

#300

Welp, have overcome my fear of heights. Now I have a fear of widths.


#301

As well you should… as well you should.


#302

Is me of the website looks different today?

Like the content is forced to be into a column.


#303

Is you. Website of fine.


#304

Holy chit, we added likes! I thought I was outvoted! Thanks!


#305

#307

Cool, thanks for the heads up. I don’t venture out of the games forum often enough.

I responded:


#308

Linode has a super bad reputation on security.

I think this Glassdoor review sums it up pretty well:

https://i.imgur.com/sJd56AT.png

Linode has been hacked at least 5 times¹ in the past decade, and EVERY TIME they try their hardest to downplay the incident and distract attention from it. Avoiding any public communications at all if possible.

and

I’ve been with them since 2009. I know the current recommendation from security-focused people is not to use them, due to their mishandling of past events.

and

Obligatory Linode warning. Linode has a history of putting their customers in very uncomfortable situations.
Here’s a few HN threads on the previous disasters:
https://news.ycombinator.com/item?id=3654110 Compromised Linode, thousands of BitCoins stolen (2012)
https://news.ycombinator.com/item?id=3655137 Linode Manager Security Incident (2012)
https://news.ycombinator.com/item?id=5552756 Linode hacked, CCs and passwords leaked (2013)
https://news.ycombinator.com/item?id=7086921 An old system and a SWAT team (2014)
https://news.ycombinator.com/item?id=10825425 Linode DDoS continues – Atlanta down for 16+ hours (2016)
https://news.ycombinator.com/item?id=10998661 The Twelve Days of Crisis – A Retrospective on Linode’s Holiday DDoS Attacks (2016)
https://news.ycombinator.com/item?id=10845170 Security Notification and Linode Manager Password Reset (2016)
https://news.ycombinator.com/item?id=10806686 Linode is suffering on-going DDoS attacks (2016)

and

Around November in 2015 the IRC network I host was hacked due to a breach Linode had already been informed of (https://news.ycombinator.com/item?id=10845985) - I had a completely unique username, password, and I even had 2FA enabled. Linode support refused to work with me, advising me to “secure my 2fa device better next time”. Longevity of a company like Linode clearly isn’t indicative of good business practices, only that they are the cheapest option.

This is the meat of the PagerDuty complaint:

We also have evidence from access logs provided by Linode that the attackers tried to authenticate as an ex-employee, whose username ONLY existed in the Linode database. It was absolutely unique and was not used elsewhere by the employee making the username an accidental honeypot. This was another piece of data supporting that Linode was the source of our compromise.

We immediately reached out to them not only to inform them of their compromise, but to assist them in investigating it. We were confident that the Linode database had been breached, and that the secret key used to encrypt information in the database had been compromised as well.

In addition to reaching out to Linode, we also worked with a third-party security firm to audit our work done during the incident. Likewise, around the same time we reached out to law enforcement to assist in investigating the attack. I believe our public disclosure includes this information[1]. This was in the middle of July 2015.

We did not get confirmation in July that there was a breach of the Linode Manager or any associated credentials.

In the end, we migrated away from Linode because of this breach (even before it was publicly disclosed) in Aug 2015. We also never were able to confidently disclose that Linode was the vector due to lack of confirmation from their end. While all of us who responded to the incident were confident they were the source, we now thankfully have the data to confirm it.

It’s probably a pain to switch, but definitely don’t pick Linode if you are starting out.


#309

They’ve been great for us. Anyway if we’re hacked the attackers will get nothing of any value at all.


#310

In the circles I run in, you can’t click 10 links online without someone telling you not to use Linode, for the above reasons. Just make sure you never, ever put any information on Linode that you would be unhappy with a random hacker obtaining.


#311

Thank you @wumpus. Do you still recommend Digital Ocean?


#312

Most other “brand name” cloud choices are fine. The weird thing about Linode is they are “brand name” but not in a good way any more…


#313

Do you have any opinions on Google Compute Engine or App Engine?


#314

Not really, but I can tell you Azure tends to be expensive and over-complicated.


#315

If you support Tom on Patreon or you are thinking about doing so, you might want to check out his campaign at https://www.patreon.com/tomchick tonight and every day for about the next two weeks or so.


#316

Is it worth installing a Patreon app just to get updates, or does the mobile web suffice?

Edit: yikes, the icon is the new fugly logo, no thanks.


#317

I find the e-mail updates sufficing.


#318

@habibi, I would agree with @Left_Empty that e-mail updates are good enough.


#319

Thanks… I think I must have turned off email notification when I first signed up. No wonder I am not seeing stuff like this… FIXED.


#320

I switched from using AWS to using Google Compute Engine for everything cloud that I do for work. Honestly, the main reason was because I find the AWS dashboard/interface freaking impossible to navigate and they keep changing it. I also find it easier to select and change instance sizes on Google than AWS. The Service Accounts available make authentication between Google services easy.

Anecdotally, I also get better performance using the Google services. Since we use BigQuery as one of our analytic tools, it made more sense to have everything living on Google.

For personal projects, I usually go with Digital Ocean.