Ask Slashdot: Where Are the Complete Hosting Providers?

Kludge writes "In 2000 there were thousands of email/web hosting businesses. In 2013 not much has changed. To get my email/web/webmail/domain/VOIP/public-key/XMPP/VPN hosting I have to deal with five different service providers. Where are the complete hosting providers? The absence of competition in this area drives many to Google, making data siphoning easy for the NSA. Why has hosting not advanced in the last 10 years? Where are the hosting providers that make end-to-end encrypted email/web/VOIP/XMPP easy and automatic for all my clients?"

Managed servers

[NormalVisual]

I think probably what's happening is that it's cost-prohibitive for a provider to train their staff to maintain all of the different packages that would be required to offer such a service, and a provider that offers VoIP generally has to have more quite a bit more infrastructure in place to offer any kind of reasonable service. The closest thing to what the submitter is asking for is probably a managed server provider, and there's no shortage of those out there, at varying quality/price points.

Re:Managed servers

[mysidia]

The closest thing to what the submitter is asking for is probably a managed server provider, and there's no shortage of those out there, at varying quality/price points.

Yes..... I think the poster is asking Where's the place I can get all those things together in high quality at a commodity price?

In other words.... Where can I purchase a car with all the amenities of the high end Rolls-Royce, for the price of a Civic?

Re:Managed servers

[girlintraining]

In other words.... Where can I purchase a car with all the amenities of the high end Rolls-Royce, for the price of a Civic?

You steal the Rolls-Royce. Hundreds of millions of computers right now are part of one kind of botnet or another because botnets offer everything the poster is looking for. There are websites out there where you can purchase the resources of the botnet for cheap; Just gotta know where to look. As a bonus, they also offer a degree of anonymity and resistance to the kind of tracking the author is apparently worried about. If you want to be resistant to a search and seizure by a government, I can think of few things better than a massively decentralized, worldwide network with millions of potential servers to shift your data around within.

Shameless plug.

[philip.paradis]

I'm a senior engineer at FireHost, and we can provide managed infrastructure and installation assistance for the things you've listed, complete with managed SSL VPN access for all your employees.

Again, this is an admittedly shameless plug, but it does answer the question.

Re:Shameless plug.

The submitter implied Google was not suitable with the remark "making data siphoning easy for the NSA".

How is FireHost significantly less vulnerable to the NSA when "The Letter" arrives? From what I see FireHost has significant infrastructure in USA, a CEO with US ties, many employees living in the USA.

If the NSA is not a worry to the asker, then there are many solutions, FireHost possibly being one of them. If the NSA is an issue then it becomes trickier...

Re:Shameless plug.

It's the FBI that shows up with the NSL in the US. In every other country the same thing happens. IOW, you're all fucking retards for thinking an offshore hosting provider is going to be any different.

Re:NSA?

[MerlynEmrys67]

Why do you think the NSA snoops on Non-US traffic more than it snoops on US traffic?
Really?
Frankly, if you are sending e-mail in the clear (and, unless YOU encrypt it - you are) - it is like mailing post cards from your holiday trips and expecting no one to look at the back of them.

Moar tin foil!

[girlintraining]

...making data siphoning easy for the NSA.

I have gotten incredibly sick of the tin foil hat brigade putting the NSA into every one of their conspiracy theories, and equally tired of the idiot replacement editors from Dice rubber-stamping submissions like this that even most bloggers wouldn't post. You wanna talk about hosting providers? Okay, let's talk. Obviously you are concerned about your data being intercepted and stolen.

Do you guys honestly think, for one second, that you can hide from these guys if they really want you? Any of you? This is the largest, most powerful government on the planet, with resources you could only dream of. Even businesses the size of Google can't keep them out; And if you believe any press releases to the contrary, you're an idiot.

The only way you're keeping your data safe is in a physically secured facility, with the computer locked in a faraday cage and with no access to the internet. Just about anything else and the data will be vulnerable at some point to a legal intercept of it. You can manage those risks, limit them, but ultimately, if they want it they're gonna get it.

So please guys, stop asking for NSA-proof [insert thing here]. There are only two defenses when your opponent has a half trillion dollar budget and you got twenty bucks and a cracker; Anonymity (ie, don't get on the radar), or don't do anything that would be interesting to them... or if you must, for the love of fuck, minimize your electronic footprint. Forget the credit card, the cell phone, the wifi-enabled anything. Go off grid, stand in the woods in the middle of nowhere, and then do whatever it is you're keen on doing without the government being aware of it.

There are no high tech solutions to this that are within your budget, ok? Just... deal with it already guys.

Re:Moar tin foil!

[girlintraining]

So no.. I will not just 'deal with it', that is completely the wrong attitude. We DO NOT have to deal with it, we will not deal with it. It will be stopped, eventually.

