zeno_lee asks:
"How do people deal with situations like this? Recently, we were cracked because our ISP failed to patch known security holes. They now want us to pay for them to patch up the holes. We are a bunch of dedicated volunteers who run a community web site we are developing using Apache/PHP/MySQL. The volunteers have nothing to gain except the rewards of bringing a national community together. We were cracked twice within 1 week of going live on the site. We are getting service from CommuniTech, who rent us a Cobalt Raq3 server. Part of the reason to go with a dedicated server from an ISP is to outsource system administration. No one amongst us is a full time computer security officer."
One would think that when you pay for system administration, security would be part of the deal. Looking at their FAQ, they give the impression that their servers are secure, so you'd think they would do something as simple as apply patches. Also, there is no mention of any extra charges for security on their pricing page, so does CommuniTech have any sensible reason for charging extra?
"We were cracked first within 5 days of our site going live. After paying communitech.net $62.50 for reinstalling the OS, it was cracked just 24 hours later. After speaking with Cobalt, they told us that our ISP, communitech.net, failed to patch up well publicized security holes on the Raq3. Acknowledging their failure, Communitech is not charging us for reinstalling the OS, but they are charging us $125 for someone to patch up the security hole. How blatantly unfair is that? I wanted the Slashdot community to be aware of the practices of such companies and see if others have had similar experiences and how they dealt with those situations.
We signed a 6 month contract, and we need options and strategies. What are the possible options we have? We just want a website running, we don't need to deal with all this bull."
I may have missed something, but I didn't see 1 word regarding that communitech is responsible for the server. What often happens is that the customer doesn't realize that they are responsible for the server, COMPLETELY responsible. I work for a webhosting company that uses the POS RaQx, and the dedicated customers are responsible for the machine, not us. We do offer Managed service also, for which we are completely responsible. So, in the end, don't get a server if you don't know how to administer it AND DON'T USE THE RAQx, they are horrendous.
I had a shared account with them, and they advertised "unlimited bandwidth" - as soon as I got over 2GB a day, they cut me off. I asked them why, and they said because I had violated their terms of service by placing zip files on the server. This is a complete load of crud because that was NOT in their terms of service! After I pointed this out to them, that they were full of it and placing requirements that were not there originally, they added it to their terms of service and left me kicked off. I think they have full time forum moderators, as when I was with them, in their now "private" support forums, every other post was a technical problem and every OTHER post was a problem with communitech imposing restrictions that weren't there to begin with. It's a sorry hosting company where you're punished for having traffic.
Another thing I may mention is their supposedly "private" reseller plan. When I was with them, they basically disclosed to all their resold accounts (IE: accounts sold by their resellers w/out the end customer knowing it was through communitech) that their current "host" was just a reseller for communitech, and that they could get better prices dealing directly with communitech.
Unfortunately, most hosts I've dealt with have similar problems. I had a good experience with I-Interactive, but then one day they stopped responding to my technical requests, the server came down for a while, then came back up. Apparently they had sold their business and now it's a joke...
This is clearly a dedicated server, not a managed server. Communitech shouldn't be charging you for patches, that's supposed to be taken care of when you take possession of the machine. It's their fault it was compromised again, and they need to get their head out into the open air before they lose a customer. However, if it's a dedicated server, you're on your own after that. If you want someone to manage the security of your box, you get to pay for that. It's called managed services and it likely results in you losing root access to the machine -- or in my case signing a form that says I have root, but if I screw the machine up, I pay. All these comments about "all hosting providers suck" are hogwash. There are *tons* of well run companies that ask "how high?" when you yell JUMP. I host with a smallish outfit in Detroit. (Developers Choice). They manage my machine and have paged me to let me know they're applying patches and inside the box. Sheepishly, I admit I installed a stupid postcard script for a virtual host I have and it was vulnerable and the box was compromised. They knew about it, shut the intruders out, called me on my cell phone to ask what I wanted to do about it. They had the box restored in a couple hours and fixed the script. They sent me a bill with a letter from their muckety muck explaining security precautions (even though it was a bit condescending, I appreciated the tips). If you want service, it's out there. You're just not going to find it for free.
In cobalt's defense they have done a lot of work on their GUI management tools. They don't just throw a pile of hardware and open source software together and resell it. They do add a lot of value to their systems, and don't seriously over charge for it.
Brad - the question is about RaQ 3 from Cobalt..
When was the last time you heard that Cobalt runs on Windows? It only runs Linux, and their new ones run on Solaris.
Of course - you can grab such a machine and slap Windows NT/2000 on it, but what's the point?
Hetz (Heunique)
From my experience - you'll find with Apache a MUCH more responsive answer, instructions for a workaround - and most of the time - a patch WITHIN a few hours...
With MS stuff (and I had the "pleasure" to be in that situation) - first they argue with you that you are wrong, and it doesn't exist, then when they are convinced that there is something true in what you say - their workaround is ...funny ("disable Java on your clients"), and most of the time the patches come after a few days at minimum, and even when they issue a patch, they're not checking it well (service pack 6 on Win NT, anyone? or the latest security fix which won't apply on many machines...)
Sorry, but MS still doesn't "get it" on security in my book.
Hetz (Heunique)
A website is cracked.
A cipher is cryptanalyzed.
--
Xenu loves you!
Really? This must be something limited to the RaQ3's then. On my Cobalt RaQ4r, by default, the CGI's are run under CGIWrap and get setuid to the person that owns the scripts.. i.e. the site owner usually.
Exodus is a fucking pain in the ass. Don't even bother. You'd think if you're building 1000 sqft of space you'd get some respect? Hardly. They screw up everything, refuse to fix it, tell you you ordered it wrong, and go to great lengths to tell you how much better they are than the competition and how most of the people working there have their MCSE. I couldn't contain myself after that. I've got 3 other colo spaces with 3 other providers. Exodus is the worst. Overpriced idiots.
kashani
- Why is the ninja... so deadly?
From what I've seen of Rackspace from talking to sales and support, they are very concerned about being the best at what they do. But they don't do what you want them to do; you wanted someone else to do administration and security for you.
I would probably just go with Debian and a managed hosting solution (like Rackspace) and then ask someone who is very knowledgeable about security to lock down your site. You won't need new security administration until you upgrade to the next Debian version. Don't forget to subscribe to debian-security-announce, too.
I'm sorry, but it costs money to have someone maintain security. And this CT company ain't willing to give away what skills they have. Though it doesn't sound like they play a fair ball game.
Ciao!
The Doctor What (KF6VNC)
Disclaimer: I'm on Rackspace's payroll, I'm a Linux developer, and I really like it. I'm not speaking as a representative of Rackspace in anyway, shape, or form... just an employee who takes pride in his company.
Rackspace may be fine today, I don't know. But it wasn't that long ago that almost all of their servers were vulnerable to Bind NXT attacks.
I guess it's all relative, but I believe that was back in late January... and the bind NXT hole was eventually plugged up on every server where the customer allowed us to do the upgrade for him/her. Since this was a major remote exploit, we ended up with a bunch of folks working overtime to perform the upgrades. Any server you see vulnerable now (at least on the Linux side) has a customer that has been informed of the risks but chosen not to upgrade or let us upgrade for whatever reason.
I sent them email on it and got no response at all.
Where'd you send it? I'd be highly interested in finding out where the break down was... I certainly don't want us to get a rep for ignoring folks who are trying to be helpful.
Thanks for trying to give us a heads up, though.
Well, you're making an assumption that it isn't. In my experience contracts range all over the place, what's true for ISP A isn't necessarily true for ISP B.
They really need to seek legal counsel and have them review the contract. Their obligations should be spelled out in there, although the ramifications of the specific legalese require a lawyer to interpret. (grumble)
Moof!
Since it seems like someone actually found this interesting, I thought I'd go ahead and post the actual link to the google service (AdWords.) Of course, clicking through, in their estimate of how much it would cost to attach your banner to the "communitech" keyword, it would appear that no one actually searches for communitech so maybe this isn't such a hot idea :) Still, especially if very few people search for communitech, this is a low-cost way to get your point across.
~luge
IAAL,BIANLY
buy one of those cheap ad banners on google and set it to come up every time someone searches "communitech." Have it link to a page where you've collected a list of your problems (and hopefully the problems of others, to give it more credibility.) Make it look very professional; avoid getting personal; etc., and pretty soon you'll have solutions.
IAAL,BIANLY
From http://www.communitech.net/hosting/virtual/plans/unix.cgi:
These people are obviously ignorant of Sun's own history. Sun caught on in the 1980s--not because it was the most stable, not because it was the most secure, but because Sun's software was the most open. Sun's success in the 1980s and early 1990s can be mainly attributed to the fact that they opened up the code for NFS, the code for the XV windowing toolkit, and the code for the RPC library.
NFS was, and still is a joke, compared to better systems like AFS. However, the popularity of PC-compatible hardware shows that it is not the best that wins in the computing marketplace, but the cheapest and most open.
The statistics prove this: Linux is gaining market share. Solaris is losing market share.
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
...is not due to Sun open sourcing their toolkits for NFS and XV and such; it's due to that fact that they all but give the OS away with their servers. And SUN servers, frankly, kick ass, which is why they sell so many of them.
This space for rent. Call 1-800-STEAK4U
When you lease a dedicated server, you're getting a box and the root password, on a network of some sort, plugged into some power.
As far as the rest, bail on the contract, tell your credit card company to stop payments to them, and go find someone else. Colocation services, really, are a dime a dozen, like dialup ISP's were a few years ago. Of course, that assumes you can move. You didn't set up your DNS so that they are responsible for your domain, too, did you?
This space for rent. Call 1-800-STEAK4U
A few words of advice. Read your contract..... If you have any hope of getting it done for free, it's gonna be in the contract. Don't forget the ISP has to pay someone to patch your box as well... Personally I think that System/OS maintenance is part of the dedicated services, but feelings play no role in business.....
-ZiN-
This is my biggest fear about Debian. I use it all the time (it's the only distro I'll use for pretty much anything), but there are easy, EASY pitfalls to fall into.
First of all, NEVER cron apt-get dist-upgrade. Cron apt-get update, if you want, but that's kind of a waste of bandwidth if you're not updating every day. I've had things like SSH break totally because the SSH maintainer f**cked up the packages (this is not, in fact, uncommon; ssh breaks more than any other package I've ever installed) - cronning it will pretty much ensure that if ssh goes to hell, no one is logged in to fix it, and you will need to talk to tech support and get them to log in via console (assuming, of course, they can do so), since you won't have telnet installed (I hope I hope).
Secondly, don't assume that just because you run dist-upgrade, you're secure. Go to the Debian Documentation Project and read the Securing Debian Manual. While you're there, read the Debian System Administrator's Manual and the Debian Network Administrator's Manual. Debian may be awesome in most respects, but Potato (2.2) comes with a general setup, not a secure one (though it could certainly be worse).
Debian's pitfall is users assuming that all is well in all cases. This is not true. You need to be just as vigilant with Debian as with other distributions; the difference, however, is that when something needs to be done in Debian, it's usually easier and faster to do. You still need to be on guard; check conf files after debconf creates them, make sure and set passwords on things like mysql, and be wary of the unstable branch (use testing instead), and things should work out for you.
Debian saves you time, but never think it does everything, or you will be rooted faster than RH5.2 on a default install.
~Sentry21~
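One way to keep the cron job that Sentry21 warns about from locking you out, as an added example (not code from the post above and not a Debian tool): simulate the dist-upgrade with `apt-get -s`, and only proceed unattended when none of the pending packages is one whose breakage would cut off remote access. The critical-package list and the sample simulation output are assumptions constructed here.

```shell
#!/bin/sh
# Added example: a cron-safe wrapper that simulates "apt-get dist-upgrade"
# and refuses to run it unattended when a package that could lock an admin
# out of a remote box is pending. The package list and the sample output
# below are assumptions, not Debian's own defaults.

# Packages an unattended upgrade must never touch on a remote server:
# if sshd, libc or PAM break at 3am, nobody is logged in to repair it.
CRITICAL_PKGS="ssh libc6 libpam0g"

# "apt-get -s dist-upgrade" prints one "Inst <pkg> [<old>] (<new> ...)"
# line per package it would upgrade; extract the package names.
pending_upgrades() {
    awk '$1 == "Inst" { print $2 }' "$1"
}

# Subset of the pending upgrades whose names appear in CRITICAL_PKGS.
critical_pending() {
    pending_upgrades "$1" | awk -v list="$CRITICAL_PKGS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) crit[a[i]] = 1 }
        ($1 in crit) { print $1 }'
}

# Exit status 0: cron may apply the upgrades unattended.
# Exit status 1: a critical package is pending; a human applies it from a
# live session, so a broken package can be repaired on the spot.
upgrade_decision() {
    [ -z "$(critical_pending "$1")" ]
}

# Constructed sample of simulation output (versions and archive label are
# made up). A real cron job would produce it with:
#   apt-get -qq update && apt-get -s dist-upgrade > "$SIM"
SIM="${TMPDIR:-/tmp}/apt-sim.$$"
cat > "$SIM" <<'EOF'
Reading Package Lists...
Building Dependency Tree...
Inst apache [1.0-1] (1.0-2 Debian-Security:2.2/stable)
Inst ssh [1.0-1] (1.0-3 Debian-Security:2.2/stable)
Inst bind [1.0-4] (1.0-5 Debian-Security:2.2/stable)
Conf apache (1.0-2 Debian-Security:2.2/stable)
EOF

# Stand-alone run: report what the cron job would do with the sample.
if upgrade_decision "$SIM"; then
    echo "no critical packages pending; safe to run: apt-get -y dist-upgrade"
else
    echo "critical package(s) pending; apply by hand from an open session:"
    critical_pending "$SIM" | sed 's/^/  /'
fi
```

In the "critical pending" case the cron job should mail the list to the admin rather than upgrade, which is what the post's advice amounts to in practice.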
Obviously you didn't read the last paragraph since "6 month contract" is pretty clear.
Because they were signed a contract for X months of service - and can't just back out without having to pay out that contract, most likely.
--Dg
While I agree that they're a bunch of incompetent idiots for not including security updates as part of the base service, both for customer goodwill and for the numerous problems that can arise from having hosts on your network that are script-kiddie-bait, I have to point out that people also should be free to sign contracts with incompetent idiots if they choose, and businesses should be free to contract to provide piss-poor service.
It's the nature of a free country and a free economy; people have to be free to pay other people to do stupid things, as long as those stupid things are what was agreed to.
The host didn't say in their contract that they would keep up the patches, so the customer's legitimate bitch is pretty narrow.
Next time, they should make sure this is included in the contract, and not do business with anybody who won't.
On the other hand, you will *NOT* find a contract that assumes responsibility for keeping the systems secure; no company in their right mind would agree to that. What they will do is agree to keep up with the latest patches from the OS vendor in a timely manner. "In a timely manner" of course would be expected to be fought out in court after the fact.
Oh; and while I am a highly-paid information security professional with a Fortune 500 company, I am not now, nor have I ever been, an attorney.
-
I'm feeling generous today, so it's time to feed a lonely old troll...
What APACHE cracked? How come when an apache server is cracked, the slashdot crowd says "who were these idiots who can't apply patches!" but when an IIS server is cracked and people say "they haven't applied the patches, clueless admins!" those folks get either flamed or modded into oblivion? The double standard is really getting old and the reason I don't read /. very often anymore...
1. There is no "Slashdot crowd". We all disagree, many times vehemently, on just about every topic you can imagine. Closed vs. open source, Linux vs. xBSD, KDE vs. GNOME, Perl vs. python, mySQL vs. postgreSQL; you name it, at least half a dozen flamewars on /. have occurred over it.
2. You can't even come up with a compelling rant; where is the double standard here? Using your own words...
Apache: when an apache server is cracked, the slashdot crowd says "who were these idiots who can't apply patches!"
IIS: when an IIS server is cracked and people say "they haven't applied the patches, clueless admins!"
It seems to me that your rhetorical "Slashdot crowd" is saying that it's the admin's fault in both cases.
3. If /. is so painful for you to read, leave. You're only wasting your time and ours posting mindless gripes. But then again, that's the only thing a good troll does anymore...
Jay (=
I will be the first to say that that is NOT RH. It uses rpm, but that's about where it stops.
I've recently been doing a lot of sysadmin work on Raq 3's, and it is a completely different layout than I find on a RH box (still Unix, yes, but RH-like, you're really pushing it)
yes, but how many people in the world actually check with the better business bureau prior to making a purchase? .01%? .1%?
They're basically a useless bunch of people, attempting to keep themselves in business through collecting dues... "well, if you don't pay us our dues, we can't say that you're a member and if anyone calls asking we'll say that you refused membership"... it's almost blackmail, given their reputation...
The problem with having your remote box doing apt-get updates via cron is you end up breaking shit all the time without realizing it. More than once the latest and greatest package has its own set of bugs you just unknowingly stuck on your box. Stick with an older heavily patched version of a daemon that is well documented. Switching to new code constantly is only going to open up security holes you don't know about.
I'm a loner Dottie, a Rebel.
It's been my experience that few webhosting providers will take any responsibility or initiative in protecting their customers. Managed hosting, however, seems to imply that the "manager" would be responsible for maintaining a secure server. Kind of like a Mailboxes, Etc. remaining responsible for theft of mail from a rented drop box...
The answer I have won't help if you're already stuck in a six-month contract - the contract needs to spell out who is responsible for applying patches, and what the timeline for applying those patches should be, among other things (turnaround time for a request to add an account to a server would be another sticky point for "managed hosting.")
If it's just a co-located box, you're SOL.
Specialization is for insects. - R.A.H.
Be that as it may, you also have to realize that this happened once before already. Is it so unreasonable for them to fix a security hole once the server has been hacked using it?
No, this sounds like a case of a business actually trying to screw the customer by double-charging--charging for reinstalling the OS and charging for applying a security patch, and one that really wouldn't take much time anyway.
But the main point is, even if they don't promise security or anything, I disagree with some of your statements. Maybe it is reasonable for them to reinstall the OS for a charge. But then on top of that demanding a charge to patch the security hole is absurd.
Don't go with 9netave.ca (or 9netweb.ca, or whatever they're calling themselves this week)
They moved my site to concentric networks, which makes me log in to www.xo.com to service my space.
When I wanted to cancel it, I sent email to them (xo), then had to send it to cnchost.com, then to 9netave, who then told me to call a local number. They told me to email w3corp.com. This was a month ago.
As of today, it's still all up and running. Morons.
Pope
Freedom is Slavery! Ignorance is Strength! Monopolies offer Choice!
It doesn't mean much now, it's built for the future.
They've got some great music on their sales line. Ask a sales rep some hard questions :)
Love to get some recommendations for larger co-lo/dedicated spots, cheap bandwidth is a must. Have also been following http://www.cogentco.com/, seems too cheap to be true... Anyone with experience? AZ
Found the same thing... Their bandwidth pricing alone is incredible...
Call (816) 300-4678 and ask to speak to dedicated support. You'll get a sense of their hold times. Then ask them a few innocent questions about how secure their stuff is, and be reassured when they answer all is taken care of. Then stop and think, and then laugh like a maniac :)
Their quickserv pricing is a joke. Their overusage charge runs OVER $8 per GB. That is ridiculous frankly, we push a couple thousand GBs a month and would be quickly broke at that rate. A good place should hit $3/gb or $2/gb, they are FOUR TIMES more expensive.
Take a look at any place like rackspace.com or dellhost.com, or maxim.net.
Maxim.net charges $250 mbit == 320GB a month or 10GB a day. Let's say we push above 4mbits. At maxim that's gonna cost $1000.
At pair that 1200GB is gonna be much more expensive. Reduce it to 1000GB/month because of the 60GB a month they give you. Then you have an overage of 33GB a day which costs $8250!
For us, this decision is trivial. I'll take that $7,000 a month or $84,000 a year any day.
Now, the hardware they give you doesn't even come close to the hardware dellhost would give you for the same price, and if you ARE lower bandwidth dellhost includes a gig or two free every day as well.
Then ask whether you have full access to your box including easy 24x7 reboot in 5 minutes or less. Dell provides that at a much lower cost.
In fact, I can see almost NO price point and NO usage pattern that makes pair quickserves a good deal. That is surprising for any hosting company, and especially pathetic at pair because we were with them for a long time.
Finally, when you call them up to get some quickservers setup, you'll find that instead of next day provisioning you get at a place like dellhost.com, you'll get a who knows, especially for an order of more than one server (we run 4 dual CPUs and a quad xeon with 2g of ram plus a single PIII for admin.)
I'm surprised they have any business whatsoever, but I suspect most of the new .coms never do any business planning in the first place, so don't have a clue what costs should be.
I'll respectfully disagree with your very very cheap description. More like incredible ripoffs to idiots silly enough to fall for it.
Unlimited bandwidth = joke. Call them, tell them you'll be hosting a huge file archive and expect to push 1,000GB a month per server minimum, for that $200 monthly cost. Laugh while they root around and discover the magic document that turns unlimited into super limited and we can cut you off without notice just as you become popular.
Uptime promises = joke, even if they are in writing. Usually they claim it was an outside problem even if THEIR router failed, and the amount you get if they break their SLA is pathetic.
Security is a joke. Our current Top 5 dedicated hosting provider allows easy access to all customer accounts, and I mean easy, no hacking, no passwords, nothing. It's so easy it's not even newsworthy. I like it because I never have to logon, passwords are a pain. And they have yet to patch a security hole either.
Don't sign super long contracts. Rackspace charges an arm and a leg and are doing great. Why? One reason is they go month by month, they've got an incentive to keep you, and I suspect it makes a difference.
Anyone find a really good and cheap dedicated hosting provider? I'd love a place where we could buy our own set of 10 servers, and just pay for the space and the bandwidth, and have it be cheap. With a proper telephone remote-reboot, we could do everything else ourselves, which we already have to do because the emergency support are basically script readers in Kajikastan I think.
Rackspace may be fine today, I don't know. But it wasn't that long ago that almost all of their servers were vulnerable to Bind NXT attacks.
:)
I sent them email on it and got no response at all.
So basically, because of that I wouldn't be surprised if they really are just as clueless as Communitech, just bigger
This is one for lawyers. It all boils down to the contract.
The best outcome would probably be for you to find out that they probably breached the contract by demanding more money for something that is part of 'administration' and simply get a pro-rated refund, and move your service elsewhere.
posting a very negative comment about them on Slashdot, where tons of sysadmins and web developers hang out? The negative publicity should more than make up for any profit they get from slacking off... Oh, wait...
A friend of mine runs several personal websites. He does not charge users money for using his sites, and therefore only relies on ad revenue (and we know how that can be these days). He used to use Web2010.com until a couple of his sites got popular enough to warrant Web2010 to give him the "you're using too much bandwidth" excuse for asking him to move to another hosting plan. Even though his plan was advertised as "unlimited bandwidth". Web2010.com did a nice thing in retrospect to the fact that they "lied" in their advertisements. They provided him with 90 days to move the site to another hosting plan with them. He chose to move to a dedicated server...on another host. This is where Rackspace came in to play. They set his box up and contacted him to give him the info he needed. He tried to log in to it, nothing. They wanted to charge him to fix the problem! After a day of calls, they fixed it without charge. Then, they had set PERL up on the box, but had done something wrong and none of his PERL scripts would run. Again, they wanted to charge him! There were several other situations like this and he finally got things worked out and the sites are operating just fine. It's a shame he stayed with them, IMO, because it didn't drive home the point that the company was treating him badly. I can agree with some of the readers here that the website owners shouldn't expect too much, the FAQ and other info I read doesn't indicate any responsibility, but I am really aggravated by the number of companies that won't take the time to own up to some things. If they knew of the problem and offered to reinstall the OS for a charge, they should have at least patched those holes when they did that. To let them get hacked again, try to charge them for the OS installation again, and then try to charge them for fixing the security hole(s) is just plain wrong. I wish I could recommend another host/provider, but I can't even recommend the only one I've ever had experience with.
Good luck!
Dump communitech and go with Rackspace.com. I was researching places like this awhile back for a little project I was working on, and I only heard good things about rackspace.com. Standard bandwidth is 10GB/mo, but for $120 more, you get 75GB/mo. Even their crappiest intel box is better than a Raq3 (they provide those also though).
Need Free Juniper/NetScreen Support? JuniperForum
"CommuniTech.Net extends a 30-day unconditional cancellation guarantee to all dedicated server clients, regardless of the contract term length."
You didn't say how long you have currently been with them, but you seem to imply that you're fairly new with them, so I hope this helps!
Now, if you call the ISP and demand that they install a patch Immediately If Not Sooner, they probably charge you time & labor for this work which is essentially special attention to the box, as it breaks from the set patching schedule (which probably is part of your service agreement).
I dunno the Communitech patching and service scheme, but this seems a likely answer to the question, which is obviously coming from an upset and nervy customer.
--
Terrorists can attack freedom, but only Congress can destroy it.
I think we're missing some important info. Are the known security holes being referenced holes in the initial setup that the host is providing or are the security holes in the software that the webmasters installed on the box?
I'd absolutely expect a host to make sure whatever they provide is secure and to not charge extra to make sure their software is secure.
However if you install your own custom software onto the box, then it is your responsibility for any problems that software may cause.
That is unless the hosts somehow claimed something as stupid as "you install it, we support it!" in their contract. That is one hell of a lot of software to support.
Like many other people here I've been involved in colos for years with a few different providers. In every case that was how things worked.
-Steve Gibson
Shacknews.com
Service levels come in three flavors. :)
Managed server - Server is provided and maintained by the hosting company in question. You may or may not have root access.
Dedicated server - Server is provided, but the level of administration provided by the hosting company should be discussed. Unless requested, I would expect NO interference from the hosting company. You should always have root access.
Colocated server - Same as above, except the customer provides the server too.
Updates and patches are usually done (maybe not usually? it's usual for where I work, Site5, at least) by the hosting company anyway, without a charge.
Some things are charged for, and should be - But just keeping a system up to date (which will also keep 90% of the script kiddies at bay - I'm not implying an up-to-date system is a secure system, however) should be standard practise at all hosting providers.
What happened with CommuniTech, under any other circumstances, I would put down to miscommunication - As in, the host thought that the client wanted to handle things themselves. But CommuniTech have what I wouldn't call the best reputation.
Search for CommuniTech at Webhosting talk, and you'll see what I mean.
I need a sig.
when you said
We were cracked twice within 1 week of going live on the site... and later One would think that when you pay for system administration, that security would be part of the deal.
Your provider has a duty of care. They demonstrate that this duty or obligation [under contract] is accepted by limiting
- physical access to the servers
- requiring use of passwords and
- validating your identity before disclosing personal information
I will assume that these three standards are already met. The duty of care can be applied to the network and server security in the same manner that you would reasonably expect physical security. When the provider demonstrates that they are concerned about physical security, a standard of care is established.
a breach of the duty of care is a serious issue.
when you said:
We were cracked first within 5 days of our site going live. After paying communitech.net $62.50 for reinstalling the OS, it was cracked just 24 hours later.
This established that you did advise the provider of the problem and they do have a duty to resolve this issue. The second point is that the provider's action did not resolve the issue. If you were charged $62.50 and promised that this action would resolve the security issue then demand your money back. Any reasonable hosting provider would be pro-active in the installation of OS patches which leads to my second point of you get what you pay for.
Solutions
If you know/are a law student then standard and duty of care are discussed in Donoghue v Stevenson [1932] All ER Rep 1 (HL).
Regards Sinesurfer A Nerd is someone who lives for technology, A Geek is someone who lives for technology and loves it
"That said, the security of your box is your responsibility. It doesn't matter where your box is located or whose pipes it's connected to. "
If there was an understanding that security was to be handled by the ISP then it's NOT your responsibility. You are paying them for a service and it's their responsibility. That's what service contracts are for so you can let someone else handle the problem.
War is necrophilia.
Debian plus psionic.com.
Go to psionic.com and download their free tools. logcheck is an official potato package but portsentry is not (it's in woody). Either way you can download the tar file or the .deb from Debian and install them.
Then go to The Trinity document and do some reading.
After that you should be able to defend yourself from most attacks.
War is necrophilia.
Actually, IDC's numbers show that both Linux and Solaris have been gaining market share, at the expense of all of the other Unixes (and NOT at the expense of Windows).
One way to interpret this is that the Unix market is consolidating around Linux and Solaris.
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
Of course some responsibility needs to fall on the buyer. If someone offers you a Porsche for $29.95, you shouldn't be surprised if it is not what you expected.
Xix.
"Everything is adjustable, provided you have the right tools"
I work for an ISP that provides multiple levels of web server hosting. There's managed, where the customer has limited access on a server that they rent from us. We take full responsibility for patching the server, whichever OS they choose. If they go with the dedicated server, they have full root access. Even though they are still renting the hardware from us (which we maintain) they have to take care of patching the OS and any software on it. Then if the customer requires us to help them apply a few patches, we charge for our time.
Be nice to everyone, they out number you 6 billion to 1.
Did the contract you signed make any statements about security upgrades? I read over their FAQ and it does not lead me to believe that they would do that. To the contrary, it basically says "we're as secure as any other unix platform but a determined cracker can get in".
I've been a victim of contract assumptions in the past. Never ever ever expect a contractual partner to do something that will cost him money (in material or labor) unless it's explicitly stated.
SuperID
Free Database Hosting
"Exclusions. Maintenance and support services shall not include services for problems arising out of (a) tampering...."
SuperID
Free Database Hosting
Managed Service = Looking after the server, including applying security patches.
They purchased a sysadmin package, so that the hosting provider supplies sysadmin for the box.
So:
:)
- power outage - don't they have a backup generator? Always find out about backup electricity when co-locating.
- $850 for 2 boxes per month co-location with unlimited bandwidth - even in the UK you can pay £3100 per year (under $500 per month) for unlimited bandwidth for a box (4U or under), with a reputable provider (clara.net) who know what they are doing.
Anyway, American in store service may be great, but America doesn't match many other countries for tech support. Anyway, in a few months time when the recession bites home in America, there will be plenty of high quality techs available, and service will improve.
It all boils down to providing good managed services. The hosting company here obviously, in my opinion, faulted in its service agreement. Ensuring that their customers are well protected should be one such service they provide. More so since they're _renting_ the cobalt box and not co-locating it on behalf. Renting the box implies that they're responsible for its upkeep due to normal wear and tear.
Yeah, yeah. I saw that right after I posted it. I just had to bold it too :(
---
satire, n: 1) witty language used to convey insults or scorn; 2) a form of humor lost on most slashdot moderators.
Doesn't really suck when, even after proofing your message, you don't catch the mistake until after you post. And to do it in bold, no less :(
---
satire, n: 1) witty language used to convey insults or scorn; 2) a form of humor lost on most slashdot moderators.
Well, my previous post has an error too!
:o
Should be "Doesn't it suck.."
Oh, to correct your correction, it actually should have been "It is their responsibility..."
It's Beer Ti^H^H^H^H^H^H^HSaturday, what can I say?
---
satire, n: 1) witty language used to convey insults or scorn; 2) a form of humor lost on most slashdot moderators.
Well, they specifically said it is a dedicated server. That means that they have leased it, just like you would lease a car. Maintenance, upkeep and system administration is solely the lessor's responsibility.
Visit Cobalt's website, subscribe to Cobalt's lists, especially the announce list.
Search the user list archives and discover the unholy number of folks that have been hacked through BIND because they didn't upgrade.
The fact is, they leased it. It is their responsibility for the upkeep. It would be a different story if they leased web space, but they didn't.
Leasing a dedicated server does not absolve you of system administration, but exactly the opposite!
---
satire, n: 1) witty language used to convey insults or scorn; 2) a form of humor lost on most slashdot moderators.
Zeno Lee,
:)
It's fairly simple. Check your contract. Does it guarantee patches will be installed on build? If not, maybe it should. Escalate the issue to one of their managers; maybe you can convince them to change the policy, and once the policy is changed, you should not be charged.
I happen to work for a fairly large dedicated hosting company, and the majority of the clients that really loathe us simply don't understand the service they've signed up for.
Just because it's a dedicated server doesn't mean it's a managed server. Dedicated means it's yours; managed means they either fully manage or help to manage the server.
Personally, I think that the ISP is responsible for providing to you the RAQ3 in the most secure configuration available (i.e., with all patches installed on delivery), but once it's delivered, it becomes your responsibility unless your contract says otherwise.
On a side note, ditch the RAQ3. Cobalt is notoriously bad about providing updates on a timely basis; they didn't release a RAQ3 patch for the recent BIND exploit until three weeks after it had been published on BUGTRAQ.
I think you've already gathered some decent bargaining strength in that you have the entire slashdot community waiting for them to fix your problem. Let them know this. You should be able to get a bit more of a fair deal. Remember, the customer (especially with a lot more customers, prospective, past, or current) is always right.
Good to see you highlighted your own grammatical error for us ;)
If you want something done right, do it yourself.
I think he just did :)
Psst... remove the space between "2000" and "-June."
Sigh... even more reasons that I hadn't heard yet that Communitech sucks. I never had a problem with ZIP files (and my sites use them extensively), so I'm guessing that they just had a grudge on you and that was the best excuse they could come up with. They do that a lot. BTW, there's absolutely no way you have to pay any of that extra money just because they want you to do so. Ask them to pay you $5000. Tell them the reason, "just because" - after all, that's the reason they're demanding money from you. The only power they have over you is a) the TOS and the agreement you signed, which most certainly doesn't mention anything about additional fees that were never agreed upon, and b) they can take down your website, which they had already done, so they relinquished that power. They have no right to request that money, and you have the right to sue them (well, at least threaten that) or report them to BBB, attorney generals, etc.
BTW, if you're serious about the site dedicated to "showing the truth" behind CT (or possibly, a general site to uncover dark secrets of other bad companies) then I'll definitely join you. My CT hell ended over a year ago, so my hatred for them has somewhat dampened, but I'm still enraged when I think of their company.
I used communitech for a little over a year, and my experience was awful. They kept on taking away services that were promised when I signed up, and refusing to refund anything. They suspended my accounts twice; their policy for suspension is to immediately take the site down and leave a "forbidden" page, then ask questions later. One of the times it was because I was using too much bandwidth - one of the primary reasons I used communitech was because of their promise of "unlimited bandwidth" (I believe they've since changed their policy, without notice of course). The second time it was because I alerted them of a security hole in their system. ALERTED them - I simply wanted it fixed, but they suspended my site. When I called soon after, they threatened to call the police. They guaranteed 99.5% uptime when I signed up, but never met that - later, when questioned, they said that they were working towards that goal, but it wasn't actually a guarantee (even though it was advertised on their front page). Customer support was horrendous - I'll leave it at that. When I finally canceled my accounts, they continued billing me. They wouldn't stop until I threatened to call the Attorney General of their state (after that, of course, they quite willingly stopped). I could keep going, but I'll leave it at that. Please, whatever you do, get away from Communitech. If you don't, I assure you that you'll regret it later.
I have had a dedicated server at Dialtone Internet for over a year, and have been pleased with their service. They have great connectivity, 24 hour monitoring, a ticketing system and reasonable pricing. They don't handle patches under my plan (I handle those via ssh) but I have dealt with their support department several times (reboots, and a hardware failure) and they have been very professional. I did have some difficulty once, straightening out some billing issues with their mostly Spanish-speaking staff in that department. It took two days of faxes and emails and a lot of patience on both sides before we were able to overcome the language barriers and get things in order.
Anyway, I would definitely recommend Dialtone to anyone looking for a dedicated server.
--
Wouldn't the best way of demonstrating your pissed-ness be to take your business elsewhere? Find another provider.
Also find a web-host review site or something, and tell the world how bad your current provider sucks.
--
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
After looking at a LOT of different dedicated hosts, I've seen only very few that will patch a user's machine. If you're going with a large facility, they have thousands of machines. It is almost ALWAYS the user's responsibility to manage the server; this INCLUDES keeping the patches up to date. A facility should, however, provide a system initially with all patches up to date; this only makes sense. If it was a new server, you should have been up to date. If you'd had it for a few years and ignore security bulletins (or don't subscribe to them), it's your fault. Clearly you had a new server and shouldn't have had problems, but a user must take some accountability themselves. I recently got a dedicated server and the FIRST thing I did -- before transferring from my old dedicated to the new one, even -- was to check for patches.
What? APACHE cracked? How come when an apache server is cracked, the slashdot crowd says "who were these idiots who can't apply patches!" but when an IIS server is cracked and people say "they haven't applied the patches, clueless admins!" those folks get either flamed or modded into oblivion? The double standard is really getting old and the reason I don't read /. very often anymore....
---
DO NOT DISTURB THE SE
How about Slashdot (or some nice volunteers) doing a review of some of the main hosting companies out there, at least the ones that offer Apache/PHP/Mysql, doing some reviews and such, helping us all determine which is the best/worst for our particular purpose. I am currently looking at several but I haven't found that one that is exactly what I need yet.
I'll soon be starting on a few volunteer sites. Community based projects, all non-profit, so I need some space that is the closest thing to having my own box (SSH/phpMyAdmin, etc) but is reasonably priced (read cheap).
I am currently using phpwebhosting.com for my personal home page but I'm thinking it may not be as great as I once thought it would be.
Suggestions are welcome.
-Mark
Nemmer's Law:
All Internet Service Providers suck.
I know. I worked for two of them: Internet Direct and MindSpring. The small ISPs are driven into the ground by their idiot owners and then have to sell out to the big ISPs, which just don't give a shit.
--- even the safest course is fraught with peril
getting them hit with the slashdot effect certainly seems like a good way to start getting revenge ;)
Be the Ultimate Ninja! Play Billy Vs. SNAKEMAN today!
It sounds like they're incompetent, which really doesn't surprise me at all. Most companies seem to feel you can train some monkeys to do sysadmin level work. That's not true of any OS, although some of the more "User Friendly" ones delude you into thinking you can, right up until the skript kiddies march in and take over. You have the correct level of expectation that security holes will be fixed as part of what you're paying them to host the site, so if they don't hold up their part of the contract, threaten to sue the crap out of them. Or at least demand that they release you from the contract since they're not upholding their end of the deal. IANAL but I play one on TV.
As a side note, a lot of these web hosting places are fly by night operations that disappear a couple of months after they open up. The fly-by-nights are much more likely to try to get by with trained monkeys on the sysadmin team. If the guy who sold you your service is also the system administrator, be wary. It's always a good idea to see how long a company's been in business and ideally get some references from other customers of that company before you decide to do business with them.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Please MOD this up!
Sig goes here
Very informative!
Sig goes here
Email me (jmc@spamm.net) if you have questions.
-----
We do give our customers root to their servers and we warn them that while one advantage to a dedicated server is that we will maintain the server and keep it running, when they do something boneheaded (like chmod -R bob /) we will bill them to fix it.
So far it hasn't been a problem and only one customer has actually done something to break the server (see the chmod example above).
-----
The first thing you should do is make sure to get it in writing. If you look over the contract and don't see something like "system administration" or "full OS maintenance" then ask about it. If they say "Oh yeah, well we say we do some software updates" then you probably want to ask them to change that so that it says specifically OS maintenance or system administration or security monitoring or something. If they refuse to change it on the grounds that they'd "have to get it cleared with [insert everyone under the sun here]" then either don't use them or be aware that they probably won't do it.
I'd advise finding a company flexible enough to write a contract to your terms. I know at PhenomINET we always are willing to adjust contracts so that we provide exactly what the customer needs, or if we can't provide it, then we just tell you so. This *should* be the case with any company if you are actually paying them in the 1000s per month, but it often isn't so. (since we ourselves have recently been negotiating contracts in the 10s and 100s of thousands and some companies still won't budge) There is no point we see in telling you we will do it but we can't put it in writing, because either you or we will be unhappy afterwards, and that can only mean bad press.
In short, I'd advise talking to several different companies (including phenominet.com of course) and asking them if they can fulfil your needs exactly. If they say they can, get it in writing, and it should be writing that you can easily understand (legalese doesn't have to be complicated, and generally the only times it is complicated is when someone is trying to hide something). Then pick whichever one of those companies offers you the best price.
--Braeus Sabaco
This is SO educational! -- Kintaro Oe
I think it can kiss its reputation goodbye the moment this story is on /.
You can check webhostingmenu.com to find better web hosting.
It lists plans from FirstWorld, AF Hosting, NYI.net, Hyper Hosting, Verio, Bitserve, ThinkHost, Interliant, and Dell Host. None of these will be as bad as CommuniTech. [/plug]
Violating the security of a box/site/etc is cracking. Hacking refers to a kind of coding.
You've obviously been reading too many mainstream media articles on crackers.
They have a backup generator. I wouldn't colo anywhere without one. But even backup generators aren't foolproof. Many tier 1 colocators have had problems from time to time.
Like I said, that's 2 boxes, so it's completely comparable. The same cost for a single box would have been ~500-550 $US/mo. That said, I'm pretty damn skeptical you can get a provider in the UK with good bandwidth and peering for that low of a price, because the Internet content is still mostly in the US, which means unless the sites in question are local to the country, they'll be paying to haul the traffic over the Atlantic, and that's not cheap. I'm not up on the situation enough to know if euronet is still trying to gouge people (I imagine not, with the explosion of first tiers in the US running bandwidth over there).
In any event, "tech support" isn't even the right term. Everyone expects the front line to be morons. It's certainly true when I've dealt with UK networking companies, as much as it is here. The question is: how hard is it to issue a trouble ticket which escalates to a real engineer who knows how to handle the situation? In their case, I was unimpressed, but that's a problem everywhere, and it won't go away even IF there are a lot of spare engineers on the market (which, recession or not, I'm not seeing), because you have to have managers and HR people who can discern good from bad, which many cannot. Some places, the engineers approve the engineers, but in those places, they already HAVE the good ones.
I've had a pair of boxes hosted at Maxim.net for quite a while. The prices are low -- for 2 boxes and 1 dedicated meg (which we can fill 100% all month long for the same price), we pay around $850. These are for boxes we built, so hardware is not included, but that's still pretty impressive. Although I've never remote-rebooted (both boxes up 185 days running linux since they had a power outage 6 mo ago), they have telephone reboot, as well as some services.
They just merged into a larger company, and they finally got a trouble ticketing system, but customer service is still pretty awful, so its fortunate I rarely need it. They have a few very clued network guys, if you can get them.
Also, the cobalt raqs are very easy to patch. They have a GUI, a section to install software (Maintenance/Install Software). You can just paste the URL of the patch, and it installs it. The patches are here.
That said, communitech sucks. I've had problems with them in many other areas too. I can't recommend another ISP that will patch the servers for you, but I can say that communitech sucks.
--
--
Stay tuned for some shock and awe coming right up after this messages!
RedHat Linux 2.0.34 ?
"Be vewy vewy quiet, I'm hunting wuntime ewwors!" - Elmer Fudd
Cobalt makes their patches available for everyone to download and install. Sure, it takes them several weeks to make a patch available, and given that they use RedHat GNU/Linux, security holes keep popping up, but there is no reason why your ISP should be more able than you to download and apply the patches.
Of course, I have to wonder why you're using a Raq anyway... I've never quite understood how $1000 of hardware plus lots of free software equals a $5000 server.
Tarsnap: Online backups for the truly paranoid
The long: A similar thing happened to one of our clients. I work for a web development company and we have over the last year tried to get away from hosting. It's annoying, we don't want to do admin work, etc. so we partnered with a well known hosting provider (with pretty much a similar contract). The box was running NT (not my choice) and the day before they had scheduled to install a patch for a very well known (and for a good amount of time) bug, a script kiddie hacked the site. The first thing the hosting provider did? Blame us AND demand more money to get the site back up. WTF? Anyway, while they scrambled around with their heads cut off, we brought the servers back to our office, brought in security experts we were negotiating a partnership with anyway, and locked down the site and brought it back up (all in 24 hours ;-) ourselves. Then, we had our new security partners go into the hosting provider's rack area (the hp let us into the wrong closet first.. *sigh*) and effectively make the provider their bitch. "This is wrong, this is wrong", etc. The client is very happy with us and 5 seconds away from dumping the provider. Since then, the provider has pretty much asked "how high" when we or the client has said jump.
psxndc
The emacs religion: to be saved, control excess.
This post highlights the particular lack of service and bad attitude of one company but I believe it brings up some interesting issues that the entire Internet community is dealing with now, even the best of us.
Unfortunately, many dedicated server hosting providers are not addressing security, but even with those that are, the assurance level of staying secure is not too high. Why? Because as security guru Bruce Schneier preaches, security is a process, not a product. The security "posture" (as we call it around my office) of your server is deeply intertwined with the goals that you are trying to achieve, the amount and types of access you need to create for legitimate maintenance, your corporate culture (and specifically aversion to risk), and the technical competency and training abilities of your IT staff or consultants.
Because security is a process, not a product, it's difficult for a hosting company to wrap it up in a nice neat bundle for $299.99/month - especially when in the same breath they speak of giving you telnet access and "complete control".
My firm recently handled the "cleanup" of three different cracks for three different companies. The proper response is to setup a new, fresh server, with (what probably never existed before) a "defensive" security posture instead of the "open" security posture that most setups default to. The report that we create documenting the custom modifications and configurations for the new posture is ~60 pages long and represents a good chunk of time. We are in the service business dealing with web design, programming, and management so this is a natural extension of our services. Web hosting companies, however, are increasingly finding themselves in a commodity business - witness the mass consolidation of hosting organizations to leverage resources and the dwindling of the mom & pop hosting shops. In my mind this isn't bad, actually - it allows specialization and is the natural evolution of any complex field into several disciplines.
I'll comment on Cobalt because we've dealt with their RaQ 3 servers. Cobalt servers are not secure and are incredibly difficult to make secure while preserving any remnant of "Cobaltness". As an example of the type of thinking at Cobalt, they configure their boxes to run two Apache daemons - one for the public site(s), and one for administration access. The administrative daemon *runs as root*, so that the CGI programming within their (very nice looking) admin GUI can then do lots of useful things. Anyone who seriously administrates *nix boxes connected to the Internet is surely raising an eyebrow (if not shaking their head in disbelief).
A more specific problem with the Cobalt system is security updates. The Cobalt Linux distro is based on Red Hat but so heavily customized that you really waste time administering it in ways other than through their interface. Normal Red Hat gurus are *not* going to feel at home on this type of box. Cobalt patches do get posted on their public web site, but they typically lag behind the corresponding Red Hat fix. Here are some facts:
Red Hat posted a RHSA to update to bind 8.2.2_P7 on 11/27/00 whereas Cobalt did not post this until 01/16/01.
Red Hat posted a RHSA to update to bind 8.2.3 on 01/29/01 whereas Cobalt did not post this until 02/06/01.
Moreover, automatic update is an issue. To update a Red Hat system automatically is easy, and has been since the 6.x series - we always recommend that servers check for updates daily and without any human intervention download and install new software. As a manager, you should get an email the next day just summarizing the fact that a new package was installed. The work that Red Hat is now doing with their Red Hat Network is going to make this even more robust and intelligent in the future. (I believe this is so important now because the black hat community watches for Red Hat vulnerabilities and pounces on announcements.) I am not aware of any provided method to update a Cobalt server like this daily, and if such a system were available, it should be installed and turned on by default to follow up on Cobalt's plug-and-play marketing promises. Even so, the default security posture and the inflexibility of the system is not appealing anyhow.
Now does the Cobalt system have its pluses? You bet - it's great for simple administration of lots of straightforward web sites. It's bad for developers who want to get their hands dirty.
I think from here we go forward two ways. First, over the near future there is a natural progression that can and will be made in the security defaults and simple configurability of major distributions and web hosting offerings. This will happen. Second, I believe knowledge and skills in network survivability (and security as a subset of that) will grow in importance and companies will need to hire or contract it to keep things "humming" without interruptions. Organizations that don't want to address this and just want a simple web site will probably stick to lower-cost shared hosting plans where the environment is controlled by administrators at the ISP's who will be responsible for the assurance level of security.
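The daily check-and-install with a next-day summary mail that the post above recommends, as an added example (not the poster's own script): a small sh script for an rpm-based box. The updater command (`up2date -u`, Red Hat's tool of that era), the mail recipient and the state directory are assumptions and can be overridden through the environment; the demo snapshots at the bottom are constructed data.

```shell
#!/bin/sh
# Unattended daily package update with a next-day summary mail.
# Added example, not the poster's code. Assumes an rpm-based system whose
# "rpm -qa" prints name-version-release, and an updater that installs
# whatever is pending (assumed: "up2date -u"; override with UPDATE_CMD).
# Run from cron with --run; without arguments it demos on constructed data.

UPDATE_CMD=${UPDATE_CMD:-"up2date -u"}      # assumed updater command
ADMIN_MAIL=${ADMIN_MAIL:-root}              # who gets the summary
STATE_DIR=${STATE_DIR:-/var/lib/autoupdate} # assumed snapshot directory

# package_diff BEFORE AFTER: compare two "rpm -qa" snapshots and print one
# line per package installed, updated or removed (sorted). Package names
# may contain hyphens, so version-release is split off from the right
# (the last two hyphen-separated fields). "phase=2" marks the second file
# so the split stays correct even if the first snapshot is empty.
package_diff() {
    awk '
    function pkgname(p,   n) { n = p; sub(/-[^-]+-[^-]+$/, "", n); return n }
    NF == 0    { next }
    phase != 2 { n = pkgname($1); old[n] = substr($1, length(n) + 2); next }
               { n = pkgname($1); new[n] = substr($1, length(n) + 2) }
    END {
        for (n in new) {
            if (!(n in old))           print "installed: " n "-" new[n]
            else if (old[n] != new[n]) print "updated: " n " " old[n] " -> " new[n]
        }
        for (n in old) if (!(n in new)) print "removed: " n "-" old[n]
    }' "$1" phase=2 "$2" | sort
}

# update_summary BEFORE AFTER: the mail body. The first line is a one-line
# status so the admin can triage without reading the rest.
update_summary() {
    changes=$(package_diff "$1" "$2")
    if [ -z "$changes" ]; then
        printf 'no package changes\n'
    else
        count=$(printf '%s\n' "$changes" | wc -l | tr -d ' ')
        printf '%s package(s) changed on %s:\n%s\n' "$count" "$(uname -n)" "$changes"
    fi
}

# Daily job: snapshot, update without human intervention, snapshot again,
# mail the difference. The updater log is kept beside the snapshots.
run_daily() {
    mkdir -p "$STATE_DIR"
    rpm -qa | sort > "$STATE_DIR/before"
    $UPDATE_CMD > "$STATE_DIR/updater.log" 2>&1
    rpm -qa | sort > "$STATE_DIR/after"
    update_summary "$STATE_DIR/before" "$STATE_DIR/after" |
        mail -s "auto-update: $(uname -n)" "$ADMIN_MAIL"
}

# Demo on constructed snapshots (not real package data).
demo() {
    b=$(mktemp); a=$(mktemp)
    printf '%s\n' bind-8.2.2_P5-9 openssh-2.5.2p2-5 wu-ftpd-2.6.1-16 zlib-1.1.3-22 > "$b"
    printf '%s\n' bind-8.2.2_P7-1 logcheck-1.1.1-1 openssh-2.5.2p2-5 zlib-1.1.3-24 > "$a"
    update_summary "$b" "$a"
    rm -f "$b" "$a"
}

case "${1:-}" in
    --run) run_daily ;;
    *)     demo ;;
esac
```

A cron line such as `30 4 * * * /usr/local/sbin/autoupdate.sh --run` (path assumed) gives the daily, unattended run the post describes.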
You could send your service provider a friendly letter noting they are being dissected on /.
This could dramatically improve their service in roughly 5 seconds...
I lease a RaQ3 from Interliant (formerly Sage Networks) and I was cracked with some scripts that someone ran. Luckily, Interliant knew about 3 of 5 exploits, of which 2 were used on my box. They were able to patch the holes and no data was lost. I have also found that when I have problems with the RaQ, the support for Cobalt machines at Sun is almost more helpful than the service at Interliant. Mind you, it sounds nightmarish at this Communitech, but I can certainly recommend Interliant as they have an unlimited bandwidth policy which I have not seen changed nor have I seen any radical unannounced shifts in policy. Regardless, sometimes it's definitely easier to bypass the ISP altogether as Cobalt is friendly and knowledgeable and able to help as a RaQ customer...
I know that this is a random plug, but I get my service from toolshed51.com The service they provide is excellent, they have the PHP, Apache & mySQL tools installed and they run FreeBSD that is constantly patched for security holes. You should contact them!
PS--I don't have any affiliation except that I'm a satisfied customer!
Doh!
...or do you think Solaris sunglasses provide all the light in the world?
I think the fee of $125 is not proper, the previous $62.50 fee for OS installation should've covered your issue. To any person who calls themselves a System Administrator, "OS installation" minimally consists of the installation of the operating environment and the immediate application of all current patches to the OS and other components (sendmail, bind, apache) that comprise the customer's operating environment.
If CommuniTech is behaving in the manner suggested, then their actions are highly irresponsible. Thanks to DDoS, any compromised system can be a small part of a serious problem on someone else's network.
maru
You need apache, php, and mysql. Many, many hosting providers will have accounts set up around this configuration, allowing you to "just have a website up without all this bull" as you put it. They worry about server admin and security (on the host and network level anyway), all you have to do is write code and pay the bills.
As an example of a place that has the feature set you're looking for with very generous disk allocations for reasonable prices, see csoft.net. (I've never used them but I've heard good things about them, and when I emailed them some techie questions about their service they responded quickly and very professionally.) For example, the $25/mo. plan gives you unlimited disk. All plans include 1Gb/day of traffic ($6/Gb per Gb over 30 per month). Anyone here actually, directly used these guys that would like to comment?
--
News for geeks in Austin: www.geekaustin.org
News for Geeks in Austin, TX
If you're an open source project that's paying for space, maybe you should look for a hosting provider that caters to the OS movement and projects? Since they care about OS software they will probably be a little more knowledgeable about security and understanding of security problems being their own in a case like this.
Me for example. (Yes, blatant attempt to generate business! Please read on to see why. And if you want to flame me, feel free to use my /. email addy.) I run terrabox.com. I already donate heavily to the OpenProjects network of irc servers via hosting a server for free and have made other donations in the form of time and hardware. I also have a standing offer to projects that lack any money resources to get them limited hosting till they can afford to host themselves. We are very security conscious and have a sense of morality when it comes to charging the customer for services.
We offer all sorts of hosting including custom firewall that we maintain at no charge to limit access to your server as you want it. On top of that we only charge you for the services that you actually use and offer premade systems even with a deposit for the initial hardware costs. Or you can send us a server for colocating. One of the benefits is that server maintenance is covered for the first 2 hours on a commercial class server for much less. I also have a couple of my own projects that I run from here. ISFree, and libxh. My services are geared towards geeks and OS developers. I also believe that the biggest problem with companies today is the lack of morals and ethics.
On the next hosting provider you choose to move to you now know what all questions you should ask them. It's a bitter learning experience and I wish most other companies weren't so lacking in ethics on how they "earn" their income. 8-P
Brian
What? me have a sig? don't be ridiculous.
I would refuse to pay the extra bills and keep paying the service fees. Then I would take them to small claims court if they didn't agree. It seems clear cut enough that they have no room for being so unfair.
This Wiki Feeds You TV and Anime - vidwiki.org
I hate to say this, but you may be out of line. Sounds like these guys are idiots, and completely lack in customer service. BUT, there is a difference between dedicated and managed services. If you have only dedicated service, they essentially lease the box to you, and it's your responsibility. If you have a managed account, it's then THEIR responsibility to the limits of the service agreement in your contract. However, if they provided you with a dedicated RAQ, and were negligent in that they didn't provide you with the root password to manage the box, you have at least something to bitch about. But it sounds like they would have every right to charge for a "managed" service on your "dedicated" box. I don't know how far you could push it claiming that the boxes should have been reasonably secured with free patches provided by the manufacturer before you leased the services. You may have a bad faith argument there.
I worked for UUNET at a data center until laid off by Worldcom recently (grumble), and there most definitely is a difference in the services provided between what is essentially colocation and managed hosting. You might want to just chalk it up to experience, and go elsewhere when that option becomes available. I'm not sure you have a legal, or fair business practice, case here at all.
Derek
As an addendum, I am not a part of this website. I am just a concerned associate. The members of this website have nothing to do with the original post.
I recently purchased an account on HostPro.net in order to host a light database driven site.
... it running mysql, a VERY fast database server.
I was doing some benchmarking on the database box I was assigned to.
I executed a fairly complex query, something like:
SELECT warps1.sector as warp1, warps2.sector as warp2, warps3.sector
as warp3, warps4.sector as warp4, warps5.sector as warp5,
warps6.sector as warp6, warps7.sector as warp7, warps8.sector as
warp8, warps9.sector as warp9 from warps as warps1, warps as warps2,
warps as warps3, warps as warps4, warps as warps5, warps as warps6,
warps as warps7, warps as warps8, warps as warps9 where
warps1.sector=7 and warps1.dest=warps2.sector and
warps2.dest=warps3.sector and warps3.dest=warps4.sector and
warps4.dest=warps5.sector and warps5.dest=warps6.sector and
warps6.dest=warps7.sector and warps7.dest=warps8.sector and
warps8.dest=warps9.sector and warps9.dest=200 LIMIT 1;
and the query took 26 minutes and 30 seconds on their server.
On my AMD box running at 350 MHz with only 64 ram, the query ran in 5 seconds.
I initiated a support request with HostPro regarding the issue and it was ignored. They also promised PHP 4 support, but they were running PHP3 and initially refused to upgrade.
This is not the only host I've had these same problems with.
Is it the goal of such hosts to just screw us over? We need more nerd-friendly businesses.
Ever need an online dictionary?
That is the responsible party. If you do not have root, you cannot institute most of the security measures and it shows that the ISP does not trust you enough to be responsible for your own box. If they do not give you root, there's not a darn thing you can do to patch anything without requesting their help to begin with.
On the other hand, if YOU have root, you don't need to be a security professional to keep up with the patches and updates given out by the makers of the software. You just need to keep on top of the forums that are there for people to keep up with the security patches.
DanH
Cav Pilot's Reference Page
UNIX - Not just for Vestal Virgins anymore
"Greetings. I'm from your local... uh... Business association. I'm here to offer you protection from the... uh... disreputable business around town. Pardon? Oh, yes. We collect the dues at the American-Russian Social Club."
---
Desperation is a stinky cologne
I work as a computer security officer for a hosting company. I can tell you that as far as my company is concerned, where the blame lies depends on the type of contract you have. For instance, if you have what we call Dedicated root, that means that you have the root password, and whether it's colocated (where you bring in your own machine) or leased (you got the machine from us), you are responsible for the security integrity of the box. Now, if you're a shared or managed customer (just a vhost on a box with many others, or a box leased from us with the understanding that we are the sysadmins), then it is our responsibility to maintain it. It sounds like you were in the latter group and they are simply trying to pass the buck. There is no way you should pay for their laxness. However, if there is nothing in the contract stipulating what they are responsible for, I don't see what legal recourse you may or may not have. I would perhaps check with an attorney; however, I would definitely look for another hosting provider.
SealBeater
-- Its survival of the fittest...and we got the fucking guns!!!
I've dealt with communitech before, and I have one thing to say about them, "They SUCK!" Our website was running on a 2000 box with ColdFusion. Yeah, I know it's sick, but that doesn't give them any kind of excuse for our site to be down 6 or 7 times a day. I've also dealt with Media3. We got a "Semi-Dedicated" server, which means we only share it with 1 other user. At one point in time, they took down our site, blaming us for taking down the server with slow ColdFusion scripts. It took them 6 hours to realize it was the OTHER site's fault. Needless to say, we didn't stay with them much longer. In the end, we ended up buying a dedicated server from the guys at Rackspace. Now that we admin it, and not some dumbfuck MCSE, our uptime is much, much better. There have been 1 or 2 network outages, but they only lasted for minutes at a time. Anyways, the point of this post was to teach you a valuable lesson that we've learned much too late, and therefore costing us a lot of money. Don't host on shared servers. Always get a dedicated server that you have root/Administrator access on. (P.S. I wasn't trying to plug Rackspace; you can also use CAIS and other services that do the same shit.)
hlag
Yes. CGI scripts will run from anywhere on the RAQ III server.
You really, really, REALLY need to get a load of this.
It's downright FUNNY....
-
I have no problem with your religion until you decide it's reason to deprive others of the truth.
It seems to me that the BBB (Better Business Bureau) was set up to handle situations just like this -- a business doesn't provide services which it said it would. Although it usually doesn't have any official power AFAIK, the power of reputation in this case can be enormous.
That's it. I'm no longer part of Team Sanity.
I'm the admin of a hosting provider, and upon starting up, attempted to colocate with VIIS (note, their site has been down for the past few months, though I don't know why. I hope they died!). The experience was a horrible one. They at one point actually claimed there was a DoS _coming_ from our server, provided no evidence backing this up, and claimed that even telling us the names of the other "parties" involved would be a "disservice to the internet community". I quote "parties" because I believe they faked the entire thing, after changing their minds about wanting our business. Although I believe they've gone under, I've been unable to confirm it, so if you have the opportunity, please choose against them.
;)
Anyway, things are much better now, and if you're still looking for a better provider, please consider Stratius (sorry about the blatant advertisement). All the admins are as much security freaks as you are.
--
grep "xercist"
apt-get dist-upgrade won't break anything as long as you are using a stable package base in the sources.list. Debian does NOT do any major version changes in stable, therefore any patches/updates most likely will not hurt anything. They also backport any fixes to the versions used in stable, so you wouldn't be using the latest and greatest. Cron'ing an apt-get upgrade from security.debian.org and also the normal mirror is a good idea in my opinion.
no no no! its not the web site, its the phone line... it IS an 800 number after all... just remember, 1-800-webhost!
SSL Certificate
Software Tool and Die hosts web sites. In my experience, they are secure, reliable, and straightforward to deal with.
What's the security-maintenance potential of Debian-based systems? I generally set up Red Hat-based servers at client sites, run a tight ipchains firewall and custom compile whatever daemons will be publicly available from the latest source; and then watch for security news, compiling updated daemons as necessary. So far, no problems, fingers crossed. But I've recently been playing with Debian, am coming to like .deb far better than .rpm, and wonder what the odds would be of a daily "apt-get dist-upgrade" in cron on servers keeping security relatively tight (and not sometimes mucking things up)? Some of y'all must be doing this?
"with their freedom lost all virtue lose" - Milton
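The nightly apt-get job that the question above asks about (and that the earlier "cron'ing an apt-get upgrade from security.debian.org" reply recommends), as an added example that is not from either poster: a wrapper that refuses to run unless sources.list carries a security.debian.org source and tracks no unstable/testing suite, records the simulated upgrade in a log, and only then applies it. The script path, log path, cron line and sample apt output are assumptions.

```shell
#!/bin/sh
# Nightly Debian security-update wrapper (added example, not from the thread).
# Assumes a Debian stable box with apt-get; the script path, log path and
# cron schedule below are assumptions.  Uses 'apt-get upgrade' rather than
# 'dist-upgrade' so an unattended job never adds or removes packages.

# Return 0 when the given sources.list has an uncommented 'deb' line for
# security.debian.org, i.e. security fixes will actually be fetched.
has_security_source() {
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -Eq '^[[:space:]]*deb[[:space:]]+[^[:space:]]*security\.debian\.org'
}

# Return 0 when any uncommented 'deb' line tracks unstable, testing or sid;
# a blind nightly upgrade against those suites is what breaks things.
has_unstable_suite() {
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -Eq '^[[:space:]]*deb[[:space:]]+[^[:space:]]+[[:space:]]+(unstable|testing|sid)([[:space:]]|$)'
}

# Count packages that 'apt-get -s upgrade' would install, from its saved
# output ('Inst pkg [old] (new suite)' lines), so the log is auditable.
count_planned_upgrades() {
    grep -c '^Inst ' "$1" || true
}

# Update indexes, record what would change, then apply it non-interactively.
# Returns 2 without touching apt when the sources.list checks fail.
run_security_update() {
    sources=${1:-/etc/apt/sources.list}
    log=${2:-/var/log/security-update.log}
    if ! has_security_source "$sources"; then
        echo "refusing: no security.debian.org source in $sources" >&2
        return 2
    fi
    if has_unstable_suite "$sources"; then
        echo "refusing: unstable/testing suite in $sources" >&2
        return 2
    fi
    plan=$(mktemp)
    {
        echo "== $(date -u +%Y-%m-%dT%H:%M:%SZ) security update"
        apt-get -qq update
        # -s only simulates; keep its output so the log names every package
        apt-get -s upgrade >"$plan" 2>&1
        echo "planned upgrades: $(count_planned_upgrades "$plan")"
        cat "$plan"
        DEBIAN_FRONTEND=noninteractive apt-get -y -qq upgrade
    } >>"$log" 2>&1
    rm -f "$plan"
}

# Assumed cron entry:  15 4 * * * root /usr/local/sbin/security-update.sh --run
if [ "${1:-}" = "--run" ]; then
    run_security_update
fi
```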
There might be a reaction.
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
In such a situation, your only hope is to contact the Better Business Bureau to find out about other possible incidents. You could perhaps start a group lawsuit against this thieving company.
-Billco, Fnarg.com
If you take your car to get fixed and the mechanic screws you, you don't go back. If a painter comes and paints the wrong wall, you don't pay. If you eat at a restaurant and the food sucks, you don't go back. I don't see how this is any different than bad service or a bad product anywhere else. Just go elsewhere! This seems hardly worthy of such public discussion.
Well, all I can recommend is for you to try to see it from the other point of view. You have some ISP here who is barely making money. They are probably understaffed, and now they are being asked to provide security. Providing good security is a very difficult process. It involves weekly or even daily checking for new holes, fixing old holes, testing for weaknesses, logging everything, searching the logs for the unknown, etc, etc. This isn't Disneyland we live in. This work takes people and time, and if you are dealing with a company, and if that company cares about staying alive, they will charge you for their service. It's one thing to loan someone a piece of hardware that just takes power and bandwidth; it's something completely different to have someone proactively working on security issues for you. Also any company who takes on the role of security also has to assume the risk of that security being breached. For example, let's say your site does get hacked, and big time. If a company promises security, they may be open to being sued by yourself. Also why weren't these issues figured out when you first set up the server? Why is this other company to blame when you guys probably never even talked about the issue until after the site was live?
I am a part owner in a hosting company in charge of technical operations. I can understand CommuniTech's position on this. In their contract I see an 'attempt' at covering themselves on this. In section 10 "Limitation of Liability" it says something like they aren't responsible for any loss of data - even in regards to maintenance (or lack of). Applying patches could be considered maintenance. Section 7.2 is also another attempt at dealing with this. They didn't come right out and say it, but to me it seems what they mean is "If you get cracked, don't come crying to us - and yes you will pay to have it fixed."
As an owner of a hosting company I can understand the challenge of keeping hundreds of servers current with the latest patches. I might keep up with it on new installations - but trying to support older systems would be tough! I would make sure (and I do) that the service agreement is clear as to who is responsible if a server is cracked. But as a point of service I would apply patches if a client asked me specifically to do so. Personally, I try to keep up on all security patches, but I may miss one here and there. Perhaps this is the same issue with CommuniTech.
The reports by former CommuniTech customers show that they are not that concerned about customer service. Or that they have too many customers to provide good service. My company is a bit more concerned about service, and I think we take the precautions necessary to prevent such problems. But if a dedicated host on our system gets cracked, and they want us to fix it for free - humm. Depends on the circumstance. I would be much more likely to do it if I was informed ahead of time that there was a problem. I think other hosting companies should provide the same service. If they don't - that's fine. It just means more business for us.
You'd do well to read this guide, it's helped me out tremendously:
http://www.openna.com/resources/articles/v1.3-xml/coverpage.html
(Securing and Optimizing Linux, by Gerhard Mourani)
:)
First let me say that I'm a reseller for Communitech, virtual accounts only, though I don't believe that makes me biased toward them; if anything, my experiences have biased me against CT. I've had my own nightmares with them and I'm still wrapped up in being double-billed on one resold account for almost a year. Personally I think you're lucky they reinstalled the OS for free the second time around; be sure to double-check your credit card bill when it comes in... CT is one of those companies you love and hate at the same time and their customer service does suck - that's why they have a lot of resellers. We can provide the personal service and support that they aren't capable of.
That said, the security of your box is your responsibility. It doesn't matter where your box is located or whose pipes it's connected to.
Communitech isn't responsible for making sure your box is secure any more than RoadRunner is responsible for making sure my local linux machine is locked down. Their responsibility is to make sure that your machine is connected, powered up, and able to serve traffic. When you order a dedicated server from CT, they slap on an installation of your chosen OS, along with Apache and some development tools. They don't make any promises or guarantees that your system will be secure or that they'll be patching your box every time an exploit is found.
CT still uses Redhat 6, and it says that on their dedicated server config page (the RaQ page just says Linux 2.2, but the more general pages indicate they're using Redhat 6). If I were to take on a box with a fresh installation of RH6, the first thing I'd do is upgrade bind - shot in the dark, but I bet that's how you were owned.
In any case, the bottom line is this, and you're free to disagree: if no one in your group is prepared to spend time finding patches and securing the box, your group isn't ready to be running a dedicated server.
Good luck and make sure to check that URL. You've got a dedicated server for at least a few more months; someone on your team needs to read up and get to work.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
I had a site hosted by them about 3.5 years ago when they were starting out. I had a couple of simple CGI scripts running and they kept chmodding them to 0 as they said I was using too much CPU (I was getting about 100 visitors a day and the scripts were fairly simple). I thought whatever and took them off and thought that was that.
Then my site got a bit popular and it started using a half gig of transfer per day (not too much); well, they shut off my account without telling me. I had to email them and only then did they reply and let me know. I had prepaid half a year with them so I disputed the charges and got out of there as fast as possible.
I've been through about 3 other hosts since then and I have to say that they were by far the most unprofessional bunch.
Shouldn't you direct these questions directly to the company first??
Sure the (semi) mass media is a great tool to embarrass companies into giving you what you want, but it's often easier to send an email or two to someone very high up or someone in marketing who cares what people think of the company.
Sure it'd be great to see a lively debate on slashdot about the ethics behind the cost of bug updates and who should foot the bill.
But by naming names and making it personal about CommuniTech it just looks as if all you want is results.
Where's CommuniTech's right of reply?? I hope to see the other side of the story.
-------
Drink Coffee - Do Stupid Things Faster And With More Energy!
Now, I would agree that they should have installed the server properly and installed the latest patches. But if I was the ISP there was no way I would make any contract where it said that I was responsible for the complete security of the site/machine. You _will_ need someone in the project that can evaluate the security of the setup and design.
:-)
There are two problems in this case. One is that the user gets full access to the machine to do whatever he wants. The second is that he is writing his own programs for the machine. This means that the user can install a program with a security hole and also write a program/script that provides an entry for the intruder.
If you have root access to a server and are writing programs for it, there's no easy way out; you have to gain the knowledge needed to keep the site secure.
What the ISP should provide is uptime (power backup/connection backups/spare parts) and maybe backup. The good thing about placing your machine in a server farm is to save the costs of getting big fat internet pipes, building server rooms with all that follows (UPS, security, fire ex., cooling etc.).
Or you could have chosen IBM :-) that is, if I have understood their commercial correctly. heh
--------
Figure out how the crackers got in, root the ISP yourself, and hold their servers ransom until the problems are fixed...
We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
This is not the first horror story I hear from Communitech. There are very different opinions about this company ranging from "ok" to "they are a bunch of spammers".
Please check alt.www.webmaster for opinions on communitech and for suggestions on dedicated service providers.
Additionally I'd check budgetweb.com. They have a comprehensive directory of web space providers (not only dedicated servers) and I think there are user comments too.
mike
From their homepage:
http://www.communitech.net/hosting/dedicated/special/support.cgi
CommuniTech.Net's dedicated server support services allow you to obtain general technical support on your dedicated server as a part of your monthly fees. Our support engineers can assist you with general troubleshooting issues. We recognize that there is a start-up, or "grace" period when dedicated server customers have questions regarding bandwidth consumption, the Server Administration Utility, and general setup issues. Know that we are here to help you through this transition period and any other general support issues you might have throughout your service with us.
Here is the dedicated server contract from Communitech.
It seems that 7.1, 7.2 and 7.3 are covering the software maintenance. Although they are not very specific on it.
These patches should be applied as soon as they are evaluated for relevancy, and since you pay for service, I'd think they'd do that for you. I work at an ISP and we are militant about patching; I personally don't want my name associated with ANY security related failures or screw ups. We provide that service to our customers, and indirectly to ourselves. I'd look for a new provider.
nb
Web hosting firm upgrades service, threatens eviction
Which just goes further to point out what this company still doesn't understand: customer service is important.
I would suggest that we all call them personally to ask about their policy on customer satisfaction. 1-800-WEBHOST. Or, maybe we shouldn't, since they do have to pay for every 1-800 number and we could end up costing them a lot of money. Yeah, forget I said anything.
From their site:
99.95% Uptime Guarantee
Hardware issues, though the responsibility of CommuniTech.Net, are not the fault of CommuniTech.Net and are therefore exempt from this policy.
What exactly do they cover then? Good to hear that the 99.95% counts everything but hardware failures, maintenance, and any time they take down the site purposely because they "discontinue all communication from and to the dedicated server" because "[they] will assume there is a software issue" if you use "greater than 10 Megabits".
What a company!
I don't know what kind of services the ISP in this case provides, but remember, there are always two sides to an issue like this. If you have the root password (and especially if you change it), don't expect someone else to maintain the server.
So basically, you pay them X dollars a month for some hardware and a bandwidth connection. I'm starting to wonder where the value in "value added service" comes into play here. On a side note, to all the people whining about how CommuniTech uses Solaris with sparse reasoning, or how RaQs are pieces of junk, apparently (I'm not a big networking dude) the RaQ uses Linux over Solaris, even though the front page says they only use Solaris for what basically comes down to accountability and security in case of fuckups: they feel Sun is more likely to pay up if things go bad for them.
I Browse at +4 Flamebait
Open Source Sysadmin
Most reputable hosting sites have SLAs for each one of their services. Any place worth their salt actually draws a very clear demarcation between what the customer is responsible for and what the hosting provider is responsible for. For example, the company that I work for makes absolute guarantees about the stability and security of the OS (when you purchase such a package), in that they only allow our engineers to build up the OS and do NOT allow root access to anybody else.
I used to use communitech for hosting a *while* back. I found a huge security hole in their setup. I notified one of the SAs. Months passed and it was still there. And later on my account was cancelled and they fined me for hacking. Stay away from them.
--
Violators will be prosecuted and prosecutors will be violated.
I've also got a lush, cheap and very secure host: cubesoft (http://csoft.net).
You can choose a Linux or FreeBSD server and can do CGI from PHP to mod_perl.
very nice!
1up.org
I may be wrong on this, and I invite non-flame instruction if I am, but my impression of server hosting is that you get the hardware and the wire, and the rest is up to you. It would be nice for the hosting company to issue security bulletins, but I certainly wouldn't expect them to administer my server for me. I think you are confused about the terms 'ISP' and 'Dedicated Server.'
Evil is the money of root.
Try http://www.rackspace.com. It would be more expensive. On the other hand, I doubt you'd have very many admin headaches. Just my $0.02
Maskirovka
We are getting service from CommuniTech, who rent us a Cobalt Raq3 server. Part of the reason to go with a dedicate server from an ISP is to outsource system administration.
In my experience, if you pay for a dedicated server from a hosting company they usually expect for you to be responsible for the administration and so-on. Typically if you use one of their shared systems then they will handle all the administration and what-not on their end. But I gather that varies from company to company.
But the bottom line for anyone who is considering outsourcing anything (even just web hosting) is to make sure that in the contract EVERYTHING is specified. Everything from who maintains the system, who is responsible for security and any breaches of said security, what kind of backup system will be in place, what sort of service levels are required to be maintained, penalties for violating SLAs, and even what happens if the hosting company goes under. And what the additional charges will be for services outside the realm of what is included in the contract.
Anyone who isn't getting all of this in writing is setting themselves up for a fall.
Two come to mind:
1. Catalog.com - Their Linux servers have really jumped in price, but they are running a special on slightly beefed up Raq3's (extra RAM). I don't have any personal experience with them, but I have heard decent reports from abroad and was highly considering them when I was looking for a dedicated server. I read on their forums before that a couple of customers' deds got hacked, but they seem to take a pro-active approach to helping to secure servers.
2. CIHost.com - I am currently hosting a shared (virtual) account there and have been for about 6 months. I have had no major problems thus far (granted, it's not a dedicated server), but what issues I have had (questions, setting up databases, etc) have been handled promptly. As well, I just noticed that even though I used their online Credit Card processing page to pay for my last month, the charge never appeared on my CC and my account hasn't reflected the payment. Yet, my page is still functional and there has been no break in service.
As well, they are running a special on Dedicated Servers. Lease one, get one free :) That's a pretty cool deal if you ask me. They have an intro ded. server (special doesn't apply to this package) that goes for 99 bucks a month. For hosting one domain, that is fairly adequate if you ask me.
There are plenty of others out there, but these are the two I was really looking at when I was in the market for a ded. Still don't have one, figured a new car should come first =)
Good luck in getting everything resolved!
That should tell you something right there. I think they mean RedHat 6.0 with kernel 2.0.34 installed?
The Cobalt Linux implementation is as secure as any commercial Unix implementation on the market today. Linux was developed with publicly reviewable source code, and as such, has been subjected to a tremendous amount of security testing. In our opinion, as a provider of internet services, our server is more secure and stable than Microsoft Windows NT.
Sure it was, four or five months ago. Things change.
An individual with enough computing power and 'hacking' expertise could crack a password and gain access to the system. Such an individual, in order to crack the password, would also need direct access to the network that the RAQ administrator uses to access the RAQ. Once again, this feature is inherent to nearly all Unix systems.
But, uh, if the machine is relatively secure, how exactly is the attacker going to get to
The RAQ II server uses Sendmail 8.8.8.
Errrrrgh...
I think what you've got is an ISP that will start you off with a server that was secure a few months ago (or currently, raise your hand if you think they check). They leave you responsible for hardening it and most likely give no support whatsoever... Well, at least not free support. A lot of co-location companies are doing that.
I hate to plug, but if you're looking for another dedicated provider, I would try Rackspace. They start you off with a pretty secure server with all the latest packages and will apply a patch for you, help you, or do any work of that type for free.
But, here are a few sites that will help you get familiar with Linux security:
Hope this helps...
Do you like German cars?
Just remember, Dick Stallman's picture was released under GPL, so you can't sell it.
In the USA, we like stuff watered down, like beer, television, and freedom.
Actually, I never signed an agreement - the webmaster did. All I did was explain the situation to my site's audience, helping to provide avenues for contacting the company. They said we were 'spamming' them because their TOS dictated that the emails were 'unwanted'. One of their guys came over to my site and posted messages anonymously before revealing his status as a CT employee; he used the anonymity to harass me and call me various names - rather unprofessional. This, too, was about a year ago. If you've had a bad experience with CT - send it to me via email and I'll see what I can do.
Woah - someone had a bad experience with Communitech? I'm surprised. Wait, just the opposite of that. Communitech (known as "Communistech" by the little online clique I'm a part of) is a company which loves changing its TOS and being sneaky/deceitful about it just to make a quick buck. First, according to one of their abuse department guys, the 'president' of the company went through a friend's site, SimStuff.com. Without consulting the owner, he deleted the entire site (including several dozen hosted sites) because they had .ZIP files that MIGHT have been pirated software. The company also said that SimStuff.com had 'pornographic' content on it.
Er - since when is a site about SimCity 'pornographic'? And what site doesn't use .ZIP files, especially if it's a gaming site?
The company eventually changed its position to that of "the owner was inappropriately using his space" - by having .ZIP files available for download.
When I posted news about this incident on my Maxis-related site, I was harassed in my forums by an employee of the company (though I don't remember the specifics; they used a fake name to post it originally, but I was able to trace the IP back to the company.)
The site was killed because the company decided that .ZIP files are pirated files and then lied about the content of the site.
The company also refused to refund the owner of the site, despite the fact that they made a clear mistake and then lied about it (and then went as far as to harass supporters of the site).
The company didn't return phone calls from the webmaster and it took him several days to even get an answer as to why his site was simply deleted.
From what I recall, they also threatened to charge the webmaster a $500 "cleaning up" fee (I'm not sure about that number - but it was rather large) for deleting the site. I was harassed after proposing that members of the community donate money to pay for that fee in case they pressed it. And the reason they threatened to do it was because they felt the webmaster was 'harassing' them because I, and others, had posted the email addresses of various company officials for people to write them and ask them to reverse their decision. They also threatened to charge money for each of those emails sent in, as well as file abuse reports to our ISPs.
Not to mention the fact that they got rid of one of the guaranteed features, Ultraboard, in the middle of my hosting period; thus, when their server screwed up my config styles, I couldn't re-install the program and thus had to ditch my forums.
Communitech exists to make a quick buck. They lie about their features and twist their 'contract' and 'terms of service' around just to cheat people.
I'm more than willing to help out any site dedicated to reviewing Communitech's poor decisions and actions. I can probably even host the site on a server we rent from another company. Email me: adam@!nozone.net. (Remove the "!").
What is their justification for the $125 charge? You say you rent the Raq3; do they mean to imply that this is something you could do yourself, and they will do it for you?
Just where does the boundary in your contract lie on that? If you are allowed to do the patch yourself, then there may be ~some~ justification for the charge (that doesn't make it right, mind you). However, if it's something they won't let you do, then they are exercising quite an unfair business practice. A bit of a Catch-22 where they won't let you fix it, it needs to be fixed, and they still want to charge you for it.
If the second option is true (you don't have access to patch the server), I'm sure if you call and complain enough, they'll work something out. Just remember to bug them A LOT!!! They'll buckle, especially if you're right, and they know it, and you can plant the seed in their heads that any court would know it too.
-----
I used to use these guys for clients' websites and I soon found out that they are indeed a company for which customer service is not an option. I was screwed over about $90 by these guys. They are very good at taking their legal agreements and beating you over the head with them over and over again. Because of my experiences with them, I will not use this company again under any circumstances.
I think we have heard this story before.
1. Internet company opens its doors. Promises tons of kool stuff at low/normal prices with lots of free extras.
2. The company gets tons of people coming, mainly due to hype and the free stuff.
3. The company makes jack and the management panics. Suddenly all the free stuff isn't free anymore, and the terms change.
4. People get ticked off at being charged for what was once free and the loss of the services that enticed them to come to begin with. Sometimes it is still a good deal; sometimes it isn't. Either way people are angry.
5. People go to someone else (or just go) and the company is even worse off. Often this kills the company.
EOF
"Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
You might want to check out cr0wbar's rant against Safe Audit when they screwed him over. The more you let people know about this kind of nonsense, the more likely it is said business will think twice about screwing you over.
We've seen this reaction all over the place. Any time people are treated unfairly in any situation, cry out publicly about it. This does change things.
This story CLEARLY indicates wrongdoing on their part. For example, anyone who has ever dealt with phone companies fixing their service knows that service providers are responsible for fixing problems with their own systems. When I got my second line installed, they had problems with the line at a distro station. They didn't charge me to fix the problems there. If they had, I would have raised hell. But they didn't. They're responsible for it. End of story.
Why bother.
It makes me very angry to see how incompetent some ISPs indeed are. I had to email my ISPs almost _weekly_ to point out errors in their configurations (smtp error, dns error, firewall misconfigured, mcast errors)... It was getting to the point that I emailed them _exact_ howtos on how to set their stuff up - which they pretty much ignored, which is ok as long as they fix it, but they didn't! I even emailed one of them that I could take a walk on their mailserver more easily than log in to my webmail account - no reaction, of course.
And I don't have a choice. It's either them or no internet at all.
What strikes me even more, from a personal view, is that every time I try to help them, either by email, phone or letter, they ignore me.
I am a computer science student, I have -despite my young age- years of experience in Unix-like OSes, but when I apply for a job as administrator (to pay for my studies), the only thing I hear is that I'm too young. It sucks terribly to see how things should be, how things can be fixed, but to run into a wall of ignorance every time.
If they have to charge you for someone to come in to fix a security hole it sounds like a bunch of amateurs trying to run an ISP. I'd call the BBB and file a complaint about it.
Berk Watkins
That's what you get when you use an ISP run by six guys, a monkey, and a talking puppet.
Some people...
------ 1001001
On the flip side of that, my company also offers "managed" hosting, in which we are entirely responsible for everything on the box except the customer's web content. It's up to the sysadmins to decide what security patches to apply, and when. The admins once grudgingly applied ALL available M$ (in)security patches to a managed NT server, due to the demands of a know-it-all customer. Quite a few things broke...
i've been dealing with one hosting company after getting scanned from their network, which is full of rooted cobalts. and not just scanned once, it's been going on for like half a year. and no one seems to do shit about it. really makes me wonder what kind of people are in charge of security in these companies. maybe they've just bought their racks full of boxes and are now sitting on their asses. go figure.
ok, basically the Cobalt RaQ3 server itself is NOT a good choice for a server. ooh, it runs a custom linux distro, but that's where the fun ends. All cgi scripts are executed with group root (YAY) and all the different hosted pages are viewable from your home dir. seeing as most people can stop users from getting telnet access, you can get a script which works like a CGI shell in perl... one could easily steal neighboring sites' passwords and custom scripts, which poses a strong vulnerability (seeing as most come with FrontPage access and most people are stupid enough to use it). Here is a little more info on the vulnerability lying in this death trap called Cobalt: http://fl2600.cjb.net./cobalth4k.txt
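The two exposures the post above describes (CGI executables carrying a privileged group, and per-site home directories that neighbouring users can read) are the kind of thing an admin can audit for before putting a shared box live. The script below is an added example written for this thread, not code from the poster, Cobalt or CommuniTech; it assumes a sites root laid out as ROOT/<site>/web/... and builds a constructed sample tree to run against, so nothing here is a real RaQ3 image.

```shell
#!/bin/sh
# Added audit helper, not code from the thread or from Cobalt. It checks a
# sites root (assumed layout: ROOT/<site>/web/...) for the two exposures the
# post describes: per-site home directories that other local users can read
# or traverse, and executables carrying a setgid bit (a privileged group).
# Everything is POSIX sh apart from find's -mindepth/-maxdepth (GNU and BSD).

# count_world_accessible_dirs ROOT
#   prints how many immediate subdirectories of ROOT grant read (004) or
#   execute/traverse (001) permission to "other".
count_world_accessible_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -001 \) | wc -l | tr -d ' '
}

# count_setgid_files ROOT
#   prints how many regular files below ROOT have the setgid bit (2000) set.
count_setgid_files() {
    find "$1" -type f -perm -2000 | wc -l | tr -d ' '
}

# report ROOT
#   prints each finding with its mode and group so an admin can decide whether
#   to chmod 750 the directory or strip setgid from the wrapper.
report() {
    echo "== site directories readable or traversable by other users =="
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -001 \) -exec ls -ld {} \;
    echo "== setgid executables (a CGI run through these inherits the group) =="
    find "$1" -type f -perm -2000 -exec ls -l {} \;
}

# build_sample_tree
#   creates a constructed sample layout in a temporary directory and prints
#   its path. The modes are chosen to exercise both checks; this is not a
#   real RaQ3 filesystem.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site1/web" "$root/site2/web" "$root/site3/web"
    chmod 755 "$root/site1"      # neighbours can list and read everything
    chmod 711 "$root/site2"      # neighbours can still reach known file names
    chmod 750 "$root/site3"      # only the owner and the site's own group
    printf '#!/bin/sh\necho hi\n' > "$root/site1/web/shell.cgi"
    chmod 2755 "$root/site1/web/shell.cgi"   # setgid CGI, the post's complaint
    printf '#!/bin/sh\necho ok\n' > "$root/site2/web/ok.cgi"
    chmod 755 "$root/site2/web/ok.cgi"       # plain executable, no setgid
    printf '%s\n' "$root"
}

# Run with --demo to build the sample tree, audit it, and clean up.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(build_sample_tree)
    report "$demo_root"
    echo "world-accessible dirs: $(count_world_accessible_dirs "$demo_root")"
    echo "setgid files: $(count_setgid_files "$demo_root")"
    rm -rf "$demo_root"
fi
```

Run it as `sh audit.sh --demo` to see the sample findings, or call `report /home/sites` (or whatever the real sites root is) directly. On the constructed tree the first check flags site1 and site2 and the second flags the one setgid wrapper; the remedy in each case is a plain chmod, which is exactly the sort of thing a managed-hosting contract should already cover.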
no recourse without hassle. I just dropped JPS.net cause they were bought by onemain then earthlink and they 'lost' me for a month and then cut me off because of a misallocated 16 cents.... Try Futurequest for really good php/mysql hosting