My plan is to keep saying this on Linode threads, just in case there are people who have missed it. Take my advice or leave it:
Please don't use Linode. If you are using it now, make immediate plans to switch. If you have friends who have things built on Linode servers, tell them to switch.
My plan is to keep saying this on Starfighter threads, just in case there are people who have missed it. Take my advice or leave it:
Please don't use Starfighter. If you are using it now, make immediate plans to switch. If you have friends who have used Starfighter, tell them to switch.
Feel how dickish this sounds without giving any reason whatsoever?
For whatever it's worth, I decided to get Linode oh so many years ago because hdm, the security guy, very warmly recommended it to me. Indeed, a lot of very high profile security folks love Linode (nmap.org/sectools.org is a good example).
Anyway, personally, I choose to still stick to Linode because their customer support is extraordinarily good. I'm speaking about my experiences in the last 5 years.
Concerning their handling of DDoS attacks - I think with the changes made, things should be much better.
The fact that nmap/sectools is still in fact on Linode, right now, the fact that moxie still uses it, as well as jacob and other superstars are using it in 2016 isn't a testament to what they think? And, I think hdm still uses linode for a lot of things. So do many other security folks I hang out with.
I really think that if it was some other VPS, they could not have done much better. You remember the outages that Amazon had? It's just a matter of fact, the way I see it: these attacks happen. We learn from it, resilience is built. Until a new type of attack takes place, and then the process repeats. I understand that uptime can't be 100% all the time -- the 1 or 2 days it was down in 2015 was an inconvenience, but not totally unacceptable. I also understand that if you're against very determined attackers, it's pretty tough. How will any of the other VPSs fare when the attacker happens to have an 0day or something?
By the way, I noticed a few years ago that bitcoin-related startups were likely to use Linode. That makes Linode a huuuuuuge target. I really don't think that if it was some other VPS in the crosshairs, these determined attackers could have been stopped 3 or 4 years ago with the ferocity and resourcefulness they seemed to be equipped with.
Because it's trivial to figure out why he's saying that by simply typing "linode" into google, but as of right now googling starfighter doesn't immediately bring up any reasons to avoid them.
Edit: Didn't mean to imply that parent was a dick.
> Because it's trivial to figure out why he's saying that by simply typing "linode" into google, but as of right now googling starfighter doesn't immediately bring up any reasons to avoid them.
This doesn't mean anything. I could get horror stories about any cloud service provider via Google yet we're only being told not to use Linode. Providing some context makes all the difference.
I don't think it's appropriate to throw around insults and claim jfgi when someone asks for a modicum of clarification.
If you can't even manage one small teensy link, what respect does that show for your audience?
The only value comes from the ptacek brand, and the trust I have in him through context. But that's generally not a strong foundation to build an argument on.
To be clear: I trust him, but it's not his best post. And op was not out of line for speaking up.
Edit: sorry ryanlol, I didn't mean you, but tptacek. It was perhaps too strongly worded. Didn't mean to attack anyone, just wanted to show support for yomism's point.
I consider myself a HN regular, but I don't read everything. Linode posts I subconsciously skip, as they don't interest me. This was honestly news to me. "Incomplete information", I believe that's called ;)
I'm not sure what role spelling critique has in a conversation about technology providers, but to your second point I do think it's reasonable to expect that in public conversations claims be substantiated to a degree relative to their contentiousness. No one expects evidence or citations when you claim that good security is hard, but it's not so crazy to hope for even a respected member of the community to back up a stark claim. At the very least it's reasonable to ask for substantiation - whether or not the original commenter is comfortable discussing details.
I have read the horror stories thanks to ryanlol's posts but next time please post a link if you don't want to waste time re-explaining. Let's use the HTML powers!
To be honest, the number of "linode screwed up" posts on hacker news the last few years would be educational to you, and if I remember correctly, ryanlol even got a slap on the wrist due to one of those situations.
At this point, I am bored of people asking for citations on Hacker News for things that should be part of our tribal knowledge.
I meant it in the way of shared knowledge, just like we all know how to bypass a NYT filter, or that someone is going to complain about the lack of native scrolling in an article, especially on a Show HN.
I definitely agree that there is a huge amount of that type of thinking on HN (of course); reading the number of people who used GitHub but didn't know the difference between it and git and were commenting today was a personal education.
Of course, you can judge it differently, but following that link convinced me that the claims are probably not "baseless smearing", that it's well-intentioned advice. Just from the link itself I wouldn't know on what grounds tptacek came to his conclusion, and I wouldn't heed his advice without further research, BUT I'm 99% sure that if I researched I'd find many well-documented arguments in favour of tptacek's opinion/advice. I'd even bet on this: you say it's baseless, I say I can easily find the reasoning and arguments behind what tptacek said. Want to bet?
Oh, by the way:
> Sincerely, it's too much to ask?
Let's turn it around: a person with a lot of experience offers advice on a matter he's experienced with. Is it too much to ask the readers to first, at least, google a bit before commenting? Why do you think you are entitled to receive even more of that person's attention and time?
