Rackspace BlueFlood Breach

Discuss the exposure of Rackspace's global logging/metrics system. Talk about their unusual response and behavior afterwards, which led to this post.

A Sad Story:

Rackspace could have had it all. It was founded in 1998 in San Antonio, Texas, a city that years later would be home to a "second NSA" and Air Force Cyber Command and would grow into the seventh-largest city in the United States.

I don't think anyone knows exactly what went wrong.

The cloud came and passed Rackspace by. A few vendors, then half a dozen, then a dozen-plus jumped in and invested billions of dollars of capital. What had always looked like an enormous return suddenly became something bigger than the desktop computer, the mobile computer, or the IoT computers. Indeed it was "all of the computers".

Deal after deal with private equity was struck after the core organization that had built it all out was hollowed out. Managed support deals that should have been a sure thing struggled. Executives came and went. What remains is a company that doesn't seem capable of defending itself technically, composed of employees with low morale who cannot even will themselves to make excuses for what they see.

The Rackspace Breach Reporting Experience:

  • I briefly mentioned somewhere online a Rackspace data breach / issue. I wasn't sure at the time.
  • Several Rackspace cyber analysts reached out...nicely but repeatedly.
  • They keep reaching out (this is fine).
  • There were several other breaches we were triaging at the time. We get back to them 10 days later.
  • Hear nothing. Ghosts. We assume the breach was insignificant and compose an apology letter.
  • We take a second look at the breach. WOW.
  • We call and follow up the next few weeks with Rackspace. The cyber analysts are scared to come to the phone and have the junior sales reps call us back.
  • 11 different Rackspace employees view my LinkedIn. None ever respond to messages though.
"The Rackspace 11"

Production, API, Rackspace Cloud:

This breach relates to production data.
"Global.metrics" can be seen on the left and the string "Blueflood" is visible on the right.

I don't blame the Rackspace employees much at all. Something must have scared them very much internally. Perhaps they were threatened with dismissal unless they looked the other way on this? Maybe they were just really scared at such a large breach? I wish them the best nonetheless. Security is a tough job.

Administering and securing internet infrastructure is a serious job. Things, people, security, safety, privacy, power: it is all on the line. "If you see fraud and do not say fraud, you are a fraud" is a quote from Nassim Nicholas Taleb that I think about sometimes.

As I was finishing researching this post, I noticed that blueflood.io didn't auto-forward to TLS from Google. In fact, if you do try to go to the TLS endpoint, you will get an invalid-certificate error in Google. This is laziness. This is incompetence. Down with Rackspace.
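The two observations above (plaintext HTTP not redirecting to HTTPS, and the HTTPS endpoint presenting a certificate the browser rejects) are easy to reproduce without a browser. The script below is an added example, not code from the original post and not Rackspace's or Blueflood's own code. It assumes nothing about the site beyond what the post states: the hostname is whatever you pass on the command line. The classification helpers are pure functions so the logic can be checked on constructed inputs; only check_site() touches the network, and it is not run on import.

```python
"""Reproduce two checks against any host:
  1. Does GET http://<host>/ redirect to https:// on the same host?
  2. Does the certificate served on port 443 verify for that hostname?
Pure helpers (offline) + one live checker. Python 3.7+ standard library only.
"""
import http.client
import socket
import ssl
import sys
from urllib.parse import urlsplit


def classify_redirect(host, status, location):
    """Classify the response to a plaintext GET http://host/ (assumed
    labels are ours): 'redirects-to-https' for a 3xx whose Location is an
    https:// URL on the same host (or its www. variant), 'redirects-elsewhere'
    for any other 3xx, and 'no-redirect' when content is served over plaintext."""
    if not 300 <= status < 400 or not location:
        return "no-redirect"
    parts = urlsplit(location)
    if parts.scheme.lower() != "https":
        return "redirects-elsewhere"
    host = host.lower()
    target = (parts.hostname or "").lower()
    if target in (host, "www." + host) or host == "www." + target:
        return "redirects-to-https"
    return "redirects-elsewhere"


def san_matches_host(san_names, host):
    """RFC 6125-style matching of a hostname against dNSName SAN entries.
    Exact (case-insensitive) match, or a wildcard whose '*' is the whole
    left-most label: '*.example.com' covers 'api.example.com' but neither
    'example.com' nor 'a.b.example.com'."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix):
                prefix = host[: -len(suffix)]
                if prefix and "." not in prefix:
                    return True
    return False


def cert_san_names(cert):
    """Extract dNSName entries from the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_site(host, timeout=5.0):
    """Live check (network). Returns {'http': ..., 'tls': ..., 'san': [...]}."""
    result = {"san": []}
    # 1. Plaintext request; http.client does not follow redirects, so the
    #    Location header (if any) is exactly what the server sent.
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        result["http"] = classify_redirect(host, resp.status, resp.getheader("Location"))
        conn.close()
    except OSError as exc:
        result["http"] = "unreachable: %s" % exc
    # 2. TLS handshake with the default context: chain validation plus
    #    hostname check, the same verification a browser performs.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["san"] = cert_san_names(tls.getpeercert())
        # Verified by the context already; re-check explicitly for the report.
        result["tls"] = ("valid-certificate" if san_matches_host(result["san"], host)
                         else "certificate-hostname-mismatch")
    except ssl.SSLCertVerificationError as exc:  # must precede OSError
        result["tls"] = "invalid-certificate: %s" % exc.verify_message
    except OSError as exc:
        result["tls"] = "unreachable: %s" % exc
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s <hostname> [<hostname> ...]" % sys.argv[0])
    for h in sys.argv[1:]:
        print(h, check_site(h))
```

Run it as `python3 check_site.py blueflood.io` (the file name is an assumption). A healthy deployment reports `redirects-to-https` and `valid-certificate`; a site matching the post's description reports `no-redirect` and an `invalid-certificate:` line carrying OpenSSL's reason, typically a hostname mismatch or an untrusted chain. Note that the default context validates against the system trust store, so results can differ from a browser's on a machine with a non-standard CA bundle.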