COBOL in the museum of obsolete technologies from the 90s.
Looks like they've frozen the comments for the breach notification (http://blog.linode.com/2013/04/12/security-notice-linode-manager-password-reset/) -- still no updates from Linode -- Customer Service Fail -- Oh, how I miss Slicehost :(
Why is Linode storing credit card numbers anyway?
With FastSpring, Amazon, PayPal, and all the banks offering payment services rolling your own solution is just inviting trouble.
Linode is overpriced anyway.
Fuck them