Slashdot Mirror


Ask Slashdot: My Host Gave a Stranger Access To My Cloud Server, What Can I Do?

zzzreyes writes "I got an email from my cloud server to reset the admin password, first dismissed it as phishing, but a few emails later I found one from an admin telling me that they had given a person full access to my server and revoked it, but not before 2 domains were moved from my account. I logged into my account to review the activity and found the form the perpetrator had submitted for appointment of new primary contact and it infuriated me, given the grave omissions. I wrote a letter to the company hoping for them to rectify the harm and they offered me half month of hosting, in a sign of good faith. For weeks I've been struggling with this and figure that the best thing to do is to ask my community for advice and help, so my dear slashdotters please share with me if you have any experience with this or know of anyone that has gone through this. What can I do?"

34 of 176 comments (clear)

  1. Talk to a Lawyer by eldavojohn · · Score: 5, Interesting

    That's it. That's the truth and that's how 99% of ask Slashdot answers start and end. It's good advice. Everything that follows hereafter is my own, uneducated, horseshit assumptions on how things (should) be.

    It wouldn't hurt for you first to read up all that legalese you agreed to when you first entered into a "business contract" with these guys. I'll bet that they say somewhere in there that they are not liable for any illegal or unauthorized access/control/etc of your domains and property. And by clicking a checkbox at the end of this fifteen million word tome, you agree not to hold them liable.

    Go ahead, I bet it's in there and I've never even read one of these things myself. Which, don't lose heart if it is, a lawyer can probably sacrifice a few kittens, babysit the judge's nephew for free and come out with some sort of "unreasonable burden" to parse that whole thing upon completion of the transaction. I don't know, I know that people are slowly starting to become more reasonable about massive ToS documents.

    Lawyers cost money, I have no idea how much money this lost you but sometimes it's not worth fronting $5,000 for a lawyer when $500 is at stake. What I would do is send them another message saying you find their consolation gift unacceptable and you're moving all your business away from them. Then I would do that. Then, I would simply write up a detailed account of these events with a tl;dr of "got F'ed in the A by XYZ Inc" and just go out and drop that on every single forum and review site you can find for domain names and hosting. Why not hit the Better Business Bureau while you're at it? Then I'd let those ferment and field questions in my free time because, hey, revenge releases a special kind of endorphin, right? Then you could be done with it or you could just send them endless requests for reimbursement with the fallout being more zero star reviews and a possible visit from your non-existent lawyer. And why not? They deserve the reputation they have exhibited to you.

    And whenever I go off and do something like this and I get sick of the effort, I justify everything by imagining that if I don't do this they'll just screw over god knows how many other customers. So you're doing a public service.

    --
    My work here is dung.
    1. Re:Talk to a Lawyer by Eponymous+Hero · · Score: 4, Insightful

      agree with all except that, in general, when someone makes threats to sue they are usually full of hot air. the ones who actually sue don't tell you until you're being served. companies know this. just spam as much negative publicity as you can and pull your business.

      --
      insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
    2. Re:Talk to a Lawyer by TheCarp · · Score: 4, Informative

      definitely talk to a lawyer. I want to add something to it that you may not know.... some clauses that seem to protect them in one case, can hurt them in another because of legal presedents that interpret those.

      For example, one that a friend told me about.... lets say you live here in MA and lease an apartment. Well, there are some legal clauses that can be put in there to protect the landlord from legal fees. However, if they are in there, and the landlord is found to be at fault, then that same clause can be turned around to make them pay instead.

      This is not obvious from the wording or just reading the contract, but is well known (to lawyers) legal precident. I forget the exact specifics but....I know a friend of mine is hunting for the last remaining copy of the second page of his rental agreement because he says it contains terms that will get him treble damages in his case with his landlord. (as a landlord myself, I can also say, if the allegations are true...that guy is a douche bag, and has even entered the rented apartment without cause, permission, or even notice... among other things....)

      So yes... call a lawyer.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:Talk to a Lawyer by Anonymous Coward · · Score: 4, Informative

      That's not really true, lawyers will very often threaten a suit before filing if doing so would be advantageous. For example, if the mere existence of a lawsuit would bring to light facts that a company would rather not make public, they may be willing to offer a settlement prior to any filing. But once the suit is filed and on the public record, the damage is done, and they may decide at that point they may as well fight to the end. Now the real truth is that non lawyers who threaten to sue generally don't, and lawyers know that. Basically, if you write a letter to your colo facility telling them you're considering the merits of a lawsuit, they'll ignore it. If your lawyer writes the same letter, they'll probably take it more seriously.

