Introducing Linode Managed (linode.com)
64 points by remi on May 29, 2013 | 62 comments



I would like to know what steps they have taken to improve their security. They have had serious security breaches in the last couple of months, and I don't trust them any more.


I think that's a reasonable question, but a bit tangential to the offering, no?


How can I trust them to manage my server correctly if their security has been less than stellar? I am trusting them with my data. Something they have failed to keep secure in the past. It is the question they will not answer, because Linode is now akin to a used car dealership.


I get that some people don't trust Linode with their data and I think that's fair. But it doesn't really have much to do with managed vs unmanaged. Surely if you don't trust them with a managed server you should also not trust them with an unmanaged one.


And vice-versa, which is what people are asking about.


Not really. If they are dedicating resources to this instead of improving their across the board woeful security practices then it is relevant.

And it does beg the question if they can't manage their own infrastructure why would anyone be silly enough to let them manage theirs?


Security, presumably, is a major motivation for using a managed service like this. If they can't keep their own house in order, why should I trust them to look after mine?


Not only that, if they are managing your systems, how sure can you be that they'll inform you of a compromise? They seemed pretty content not to discuss/reveal the previous security issues until they were forced to.


They can leave their systems open to hackers and then charge the customers to fix the damage to their boxes and VPS instances afterwards.



It's nice that AWS and GCE also have premium support offerings now. Seems like a good source of revenue as well as cost savings.

I'm pretty sure I'd never trust Linode even as just a bare VPS provider, let alone giving them more access to my machines to provide this support, though, given their long and horrible track record.


Yes, there was the password / CC breach fiasco, but have you really had a horrible track record?

I'm genuinely curious. I've been hosting with them for a couple years and have had zero problems and amazing support response rate otherwise.

If there's some kind of a nightmare scenario waiting for me, I'd love a heads up.


It's not the track record that is important. It's the fact that after their first major hacking attack they learnt absolutely nothing. Still hiding the truth from the customer. Still failing to do security audits. Still sticking with their ColdFusion front end.

Also their support is only good for minor incidents. When you have a data centre go down their support evaporates and you will be left with a multi-hour outage with no clue what is happening.


Well it came out with the latest one (the CF exploit) that they were gagged on it when the FBI got involved. They eventually came out about it when the gag was removed, but only so much. When the FBI gets involved, usually the transparency gets tossed out the window, at least if the company is not one of the giants.


I see getting your last account hellbanned hasn't deterred you from repeating the same stuff every Linode thread, taligent.


(I'm not a customer).

"Still hiding the truth from the customer. Still failing to do security audits."

How do you know this?


There were several incidents where it took leaks and third-party releases for the truth to come out, and if they'd done a big audit they'd have announced it for the "we're taking concrete steps" cred.


I believe the issue a lot of people have is that Linode is not transparent when they are hacked. They have been hacked twice now and their communication in both cases has been fairly limited. It feels like their communication in this latest incident only happened because the hacker posted a lot of information.


bitcoinica was some serious lulz too.


In the last Linode thread I asked the community for secure, comparable alternatives. AWS seemed to be the only option.

Is that still the case?


No, since then Google opened up Google Compute Engine for everyone. I'd consider AWS and GCE roughly comparable; I'm kind of tempted to run them head to head (vs. a baseline of a real server in a colo) and do perf/reliability/etc. testing.

AWS networking continues to kind of suck; Google probably does at least that part better.


I wouldn't say AWS is the only option, probably just the most popular one.

Other options might be Rackspace, Windows Azure (I think you can run Linux VMs, however I don't know how well that's working) or Google Compute Engine (rather new, so YMMV). Those are probably the biggest players in the cloud market.


Digital Ocean still has a lot to prove, but in my testing, they have comparable stability, and disk, CPU, and memory are all faster. I'm not going to start recommending them or putting anything mission critical there yet, but they're the closest thing to Linode, in my mind, in terms of 1:1 setup and management.


http://www.rackspace.com/cloud/servers/ (I haven't used them, but friends say they're good)


That depends if they can now live-migrate cloud servers from one physical host to another. We got burned because to do maintenance on the host they had to take down all 'cloud' servers, turn the server off, do it and switch it back on - and this was planned maintenance, not emergency.

