Do they still store public/private keys on the same server? How often are they doing security audits (which clearly never happened before)? Are they still going to be dodgy and withhold key information from their users? Are users still going to find out about hacks from IRC/Reddit rather than Linode itself?
Two factor authentication would have done NOTHING to prevent both hacking attempts.
I hope their silence on the aftermath is due to an ongoing investigation with feds, or something, where they can't talk about it yet. Do they think their customers are stupid and will forget the incident?
Imagine if AWS had a security breach of that magnitude. They would release an initial 4000 word blog post in grave technical detail, and then follow up with a 25 page white paper, or whatever.
Oh, and to stay on topic, I tried Linode's 2-factor with Google Authenticator and it works well.
Do they think their customers are stupid and will forget the incident?
Yes. They have done it before and people on here still recommend them with a straight face. It honestly confuses me that people care so little about security.

As phrased, this is not a problem - there's never any worry about including your public key wherever you have your private key; your attacker can be assumed to have your public key anyway if it'll do them any good.
The problem was private keys (encrypting important things!) on a web-accessible server, was my understanding.
Nice, but has nothing to do with the issues they experienced recently: still runs on ColdFusion, still they do not understand PKI (more tweets about how awesome the passphrase is on your private key, you know, the one in adversarial hands... confidence +10!....)
But what makes you think its competitors are any better?
Security issues will happen with any provider it is all in how a provider communicates and remediates those issues. Linode has shown it will not communicate thoroughly and does not talk about any remediation so why would you trust a company like that with your data?
The last incident was extremely sad for me because I thought I was using a company that I had a good relationship with. I could care less that CC details were lost, as CCs are easily replaceable and protected against fraudulent use. What they lost was my trust, which is far more valuable than my credit card number.
Ramnode's panel is SolusVM which isn't as good as Linode but their performance blows Linode out of the water. They have ipv4/ipv6, multiple locations (Atlanta and Seattle) and a good owner who seems very open/honest with customers. I expect we'll see feature enhancements as they grow bigger.
Gigenet Cloud has multiple locations (Chicago and Los Angeles), ipv4/ipv6, good performance, good custom panel and a company that has been around for a long time. They use a SAN for all their nodes. Overall one of the most underrated cloud providers out there. (Note: I got free credits for beta testing their cloud)
DigitalOcean has multiple locations (San Francisco, New York, Amsterdam), a decent custom panel (would like to see more statistics) and it seems a good staff. They did have a security issue that they seemed very open about (https://www.digitalocean.com/blog_posts/resolved-lvm-data-is...)
Other hosts I have tested/used but did not choose:
Rackspace - Excellent panel, ho-hum support/performance. My biggest issue is they lock instance throughput and refuse to change that. If you have a 512 instance you are locked to 20 mbit which doesn't make sense as you are billed per GB. I asked to have this unlocked as my instances push more and they refused.
Amazon AWS - Great interface but the lack of ipv6 (unless you buy ELB) and poor performance had me look elsewhere.
Others tested/used:
Joyentcloud, Terremark, Zerigo (was a long time customer but they went downhill when 8x8 bought them), Voxcloud, Cloudsigma, Azure, HP Cloud, Stormondemand (another good cloud provider that just didn't fit with me), VPS.net, Gandi
To get some positive content out of this thread. Is there a VM provider with a provably better security record than Linode?
If you are going to stay with Linode then 2FA seems like a no brainer. So, is there a simple way to get the 2FA iDevice systems (Google, Duo) to work on multiple devices, say to allow an iPad or an iPhone to be used interchangeably?
It would be nice if they let you set up SSL cert + MFA + password. I am kind of angry that modern desktop browsers continue to make SSL certs suck so much, but they're decent on mobile. I hope a future version of OSX builds in great cert management and UI/UX with local biometrics or something.
I'll have to see if the Google Authenticator app shows up on all of my iDevices linked to my Apple account and whether the code from any of them will work (from the setup process, I don't see why not). Does anybody know?
