Ask Slashdot: My Host Gave a Stranger Access To My Cloud Server, What Can I Do?
zzzreyes writes "I got an email from my cloud server to reset the admin password, first dismissed it as phishing, but a few emails later I found one from an admin telling me that they had given a person full access to my server and revoked it, but not before 2 domains were moved from my account. I logged into my account to review the activity and found the form the perpetrator had submitted for appointment of new primary contact and it infuriated me, given the grave omissions. I wrote a letter to the company hoping for them to rectify the harm and they offered me half month of hosting, in a sign of good faith. For weeks I've been struggling with this and figure that the best thing to do is to ask my community for advice and help, so my dear slashdotters please share with me if you have any experience with this or know of anyone that has gone through this. What can I do?"
Your provider has de-facto admitted that they messed up. These things happen. The only question is whether they would truly respond in a professional manner. If they do, and they agree to the following, do the following, and move on. Contact them, and request them to:
* Provision a new virtual host for you.
* You will copy all your existing data into your new virtual host, using your own copies of whatever you use the host for. You do have your own copies of everything, and you don't trust the host with the entirety of your data, right?
* For convenience, I think it's ok to copy some data directly from your compromised host, provided that you're comfortable with whatever verification steps you deem are necessary to certify that it hasn't been tampered with. Data, no code.
* When your migration is complete, your provider will swap in your replacement virtual host in place of the compromised one, which they'll decommission.
Of course, for the duration of your migration, your host will not charge you for the second virtual host. You might consider negotiation with your host for an additional discount, as compensation for the work you have to do as a result of their security breach. I think that free hosting for however long it takes you to migrate, that is, no charge for the new virtual host, and billing suspended for your compromised host, would be fair. If that's the two weeks they're already willing to give you, then that's that.
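The verification step in the list above ("Data, no code"), sketched as an added example that is not part of the original comment: it compares a tree copied from the compromised host against your own trusted backup and sorts each file into a bucket. The function names, the directory layout and the extension list are assumptions made for illustration.

```python
import hashlib
import os
import stat

# Assumption for this sketch: extensions treated as "code" rather than data.
CODE_EXTENSIONS = {".php", ".py", ".sh", ".pl", ".cgi", ".js", ".so", ".exe"}


def sha256_file(path):
    """Hash a file in chunks so large data files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_code(path):
    """True for known code extensions or any file with an execute bit set."""
    mode = os.lstat(path).st_mode
    ext = os.path.splitext(path)[1].lower()
    return ext in CODE_EXTENSIONS or bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def triage(host_copy, trusted_backup):
    """Sort every file pulled from the compromised host into one of four buckets."""
    report = {"verified": [], "changed": [], "review_data": [], "rejected": []}
    for root, _dirs, files in os.walk(host_copy):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, host_copy)
            if os.path.islink(path):
                report["rejected"].append(rel)      # never follow links out of the tree
                continue
            backup = os.path.join(trusted_backup, rel)
            if os.path.isfile(backup):
                same = sha256_file(path) == sha256_file(backup)
                report["verified" if same else "changed"].append(rel)
            elif looks_like_code(path):
                report["rejected"].append(rel)      # new code: redeploy from your own source
            else:
                report["review_data"].append(rel)   # new data: inspect before importing
    return {bucket: sorted(paths) for bucket, paths in report.items()}
```

Files in "changed" and "review_data" are the ones to inspect by hand before they go onto the new host; anything in "rejected" is redeployed from your own copies instead.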
agree with all except that, in general, when someone makes threats to sue they are usually full of hot air. the ones who actually sue don't tell you until you're being served. companies know this. just spam as much negative publicity as you can and pull your business.
Seriously?
Take your business elsewhere, if they value your privacy and security that little.
"Lawyers cost money, I have no idea how much money this lost you but sometimes it's not worth fronting $5,000 for a lawyer when $500 is at stake."
Except that you can sue for legal fees as well.
What I have done in the past & have gotten good results from is to politely decline their offer & tell them that you need your domains returned - just don't be a dick about it. If they say that they can't/won't, tell them that you will be contacting the attorney general & the BBB in regards to the matter. Send either a certified, signature required letter or an email to all three locations - the hosting/domain company, the BBB and your attorney general. With the copy of your complaint that you send to the hosting company, explain that you have also sent the letter to the AG and BBB and that they can expect to hear from them soon.
Even if the AG and BBB don't immediately get involved, this will usually get results because you are no longer a pushover. You have proven that you are doing something about it. Then, if/when they get your domains back, transfer them to someone else immediately.
Your second mistake may have been to accept the free hosting. It is quite possible that by accepting you have just cut yourself out of any future ability to seek redress.
No, step 2 is to transfer all of your domains to an account with an actual registrar. Buying domains through a hosting provider is a recipe for disaster. It means that:
are all protected by a single password, managed by a single team of people, capable of making a single mistake and causing you to lose everything. Your best security is ensuring that no single point of failure can fully compromise things other than the registrar (which is bound by fairly strict rules that make such compromise less likely).
The whole Cloud Computing thing is an industry fad, like many others that have come and gone. Given the advent of cost-effective mega-comms like dark fibre and WAN optimisation, remoting all of your infrastructure or services seems like a logical thing to try.
The problem is... pretty much everything that could go wrong when you trust strangers to handle all of your sensitive IT stuff and protect yourself with a simple piece of paper (hark, I think I can hear the ghost of Neville Chamberlain checking his email...), like as not written by the provider, will go wrong for someone out there at some point. And the implications for the victims are very serious.
When you outsource fully, this sort of stuff can and will happen. And you just have to accept it. Cloud providers are just people, and they are going to screw up in spectacular ways, and their customers are just going to have to cop it. End of story.
Or you could keep stuff in house and take some actual responsibility for your own destiny.
I wouldn't make any decision based on that, as any user can add tags to a story.
Indeed. Let us know so that we can not use them.
...but maybe it's time to get off the fucking cloud.
"I got an email from my cloud server to reset the admin password, first dismissed it as phishing, but a few emails later I found one from an admin telling me that they had"
Hmmm. I'd say you were duly notified and chose to ignore the built in security mechanisms. This will make any legal case pretty tough.
Hard to give great advice knowing nothing really... so either get an attorney's advice or take your lumps and move on. They did catch their mistake, so this might have just been an isolated event and not a matter of routine sloppiness.
Hopefully you'll learn a lesson from this as well. Treat those types of emails very seriously, and contact the host asap.
You don't know the business relationship there - regardless, under no circumstance short of court order does Rackspace have the right to arbitrarily grant Learning Together access to an account they do not have authorisation to access. Rackspace did bad here, however you look at it.
This really doesn't have anything to do with "the cloud" - it's plain old hosting, and everyone needs a domain registrar in order to hold a domain. In this case the registrar fucked up and allowed access to an account they shouldn't.