Linode Hacked, Credit Cards and Passwords Leaked

An anonymous reader writes "On Friday Linode announced a precautionary password reset due to an attack despite claiming that they were not compromised. The attacker has claimed otherwise, claiming to have obtained card numbers and password hashes. Password hashes, source code fragments and directory listings have been released as proof. Linode has yet to comment on or deny these claims."

Oh FFS

[kernelpanicked]

Linode hacked again!? Seriously, for the premium they're charging, beefing up security might do well to be added to their todo list.

Re:Oh FFS

There isn't a service on the internet that is un-hackable. You're a moron to think otherwise. Besides it looks like the breach was beyond their direct control and was a flaw in cold fusion.

Re:Oh FFS

There isn't a service on the internet that is un-hackable. You're a moron to think otherwise. Besides it looks like the breach was beyond their direct control and was a flaw in cold fusion.

Shut up M$ shill. Linux can't be hacked. Only Windows has the swiss-cheese security model that you talk about.
Linux is inherently secure due to its Unix and POSIX heritage.

Re:Oh FFS

[Dunbal]

Actually Windows is a tough nut to crack also, nowadays. Most patches nowadays are for exploits that require local access to the machine. Of course Flash is another issue entirely...

Re:Oh FFS

The fact that Flash can open kernel exploits is facepalm fail. Your spin doesn't work here, shill. Go tell Ballmer to go fuck himself.

Re:Oh FFS

Besides it looks like the breach was beyond their direct control and was a flaw in cold fusion.

Except ryan_ in the chatlogs (which you obviously didn't bother to read) stated that Linode has set up their ColdFusion environment in a very insecure way. They apparently don't follow best practices. Not saying ColdFusion isn't shit, but it's still Linode's fault.

Re:Oh FFS

[gl4ss]

There isn't a service on the internet that is un-hackable. You're a moron to think otherwise. Besides it looks like the breach was beyond their direct control and was a flaw in cold fusion.

it wasn't their fault for using cold fusion? "Get a server running in seconds with your choice of Linux distro, resources, and node location.
Servers on demand. Support that cares." for all the LINUX YEEHAA!!! you'd think that they could have gone with something else..

Re:Oh FFS

*FACEPALM*

Re:Oh FFS

Well looks like Anonymous or the Russian youth is at it again....,

Re:Oh FFS

[SteveSommers]

Based on the limited information released, I'm not sure how anyone could make the claim "was beyond their direct control and was a flaw in cold fusion." I use ColdFusion everyday and most of the "vulnerabilities" reported can be avoided by using best practices -- the biggest being to remap the CFIDE directory to an empty directory and then add a virtual SCRIPTS directory under it pointing it back to the original CFIDE/SCRIPTS location. This one best practice prevents 99+% or the ColdFusion vulnerabilities. Most likely, preventing the breach was in their control.

Re:Oh FFS

[SteveSommers]

...Linux can't be hacked.

@Anonymous Coward, With this statement alone you lost any and all credibility you might have had.

Re:Oh FFS

Shut the fuck up, Micro$hill.

Re:Oh FFS

Shut the fuck up, Micro$hill.

@Anonymous Coward, With this $ alone you lost any and all credibility you might have had.

Re:Oh FFS

Here's the post from the 2010 Linode hacking.

Re:Oh FFS

Is it a crappily-written web app that was hacked, or are they using a widely-adopted web app framework? Seriously, I'm concerned about this since I'm planning my own web app and I have no idea how hacker-resistant it is or needs to be.

Re:Oh FFS

LAWL COLDFUSION... noobs.

Re:Oh FFS

If you "have no idea how hacker-resistant it is or needs to be" then GTFO.

You are qualified to be writing anything. Get a job at walmart where you can't do any damage.

I bet your dumb ass is planning to use PHP lawl

Nonsense

But Linux is impenetrable to hacking. This sounds like M$ FUD to me.

Re:Nonsense

[cheater512]

ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.

Re:Nonsense

ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.

Your friends at Adobe published a lockdown guide that Linode ignored and patched this exploit months ago (also ignored by Linode) Adobe has done their part, but they can't force admins to secure their servers properly and install patches.

Re:Nonsense

Yeah, and there's nothing stopping Linode from dropping a product that insecure. It hasn't stopped any of us.

