Linode probe into 2015 crack finds fake 2FA creds flaw

Hosting outfit Linode has announced a slew of changes to its user procedures after a long analysis of the attack that led to a system-wide password reset in January. It's also determined that the breach was the result of customer credential theft. The company's post-mortem of the issue, published here, notes that the December …

  1. Pascal Monett Silver badge

    Security Fail once again

    "It's also created an “authentication microservice” that completely separates customer applications from customer credentials"

    The question is: why didn't they start with that in the first place? It cannot be because they just didn't think of it, right? I mean, I'm not an InfoSec guru by a long shot, but it seems to me that such a configuration is a basic when talking about secure authentication, no? You want a minimum of internet interaction until you're sure of who it is you're talking with.

    In any case, good on them to have made the change. Shame that it had to be following a breach, and that they didn't put the money there in the first place.

    1. Hans 1

      Re: Security Fail once again

      Hindsight etc ...

      1. Dabooka

        Re: Security Fail once again

        You're right of course, but a part credit for fessing up and highlighting what they plan to do in the future.

        TalkTalk could learn a thing or two.

    2. Anonymous Coward

      Re: Security Fail once again

      Pascal, sorry, big guy, but you've just said something really stupid.

      As has already been explained to you, the measures you take have to be in proportion to the assessed risks, and besides, up to that point they were in line with most virtual hosting providers. Tell me, please, *one* provider that implements the kind of security Linode has just offered at moderately competitive prices.

      Stones, glass houses, etc.

      1. Hans 1

        Re: Security Fail once again

        Anon? I thought French speakers were a bit more ... ballsy ... pardon the expression, please. I gave you a +1 nonetheless.

        1. Destroy All Monsters Silver badge

          Re: Security Fail once again

          Who is Pascal Monett, who is behind Frenchanon and why are they having a conversation in French about Linode?

          Maybe Pascal Monett and Frenchanon are coworkers?

          1. Pascal Monett Silver badge

            @Destroy All Monsters

            Well I'm me, obviously, but I have no idea why I was addressed in French and no idea who the gentleman is. Welcome to the Internet :)

            We have a saying in French: le monde est mondial.

      2. Pascal Monett Silver badge

        Re: Security Fail once again

        The measures are certainly proportional to the risks, but the whole point is knowing which risks one deems acceptable. It is obvious that the effort Linode has just agreed to shows that, until now, weaker security on authentication was considered acceptable. Now that they have suffered a successful attack, they have reassessed the risk and acted accordingly. That's something, at least.

        As for saying which providers implement the "right" security, I think that's impossible, given that it's not the kind of thing they display on their web pages.

        As for the subscription price, I'm not convinced that an architecture with isolated authentication is more expensive to set up than one that lumps it together with the access server. What certainly costs more is changing the architecture.

        Might as well do it right from the start.

  2. Anonymous Coward

    credit for fessing up and highlighting what they plan to do in the future.

    Even more so for sharing the analysis. It's easy to shout "Fail", find fault and declare abject stupidity if you're not running the service yourself, but if there is one thing you should learn quickly in IT, it is not being too quick with throwing the first stone. We all make mistakes, and sometimes people just have to make do with the means available to them.

    Not that I'd pay attention to those shouting "fail", mind you. Karma is waiting.. :)

  3. Sir Alien

    Fine, I will say it then

    FAIL!

    Just kidding... More to the point I have personally made some mistakes in the past and never attempt to palm them off. I have never had an issue with being wrong about something but if I am, why not help in pointing out where I went wrong. (this is just a generalisation).

    People make mistakes, people "normally" learn from mistakes. (well except TalkTalk).

    - S.A

    1. Trigonoceps occipitalis

      Re: Fine, I will say it then

      Wisdom comes from experience. Experience is often a result of lack of wisdom.

      Terry Pratchett

  4. Anonymous Coward

    According to this thread on HN PagerDuty have a different version of events:

    https://news.ycombinator.com/item?id=11136399

    specific comment: https://news.ycombinator.com/item?id=11136948

    It seems far more like Linode have no idea how their private keys ended up on a client's VPS and they have a hole in their system. They gloss over it in their blog and try and blame it on a client losing access to their phone, but that doesn't explain how Linode's own private encryption key was anywhere near a client.

    Linode were alerted to this by PagerDuty's own IDS, up until then things looked normal to them.

    Their response has been: no logs, no problem.

    Following down the discussion it seems like Linode has or at least had some pretty unpleasant working conditions which makes you wonder how many unhappy employees there have been. Oh and they had a massive DDoS over Christmas...so there's that.