This was before OpenStack, but trying to get information out of Rackspace about what's changed is like trying to get a Republican to vote Democrat.


www.atlantic.net/cloud is a working alternative. It offers a free trial.


I've been on Linode for a few months, after years on AWS, and I'm not nearly convinced to trust them with these "Managed Services".

Why? Too much "scheduled downtime" (few hours/month) vs. AWS's 99.999% uptime.

Why else? Well, it's a perverse incentive. If they have less reliable systems, the pain goes up, to where more people will sign up for "Linode Managed". We should all get good uptime, not have to pay extra.

Most importantly, their offering is not an SLA. I don't see anywhere in the "Linode Managed" where they are guaranteeing uptime %'s, or penalties for lower performance. And, how can they realistically handle even 50% of the 3AM panic problems, if some of those will be my website's inability to talk to 3rd party sites (which neither of us have control over).

If they really can fix 90% of the 3AM problems, then they are the root cause of most of those in the first place. There's not many good reasons why Linux will break at 3AM often if you've set up your stack correctly.


My EC2 hosts have had horrid uptimes. From the big event in VA last year or so to a bunch of random events. Support was useless as well.

My Linodes are rock solid. Yeah Linode got hit by a ColdFusion vulnerability and had the bitcoin issue, but for a company as old as it is, that's still a good track record imho.

Meanwhile we're leaving EC2. Don't need it really and certainly don't need the headaches. The CPUs on those things are pretty weak as well.


I've literally never had my servers go down on Linode's account, having run 'em for years now. Maybe the management panel goes down from time to time, but that's a totally different number than AWS's 99.999%—is that what you were referring to? Or has Linode actually killed your servers?


Good points. Yes, these comments truly prove that "Your mileage may vary".

The grass isn't always greener, and with so many users, our personal experiences are simply "statistical anomalies / anecdotes" to the other guy, but are 100% our relevant personal experience to ourselves.

It kind of reminds me of my uncle who does surgery on backs. When a patient asks him, "What's the success % rate on this surgery?" He replies, "100% or 0% for YOU". It irked me to hear that from him, as an engineer, but he's so damn right when it comes to personal experiences & preparations (emotionally & otherwise).


Linode hasn't killed my servers, but just informed me that they'll be doing maintenance on my production box that will likely be a two-hour window, but could take up to 8 (!)

Not very excited about Linode these days.


You can migrate it to another physical server at any time in advance of the maintenance window.


This is true, Linode's support is top notch responsive. I've been with them for several years, no issues, great uptime, they keep bumping up what they offer without touching the price. There's no per hour gotchas. What they say they offer, they deliver.


Yeah, I have a linode that's getting close to 3 years of uptime and has only had a network outage longer than a few minutes once in that time.


I've never had my linode machines taken offline, but I've received many "Instance scheduled for retirement" messages from AWS.


>vs. AWS's 99.999% uptime.

SLA numbers are not insurance. At best, they give you back some of your hosting costs... but if you are doing anything serious? that's a very small fraction of what you lost due to the downtime.

Also, 'uptime' means a different thing on a VPS than in a cloud. In a cloud? if a server goes bad, you shoot the server and the customer spins up nodes on another one. the local data is gone. This is not counted as downtime.

On a VPS? that's counted as downtime and as data loss.


There is no industry standard for what "managed" means. On their page they describe some of the services as co-managed. I suspect in reality "managed" consists of a comprehensive monitoring solution, along with "best effort" support. They are either going to provide a support level well below customers' expectations (not making ANY changes unless they have specific written consent) or they are going to take risks on customers' servers which will blow up in their face from time to time.

Apart from the hacking incident they have a really good brand with a reputation for doing the right thing. They provide infrastructure as a service, the service is clearly defined and they deliver. Unless they are really sharp then a managed service is not going to be clean. It's full of grey areas and trade-offs about whether the team gave correct advice or did the right thing. They should have spun this off to a separate company.