Try and apologize it away all you want but they're at fault here as well.

Re:Nonsense

ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.

But this is still all microsoft's fault yeah? I mean come on, this is slashdot, it's always microsoft's fault, they probably did this through some shell company that contracted adobe to put a security hole in there so they could hack linode and then get their thousands of paid shills on forums to tell everyone how bad linux is...so yeah it must be microsoft.

Re:Nonsense

Oh, I'm not defending Linode. I'm simply pointing out that ColdFusion is not an inherently insecure product. I've used it for over a decade with no issue. Linode neglected to follow best practices and they also failed to stay patched. You can't blame Adobe for either of those. Why drop a productive platform when all you need is to configure correctly and stay patched? Of course, their crypto snafus are also equally damning. If this is how they wrote their CFML, imagine what they'd do with PHP.

Re: Nonsense

Eric Raymond, please go.

Re:Nonsense

[drinkypoo]

Why drop a productive platform when all you need is to configure correctly and stay patched?

Good question. What does it have to do with this case? They're using ColdFusion.

Re:Nonsense

> I've used it for over a decade with no issue.

Yeah, it's so secure several security firms won't even vouch for a machine running it AFTER it's been installed with best practices and gone over by their best people.

You don't know you've been hacked or your sites are so low profile no one cares.

Almost signed up Friday morning, too...

[NitzJaaron]

I'd just finished doing a week of research for a VPS and was literally going to sign up for Linode Friday AM when Dreamhost woo'ed me with a better deal. Geez.

Re:Almost signed up Friday morning, too...

Dreamhost

Out of the frying pan...

Well, at least Dreamhost is pretty open about when they fuck up.

Re:Almost signed up Friday morning, too...

As if Dreamhost has never been 'hacked'.

I have my minor gripes about Linode although I can't really complain about the service and I'm doubtful the security is any worse than any other large company. Linode is HUGE. It's the place to get VPS. They are fairly reasonable even if it is like talking to a brick wall where issues like DMCA notices are concerned. They don't just shut down your Linode if they receive a notice. They actually give you time to respond.

Re:Almost signed up Friday morning, too...

Just remember that just because a provider is quiet doesn't mean they're not getting pwned three ways from Sunday.

Re:Almost signed up Friday morning, too...

[NitzJaaron]

I've used them for shared hosting for years, and it's been a hell of a frustration. That said, however, their VPS service actually has a good record. For the discounted price they offered me (based on the absolutely horrific service for the last few months) I couldn't refuse. It was a really good deal.

Re:Almost signed up Friday morning, too...

Yeah, yeah, every hosting service on the planet is teh worstest host evar, we know, we know...

Re:Almost signed up Friday morning, too...

I've used dreamhost for over 7 year and aside from some random down time maybe once or twice a year, I have no real complaints considering how little I pay them.

Re:Almost signed up Friday morning, too...

[vegge]

I'd just finished doing a week of research for a VPS and was literally going to sign up for Linode Friday AM when Dreamhost woo'ed me with a better deal. Geez.

I you don't mind my asking, who were your top candidates, besides Linode? Did any service really impress, in terms of security and stability?

Re:Almost signed up Friday morning, too...

[cheater512]

Wait you'd continue using a host that gives you horrific service?
I hope guaranteed support times were in the deal.

Re:Almost signed up Friday morning, too...

Random downtime once or twice a year. Must be a real serious business web site. What a recommendation!

Re:Almost signed up Friday morning, too...

[petermgreen]

Dunno about their VPS service but for a few months* we were using a dedicated server from them for raspbian and we had "fun" with it. It seems they have some management crap installed and if you try and customise the server (specifically in our case we wanted nginx rather than apache) it's easy to break it and render the machine unable to boot and bring up networking. Dreamhost support were able to bring the machine up manually but the only fix they could offer was a reimage (which we declined).

Amusingly we managed to fix it ourselves, turned out the only thing missing that their management software needed to successfully boot the system was one symlink.

* Between when we opened the repository to the public and when we got donated hosting from bytemark.

Re:Almost signed up Friday morning, too...

i hear godaddy has a nice sitebuilder!

Happy Tax Day!

Gosh, 4/15 already. I hope you're one of the lucky 49% that gets to pay taxes. Me, I paid $20,000. What's your fair share?