    4. Re:Talk to a Lawyer by Anonymous Coward · · Score: 5, Informative

      I agree that you need to talk to a lawyer, and I am coming from experience since I am a lawyer. My gut reaction is that unless you actually sustained tangible damages (such as loss of business revenue, harm to your business reputation, or having to pay out of pocket expenses to clean up the mess created by the host) you probably don't have much legal recourse against the host. However, depending on the state where you live and the state where the host is located, there may be consumer protection or privacy laws that provide for statutory penalties of some amount for acts such as this.

      I practice law in Florida, and I get similar inquiries quite often and my first question is generally "what have you lost?". If all you suffered is your own disappointment and frustration with the company, it is not going to be worth the time or effort for you to keep dealing with it. Don't use the company anymore, and feel free to report them to whatever consumer protection agency you feel. But be warned that you should never exaggerate the facts, as I've also seen consumers sued by companies alleging defamation when the customer sprinkles some fantasy in with the truth. Don't put yourself on the wrong side of a lawsuit, because chances are the company will have the resources to sue you and you would be left paying out of pocket to hire an attorney to defend you.

      My advice? Talk to a lawyer just to see what your options are. But don't let your emotional response govern over good sense.

    5. Re:Talk to a Lawyer by cpu6502 · · Score: 3, Informative

      >>> I'll bet that they say somewhere in there that they are not liable for any illegal or unauthorized access/control/etc of your domains and property.

      Which goes right out the window when the State Law says the opposite. Example: Paypal's EULA said they are not responsible for lost funds, and the judge said that's bullshit and ordered them to return all funds to customers (I got back 100-some dollars).

      Plus in this case the stolen domain names were lost through incompetence by the webhost (they accepted incomplete forms). They are liable for damage caused by their inemptitude.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    6. Re:Talk to a Lawyer by Anonymous Coward · · Score: 4, Informative

      Also consider talking with an executive at the company. Sometimes these conversations can be fruitful.

      I once had a dispute with a datacenter that had me sufficiently upset that I was ready to leave. However, I wound up receiving a $15,000 service credit, had my monthly recurring reduced by $3,000/mo, and had them agree to provide detail on how they were going to prevent the problem from recurring. All because I flew to the CEO's office and had a polite (though tense) one hour meeting.

      No lawyers or anything. Just a conversation.

    7. Re:Talk to a Lawyer by Eponymous+Hero · · Score: 3, Funny

      i'm referring to when people say, "i'm going to sue you if i don't get my way!" a cease-and-desist letter is the first step in actually getting the ball rolling in litigation -- you have to give them a chance to stop. people often send out these letters without angry fist-shaking. and some lawsuits aren't about ceasing and desisting anything. in this situation we're discussing there's nothing for the cloud host to cease. there's no ongoing bad behavior.

      --
      insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
    8. Re:Talk to a Lawyer by Anonymous Coward · · Score: 5, Interesting

      The threat of a suit has considerably more weight when it arrives on letterhead from a law office.

      But all that aside... TELL US WHO THE PROVIDER WAS!

    9. Re:Talk to a Lawyer by mhajicek · · Score: 4, Insightful

      Indeed. Let us know so that we can not use them.

    10. Re:Talk to a Lawyer by PCM2 · · Score: 5, Informative

      When you visit a lawyer for the first time, you shouldn't be doing it with a mind to threaten a lawsuit. You're going for advice. You probably have some kind of contract that governs your relationship with the hosting provider. You might not have had a lawyer read it before you signed it; do that now. Then you can ask exactly what the hosting provider may be liable for, and where they may have effectively covered their own asses. If you do think you might want to threaten a lawsuit, it's important first to know whether you have a leg to stand on.

      Empty threats to sue may sound like hot air. A letter on an attorney's letterhead that specifies the ways in which the hosting provider is in breach of contract will probably be taken seriously. And 90 percent of the time, the issue will be resolved before it ever gets to court. Nobody wants court.

      Also, don't assume this process will lead to you getting absolutely everything you think you deserve. Have some sort of minimum compensation in mind that would allow you to walk away feeling like you've had some justice. Your lawyer will help you figure out this number, too. Negotiations can proceed from there.

      But if you won't be happy until the hosting provider is well and thoroughly punished for what they did, you will probably walk away disappointed. Especially if they're a public company, you're not going to be able to shame them into giving you what you want. The civil legal process is there to determine what you may be owed, legally. It's not there to exact vengeance for you. In fact, you'll sleep better at night if you just let that go.