Excuse me... I didn't say just roll over and take it. But trying to solve a social problem like this with technology is the very height of stupidity. It's like saying if we take away everyone's guns, we'll solve that pesky violence problem. The gun is just the tool. Just like the internet. Just like a cell phone, a camera, a packet sniffer, a data center... all of these things that the NSA uses are not the problem! It's the people that are the problem, and the people alone.

People problems can only be solved by people. I know that seems like a stupidly obvious thing to say, but it's clear to me that when article after article posted is variations of the question "What technology can I use to stop the NSA from spying on me?" There isn't any! You stop the NSA by getting off your ass and participating in the democratic process. You cannot fix this by keyboard warrioring.

Re:Moar tin foil!

[istartedi]

Yep. When I was a kid nobody* had a computer. Then for a while people had computers but little or no connectivity. Then everybody had a computer and fast connectivity.

During the sneakernet era you had computing ability, but if they wanted your data they'd have to get a warrant or ransack your office illegally.

If keeping things away from the NSA is that important, go all 1980s on your selves. It really wasn't such a bad time for most of us. Swapping floppies in person was actually kind of fun. There were no government agents at swap meets.... that I know of, LOL.

*The term "nobody" means no ordinary middle class household or small business. Yes, I know NASA and big companies had computers when I was a kid. "Nobody" is being used in the loose, colloquial sense here. The standard disclaimer about not inferring the ridiculous also applies. This includes casting a loose net over the definition of computer so as to include devices such as the abacus, or employees with "computer" as their job title and mocking me for implying that I'm older than written history. The standard disclaimer also applies to the text of the standard disclaimer.

Re:Moar tin foil!

[girlintraining]

During the sneakernet era you had computing ability, but if they wanted your data they'd have to get a warrant or ransack your office illegally.

Neither of which you'd necessarily be informed of. There's two ways to approach security; tamper-evident, and tamper-resistant. Everyone is focusing on tamper-resistant right now to deal with the NSA; "How do we stop them?" ... Have you noticed nobody is asking the question; How do we detect them? Sneakernet also had the benefit of being tamper-evident... if they broke down your door, you'd come home to a broken door. It'd be pretty obvious that something was up. Legal or illegal, when you physically search a property, you leave evidence behind that you did so. However, much of the technology the NSA is using doesn't leave any proverbial fingerprints behind.

Re:Moar tin foil!

[girlintraining]

You're trying to convince a lot of IT professionals, who know damn well that its technically possible to secure communications end to end, that they are powerless to do what they know they can do.

No, I'm merely suggesting that locking those IT professionals in a room and beating them with a metal pipe, is an effective method of "unsecuring" those communications. It's only in the imagination of Anonymous Cowards and hollywood screen-writers that the police kick in the door, seize the computer, and then say "Oh shit! He's using a 8192 bit encryption key. We'll never recover the data! I guess we better just leave then, defeated."

It's just short notice, we thought we lived in a system of rules that protected our privacy, we thought TLS worked and so on, stupidly thinking there were warrants and judicial courts and so on. Silly us! No matter, it's a bug. We need to switch to end to end encryption to fix it.

The people who designed these systems, those venerated IT professionals you mentioned earlier? Yeah, they knew from day one that TLS, SSL, certificate authorities, etc., were not truly secure. They were a compromise that provided "reasonable" security -- and it still does do that. Millions of internet-based financial transactions are secured using SSL, TLS, etc., every day and are not compromised. Is it a perfect solution? Of course not. Is it a decent one? Sortof.

But fundamentally, you're asking for the impossible with your "end to end" encryption non-sense. The very first in a long list of problems is: How do you securely exchange keys with an entity you have no prior relationship with? How does Alice know she's talking to Bob, if she has never met Bob before? The solution that TLS/SSL used was certificate authorities; A trusted third party that both Bob and Alice trust. Unfortunately, like any trust model, it is only as strong as the weakest link, and as certificate authorities proliferated... rogue CAs and stolen keys became a very real threat.

But simply switching the protocols around won't solve the very first problem: How do you securely exchange keys over what is, inherently, an insecure medium? You can't.

Well I bow to your superior knowledge and will immediately stop writing this Thunderbird OTR add on and step away from my keyboard.

First, yes, I do have superior knowledge (obviously). And I'm willing to put my reputation on the line by not posting anonymously. This frequently comes back to bite me in the ass, especially when dealing with Anonymous Cowards, but karma is not as important to me as getting as accurate of information as possible in front of as many eyeballs as possible. If a few -1, Troll mods is the price I pay, I do so gladly. Second, Thunderbird has an OpenPGP addon... developing another addon is silly, and frankly, you and I both know you lack the chops to actually program.