Re:Happy Tax Day!

[ewieling]

Gosh, 4/15 already. I hope you're one of the lucky 49% that gets to pay taxes. Me, I paid $20,000. What's your fair share?

A raw amount doesn't mean much. What PERCENT of your income did you pay in taxes?

Re:Happy Tax Day!

[DocSavage64109]

Gosh, 4/15 already. I hope you're one of the lucky 49% that gets to pay taxes. Me, I paid $20,000. What's your fair share?

A raw amount doesn't mean much. What PERCENT of your income did you pay in taxes?

Or even better, how much cash does he have to live on after paying taxes?

Re:Happy Tax Day!

Gosh, 4/15 already. I hope you're one of the lucky 49% that gets to pay taxes. Me, I paid $20,000. What's your fair share?

15% of your mom.

Or, about a dollar fifty.

Sincerely,

Welfare Wrob

Re:Happy Tax Day!

Or even better: what fraction of the country's budget did you pay? More than total_expenses/population, or less? That's a lot more relevant and important than percentage of income, and as close as possible to any meaningful measurement of what everyone's fair share is.

If my buddy and I spend $36 at a bar, ideally we ought to just be paying for our individual drinks. If keeping track of that (did I have more beers, or did you?) is too much of a pain in the ass, then splitting it 50/50 is best. Or I get it this time, you get it next time (50/50 over time). But fair share is never computed with some kind of how-much-does-someone make term in it. Suppose I make $35k/yr and my buddy makes $70k. Does that mean I should pay 1/3? That would be insane. No? Am I wrong about what's fair?

I don't think fairness is something we want to talk about. We should talk about the law, which isn't intended to be fair; it's intended to generate sufficient revenue, based on what harm each person is able to sustain. And from that we get income tax, rather than some kind of fairness-based per-capita tax. The more income you have, the more harm you can unfairly sustain. That is reasonable. We agree the harm is bad, we just don't quite agree on how much there should be, to balance the harms of anarchy.

Re:Happy Tax Day!

Raw amounts mean everything. That's how we pay for stuff. No one gets paid in percentages.

Imagine the government giving a contractor a check that says "50% of John Doe's 2012 AGI" (When John Doe makes $100,000 a year) and pretending that it's better than a check for "20% of Mitt Romney's 2012 AGI"

I blame Adobe... again.

From the link:
05:05 Hey I can tell you
05:05 exact details of the attack
05:05 manager.linode.com was breached with a coldfusion exploit
05:05 it was compromised for a couple of weeks

Re:I blame Adobe... again.

If it's the exploit that was going around around the New Year and patched by Adobe in January, then I blame them. It was pretty big news in the CF community.

Some more details

[Necroman]

Some details that people have been able to find so far.

1) The guy claimed to have hacked ColdFusion using some 0-day exploit. He could have just been going off this recent Adobe bulletin. But this bulletin was before the Linode announcement, so who knows. http://www.adobe.com/support/security/bulletins/apsb13-10.html

This hotfix resolves a vulnerability that could be exploited to impersonate an authenticated user (CVE-2013-1387).
This hotfix resolves a vulnerability that could be exploited by an unauthorized user to gain access to the ColdFusion administrator console (CVE-2013-1388).

2) One of the files in the directory list that has a unique name is actually accessible on linode.com: http://www.linode.com/y_key_57284cb2de704e02.html

3) Looks like seclists (nmap people) were targeted by this hack: http://seclists.org/nmap-dev/2013/q2/3

4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.

Re:Some more details

[nametaken]

4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.

Yeah all I saw was this:

05:42 [that ryan guy] credit cards were encrypted, sadly both the private and public keys were stored on the webserver so that provides 0 additional security

Though I've been unable to find any specific proof regarding CC#'s. A directory listing for a management console doesn't worry me so much as being able to decrypt cc's.

I guess people will have to wait to hear from linode.

Re:Some more details

[TheRealMindChild]

One reason I like using my credit card... I am not liable for fraudulent charges

Re:Some more details

What? Calm, reasonable analysis of the FACTS?!? What the hell is WRONG with you? There's a lot of really desperate loners out there with axes to grind against this company yet no motivation to do anything about it, and they've been waiting a really long time to jump on to a ragefest like this! There's no time for any of this "logic" or "reason" bullshit of yours, basement dwellers need their EGOS STROKED , and they need them stroked RIGHT NOW!!!!!1!