Yeah. 'managed' hosting is /way/ harder to provide (at least while maintaining a reasonable reputation) than unmanaged hosting, primarily because:

>There is no industry standard for what "managed" means.

Managing expectations here? really hard. Really, really hard. I mean, for $100/month, the provider is probably not going to be involved with the planning and day to day operation; this means you end up with setups where the customer builds a site, gets it working, starts depending on it, and then something horrible happens, and at that point, linode sysadmins will have to step in and fix it. I mean, yeah, a good sysadmin can usually pull it off, but it's "heroic" work, in my mind... You have to sit there and figure out all the weird hacks the last amateur the customer hired used to get the system working. If you ask me to do something like that, I'm going to set an expectation of failure. But that's the problem with managed services, the customer expectation is always success.

This will not be fun for the sysadmin involved. It's much harder to fix a system you are unfamiliar with than a system you are familiar with, and the customer is going to have expectations that the success rate will be as if the sysadmin was familiar with the system. (I mean, hell, I go way out of my way to tell people I sell completely unmanaged stuff, and I still get customers blaming me when their out of date php whatever gets compromised.)

The situations where I would be willing to offer a competing product would be if I could charge (and limit the customers per sysadmin) such that a member of my staff could have weekly or monthly meetings with the customer, going over their architecture and what changes have happened, and what problems might happen. (I'm guessing this is going to be more in the $500-$1500/month range, so it's not really competing.)

Alternately, I would be willing to provide a managed service where the customer doesn't have root, except through my tools. Idea being that then all the systems I manage would be substantially similar. I could do this for dramatically less money, had I the time to dedicate to setting it up, and enough customers to make building the tools worth it.

I wish Linode much luck. As a competitor to their unmanaged product, I know I will be referring my customers who need more handholding to this service. There is a whole lot of need in the industry for managed services; VPSs are so cheap these days that people who have no ability or interest in systems administration want to buy them, and they need a lot of help.

My expectation? the customer will generally get a good deal for $100/month. But sometimes? it won't be enough, and that customer will go away very angry and (publicly) disappointed.


Reading about Linode Managed on their website [1] appears to be nothing more than (1) OS backups, and (2) a monitoring agent installed on the OS to report the server is up and running.

Am I missing something here?

[1] https://www.linode.com/managed/


The article also mentions proactive response to issues they discover on your behalf. FTA: "If a check fails, our experts will take immediate steps to get your systems back online as quickly as possible"

There are a number of other services listed on that page, including "Longview Pro - the professional version of our system-level statistics collection and graphing service (currently in beta)."

I got all that from reading the page you linked.


I read that as well. But having someone else log into my server to just restart it doesn't seem all that appealing to me for $100/mo.


Then you are perhaps not the target customer. Rackspace Cloud offers very nearly the same service at a similar price.


Well, compared with Rackspace's managed offering which doesn't offer either of those features, I think it's a start.


Rackspace:

"Up to 8 checks free from Rackspace Cloud Monitoring, for 24x7x365 monitoring of URL content, port, and ping" [1]

"File-level backups. No charge per-server. File storage: $0.10/GB/month. Bandwidth: $0.18/GB/month." [2]

[1] http://www.rackspace.com/cloud/managed_cloud/support_a/

[2] http://www.rackspace.com/cloud/support/


Rackspace's monitoring is in beta and only offers 5 minute level granularity last I checked.

Their backups you noted aren't free or included in managed cloud (they're additional).


Compared to LiquidWeb's offering [0] it doesn't seem much.

[0] http://www.liquidweb.com/support/compare.html


I really don't see where all of the Linode hate comes from. That last hack was a pretty messy situation the way that I read it, but they seemed to do what was best for their customers when the shtf.

I've also had very few network outages or performance issues in Linode's Dallas datacenter, multiple uptimes of > 1 year on instances and I've only had one unscheduled reboot/failure in almost 7 years of being a customer.


The hate comes from multiple security breaches with very little communication.


From here [1] it seems that if you sign up for Linode Managed, all your linodes are enrolled and you'll have to pay 100/month for each one i.e., there's no way to pay only for specific linodes.

[1] https://blog.linode.com/2013/05/29/introducing-linode-manage...


