undefined | Better HN

0 pointseridius12y ago0 comments

Yes. Linode publicly stated that they were using public-key cryptography, that the private key was secured with some crazy-long passphrase, and that the passphrase wasn't stored digitally, meaning that once a month when they billed they had to manually enter the private key.

So for the hackers to get the decrypted private key, then either Linode must have royally screwed up and kept the decrypted key in-memory during the rest of the month (which seems rather unlikely), or the hackers must have had control of the machine during the time in which they did billing (which I don't think is true, because billing presumably happens either at the start or the end of the month, and didn't the hack take place a bit earlier than that?).

So yeah, I believe them when they said they got the private key. But nobody's said anything to convince me that they got the _decrypted_ private key. And if the passphrase really is as long and complex as Linode claims, then it should be reasonably secure (caveat: I am not a security researcher, or otherwise qualified to judge the security of anything).

0 comments

tiredofcareer12y ago

> So for the hackers to get the decrypted private key, then either Linode must have royally screwed up and kept the decrypted key in-memory during the rest of the month (which seems rather unlikely),

They bill you the moment you add a Linode, automatically, if your credit is not sufficient to cover the new Linode. Careful walking that assumption too far; I think it's safe to say the key was kept in memory.

MertsA12y ago

Well it's not like it originally comes in encrypted with the public key, it has to be on there for a short amount of time already, why would they keep the unencrypted version around longer than the initial billing?

marshray12y ago

OK, I remember reading that now.

Good move on their part.

j / k navigate · click thread line to collapse