Re:Some more details

[VeryBest52]

That y_key_ file is a yahoo verification file. It's likely included in some page somewhere. Doesn't mean that they were hacked. Give me an hour to write a web crawler and I can come up with a similar listing. Notice he didn't post any actual proof that linode was hacked.

Re:Some more details

You forgot an obvious one. The were using a fast hash. Had the passwords been bcrypted, or used some other slow hash, a reset would be entirely unnecessary. The most worrying claim to me is that Linode was contacted, knew their was a problem, and sat on it for two weeks.

So-called "Cloud" still not trustworthy

There has to come a point in time where the law holds responsible online providers. Security is a process, not a product. It should be law that ALL companies must audit their code and processes at least twice a year. Look at OpenBSD, for example. Yes, it's an operating system, but they have the almost perfect record they have because of audits. Banks have audits. Companies fall under audit regulations. NIST 800-53 needs to be required of every company doing business on the Internet that holds or processes personal data.

Linode /lin-O-d/ adj.

1. hacked, owned. "My server was linode."
2. predictably incompetent, esp. when at a level that causes laughter.

OVH.ca

[future+assassin]

Fuck VPS when you can get a i3/8GB server for 39 Canadain.

Re:OVH.ca

Sounded promising, until I noticed they do something very suspicious with their IP routing where ICMP (and UDP-based too!) traceroute, as well as classic ICMP ping, get dropped even before making it to the border of their network. I tested this from two different connections: a Comcast residential connection in northern California (gets to San Jose California then gets dropped), and an ARP Networks VPS in southern California (doesn't even get to hop 2). Neither of the two providers I listed off filter ICMP, so this is something OVH is doing (and it's not the first time I've seen someone do it). The destination I was trying to reach was 213.186.33.5. They announce a /19, as tested from route-views:

route-views>show ip route 213.186.33.5
Routing entry for 213.186.32.0/19, supernet
    Known via "bgp 6447", distance 20, metric 0
    Tag 4826, type external
    Last update from 114.31.199.1 1w0d ago
    Routing Descriptor Blocks:
    * 114.31.199.1, from 114.31.199.1, 1w0d ago
            Route metric is 0, traffic share count is 1
            AS Hops 2
            Route tag 4826

Given that when it comes to servers/hosting of any kind, monitoring over the Internet is a necessity, I sure as hell would not trust a "dedicated server" provider who filters ICMP like this.

Re:OVH.ca

With poor pipes

Re:OVH.ca

[philip.paradis]

Lots of providers block ICMP these days. I think it's a dumb practice, because nobody even tries to use ICMP for DDoS attacks anymore, and there are much more effective ways of taking out a host. Some hosts block ICMP because they actually believe doing so is equivalent to some kind of "cloaking" practice, which is worse from the perspective of trusting the host to know the first thing about security.

All this said, trusting ICMP for server monitoring over anything more than a LAN is a questionable practice at best, especially given the lower priority such traffic may be assigned on networks that do permit it. Monitor the services you're hosting instead.

Re:OVH.ca

All this said, trusting ICMP for server monitoring over anything more than a LAN is a questionable practice at best, especially given the lower priority such traffic may be assigned on networks that do permit it. Monitor the services you're hosting instead.

This is awful, awful advice. Monitor a service all you want, it's not going to give you insights, ever, as to why the service became unreachable. This is why periodic mtrs or traceroutes to a destination (across the Internet), and logging that data, greatly helps. I speak from experience here (10 years of working in NOCs). Try explaining to management "why the 'service' was down": "so, all you know is that it became unreachable?" "Derp derp, yep, that's all I know, me simple caveman, know nothing else" "You're fired."

Re:OVH.ca

[philip.paradis]

No, it's not awful advice, but your advice is pretty bad. MTR is a great tool for certain situations, most notably internal troubleshooting as an initial sanity check, but it frequently fails to provide meaningful insights into issues beyond many local networks for exactly the reasons I outlined above. Attempting to appeal to your experience here fails, as mine exceeds yours.

