Ask Slashdot: Should Hosting Companies Have Change Freezes?
AngryDad writes "Today I received a baffling email from my hosting provider that said, 'We have a company-wide patching freeze and we will not be releasing patches to our customers who utilize the patching portal for the months of November and December.' This means that I and all other customers of theirs who run Windows servers will have to live with several critical holes for at least two months. Is this common practice with mid-tier hosting providers? If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?"
If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?
At least 10 countries have just been given the green light for hacking.
Using windows to provide an internet facing service was the first mistake.
Just reply to this message with the IP addresses of any servers you want to make sure will not be hacked and I will make sure the list gets to the right people.
Happy to help.
If I were God, wouldn't I protect my churches from acts of me?
I work for a company with 1200+ VMs and the change freeze concept is nothing new. For us, it's only 1 month around new years and mainly due to staffing issues if something goes wrong.
The server will be spending 50% of its life rebooting to apply minor updates and install software, reducing the risk of a security breach.
Under any shared hosting, or control-panel-abstracted hosting, you're at the mercy of your provider for things like this. I realize they offer stuff on the cheap, but it's times like these when you realize you're getting what you've paid for. Many more hosting companies have hypervisors amongst their offerings than did just five years ago, and you can get a basic ESXi server for $50/month or thereabouts. Add memory, disk space, IPs, and bandwidth to suit.
This is for automated patching, you may certainly request to be patched by the support teams. Typically these two months are the busiest for online shopping sites and a botched patch could cost the business tons of money. Since you know your business the best, you make the call. Better safe than sorry in my opinion.
Translation: "Dear Slashdot, I'm looking for a good Windows host. Any suggestions?"
As a company using a hosted service, you do have a redeployment plan should a move to another hosting service be required, don't you?
Now would be a good time to exercise that plan.
While I think it's rather unacceptable for this to be done, it's not all that surprising and you kind of deserve the result.
When you outsource you sacrifice things. Why are you letting them patch for you anyway? It's not like they are going to do anything special. All they do is release patches from their own internal WSUS server (or whatever it's called now) rather than you having to do it yourself or letting the machine auto-patch on its own.
Realistically, if you're going to have someone else auto-patch, you might as well just turn automatic updates on fully and be done with it. The only thing they are going to 'save' you from is if a patch happens to interfere with something locally on their network, which is going to be pretty damn rare.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
This ("change moratoriums") is a common practice around the holiday season. A number of the datacenters and other vendors I work with implement similar policies starting right before "black friday" and ending a week after new years. The logic is that changes could have undesirable consequences and the volume of e-commerce around this time would result in a potentially detrimental impact on operations. However, I have never heard of a company that holds out on security updates and other critical fixes due to such a moratorium.
Two months is a looong time. 17% of the year not getting full fidelity on your contracted services seems excessive. Usually, change freezes are a few hours in the middle of the night, once a week.
It's just too late. No more Twinkies.
And if you are concerned about freezing them, as the article seems to state? Don't bother. The shelf-life is astronomical!
"Flyin' in just a sweet place,
Never been known to fail..."
Is this something to do with global warming?
Real (TM) IT shops have change freezes all the time. It's called release management. Perhaps you should a) host on some more stable platform, or b) co-lo your own gear where you can run daily patches and reboots and only affect your own stuff.
I want to delete my account but Slashdot doesn't allow it.
Are you referring to Point of Sale business or Piece of Shit business?
When you fall off that high horse.
What is the reason for an anti-outsourcing rant in this thread? To me, it sounds like the guy has his own website and that's what he's talking about. Do you host your own website? By that I mean do you have your own server, on your own property? If not, then you are outsourcing it. Even if you do, you are still probably outsourcing your Internet access and power generation.
If you don't like outsourcing that's fine and there's plenty of arguments against it, but save it for when it is relevant. Don't just go off on it.
Most individuals outsource their webhosting, and for good reason.
How are they "your" servers if you cannot patch them whenever you deem necessary?
Having change freezes is standard practice. Most places I've worked have a short month-end freeze, and a couple-of-month year-end freeze.
However, critical security vulnerabilities are exempt from these freezes. Those still get done using whatever emergency protocols are in place.
In the land of the blind, the one-eyed man is kinky.
Yes! If your company does not have a change freeze in effect for at least some portion of December or November, it should. Nearly all countries and religions observe significant national holidays during this time. It also tends to be a very significant, or the most significant, time of the year economically for many countries and companies. That said, non-functional security patching and security-related activities would be good exceptions to this rule. Large hosting providers, not wanting to single out customers, often have blanket change freezes in effect, including patching.
There is or can be built a machine that can simulate any physical object. -Church-Turing principle
If you read the email properly, they are not doing automatic patching of these releases, but there is nothing to stop you applying them yourself, or getting them to apply them if you specifically ask for them.
Time to change hosts.
You didn't get this email from your hosting company. You got it from the company managing your servers. The fact that it's the same company is largely irrelevant.
If the server management company isn't flexible enough to meet your needs, do it yourself. You keep track of the patches, you decide when they're ready for release, you release them, you test them. If you don't have the skills for that, or the money to hire someone with the skills, then get another company to do it. If you're using a dedicated server, there's nothing stopping you giving someone else the access to manage and patch it.
If you yourself don't have root/Administrator access, then you don't have a server; you have access to a server. Fork out a little bit extra, and get a dedicated box that you control.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
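The post above says that if the management company won't patch on your schedule, you keep track of the patches, decide when they are ready, release and test them yourself. As an added example (not code from the thread or from any hosting provider), this PowerShell script audits a Windows server's patch state during a provider freeze: what was installed recently, what Windows Update still considers missing, and which of the missing items Microsoft rates Critical or Important. It assumes an elevated session on a Windows server with the Windows Update Agent available; the 60-day look-back window is an assumed default, not anything the thread specifies.

```powershell
# Added example, not from the thread: audit a Windows server's patch state so
# the operator, not the provider's freeze, decides what gets installed.
# Uses Get-HotFix and the Windows Update Agent COM API (Microsoft.Update.Session).
# Run in an elevated PowerShell session on the server itself.

param(
    [int]$RecentDays = 60   # assumption: how far back to list installed fixes
)

# 1. What has actually been installed recently? A gap here shows the freeze biting.
$since  = (Get-Date).AddDays(-$RecentDays)
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
    Sort-Object InstalledOn -Descending
Write-Host "Hotfixes installed since $($since.ToShortDateString()): $(@($recent).Count)"
$recent | Format-Table HotFixID, Description, InstalledOn -AutoSize

# 2. What is still missing? Ask the Windows Update Agent for software updates
#    that are neither installed nor hidden.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        Category = ($u.Categories | ForEach-Object -MemberName Name) -join ';'
        Title    = $u.Title
    }
}

# 3. Surface the items worth an out-of-band request to the provider (or a manual
#    install): Microsoft's Critical and Important security ratings.
$urgent = $pending | Where-Object { $_.Severity -in 'Critical', 'Important' }
Write-Host "Pending updates: $(@($pending).Count); rated Critical/Important: $(@($urgent).Count)"
$urgent | Format-Table KB, Severity, Title -AutoSize

# Non-zero exit when urgent security fixes are outstanding, so a monitoring
# check can alert on it instead of relying on someone reading the output.
if (@($urgent).Count -gt 0) { exit 2 } else { exit 0 }
```

Scheduling this weekly through the freeze gives you the list to hand to the support team when you ask for an exception, and the exit code lets an existing monitoring job raise an alert when a Critical-rated fix has been outstanding for longer than you are willing to accept.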
In my experience, they are one and the same.
Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
You can't put up a sign that says "only a few people allowed beyond this point". And you can't put up a sign that says "very little loitering accepted". So you put up signs that read "no access beyond this point" and "no loitering", and then you simply don't enforce it for the first few people.
If this company has a reduced staff, or wants to ensure that large problems don't happen during sensitive times, then they might want the freeze. And saying that there will be a freeze is the way to do that. But calling them and saying "hey, I know there's a freeze, but I'd really appreciate this patch when it's convenient." won't likely be met with a solid "no, screw you, we're in a freeze".
Ice is usually still a little wet. Not every molecule freezes at the same instant.
Look at it as an opportunity for you to be nice. They said "we'd really like to ease the harsh environment of christmas IT", and you can optionally say "I'll help you out by not patching for a while". It's an opt-out instead of an opt-in scenario, but it's the same.
You're complaining about the default, not the final. And you can override the default with a phone call. Don't sweat it.
I spent 2 years working for a utility company in Australia where we had an annual change freeze to core systems during the bushfire season. We couldn't afford for systems to be down for non-essential changes when there was the possibility of a 'real world' emergency breaking out. This went doubly so for anything involved in the SCADA network.
Sara
Designer, Gamer, Macgrrl in an XP World
If so, may I ask Eastern-EU folks to please refrain from hacking my servers
If so, may I ask the Slashdot editors to please refrain from letting people post trolls.
we lock down from about mid december to mid jan.. partially because of staffing, but mostly because our environment needs to be stable for year end processing (I work for a bank). no elective changes are allowed during this time.. only fixes if something breaks.
we don't run our shit in third party datacenters, so it's not exactly the same scenario, but it's understandable that no changes are allowed. what if your stuff breaks and you don't have staff due to the holidays? if we fuck up, we only fuck up our shit... if a hosting outfit fucks up, they fuck up a lot of other people's shit..
maybe they host a lot of retail outfits who need to be up for the holiday shopping season.
Yes you can (or even better with mono), but your application may not like it, so it depends on what you are running. Some do run as well that way as on an MS system and I'm using it so users can get to a single licence application using dotnet (fucking stupid name you can't use in a sentence) remotely via X instead of hotseating. Yes I know a lot about VNC but it sucks in comparison on a decent local network for several reasons, and that linux box in the server room has far more memory and CPU power than any of the available MS Windows workstations.
Whatever you do, don't take down 216.34.181.45.
I know which host and which announcement this refers to. All this is is a suspension of fully automated patching during the holiday season. If you want patching performed anyway, just contact your support team. They prefer to make patching opt-in during this period to avoid site outages due to patching miscommunications.
may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?
Sure, just provide me with your domain name, provider and root password and I'll add you to my do-not-hack list.
"It's too bad that stupidity isn't painful." - Anton LaVey
I'm sorry to say that OP seems to be nationalistic about his "hacker countries" conception, promoting negative stereotypes, not to mention that he confused EU with Europe.
Top hacking countries are very different from Eastern European countries: USA (yup, still the number 1 spot), China (Eastern, but not European), Russia (not Europe, just Eastern), Brazil, Germany (Europe and EU, but not Eastern), UK (an island off Europe's coast), India (totally away from Europe)...
With your attempt at "humour" you basically gave all those people the right to hack your servers over the next two months ;-)
What have you got against sys admins anyway that you go out of your way to make them cry like that?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
As my grandad used to say: if you want it done right, do it yourself.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
And block everybody else at the firewall.
There's no reason to let any of China, Pacific Rim, Middle East, Former Soviet Bloc, Africa, etc. onto my servers.
So they don't get on, and nothing of value was lost.
Know what else? My log files don't fill up with useless shit anymore, and the numbers of automated attacks and form spams have dropped dramatically.
Last time I checked, you can download fixes for your servers. Just FTP them up or whatever and install them manually. Get a new web host over the long term, but this is just an annoyance, not some big rights-violating controversy as you make it out to be.
major companies generally require a change standstill during holiday seasons, as well as certain accounting-rules critical times. so do outfits like the FAA, which for some ungodly reason doesn't want its comm channels flipping like fish at all hours of the day and night. some damn silliness about "life safety" or some other freakin nonsense.
I work for a telco, and this is very very old hat to us. "why are our lines down, we have 30 planes stacked up for landing?" "uh, backhoe party on the front lawn ripped up all our stuff?" "you must get this up immediately, and we do NOT authorize any downtime to fix it!"
I'll call the fairies in immediately. wish real hard.
if this is supposed to be a new economy, how come they still want my old fashioned money?