teoruiz · April 23, 2012 16:14
diff --git a/security_notice_rackspace_cloud_servers.txt b/security_notice_rackspace_cloud_servers.txt
 We are writing to close communication on the migration notice previously sent
 to you, and to provide you more information about the reasons it was necessary.
 We know that migrations can be inconvenient, and we thank you for your
 patience. Now that the migrations are complete, there is nothing more that you
 need to do regarding this issue.

 When we announced the recent migrations, we explained that such measures are
 periodically required to promote the stability, performance, security, and
 feature-richness of our Cloud Servers platform. We were not able to share more
 information at the time, without putting you and other customers at risk. Now
 that the migrations have been completed, however, we want to provide you with
 the transparency that you expect from Rackspace. We now can tell you the timing
 of the migrations was driven by the need to fix a potential security issue.

 We discovered the issue in collaboration with an independent I.T. security
 consulting firm, which conducted penetration testing on our Cloud Servers
 product. After spinning up several servers, the security consultants used
 forensic techniques to examine the underlying physical disk. They discovered
 that, in certain use cases, random fragments of temporarily stored data could
 be left behind on the physical disk.

 This potential vulnerability applied only to Cloud Servers customers using our
 implementation of the XenClassic hypervisor. Not affected were Linux customers
 using our XenServer platform, or Windows Cloud Server customers. Also not
 affected were customers using our Cloud Files, Cloud Sites, or email products.

 In repairing this vulnerability, we have ensured that all data is wiped
 effectively whenever a customer vacates hard-drive space on a host machine. And
 through the migration that you and other customers have completed, we have
 cleaned up all fragments of remnant data. The security consulting firm that
 discovered this issue has performed follow-up testing and has found no remnant
 data on either our legacy Cloud Servers environment or our new Next Generation
 Cloud, powered by OpenStack.

 We know of no case of customer data being seen or exploited in any way by any
 unauthorized party.

 One reason is that the remnant data could not have been seen through normal use
 of cloud servers, but would have had to be sought, using forensic techniques.
 It was not possible for anyone to specifically target a particular customer
 through this vulnerability, given the random and fragmented nature of the
 remnant data. Customers who encrypted sensitive data on their cloud servers
 would have faced no risk of exposure.

 If we had made this issue public earlier, we could have opened the door for a
 malicious user to exploit the vulnerability. For that reason, we decided to
 keep information about the vulnerability on a need-to-know basis within our
 company ? until now, when the issue has been fully resolved.

 Dealing with security issues is a constant in any type of computing, whether at
 a government agency like the Pentagon, in a corporate data center, or at a
 cloud-hosting provider. At Rackspace, we work to provide you with the safest,
 most-stable environment possible. We regularly consult with independent
 security consultants. We employ a large and growing staff of security
 specialists and IT engineers. We are proud of their work in repairing this
 vulnerability, and grateful for your patience.

 Now that the migrations are complete, there is nothing more that you need to do
 regarding this issue. But if you have questions, please reach out to your
 support team. We are here to serve you.
	We are writing to close communication on the migration notice previously sent
	to you, and to provide you more information about the reasons it was necessary.
	We know that migrations can be inconvenient, and we thank you for your
	patience. Now that the migrations are complete, there is nothing more that you
	need to do regarding this issue.

	When we announced the recent migrations, we explained that such measures are
	periodically required to promote the stability, performance, security, and
	feature-richness of our Cloud Servers platform. We were not able to share more
	information at the time, without putting you and other customers at risk. Now
	that the migrations have been completed, however, we want to provide you with
	the transparency that you expect from Rackspace. We now can tell you the timing
	of the migrations was driven by the need to fix a potential security issue.

	We discovered the issue in collaboration with an independent I.T. security
	consulting firm, which conducted penetration testing on our Cloud Servers
	product. After spinning up several servers, the security consultants used
	forensic techniques to examine the underlying physical disk. They discovered
	that, in certain use cases, random fragments of temporarily stored data could
	be left behind on the physical disk.

	This potential vulnerability applied only to Cloud Servers customers using our
	implementation of the XenClassic hypervisor. Not affected were Linux customers
	using our XenServer platform, or Windows Cloud Server customers. Also not
	affected were customers using our Cloud Files, Cloud Sites, or email products.

	In repairing this vulnerability, we have ensured that all data is wiped
	effectively whenever a customer vacates hard-drive space on a host machine. And
	through the migration that you and other customers have completed, we have
	cleaned up all fragments of remnant data. The security consulting firm that
	discovered this issue has performed follow-up testing and has found no remnant
	data on either our legacy Cloud Servers environment or our new Next Generation
	Cloud, powered by OpenStack.

	We know of no case of customer data being seen or exploited in any way by any
	unauthorized party.

	One reason is that the remnant data could not have been seen through normal use
	of cloud servers, but would have had to be sought, using forensic techniques.
	It was not possible for anyone to specifically target a particular customer
	through this vulnerability, given the random and fragmented nature of the
	remnant data. Customers who encrypted sensitive data on their cloud servers
	would have faced no risk of exposure.

	If we had made this issue public earlier, we could have opened the door for a
	malicious user to exploit the vulnerability. For that reason, we decided to
	keep information about the vulnerability on a need-to-know basis within our
	company ? until now, when the issue has been fully resolved.

	Dealing with security issues is a constant in any type of computing, whether at
	a government agency like the Pentagon, in a corporate data center, or at a
	cloud-hosting provider. At Rackspace, we work to provide you with the safest,
	most-stable environment possible. We regularly consult with independent
	security consultants. We employ a large and growing staff of security
	specialists and IT engineers. We are proud of their work in repairing this
	vulnerability, and grateful for your patience.

	Now that the migrations are complete, there is nothing more that you need to do
	regarding this issue. But if you have questions, please reach out to your
	support team. We are here to serve you.