If you're not monitoring services and you don't have access to internal stats for the server (frequently VM these days) hosting the service, including at a minimum memory, disk IO, and CPU utilization, you're poorly equipped to explain most real world outages. When dealing with production environments more complicated than Bob's Blog that gets 100 hits a day, countless examples abound for cases where things in a given network path, including the destination, will happily respond to ICMP while the services you actually care about are flailing about while a server OOMs, runs out of disk on a critical volume, suffers from a badly executed code push from some half ass dev team that takes out a web app, poorly constructed SQL queries take minutes to return data, a marketing campaign succeeds but nobody bothered to tell IT that resources should be scaled up to support increased traffic, etc. Do you actually have any experience with that level of monitoring? Your post suggests you do not, and if I were your employer I'd can you as soon as I discovered that fact. You're espousing an overly simplistic and unreliable means of monitoring IT environments, but please feel free to continue your willful ignorance (read: stupidity) so long as you don't mislead others.

Hashes aren't passwords (unless they're DES)

[raymorris]

Title: "credit cards and pass"
TFS: "hashes of passwords leaked

That's a HUGE difference. Proper hashes of proper passwords may as well be public. It'd take billions of years to crack them. Unless of course Linode is still living in 1972 and using DES hashes, which may as well be plain text.

Linode, if you WERE using DES hashes, call me. We have some work to fo on your susyems. The people who designed your systems clearly aren't knowledgeable enough in security that they can be trusted to fix the problems they created.

Re:Hashes aren't passwords (unless they're DES)

Billions of years to crack sha1 or sha256 or even md5? Uhh, what year did you post this in and have you heard of GPUs? If they weren't salted, rainbow tables would make quick work of them. I'm not sure why you think DES based hashing is the only insecure way they could be storing hashed passwords, but I assure you the statement "proper hashes or proper passwords may as well be public" is beyond absurd.

Re:Hashes aren't passwords (unless they're DES)

[Minupla]

Yes, nobody ever cracks hashes.

http://contest-2012.korelogic.com/stats.html
http://threatpost.ca/en_us/blogs/anatomy-lulzsec-attack-singles-out-web-20-weakness-052312
http://franx47.wordpress.com/2013/01/31/using-hashcat-to-crack-hash-password/

Bottom line - people pick useless passwords. The time required to brute force a hash given that you have a significant number of hashes to play with is sadly trivial. The various defcon contests are proof of this.

Until users start using random passwords, you don't want the bad guys to get a hold of your hash database. Especially if you're not salting.

Min

Re:Hashes aren't passwords (unless they're DES)

[Algae_94]

rainbow tables are only of use if you can store the table on disk. A rainbow table gets quite large quite quickly as the password length increases.

Re:Hashes aren't passwords (unless they're DES)

Allegedly the lish (linode console shell thing I think) passwords were stored in plaintext

Re:Hashes aren't passwords (unless they're DES)

[raymorris]

Here's a "proper hash", as our customers use. have fun trying to crack it!
$5$NhJlA5yUIk62$CC6DlreELmUVwagQqpPsEcZQoihQTCYklQz8y1me/p6

Re:Hashes aren't passwords (unless they're DES)

[jriding]

Password123

Re:Hashes aren't passwords (unless they're DES)

People using simple/less secure passwords are not the fault of the provider/software, It is a problem with the user.

Source?

[jaygridley]

Seems light on proof and heavy on speculation.

Thank gawd

[GrBear]

I'm certainly glad when I was looking for a VPS, Linode was quite a bit more expensive than the one I was recommended. For the price they charge, I'd expect better security.

Re:Thank gawd

[Yosho]

Out of curiosity, who were you recommended? I've got a Linode (1 GB RAM, 8 cores, $20/month) that I use as a small personal server. It's more than powerful enough for my needs, but I shopped around a little bit, and EC2 and Rackspace's low-end offerings were both more expensive than Linode's.

Of course, I've also been pretty happy with Linode's security so far. Note that the summary is wrong; so far there's no reason to believe that any credit card info was leaked, and at worst password hashes were leaked, but not clear passwords.

Re:Thank gawd

hetzner.de

Re:Thank gawd

[Yosho]

Hm... their low-end prices are pretty good, although they only advertise "one CPU" with no indication of how fast that CPU is. And, to be fair, their data center is in Germany, which I've got a 133 ms ping to, as opposed to the 10 ms ping I have to Linode's data centers. I think I'll stick with Linode for now, but I'll keep them in mind to recommend to friends for whom $20/month is too expensive.