      Really, I think the most important thing here is to begin the process of moving to a hosting provider that will give you better service. Everything else is secondary. In fact, I would skip the "negative publicity" part, except in private. Particularly if you're investigating legal options, trash-talking the hosting provider publicly before proceedings begin could work against you. It could even become the source of a counter-suit.

      --
      Breakfast served all day!
    11. Re:Talk to a Lawyer by dubl-u · · Score: 4, Informative

      Yes, exactly. On a couple of occasions a sternly worded letter from a lawyer has worked wonders for me.

      My favorite was when a company who owed me for months of contract work suddenly got a case of we-can't-afford-to-pay. My lawyer wrote a letter explaining that under California law, wages had to be paid before anything else, and encouraged them to contact the very energetic state agency in charge of enforcing that if they were unclear. It was a masterpiece of subtle menace, and I got a wire transfer for the whole amount two days later. Total cost to me: a few hundred bucks. A decade later, he's still my lawyer.

  2. Tell us who it was. by characterZer0 · · Score: 5, Informative

    If it was my provider, I'm leaving.

    --
    Go green: turn off your refrigerator.
    1. Re:Tell us who it was. by Anonymous Coward · · Score: 5, Informative

      I'd suggest checking the submission tags; there might be a clue there.

    2. Re:Tell us who it was. by CAIMLAS · · Score: 3, Interesting

      If it were my provider, I'd leave and tell all my friends and acquaintances precisely which provider it is.

      This behavior is worse than inexcusable. Sure, it's a 'cheap' service but the reprecussions for this are massive to the user.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    3. Re:Tell us who it was. by philip.paradis · · Score: 4, Informative

      It was apparently Rackspace, judging by the PDF document linked in the original submission.

      --
      Write failed: Broken pipe
    4. Re:Tell us who it was. by dubl-u · · Score: 4, Interesting

      Whoa. That puts a different light on things. The poster, who does web development, bought a domain name learning-together.ca which was used by his client Learning Together Inc. Rackspace transferred control of the domain name from the poster to Learning Together, Inc. It seems very weird indeed that the poster is trying to keep control of that domain.

    5. Re:Tell us who it was. by dubl-u · · Score: 5, Interesting

      Sure, but it makes it an understandable mistake on the part of Rackspace. And if the company gave Rackspace some documentation that the poster was buying the name on behalf of Learning Together, then the transfer may have been proper.

      More importantly, though, it puts the poster in a different light. He concealed material facts in his summary, and on the face of it trying to hold on to a client's domain is shady. It makes me wonder what else he's hidden.

  3. If you value security and your data by mrsam · · Score: 5, Insightful

    Your provider has de-facto admitted that they messed up. These things happen. The only question is whether they would truly respond in a professional manner. If they do, and they agree to the following, do the following, and move on. Contact them, and request them to:

    * Provision a new virtual host for you.

    * You will copy all your existing data into your new virtual host, using your own copies of whatever you use the host for. You do have your own copies of everything, and you don't trust the host with the entirety of your data, right?

    * For convenience, I think it's ok to copy some data directly from your compromised host, provided that you're comfortable with whatever verification steps you deem are necessary to certify that it hasn't been tampered with. Data, no code.

    * When your migration is complete, your provider will swap in your replacement virtual host in place of the compromised one, which they'll decomission.

    Of course, for the duration of your migration, your host will not charge you for the second virtual host. You might consider negotiation with your host for an additional discount, as compensation for the work you have to do as a result of their security breach. I think that free hosting for however long it takes you to migrate, that is, no charge for the new virtual host, and billing suspended for your compromised host, would be fair. If that's the two weeks they're already willing to give you, then that's that.

    1. Re:If you value security and your data by Shoten · · Score: 4, Insightful

      Your provider has de-facto admitted that they messed up. These things happen.

      Um...not really, not if the hosting provider is doing things the right way. And that's the problem. I will elaborate...

      The only question is whether they would truly respond in a professional manner. If they do, and they agree to the following, do the following, and move on. Contact them, and request them to:

      * Provision a new virtual host for you.

      This will not address the fact that there's clearly an issue with the underlying processes and procedures that should have prevented this in the first place. This was a *process* breakdown, not a question of architectural segregation. A new virtual host, (improperly) protected by the same procedural controls, is no more secure.

      * You will copy all your existing data into your new virtual host, using your own copies of whatever you use the host for. You do have your own copies of everything, and you don't trust the host with the entirety of your data, right?

