Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months

Web hosting biz Linode broke the security in its customers' virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them. Nodes that installed Linode's Ubuntu 15.10 image between November 10, 2015, and February 4, 2016, all use the same SSH server key. Usually, a unique key is generated during …
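The summary states the root problem: every node built from the affected image carries the same SSH host key, so an attacker who obtains that key can impersonate any of them. The following is an added example (not code from the article or from Linode) of how an operator could spot that condition across a fleet by comparing host-key fingerprints in `ssh-keyscan`-style output. The hosts (203.0.113.x, a documentation range) and the key material below are constructed for the demonstration and are not Linode's.

```python
"""Detect SSH host keys shared by more than one host.

Added example, not code from the article or from Linode.  Input lines follow
the ssh-keyscan format "host keytype base64-blob"; the sample data below is
constructed and contains no real key.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> str:
    """Build the base64 public-key blob ssh-keyscan prints for an ed25519 key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return base64.b64encode(blob).decode("ascii")


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of sha256(blob), padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, fingerprint) from ssh-keyscan-style output.

    Blank lines and '#' comment lines (such as ssh-keyscan's banner lines)
    are skipped; malformed lines are ignored rather than aborting the scan.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, blob = parts[0], parts[1], parts[2]
        yield host, keytype, fingerprint(blob)


def shared_host_keys(text: str):
    """Return {(keytype, fingerprint): sorted hosts} for keys used by more than one host."""
    seen = defaultdict(set)
    for host, keytype, fp in parse_keyscan(text):
        seen[(keytype, fp)].add(host)
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) > 1}


# Constructed sample: three hosts baked from one image share a key, one host
# generated its own.  Raw key bytes are fixed patterns, not real key material.
SHARED_KEY = ed25519_blob(bytes(range(32)))
UNIQUE_KEY = ed25519_blob(bytes(range(32, 64)))

SAMPLE_SCAN = "\n".join([
    "# 203.0.113.10:22 SSH-2.0-OpenSSH_6.9p1 Ubuntu-2",
    f"203.0.113.10 ssh-ed25519 {SHARED_KEY}",
    f"203.0.113.11 ssh-ed25519 {SHARED_KEY}",
    f"203.0.113.12 ssh-ed25519 {SHARED_KEY}",
    f"203.0.113.20 ssh-ed25519 {UNIQUE_KEY}",
])

if __name__ == "__main__":
    for (keytype, fp), hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{keytype} {fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

In practice the input would be the output of `ssh-keyscan` run against an inventory of your own hosts; any fingerprint that appears more than once is a server whose host key was cloned rather than generated on first boot and should be regenerated.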

  1. Anonymous Coward
    Pirate

    Slippery when wet

    Looks like they put a great deal of time and effort into crafting that message to imply to the uninitiated that Canonical was to blame for releasing a defective Ubuntu image, rather than admitting their error.

    If only they'd been that meticulous about prepping their images.

    1. Anonymous Coward
      Anonymous Coward

      Re: Slippery when wet

      > If only they'd been that meticulous about prepping their images.

      Thus spoke Mr. Perfect?

      1. Anonymous Coward
        Anonymous Coward

        Re: Slippery when wet

        >> If only they'd been that meticulous about prepping their images.

        >Thus spoke Mr. Perfect?

        Errare humanum est.

        Then again... if Microsoft had made a similar blunder with any of their products (and they do flounder a lot) this board would already be packed with messages howling about the error.

        Just sayin'

  2. Ole Juul

    the way it goes

    I'm not a customer of theirs, but they might be a safer choice after all this "bad weather" since they'll likely be trying extra hard to do it right.

    1. Ali Um Bongo
      FAIL

      Re: the way it goes

      *"...they might be a safer choice after all this "bad weather" since they'll likely be trying extra hard to do it right..."*

      That's what people said after the last cock-up

      ... and the one before that.

      1. Anonymous Coward
        Coat

        Re: the way it goes

        Yeah... sinking ship. Can we get an icon for that? Should get a lot of use this year.

  3. frank ly Silver badge

    Finger trouble

    Why did they put the 'f' (force, no prompts, ignore nonexistent files and arguments) in 'rm -f /etc/ssh/ssh_host_*'?

    A simple finger slip could give 'rm -f /etc /ssh/ssh_host_*'.

    For something so important, I'd have thought that 'rm -i' (prompt before every removal) would be more sensible.

    1. DainB Bronze badge

      Re: Finger trouble

      Next time you need cut something use a plastic knife from child tea set. Because you know, with real knife you hand can slip and cut your throat.

      1. frank ly Silver badge

        Re: Finger trouble

        I knew that somebody would say something like that. I accept the principle but I was hoping for better grammar. I wonder if you type command lines with the same care as you type sentences.

        1. Anonymous Coward
          Anonymous Coward

          Re: Finger trouble

          > I accept the principle but I was hoping for better grammar.

          I am going to hazard that the previous poster is not a native speaker. Probably Polish, almost certainly Slavic. In any case his command of English is significantly better than my command of any Slavic language.

      2. Robert Carnegie Silver badge

        Re: Finger trouble

        You can stir your coffee with a box cutter knife, but most people do not. They use a more appropriately shaped metal tool. Or plastic, indeed.

    2. Anonymous Coward
      Anonymous Coward

      Re: Finger trouble

      > A simple finger slip could give 'rm -f /etc /ssh/ssh_host_*'.

      But that would not be a problem:

      # rm -f /etc

      rm: cannot remove ‘/etc’: Is a directory

      Their finger would have to slip onto the 'r' key as well for this to be dangerous.

      Having said that, I see no particular reason to use the '-f' flag here: it would silence the warning if ssh_host_* did not exist, but it would be better for the user to see that message.

      In any case, it's not good to get people in the habit of using a 'force' flag in situations where it's not needed. I see far too many people doing 'kill -9 <pid>' without understanding what they're doing (and why it's bad).


Biting the hand that feeds IT © 1998–2019