Re:Thank gawd

[GrBear]

Sorry for the late reply. I'm using DigitalOcean.

Re:Thank gawd

[GrBear]

I'm using the $40/mon plan, it's speedy enough that I'm running it as a private mail server, minecraft server, mumble server.. and occasionally as a TF2 server.

Re:Thank gawd

nosupportvpshosting.com

Dual Intel Xeon 5620 CPUs
2GB Guaranteed RAM (4GB Burst)
100GB RAID10 Disk Space
5000GB Monthly Bandwidth

$15.00

Of course you can't be a total idiot but if you can log in via SSH and run VirtualMin perl setup script it is easy as hell to configure and manage.

Re:So-called "Cloud" still not trustworthy

[Ambassador+Kosh]

Are you willing to pay higher fees to have that auditing done? What I have seen is that when given a choice a customer chooses the lowest cost option no matter what. They won't pay for security audits and that means if someone else is willing to give up on security they can charge less and you will lose the business.

Capital One - not in my wallet!

[dclozier]

I used to think the same thing until I ended up paying for some charges I didn't make. Capital One's team of investigators concluded that the charges were my responsibility. I've been running Linux on the desktop for over 10 years now so I know it wasn't a trojan or some other malware on my end giving up the card number - it had to be an online service somewere that was hacked. I never found out who or how. I only ended up owing money for iPower Web hosting (would never in a million years use their service to start with), various gourmet coffee that was delivered to my house (ok I do like coffee but still wouldn't have ordered it online), video professor videos on using Microsoft Office (you know, if I should ever go back to Windows this may be handy???) and colon cleanser. WTF? I don't think they really did any investigating - just waited for a bit and then said it was my fault. Capital One offers no protection.

Re:Capital One - not in my wallet!

My card was just compromised last night. For the second time. I'm fairly sure the culprit is the local sushi establishment's website. Both times I was compromised happened shortly after I used their site. And once when I had just gotten the new card I accidentally entered in the wrong information and they had to call. That time there was no compromise. (Also some of the charges were for businesses local to me.)

Mine was an AMEX card. The first time it happened Amazon called me to confirm and I found out that way. Checked and there were a handful of other charges. AMEX reversed them all (except one that was with a vendor with whom I have recurring payments which is still under investigation - but it's definitely not mine - doesn't match any of my bills and it's significantly more than even my highest bill).

The second time, AMEX called me immediately with the first fraudulent charge. That charge never went through.

I really think getting a credit card through your bank may be the way to go, though. At least if you have a reasonable amount of money. If they refuse to reverse charges, they face you packing up the rest of your money and going elsewhere.

Re:Capital One - not in my wallet!

[whoever57]

You need to dump your CC company and get a new one.

My CC has been compromised several times, once for over $3k (plus foreign transaction fees). Every time, my CC company has cancelled every penny of the charges.

I think the source of the compromise was a local gas station that has old pumps that I believe are vulnerable to skimmer installation. Haven't had a problem since I stopped using that gas station.

Re:Capital One - not in my wallet!

[MyHair]

Have to give props to AMEX here. While traveling for a living I apparently got my card skimmed shortly before a flight home Friday. They called me at my connecting airport, we discussed which charges were mine and which weren't. They canceled my card and had a replacement card ready to pick up within a few miles of my house on Saturday so when I flew out Sunday night I had my new card for the rent car and hotel. (It was a corporate card; I don't know if that makes a difference.) I was briefly concerned when the fraudulent charges showed up on my balance on the website, but they took them off again before I started getting antsy about the fraudulent-claim window.

I suppose it might have helped my case that my travel was on the East coast, I live in TX and the fraudulent charges were in CA.

(And btw...traveling for a living sucks!)

Re:Capital One - not in my wallet!

[MaineCoon]

Switch to Chase, they're very good about this. Recently, someone got hold of my CC# and was trying to buy gas with it several states away. They emailed me immediately, and I saw this notification within minutes and called them up. They went over recent charges with me, marked them as fraudulent, then asked me if I saw any other suspicious charges (I spotted one other from 2 weeks before), which they also immediately flagged. Then they closed out the card and sent me new cards via overnight courier, and informed me if when I check my statement if I see any other bad charges to let them know.