      See above, about "process breakdown."

      * For convenience, I think it's ok to copy some data directly from your compromised host, provided that you're comfortable with whatever verification steps you deem are necessary to certify that it hasn't been tampered with. Data, no code.

      See above, again, about "process breakdown."

      * When your migration is complete, your provider will swap in your replacement virtual host in place of the compromised one, which they'll decomission.

      See above, about "process breakdown." I keep saying it because none of these points addresses that problem, which is the root cause of this and the source of future risk of the same nature.

      Of course, for the duration of your migration, your host will not charge you for the second virtual host. You might consider negotiation with your host for an additional discount, as compensation for the work you have to do as a result of their security breach. I think that free hosting for however long it takes you to migrate, that is, no charge for the new virtual host, and billing suspended for your compromised host, would be fair. If that's the two weeks they're already willing to give you, then that's that.

      The problem is that something non-technical failed here. It wasn't a buffer overflow, it wasn't a bad firewall rule, it wasn't a zero-day vulnerability. The title of the Slashdot topic is the key: "My Host Gave a Stranger Access". Unless that Host changes what they did wrong the first time, it doesn't matter which server within their control you reside on, or if you're supposed to be there all by yourself. It comes down to if they can demonstrate to you, transparently, what they did wrong and what they have done to fix it. It sounds like there's been a lack of transparency as to the breach, at least at first; that is not a good sign. Good luck, but you may have to take your business elsewhere.

      --

      For your security, this post has been encrypted with ROT-13, twice.
  4. The offered only half a month of hosting???? by mark-t · · Score: 4, Insightful

    Seriously?

    Take your business elsewhere, if they value your privacy and security that little.

  5. Re:Who? by lattyware · · Score: 4, Informative

    It's tagged as rackspace. http://www.rackspace.com/

    --
    -- Lattyware (www.lattyware.co.uk)
  6. And people wonder why I'm against the cloud. by Paleolibertarian · · Score: 5, Informative

    As long as your data is out of your hands it is extremely vulnerable. The hosting company only cares about the money you pay them and little else. If they're hacked, too bad. If they're servers are down, too bad. if the justice department comes with a request, all your data belong to them. Host your own systems on your own property and make your own "in-house" backups. The cloud by definition is vaporware.

    1. Re:And people wonder why I'm against the cloud. by Richard_at_work · · Score: 3, Insightful

      This really doesn't have anything to do with "the cloud" - its plain old hosting, and everyone needs a domain registrar in order to hold a domain. In this case the registrar fucked up and allowed access to an account they shouldn't.

  7. Never accept anything by DaveV1.0 · · Score: 4, Insightful

    Your second mistake may have been to accept the free hosting. It is quite possible that by accepting you have just cut yourself out of any future ability to seek redress.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  8. Re:As the Lawyer response has been given... by dgatwood · · Score: 4, Insightful

    No, step 2 is to transfer all of your domains to an account with an actual registrar. Buying domains through a hosting provider is a recipe for disaster. It means that:

    • your email address (assuming it is at that domain),
    • the contents/management of the site itself,
    • management of the domain, and
    • management of SSL certs, if any

    are all protected by a single password, managed by a single team of people, capable of making a single mistake and causing you to lose everything. Your best security is ensuring that no single point of failure can fully compromise things other than the registrar (which is bound by fairly strict rules that make such compromise less likely).

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  9. You have few options... by Tolvor · · Score: 5, Interesting

    I used to work at a major domain name registrar before I went into business for myself. I have heard of dozens of cases like yours, and in short you are toast.

    Scammers look for valuable domain names that are in vulnerable accounts that have public emails addresses on free email servers (hotmail, gmail, yahoo, sbcglobal, comcast...) and that can be registered. Or it can be an old phone number that can be used, or some simple paperwork that can be faxed in that the scammer has access to.

    The registrars try to protect the domain name and send out warning emails that major account changes are occurring. If those emails are ignored and the domain names get transferred out, it is too late. It is unbelievably difficult (ICANN dispute) to reverse a transfer and force a domain name back once that transfer has finished.

    You ignored the email, so unfortunately it is your own fault. Just as it would be your fault if you ignored an official notice that you are required to show up for jury duty thinking it was spam, and afterwards get fined or arrested. Just as if you ignore the car alarm going off in the parking lot as a false alarm and in fact your car was jacked does not mean the alarm company is at fault. The fact that you ignored it means that you did not take needed and necessary steps to protect your property.