Yeah, unless you're willing to elaborate on the reasons behind this statement, it's hard to give it a lot of credence. In fact, your reputation is the only reason I'd give it any credence at all, without some explanation.
We've been happy Linode customers for a while now, and definitely prefer Linode to where we were before (Rackspace, via the Slicehost acquisition). I'm not opposed to moving to something like DigitalOcean or other, but right now I'm not seeing any compelling reason to make a move.
Sure, but who hasn't been hacked at some point in time? The @tptacek post has an air of suggesting Something Is Really Wrong, like "Linode is a front of the NSA" or something.
Would it be that much harder to say "Don't use Linode, they have a bad history security-wise and just got hacked again"?
Linode has not only been hacked, but hacked countless times. So many times, in fact, that it's hard to blame it on just incompetence rather than gross negligence on their part.
Then there's the whole lying to cover up hacks, not investigating clear compromises when reported by customers and generally just avoiding any kind of negative press at all costs.
Just so I understand: his claim, which doesn't constitute advice of any kind and doesn't ask for any action on the part of the reader, requires substantiation? But your claim, which does have a suggested course of action for the reader, does not require further elucidation?
I do know who you are and I do have respect for your contributions, but my friend, it seems like you're flaunting a sense of superiority when you issue a drive-by decree. It's only made worse when you choose to take the time you could have spent helping the readers whose opinions you're hoping to sway, and piss it away with grammar/spelling corrections and sarcasm. We routinely call out people in other public forums who give blatant non-answers, don't we?
I thought your comment was helpful. Until you decided that only those who would take it on faith or on fallible googling would be worthy of your help.
>Just so I understand: his claim, which doesn't constitute advice of any kind and doesn't ask for any action on the part of the reader, requires substantiation? But your claim, which does have a suggested course of action for the reader, does not require further elucidation?
I'm not sure if tptacek implied the claim requires substantiation, but IMO naming and shaming is just the ethical thing to do when someone is covering up hacks.
Yes, but not if you found out such from confidential information you agreed to keep confidential.
But in all seriousness, I don't know a single provider that sells cheap VPSs [e.g. At Linode's price point] and actually has something resembling security.
> You keep talking about how Linode is cheap, but when I look on their site their prices are absolutely insane. Am I missing something?
It's roughly the same as DO, etc. Yes, it's more expensive than buying a dedicated server.
I define anything cheaper than AWS/Google Cloud/Azure/etc. as "cheap". I am assuming you are using a reasonable level of bandwidth [e.g. 100GB+] when making such statements.
Really the only places you can find even cheaper VMs are sites like lowendtalk.com, and you really don't want to go that cheap if you can avoid it.
> Debatable
Let me put it this way, "contractually obligated to".
Meh... nothing about that is in the first page of Google results when I google Linode. I wasn't aware of the older hack incidents, because we weren't Linode customers then and so there was no particular reason to pay attention to Linode news.
Anyway, if anyone is going to make a blanket statement like "Don't use X", there's no harm in providing at least a high level explanation of why you're saying that. One shouldn't assume other people keep up with the exact same news that they do.
Their wikipedia page, the 3rd google result for me, should provide enough info by itself.
I do agree that some level of explanation would definitely be useful, but this comes up so often that I really don't find it surprising that people are too lazy to explain such statements.
Just a comment on my experience: the last time one of these threads appeared (after reading several prior), I followed tptacek's advice and shut down the few remaining Linode instances I had. Linode handled it professionally: I removed my nodes, canceled my account online in a couple of clicks, and requested a refund of the credit on my account (I had pre-paid for a year, and Linode refunded the time remaining). The payment was issued quickly and without confrontation (though they did ask, by email, for the last six digits of my credit card for "verification"). I then deleted my account.
For all those who want some sort of backup: There is a search function here. If you search for Linode, you'll find a long string of security blunders. You really won't have to try hard. (PS. I'm a current Linode customer)
Could you elaborate? We've been their happy customer for 4 years now and while this incident did hit us with several hours of downtime, we are definitively not gonna switch just because of this.
What are we supposed to use? How do I know the host I pick has any better security practices or that they just haven't been owned so far? Which other VPS providers have essential features like private networking?
Please don't say AWS, I have no interest in learning that overcomplicated mess.
I've been locked out of a droplet and had a friend lose one from a failure without warning. I've switched due to this and the attitude from customer service.
Was working fine for few years before this happened.
Linode Singapore data centers. Lowest latency for any cloud provider where I live. Been rock solid so far. One time I used Cloudflare for two weeks and had massive service degradation at random times, so not doing that again.
Hey, Thomas. I crossed swords with you when I worked at Linode and we had a brief HN argument about side-channel attacks in Xen (remember that?). I gained respect for your opinion and experience from that, and I think you should blog your perspective on this if you haven't. I, personally, would be very interested in reading it, especially if you've done any kind of security analysis on Linode.