Re:Capital One - not in my wallet!

IMHO, that's more a symptom of doing business with a sleazy company than credit cards in general. I use a US Bank branded Visa card and I've been quite impressed with their fraud department. Anytime I make an unusual purchase (e.g. dollar amount, location) they give me a call. I get about one of those calls per year, so it's frequent enough to be comforting but not so common as to be an annoyance. When that payment processor got breached a year or two ago they actually called me a couple hours after a fraudulent charge was made, asked if I made it, reversed it, and issued me a new card within a week. Very low hassle for what could have been a terrible experience, and it was entirely taken care of before I got out of bed.

That said, anecdotes are anecdotes, so YMMV.

Seriously, whats Linode?

[Gothmolly]

What is Linode? Would it kill an editor to include that in TFS?

Re:Seriously, whats Linode?

Slashdot - News for nerds, stuff that matters

If you don't know that Linode is a VPS hosting company (they might call it "cloud" now), this isn't the site for you.

Re:Seriously, whats Linode?

Isn't knowing commercial entities more like News for business people?

Re:Seriously, whats Linode?

Based on TFA and comments here, it seems somewhat crappy. Why would I need to know about it?

Re:Seriously, whats Linode?

Give her a break; it's probably really, really laborious to search Wikipedia when one has bats flying out of ones asshole and around the room.

Take my hand, Gothic Molly... https://en.wikipedia.org/wiki/Linode

Re:Seriously, whats Linode?

Why does a VPS hosting company matter? Seems like entry-level IT stuff. Slashdot always struck me more as a site for engineers and people who do something useful.

Re:Seriously, whats Linode?

WTF is Slashdot coming to? People like "Gothmolly" posting a comment that a six letter google search would've answered with the first hit... Sheesh

point: example for Regulation

[bussdriver]

If you regulate an industry, ALL must do it. There is no cheap alternative because it is mandatory. The free market isn't going to do it because taking the risk is worth pennies to most consumers who are NOT thinking of all the potential risks involved if they even are aware of a couple of the long list of risks.

Making people do something across the board always raising BS opposition but when it is applied uniformly (it usually is) there is no impact on the market (because the added costs are usually too low to matter, especially for large markets.)

Obviously, there are issues of making it FAIR and uniform in this age of global markets and we are not properly addressing these issues because of the propaganda and the resulting dysfunction. Most states lose income from sales tax and regulations because of their interstate commerce limitations. Either fix that or give up and raise revenue by other means.

Oh, BTW, drug lords are "job creators" who are not deterred by a war being waged against their business (can you get more severe than regulating the business is illegal? yeah, you can wage an unconstitutional war against it.) Somebody will want the money bad enough to provide the service to those willing to pay. The only real factor is how many customers will pay what it costs to support the industry. The regulations can be far more severe.

Re:point: example for Regulation

[Etherwalk]

If you regulate an industry, ALL must do it.

Not very familiar with the services section of craigslist or the spousal-support taxless gray market cash economy, I see.

Re:point: example for Regulation

[bussdriver]

Simply because somebody breaks the law is not an argument for not having any law in the 1st place. Now for drugs... a HUGE number of people break the laws and if this were a democracy the representatives would reflect the citizens better.

Most transactions are within the regulated systems and it is not a big deal until a significant number of transactions happen. You do realize food labels were a heavily fought battle or pollution??

Re:point: example for Regulation

[Ambassador+Kosh]

That is what I actually like about engineering. It is a regulated field and you can't just go somewhere else to get something underbid. It is one of the many reasons I am getting out of regular programming. Customers will try to have one part of a project done very cheaply by someone in another country but then when it breaks or never works to begin with they want someone here to fix it but they also want it to be super cheap because that other company in india was able to do it for almost nothing. Programming has become a race to the bottom.

Programming skills though are highly useful in a number of fields. That is why I am moving into the nanotech and biotech markets.

Coincidence... or not.

[angst_ridden_hipster]

Over the weekend, I got a lot of spurious charges on the credit card I use for my Linode account. Charges from several different countries, for various amounts that looked like automated "is this card valid?" type probes. The bank shut it down, but not before I got paged a bunch of times.

Then again, the odds are just as good that a waiter at some restaurant uploaded my number to some IRC channel to get back at me for my guest's order being too complicated or something.