    You need to read the registrars terms of service and legal agreement that you agreed to. I am familiar with most of the major registrars and they all specifically cover this situation (basically that the onus is on you to protect your services). The registrars do this to protect themselves from lawyers.

    The only realistic course of action is for you to register a new domain name, sad as that may be. Or pay the hostage fee to whoever took the domain name which will probably be in the thousands of dollars.

    I wish you luck.

  10. Trademark your domains by Animats · · Score: 4, Informative

    It's helpful to register trademarks on your important domains, if they're unique enough. This means a quick win in a UDRP proceeding, and gives you the option of suing anyone who ended up with your domain. It's about $400 per domain.

    More importantly, own your domains. If WHOIS doesn't have your name and address in "Registrant", you do not own the domain. You're just renting it from somebody. Your hosting provider should never have their name in there. This really matters when there's a dispute. Deal directly with your domain registrar. Do not deal with them through a hosting service.

    "Private registration" works the same way. The "private registration" service owns the domain, and you have a contractual relationship with them, at best. See what happened when RegisterFly went bust.

  11. Anyone could have added that tag. by pavon · · Score: 4, Insightful

    I wouldn't make any decision based on that, as any user can add tags to a story.

  12. Do NOT talk to a lawyer by petes_PoV · · Score: 3, Interesting

    First of all, assess the damage. How much time has it cost you to rectify the situation? Have you got your 2 domains back? If you can come up with a reasonable figure for the time and any commercial damage that has been done, set that against the cost of "lawyering up".

    If you asked for this amount. I would expect your service provider would interpret it as the opening round in a negotiation and eventually you'll probably end up with about 50% of what you ask for. So make sure you've included everything in whatever you think you're due. Add on to that the time it will cost you to negotiate a fair settlement.

    The only time it's worth the time, trouble and potential cost of involving a third party (who will probably take as much of your time as you'd spend reaching a solution on your own and will almost certainly earn much, much more from this than you'll ever receive: possibly from yourself - and double that for the other guy's lawyer, if you lose) is if you get stonewalled, or counter-sued. If you can possibly reach an agreement without involving others, you stand to get the fastest and most satisfactory outcome. Remember, this is not a money-making opportunity.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  13. You are in a negotiation here by DG · · Score: 4, Interesting

    I don't thing you need a lawyer - yet.

    You are in a negotiation. The company has made you an initial offer - the half-month free hosting - and that initial offer has a dollar value associated with it.

    You have been inconvenienced, and it took time to rectify the problem. Your inconvenience and time also has a dollar value associated with it. So what is it?

    I would work out the value of what you lost, add 20% for general hassle costs, and present that as a counter-offer to the company.

    I would also work out the minimum value for which I would settle. It's less than getting everything I want (which you might get) but enough to counter-balance the additional hassle of hiring a lawyer and all those extra expenses.

    Then negotiate. If they present an offer that is above your settle value, take it. If they don't, THEN you call the lawyer. Not only is this likely to arrive at a mutually agreeable solution without lawyers taking a cut, if you do wind up hiring a lawyer, you give him more to work with "my client made a perfectly acceptable counter offer and you refused it" etc.

    Lawyers can be a useful tool, and sometimes they are necessary, but a reasonable negotiation can also work. You just need to understand your position first.

    DG

    --
    Want to learn about race cars? Read my Book
  14. Re:Protecting the guilty to trap the innocent? by Tacvek · · Score: 5, Informative

    The tag was applied by the submitter. See the Original submission and notice the link to the original source, which is a letter the submitter wrote to Rackspace about this incident.

    --
    Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
  15. Re:Co-Locate everything by Kalriath · · Score: 3, Interesting

    What's wrong with unmanaged dedicated? The provider doesn't know your password so essentially it's the same as co-locating (i.e. the provider can get into it anyway, since they have physical access but they'll have to hack it to do so).

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  16. legally claimable losses by dutchwhizzman · · Score: 4, Interesting

    Having to completely reinstall the server because of possible back doors left by the "thief". Business value of the domains stolen. These are most definitively damages that are a direct result of the fact that they let a stranger on his cloud server. Possible damages include lost revenue that can be proven by either actual cancellations and possibly statistics, monetary equivalent of lost reputation (reduced business income) and overhead costs like legal fees, time taken to sort out the incident and such. Even if you only take 8 hours to reinstall the server at a modest rate of $50/hour you are looking at $400 in damages. I doubt you'd be paying much more than that for an average cloud server for a whole year, so the settlement offer they give is nowhere near your costs and what your claim should be.

    --
    I was promised a flying car. Where is my flying car?