But regardless, if I'm going to get serious about personal privacy, I'm not going to do it by sitting down to write my own crypto addon. For one, it would almost certainly be more buggy than the ones that have been reviewed and certified as correctly implimented by crytologists... and crypto is amazingly easy to get wrong, and devilishly difficult for someone without loads of experience to detect the failure. For two... why would I spend hundreds of hours doing that, when I can spend dozens of hours making phone calls and writing letters to the people who have far, far more power than I do, and convince others to do the same?

I'm sorry, but looking at my large list of tools available to me, the one labelled "Democracy" seems far more likely to get me what I want than one labelled "Amateur Crypto".

Re:Moar tin foil!

[Xest]

You don't need to stop them, you just need to make their life too difficult for it to be worth chasing you when you've got nothing worth chasing for.

The more people that do this the more it eats into NSA resources, if you force a real person into the loop to decide if you're worth chasing then you really cause a massively disproportionate impact on the NSA's resources compared to if you just let them farm your data automatically from unencrypted services they have a tap on like Google.

Then eventually when things like the Boston bombings keep happening despite the NSA has a mass of financing from the US government behind it and taps on most the world someone in congress is finally going to have to ask "What the fuck is the point in all this expenditure?" and the plug is going to get pulled.

If the NSA ends up chasing, expensively, because of the cost of intervention of human resources, people who are entirely irrelevant and innocent of everything, then eventually they're going to have to change tact. Eventually they're going to have to realise that universal snooping is ineffective and just makes it even harder to tell who really is and isn't a threat. They'll have to go back to what they should be doing in the first place - focusing on the hard work of identifying real actual threats rather than hoping a mass computer network will somehow figure that out for them, something the Boston case showed it absolutely can't.

Re:Moar tin foil!

[Tom]

Do you guys honestly think, for one second, that you can hide from these guys if they really want you? Any of you?

The qualifier is "if they really want you".

You can't hide from the NSA unless you're a government entity yourself. If I were to head the Iran nuclear program, I'd give it a try.

However, you can hide from the NSA dragnet, because it's not targetting you specifically.
So if you use any of the big e-mail providers, you can be 100% certain that a backup copy of all your e-mails exists somewhere in an NSA database. But if you run your own mailserver, the mails that you exchange over encrypted channels with someone else who also does that have a chance of not being caught by the net, not because they couldn't, but because the world is huge and even the vast NSA resources are limited.

The problem with the submitters concept is that as long as you roll your own, you can slip through the net (but never count on it, it's a probability like all things in IT security). But as soon as someone sets up a "secure hosting provider", he'll become a target. And the bigger it gets, the higher the chance that the NSA will expand some resources to penetrate it.

So it's not a viable business concept, and thus it doesn't exist. Of course, someone will make the claims, because scam is always a viable business concept.

Re:the cloud killed hosting providers

Hostgator... was purchased by EIG a while back (joining ranks with Bluehost, among others). It's just all that much worse now. While the support provided by Hostgator was generally adequate even in relatively recent history, forced migrations and a slew of bone-headed business decisions were made... and now their support staff is generally tied up coping with the after effects. They could have easily vanished into "The Cloud", but there is something to be said for dedicated hardware. When you sell support as a service (a full staff of dedicated support admins cost more money than one might think), you need to make sure your _product_ isn't being contaminated by the doings of the factory. Indeed, these hosting models are steadily approaching the brink of experiencing natural selection first hand.

Re:Ummm

Or maybe they are asking the wrong question.

Any CPanel install has a lot of that stuff in it (I won't say all because I hate CPanel/WHM and it needs to die a horrible death for the amount of extra manual work needed to prevent it from shooting itself)

The real question is "why am I looking for someone else to provide this when I can just do it myself?", the passive aggressive version of "everyone who offers this is too expensive."

Re:the cloud killed hosting providers

[Xest]

What actually is a complete hosting provider?

I don't get the question in the summary. It sounds like the guy is asking for a host he can pay that will automatically set up some arbitrary services that he's decided constitute "complete hosting"?

I don't really see how an ISP can cater to such an arbitrary definition when there's literally millions of different services an ISP could be expected to provide.

Isn't the solution just to get your own VPS or dedicated server and just install everything you want on it or am I missing something here?

Is there some defintion of "Complete Hosting Provider" whereby said provider to conform must provide the services the summary is asking for even though it's a rather obscure combination of things to provide on one host?

From what I can fathom the answer to the question is: "You are not the only person on the internet, different people have different use cases, no ISP could possibly cater to ever combination people may want, nor would they probably want to because it would require having experts in each of those millions of technologies to manage them all hence why they stick to their areas of expertise or provide you a blank server you can install whatever the hell you want to on". Unless there is some definition of "Complete Hosting" that encompasses only a fringe handful of available services then I can't see this changing.

I don't use providers HQ in the USA

[Taco+Cowboy]

The absence of competition in this area drives many to Google, making data siphoning easy for the NSA.

