Linode's recent upgrades are awesome, but people are very quick to forget the period where they were being hacked left and right and didn't communicate with their customers until a defensive blog post weeks after the fact. No matter how good the servers may be, Linode should be a non-starter for anybody who cares about the security of their droplet; and, if you don't, why would you pay Linode's premium fee?


It's amazing how short people's memories are. They behaved in a very scummy way back when that all happened. I was sure they would have to close their doors within 6 months.

But it's exactly one year since the hack and everyone is back to talking about how amazing Linode is.

http://news.softpedia.com/news/Hackers-Claim-to-Have-Gained-...


Ask DigitalOcean if they're wiping data on droplet cancellation and snapshot deletion yet. They've fucked that one up several times since the inception of the company and each time get a little more defensive about it. For a while there, I could spin up a droplet and get database passwords, keys, data, all day long from the previous owner. Then they told the guy that reported it that he was mistaken, and basically lied in a blog post and said no user data was at risk.

I'm told that's just the beginning of security faults in their platform, attributable to being a younger company and discovering these things for the first time; I have been personally shown evidence that DigitalOcean's platform initially trusted a hidden field called "userid" and allowed a user to operate on any other user without authorization, including restoring images, shutting down droplets, and so on. Their system at first had no protection against spoofed packets exiting a droplet, either, so ARP poisoning the gateway was (and possibly remains) a viable attack.

Linode is far more mature, obviously.

Every provider has security issues. It's how they rectify and move forward that should concern you. Watching DigitalOcean react to being informed that the issue they got burned on once had reappeared basically told me to never use their services.

Also, and I actually consider this very important and not a grammatical nit, Linode doesn't sell droplets. They sell virtual servers. You're asking for a Pepsi from Coca-Cola. You might consider this a minor nit, but it's actually a serious confusion issue that I already see happening.

Allow me to promise you -- not predict, promise -- that DigitalOcean will be compromised just as badly. It's going to happen. It's a matter of when and how they react.
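The data-remanence problem mentioned above (a new tenant receiving a previous tenant's disk contents because storage is not sanitized before reuse) is easiest to see with a toy block allocator. The following is an added example written for this thread, not DigitalOcean's or Linode's code; the pool, tenant names and the secret written to the block are all constructed for illustration.

```python
"""Toy block pool showing why storage must be wiped before it is reallocated.
Example code added to this thread; the pool design and tenant names are
assumptions, not any provider's real implementation."""


class BlockPool:
    """Fixed pool of byte blocks handed out to tenants and returned on release."""

    def __init__(self, n_blocks: int = 4, block_size: int = 32) -> None:
        self.blocks = [bytearray(block_size) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))   # FIFO, so released blocks come back quickly
        self.owner: dict[int, str] = {}

    def allocate(self, tenant: str) -> int:
        idx = self.free.pop(0)
        self.owner[idx] = tenant
        return idx

    def _check_owner(self, tenant: str, idx: int) -> None:
        if self.owner.get(idx) != tenant:
            raise PermissionError(f"{tenant} does not own block {idx}")

    def write(self, tenant: str, idx: int, data: bytes) -> None:
        self._check_owner(tenant, idx)
        self.blocks[idx][: len(data)] = data

    def read(self, tenant: str, idx: int) -> bytes:
        self._check_owner(tenant, idx)
        return bytes(self.blocks[idx]).rstrip(b"\x00")

    def release(self, tenant: str, idx: int, wipe: bool) -> None:
        """Return a block to the pool. Without wipe=True the old contents stay
        on the block and are readable by whoever is allocated it next."""
        self._check_owner(tenant, idx)
        if wipe:
            self.blocks[idx][:] = bytes(len(self.blocks[idx]))  # zero-fill
        del self.owner[idx]
        self.free.append(idx)


def _run_scenario(wipe: bool) -> bytes:
    """Tenant A stores a secret, releases the block, tenant B gets the same block."""
    pool = BlockPool(n_blocks=1)                  # single block forces reuse
    secret = b"DB_PASSWORD=hunter2"               # constructed sample secret
    blk = pool.allocate("tenant-a")
    pool.write("tenant-a", blk, secret)
    pool.release("tenant-a", blk, wipe=wipe)
    reused = pool.allocate("tenant-b")
    return pool.read("tenant-b", reused)          # what the new tenant sees


def data_remanence_demo() -> tuple[bytes, bytes]:
    """Returns (what leaks without wiping, what the new tenant sees with wiping)."""
    return _run_scenario(wipe=False), _run_scenario(wipe=True)


if __name__ == "__main__":
    leaked, clean = data_remanence_demo()
    print("no wipe  ->", leaked)
    print("with wipe->", clean)
```

On a real host the `release(..., wipe=True)` step corresponds to zero-filling or discarding the backing volume (for example with `dd if=/dev/zero` or `blkdiscard` on a thinly provisioned device) before it goes back into the pool; the ownership check in `read` is what stops a tenant from reading blocks it was never allocated, but it does nothing for blocks it legitimately receives after someone else.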
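The hidden "userid" field bug described above is the classic insecure-direct-object-reference pattern: the server takes the acting identity from a client-controlled parameter instead of from the authenticated session. Below is an added example, written for this thread and not taken from any provider's code, with a vulnerable handler next to a hardened one; the droplet table, request shape and handler names are assumptions.

```python
"""Vulnerable vs hardened "shut down droplet" handler.
Example code added to this thread; the data model and request shape are
assumptions, not DigitalOcean's actual API."""

from dataclasses import dataclass


@dataclass
class Droplet:
    droplet_id: int
    owner_id: int
    running: bool = True


class Forbidden(Exception):
    pass


def sample_droplets() -> dict[int, Droplet]:
    """Constructed sample state: two tenants (user 1 and user 2), one droplet each."""
    return {100: Droplet(100, owner_id=1), 200: Droplet(200, owner_id=2)}


def shutdown_trusting_hidden_field(droplets: dict, session_user_id: int, form: dict) -> Droplet:
    """VULNERABLE: the acting identity is read from a hidden form field.
    Anyone who edits that field acts as any other user; the session is ignored."""
    acting_user = int(form["userid"])                 # attacker-controlled
    droplet = droplets[int(form["droplet_id"])]
    if droplet.owner_id != acting_user:
        raise Forbidden("not your droplet")
    droplet.running = False
    return droplet


def shutdown_using_session(droplets: dict, session_user_id: int, form: dict) -> Droplet:
    """HARDENED: identity comes only from the authenticated session and the
    ownership check is made against it. A "userid" field in the form is ignored.
    "Does not exist" and "not yours" return the same error so the endpoint
    cannot be used to enumerate other tenants' droplet ids."""
    droplet = droplets.get(int(form["droplet_id"]))
    if droplet is None or droplet.owner_id != session_user_id:
        raise Forbidden("no such droplet")
    droplet.running = False
    return droplet


def idor_demo() -> tuple[bool, bool]:
    """User 2 submits a request claiming userid=1 against user 1's droplet.
    Returns (droplet 100 still running after the vulnerable handler,
             droplet 100 still running after the hardened handler)."""
    attack = {"userid": "1", "droplet_id": "100"}    # constructed malicious request

    vulnerable_state = sample_droplets()
    shutdown_trusting_hidden_field(vulnerable_state, session_user_id=2, form=attack)

    hardened_state = sample_droplets()
    try:
        shutdown_using_session(hardened_state, session_user_id=2, form=attack)
    except Forbidden:
        pass

    return vulnerable_state[100].running, hardened_state[100].running


if __name__ == "__main__":
    print("vulnerable, hardened ->", idor_demo())   # expect (False, True)
```

The fix is not to validate the hidden field better; it is to stop reading identity from the request at all. Every object operation should resolve the object and then check its owner against the session principal, which also covers the other operations listed above (restoring images, rebooting, and so on).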


I don't see why your (agreeable) sentiment about Digital Ocean affects the fact that Linode is bad at security and customer interaction. We can always avoid both.

I didn't mean to use the word "droplet," so I'm sorry for the confusion.


That's certainly your prerogative, but avoiding a provider simply based on security issues will eventually leave you with nobody to host your services. Nature of the game. You simply mitigate and plan accordingly.


Sure you can claim that getting hacked is "nature of the game" - but that's not the real issue.

The issue was with how they handled the public disclosure of the hack. Instead of immediately alerting their clients that there had been an issue (so that - as you say - people could take mitigating actions) they stalled on giving information and tried to cover up the whole fiasco. This should give people ZERO confidence in their moral integrity.

If you run a service like Linode or DO, you need to provide certain guarantees on disclosure of security failures and maybe get an external audit from time to time.