Re:Coincidence... or not.

Yeah, it's probably the Linode leak. Same thing happened to me.

Re:Coincidence... or not.

[Aurix]

My card doesn't appear to have any charges on it. I've sought a new card number anyway. Linode hasn't responded squarely to the allegations in the IRC logs that the decryption/encryption keys to credit cards were stored insecurely.

I said "proper passwords"

I said "proper hashes of proper passwords". You replied "people pick useless passwords". Yeah, if you let them use "password" as their password it'll be cracked. More news at 11:00. That's why I said "proper passwords".

where is it

So where is this so called leak? He claims he was going to post the cc details? Has he?

#linode is now +m

A bit of comment would be nice...

Re:#linode is now +m

Current response (from a chat op, not an official response):

[20:28] <array> i know everyone is frustrated; we're in the exact same boat as you. Linode is the way we make our living -- the same way that you guys invest in our services to make yours. why would we want to jeopardise that by being untruthful/dishonest and risk losing the trust and reputation that we've worked so hard to gain? as soon as that we're in the position to release more information, we will.

Elsewhere in the chat:

[20:35] <HTP> you know, if you all accept my offer, linode won't get repeatedly exploited via the source and 4.7GB of misc traversal.
[20:35] <mercutio> HTP: how much are you charging?
[20:36] <HTP> charging? nothing
[20:36] <mercutio> what's in it for you?
[20:36] <don_> HTP is playing games, not profiting
[20:36] <HTP> we are requesting 'We got owned by HTP' in Linode's blog post

Re:#linode is now +m

Oops, meant to quote this part:

[20:26] <array> to put the speculation to rest: we're not intentionally holding information from you guys in order to hide the fact that there was a breach (let's be honest, we've already made an admission of the intrusion and the evidence provided earlier speaks for itself), it's simply because we're not in the position to release more information at this time.

Re:#linode is now +m

[20:36] we are requesting 'We got owned by HTP' in Linode's blog post

Linode hasn't complied with this modest request. I guess they want to roll the dice again with customer data at stake.

We need a better statement from Linode

I got the email. It's not enough.

I realize that nobody can or should waste their breath every time someone runs their mouth off on IRC. But for better or worse, this guy is indirectly being quoted on Slashdot. Someone called you out, and it's IN PUBLIC now. Linode needs to either admit or rebut some of the claims "ryan" made, above and beyond the mere fact that a Lish compromise happened.

My monthly emails of the bills only go back to 2007 but I think I've been using Linode since 2004. Not sure. But as much as I want to give them the benefit of the doubt, the lack of comments on specifics, reads like an admission that this "ryan" guy is telling it like it is. Linode, really, you don't want me thinking that. It's been a reliable monthly payment for an almost wastefully-underused VPS, going back literally so many years that I can't remember. Don't let it end like this, with your silence.

Re:We need a better statement from Linode

Even with the hack, I still feel giddy over Linode's recent upgrades. I have more bandwidth than I know what to do with.

No but the LISH passwords are stored in plain text

[Mr0bvious]

According to the linked chat log Linode is storing the lish passwords in plain text!!

I'd suggest you at least change your lish password...

This saddens me a lot, I had much more faith in Linode and make me look like a fool for recently recommending them to others.

I really wish Linode would come forward with the whole facts on this saga, and let us users know what has really been exposed/compromised.

Well it does say...

"Full ssh and root access" in the features list

Re:Well it does say...

You're so mean. :-)

Statement from Linode

[lbbros]

http://blog.linode.com/2013/04/16/security-incident-update/ However I'm not knowledgeable enough wrt security to say if it's just damage control or not.

Someone still uses ColdFusion?

I haven't seen ColdFusion mentioned since the early 2000s - people still use it? I thought it had joined CORBA and MicroFocus COBOL in the museum of obsolete technologies from the 90s.

Comments...

Looks like they've frozen the comments for the breach notification (http://blog.linode.com/2013/04/12/security-notice-linode-manager-password-reset/) -- still no updates from Linode -- Customer Service Fail -- Oh, how I miss Slicehost :(

Why?

Why is Linode storing credit card numbers anyway?

With FastSpring, Amazon, PayPal, and all the banks offering payment services rolling your own solution is just inviting trouble.

Linode is overpriced anyway.

Fuck them