If the app will work from any of the iDevices, it would not be secure enough for a service storing bitcoins :) because the second factor should be hard to copy (which a real hardware token is, while a software token isn't).
it would not be secure enough for a service storing bitcoins
Linode was hacked twice (once where Bitcoins were stolen) in recent times and was shown to have the worst security practices I've ever seen. They have never been secure enough for storing Bitcoins.

What you were doing is the equivalent of leaving your wallet in a public place unattended, and then shouting and screaming that it got stolen. You are putting your bitcoin wallet on a publicly accessible server; you should know the risks of this by now.
Don't leave your wallet in a public place unattended, that includes your bitcoin wallet.
Let me guess, you didn't bother to encrypt your wallet either, did you?
Don't blame others for lack of security, if you can't even figure out your own security best practices...
It uses protected storage for the credential so it isn't backed up to iCloud, either. Sadly on Android they don't have the same security features available, due to limitations in the OS; it would be fun to talk to Samsung and make an "actually secure Google Authenticator" specific to the S3/S4 since they have a security element.
If you do want it on multiple iDevices, you need to do that at setup time, by copying the secret manually.
All they need to do is let users locally generate (i.e. in the token) seeds and then enter those into the web portal, vs. generating seeds internal to the portal, displaying them, and having the user enter them into the authenticator app or token (because the tokens don't allow you to enter a seed).
This also requires having role accounts which aren't able to reset authentication settings when logged in, though, to really be good (or else you just disable tokens on first successful login).
Also works well for paranoid people who don't trust their phone, or people who log in only from a phone/tablet and thus where MFA is really one-device-authentication.
I've had my non-smartphone for six years now. It still works, and while I'm sure I'll upgrade to a smartphone one day, I have no urgent desire to do so.
Is it really that hard to set up an SMS system as a fallback? I'm still able to use two-factor on my Google account because they offer this solution.
But if they would implement that, everybody will start screaming that they have to pay for a smartcard or rsa-token...
Be honest here, how many of you would actually want to pay for that?
yeah, thought so...
It's totally reasonable to believe Linode is enough of a clusterfuck internally, based on past performance, that this kind of thing is plausible. Yes, this protects you from one kind of attack if an attacker only gets limited access to Linode's systems.
The other issue is it doesn't protect you from password reuse. If a user is dumb and uses his global password for his Linode password, and Linode is hacked again, and the password is recovered, the attacker uses that userid/password/email/etc. to attack other accounts of that user at other services.
For anyone installing the Linode's recommended Windows App "Authenticator", WARNING, it does not work! I was locked out! I then used the Microsoft's Authenticator app to find the right token.
Do not logout without verifying it works first in an incognito mode. Better yet, save the secret key temporarily to your PC.
AWS also has the best first and second derivative on everything related to product; they were essentially crippled crap in 2006, and have turned into a viable option over the past years, without slowing down. Compared to the level of innovation in colo/dedicated hosting (~zero per year) and openstack, AWS is amazing.
It's still inferior to a good on-premises or colocated environment (mainly due to technical limitations in the virtualized environment; AWS's policy is top-notch commercial standard), but that may not matter for you. AWS pricing and performance is also worse in a lot of ways than dedicated hardware, but may also not matter to you.
A lot of the big cloud/dedicated hosting companies have decent security (SoftLayer, Rackspace), but aren't as good as AWS at policy or technical security. The sketchy VPS providers are miles below the middling standard set by companies like Rackspace.
Linode is solidly in the "sketchy VPS provider" realm. A bit better for availability, and not likely to actually be attacking you themselves, but not a responsible choice for anyone who cares about security from everything I've seen.
PaaS, in practice, is also a good solution if you care about security but have no skills or budget. While Heroku has its own set of problems around price, performance, and availability, it's more secure out of the box than a badly configured/maintained AWS deployment of your own, or a badly configured on-premises/colocated cage or dedicated servers.
After posting, I realized 1 and 3 are a bit redundant. You have to be established to have a track-record, of course.
Or is this just a show? Either way, this question itself reflects the fact that they refuse to give proper information and postmortems.