While from the blogpost it isn't 100% clear to me how far their management goes (do they restart apache if needed? Do they do security updates?), I think this fills a huge need!

Fully managed servers are really expensive and often inflexible, while with VPS you are all on your own, which not every developer wants (or feels confident in). I was just discussing a week ago how there is a big market in doing this management.


> Do they do security updates?

Hah!


To me the idea of doing security updates on someone else's VM running someone else's stack/application seems very impractical. It will probably work most of the time, but when it doesn't work then basically you get credit for shutting down their service. And you don't really have any clues about what might possibly cause an issue because you don't know details of their application or stack.

And then sometimes software might need to be restarted which means you have to tell them to restart it themselves or get them to explain enough about how it works so you can restart it.

So unless you are going to charge hourly and staff accordingly, it seems like a no-go.

In this case, $100 per month is really going to pay for maybe two or three hours of sysadmin or application development work max. I.E. helping with various issues that come up in ordinary dev ops or software configuration that are specific to that particular customer's setup. And you just have to count on the idea that most people won't take advantage of more than that average amount of help, like only when they are panicked. And then hope that it is something that you can actually fix in a short amount of time.


As with all things in this market, it really depends on the execution.

If the remote hands are awesome, this is well worth $100 per node. If they are anything but awesome, this wouldn't be worth it for any amount of money.


While my occasional experiences with their support team have been fantastic, this is being offered by the same people who had a CF vuln exploited in their management software and, it seems, would not have bothered to share any details with their customers if the perpetrators hadn't gotten on IRC to brag.

Their documentation in the Linode Library is also really great -- as a starting point. Assuming that they're using the same guides in recommending server configuration, there are some things that could be done better by a skilled admin. e.g., their LAMP server guide for Debian 6 doesn't include suexec or any variation of FastCGI, two must-haves for a public-facing web server IMO.


Worth noting it was a ColdFusion 0day manufactured for that attack, and the story from the hackers (HTP) is that Linode was forced to announce it by the FBI despite being blackmailed with their customer credit card database.

Of course, they could have handled security internally better but I suspect other VPS providers appear more secure only because nobody has gone out of their way to target them.


Right; according to HTP (http://straylig.ht/zines/HTP5/0x02_Linode.txt), it sounds like Linode were willing to delay notifying their customers of a serious incident in exchange for a promise from the attackers that the data would be destroyed -- the supposedly totally secure data, according to a later blog post from Linode.

The takeaway is that now, while I don't know if I can trust other VPS providers or not, I know I can't trust Linode. (Hell, to some extent, I trust HTP more than Linode now -- I haven't seen a dump of the Linode data on pastebin or a .ru forum yet.)

How a business handles disclosure of a compromise is as important to me as the fact that they were compromised. Notably, this is the second time they screwed up disclosure, after being raked over the coals for it the first time. I was willing to let the first one slide since Linode is so awesome in every other regard, and hope that they would handle the next incident more gracefully. Unfortunately, they didn't.


I agree, I just don't expect much from VPS hosts - although their handling of this was remarkably poor.

FWIW I'll be finding a new host, I just like to play devil's advocate to balance discussions.


And so why haven't we heard anything specific from Linode about what happened? At minimum they can talk about the technology/security improvements they have made. And what about the first time this happened?

People need to stop excusing this sort of behaviour from companies.


Realistically, $100 is $100, and software and dev ops are complicated. So I look at it as $100 worth of consulting. They can hire cheap people or outsource if they want, but you can only stretch that so far. So they can provide a maximum of a few hours of help per account on average or they will lose money. Which could easily be eaten up with one issue.


$100 per month isn't bad for the inevitable crisis when you really will need a good sysadmin's help.

For me, the biggest reason for paying for managed services like Heroku etc. is avoiding that risk. This sort of thing would make me far happier to ship some of the load back onto Linode. Can't fault their hardware. :)


Interesting. I think this could be particularly popular if Linode introduces some fully supported stacks for common configs. Although at that point they would really just become a managed provider, but perhaps that is the natural progression of at least part of the hosting business.


There's something about the picture that's rather unsettling (apart from the number of Macs ;).



