Security notice from Rackspace regarding last week's mandatory Cloud Server migrations
We are writing to close communication on the migration notice previously sent
to you, and to provide you more information about the reasons it was necessary.
We know that migrations can be inconvenient, and we thank you for your
patience. Now that the migrations are complete, there is nothing more that you
need to do regarding this issue.
When we announced the recent migrations, we explained that such measures are
periodically required to promote the stability, performance, security, and
feature-richness of our Cloud Servers platform. We were not able to share more
information at the time, without putting you and other customers at risk. Now
that the migrations have been completed, however, we want to provide you with
the transparency that you expect from Rackspace. We now can tell you the timing
of the migrations was driven by the need to fix a potential security issue.
We discovered the issue in collaboration with an independent I.T. security
consulting firm, which conducted penetration testing on our Cloud Servers
product. After spinning up several servers, the security consultants used
forensic techniques to examine the underlying physical disk. They discovered
that, in certain use cases, random fragments of temporarily stored data could
be left behind on the physical disk.
This potential vulnerability applied only to Cloud Servers customers using our
implementation of the XenClassic hypervisor. Not affected were Linux customers
using our XenServer platform, or Windows Cloud Server customers. Also not
affected were customers using our Cloud Files, Cloud Sites, or email products.
In repairing this vulnerability, we have ensured that all data is wiped
effectively whenever a customer vacates hard-drive space on a host machine. And
through the migration that you and other customers have completed, we have
cleaned up all fragments of remnant data. The security consulting firm that
discovered this issue has performed follow-up testing and has found no remnant
data on either our legacy Cloud Servers environment or our new Next Generation
Cloud, powered by OpenStack.
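The two checks described above, examining a freshly provisioned disk for fragments left by a previous tenant and confirming that vacated blocks are actually zeroed, can be reproduced by a tenant on their own volume. The following is an added example, not tooling from Rackspace or from the consulting firm. It scans a disk image block by block, reports every block that is not all zeros together with its entropy and a short preview, then zero-fills and read-verifies those blocks. The disk image, its 4 KiB block size and the two planted fragments are constructed for the demonstration; the device path in the usage note is hypothetical.

```python
"""Detect and wipe remnant data on a block device or raw disk image.

Added example: not the tooling used by Rackspace or its security
consultants. The sample image and the fragments planted in it are
constructed here so the script runs offline.
"""
import math
import os
import tempfile

BLOCK_SIZE = 4096  # assumed block size; match the device's logical block size


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~0 for zero padding, ~8 for random or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_for_remnants(path: str, block_size: int = BLOCK_SIZE):
    """Return (offset, entropy, preview) for every block that is not all zeros.

    A freshly allocated volume should come back empty. Any hit is data the
    hypervisor did not wipe when the previous owner vacated the space.
    """
    remnants = []
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block_size)
            if not chunk:
                break
            if any(chunk):  # at least one non-zero byte in this block
                preview = chunk.strip(b"\x00")[:32]
                remnants.append((offset, round(shannon_entropy(chunk), 2), preview))
            offset += len(chunk)
    return remnants


def wipe_region(path: str, offset: int, length: int,
                block_size: int = BLOCK_SIZE) -> bool:
    """Zero-fill [offset, offset + length), fsync, then read back to verify.

    The read-back is the point: a wipe that is not verified is the failure
    mode the notice describes.
    """
    with open(path, "r+b") as f:
        f.seek(offset)
        remaining = length
        while remaining:
            n = min(block_size, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
        f.seek(offset)
        return f.read(length) == b"\x00" * length


def make_constructed_image(size_blocks: int = 64) -> str:
    """Constructed sample: a zeroed 'disk' with two fragments of old tenant data."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    with open(path, "wb") as f:
        f.truncate(size_blocks * BLOCK_SIZE)
    fragments = {
        # text-like fragment at the start of block 5 (constructed, not a real key)
        5 * BLOCK_SIZE: b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...",
        # binary-looking fragment starting 100 bytes into block 40
        40 * BLOCK_SIZE + 100: bytes(range(256)) * 4,
    }
    with open(path, "r+b") as f:
        for off, data in fragments.items():
            f.seek(off)
            f.write(data)
    return path


def demo():
    """Scan, wipe every hit, rescan. Returns (remnants_before, remnants_after)."""
    path = make_constructed_image()
    try:
        before = scan_for_remnants(path)
        for off, _, _ in before:
            wipe_region(path, off, BLOCK_SIZE)
        after = scan_for_remnants(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for off, ent, preview in before:
        print(f"remnant at 0x{off:x} entropy={ent} preview={preview!r}")
    print("clean after wipe:", after == [])
```

On a real tenant, `scan_for_remnants("/dev/xvdb")` (hypothetical device name) run as root against a newly attached, not yet formatted volume is the check; it reads the whole device, so expect it to take a while on large volumes. Two caveats: a block that is all zeros is not proof of a wipe (a sparse or thin-provisioned volume reads as zeros without any block ever having been written), and high-entropy hits may be a previous tenant's encrypted data, which is exactly why the notice says customers who encrypted sensitive data faced no exposure.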
We know of no case of customer data being seen or exploited in any way by any
unauthorized party.
One reason is that the remnant data could not have been seen through normal use
of cloud servers, but would have had to be sought, using forensic techniques.
It was not possible for anyone to specifically target a particular customer
through this vulnerability, given the random and fragmented nature of the
remnant data. Customers who encrypted sensitive data on their cloud servers
would have faced no risk of exposure.
If we had made this issue public earlier, we could have opened the door for a
malicious user to exploit the vulnerability. For that reason, we decided to
keep information about the vulnerability on a need-to-know basis within our
company until now, when the issue has been fully resolved.
Dealing with security issues is a constant in any type of computing, whether at
a government agency like the Pentagon, in a corporate data center, or at a
cloud-hosting provider. At Rackspace, we work to provide you with the safest,
most-stable environment possible. We regularly consult with independent
security consultants. We employ a large and growing staff of security
specialists and IT engineers. We are proud of their work in repairing this
vulnerability, and grateful for your patience.
Now that the migrations are complete, there is nothing more that you need to do
regarding this issue. But if you have questions, please reach out to your
support team. We are here to serve you.