For me, I do not use any provider that has their HQ inside the United States of America.

And ... in order to retard NSA's snooping in my traffic, I deploy SSL forward secrecy on my sites.

Anyone who wants to know about forward secrecy please visit https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy to get more info

Re:I don't use providers HQ in the USA

[Somebody+Is+Using+My]

And none of the other nations ever spy on anyone.

This is not to defend or excuse the actions of the NSA, but if you believe you are safe from having your data intercepted from intelligence agencies just because you are using a service based out of a nation that is Not-The-USA, then you are living in a fools paradise. The technology is too ubiquitous and too effective for the spooks /not/ to use, and the main difference between the NSA and foreign intelligence agencies is that the NSA got caught at it.

Well, that and the NSA tries to take the high moral ground and insists its not only legal but also something most Americans support. That's some Goebbels-level hypocrisy there. At least the DGSE, BND and GCHQ aren't making loud proclamations as to their righteousness (they are wisely keeping their heads down).

Don't depend on the good behavior of the local intelligence agency. Instead, use proper security practices to make it either impossible or not cost-effective to break into your data stream.

Re:I don't use providers HQ in the USA

[blackest_k]

While there are many agencies around who could be monitoring what I do, I'm pretty sure its the NSA who does it as a matter of routine to everyone.

I'm in no doubt that other agencies could spy on me but i'm pretty certain they can't justify the expense.

Re:the cloud killed hosting providers

[Squash]

As the owner of a hosting company, that's the same impression that i got. He's asking for a grouping of products that don't naturally group together. When people think of hosting, they think of web, mail, and dns. They generally don't think of VoIP, VPN, or XMPP, or whatever the submitter expects to receive when he asks for "public key" service. It's nonsense.

Re:Ummm

[camperdave]

I agree TFA has it wrong - there is a lot of competition going on all the time and the large amount of services that exists are good for most of us.

Plenty of competition in marginal profit realms leads to a string of failed startups. How do you know the provider you choose is going to last?

The answer is in the post.

[Kludge]

What actually is a complete hosting provider?

A close example is Google. Google provides email, web, webmail, domain, XMPP, VOIP, all available from a single gmail login and manageable from a web interface.
No, I do not want to just rent a server from someone else, and set up and manage all this stuff myself. I want to pay for it, but I would like some competition, I do not like to send everyone to Google.
I realize that not every client will need or want all these services when I first set them up. Some clients will only use half the services ever. But having them easily accessible to the customer from a single provider if/when they need them has real value.

Re:The answer is in the post.

[Xest]

But what happens when a client wants half those services plus some others that aren't supported?

What services exactly do you deem to fulfil the criteria of being complete? What if someone wants an IRC server instead of XMPP?

If you really mean what you say then you can pay for it, if you don't want to set it up yourself you can hire someone to do all that for you and provide the arbitrary set of services and develop the bespoke software you need to integrate it all.

But what you're really saying in essence is "I want a bespoke easily managed server setup with integrated login, but I don't want to set it up myself and I don't want to pay enough for someone else to do it, I want it to be free like Google, or cheap". This isn't practical, Google can only offer what it does because it has a massive data mining operation and ad farm sat behind that to monetise it.

Contrary to your assertion otherwise, there is competition too, there's Microsoft with it's Office 365, Outlook.com and Skype offering but again they can only offer it because they have a massive amount of resources to do so and can monetise it through ads and data mining and tie in to their other offerings and it's not entirely free anyway - IIRC Office 365 is subscription based.

So again what exactly are you looking for? Seemingly you want to move away from Google because you don't like the NSA revelations, the data mining, or whatever else. You wont want Microsoft for the same reasons then I would guess given that it's at least as supportive. There's no business in anyone else doing it without that data mining operation behind it because no one will pay what it would cost then, most are happy to put up with the mining and ads if they get their stuff cheap or free. So the only option is for you to offer bespoke to your clients, but bespoke costs, and you don't want to set it all up yourself so you need to up the costs by hiring someone else but I'd wager you don't want this either?

What exactly is your position? it doesn't seem to make any sense. It sounds like you want to offer all in one services to people (clients?) but you don't want to actually do any work to earn your money from them. It sounds like you want to get a client and give them some turnkey bespoke solution, but a bespoke solution that you neither want to spend the effort to create, or presumably pay someone else to create. Are you asking to just make money as a middleman without putting the slightest bit of effort in to adding value to that position? That's what it sounds like.

If you are willing to pay someone else to do it then ask any number of bespoke software development houses. It's not going to be cheap though which again is going to return you to the question of whether there's even a business model in it, and if you return there you'll probably have your reason as to why no one else is doing it because you're again going to be outcompeted by Google's ad supported model.

I suspect this isn't the answer you wanted, but does it give you the answer you were looking for?