# SolusVM Audit Update



## ShardHost (Jun 22, 2013)

Internal audit will be completed Monday.  On Monday it is my understanding an external audit will begin with an aim to attain certification.

http://blog.soluslabs.com/2013/06/22/audit-update/


----------



## drmike (Jun 22, 2013)

It says:

As you may know we are currently carrying out a code audit for SolusVM. This is just to inform you that the audit is due to be complete on Monday 24th June 2013.

We are working on a find and patch basis (no news is good news) so if anything is found it will be fixed and released before we continue the audit.

Thanks for understanding!


----------



## ShardHost (Jun 22, 2013)

buffalooed said:


> It says:
> 
> As you may know we are currently carrying out a code audit for SolusVM. This is just to inform you that the audit is due to be complete on Monday 24th June 2013.
> 
> ...


Indeed


----------



## mikho (Jun 22, 2013)

There is no information if this is an internal or external audit. There is no information that an external audit will start after an internal audit.


One can then suspect that this is an internal audit and no external audit will be made if nothing is found.


If nothing is found, that can be both good and bad news. It is good that nothing was found, bad in the way that they already do the audit before every release and nothing was found then either.


One can hope that it is a good external company that audits the code. Perhaps it should even be two different companies.


----------



## drmike (Jun 22, 2013)

Yes, the verbiage is very wide open.

Someone needs to push SolusLabs about this audit and get some details. @MannDude?

An internal audit would be ummm...... useless.

An external audit could be alright, but would have to be full source analysis and I doubt a rush job like this would end up anywhere near perfect.


----------



## ShardHost (Jun 22, 2013)

I've already contacted Solus Labs before my first post.  My comments were not speculation.

This is currently an internal audit that will be completed on Monday.  Solus Labs will then start an external audit with an aim to get certification.


----------



## Nick_A (Jun 22, 2013)

This is very disappointing.


----------



## ryanarp (Jun 22, 2013)

Yea, you would think it would be easier to just start with an external audit.


----------



## mikho (Jun 22, 2013)

ryanarp said:


> Yea, you would think it would be easier to just start with an external audit.


Yeah, if you didn't find it before. What says you will now?


----------



## willie (Jun 22, 2013)

Starting with an internal audit is fine since it may pick up some stuff before handing off to the external auditors.  However, there really has to be an external audit at this point.  The company has had persistent problems with security cluelessness and as such, the internal audit by itself doesn't carry much weight.  External audits are useful even if you know what you are doing.  We were security freaks where I used to work, and auditors still told us things that we didn't know.


----------



## vanarp (Jun 22, 2013)

How many providers are actually waiting for SolusVM to be certified by external audit before enabling access to your customers?


----------



## rsk (Jun 22, 2013)

vanarp said:


> How many providers are actually waiting for SolusVM to be certified by external audit before enabling access to your customers?


To be completely honest, what we will do is after they are certified, we will completely reinstall our master. I know it sounds crazy but this is called paranoia.


----------



## willie (Jun 22, 2013)

vanarp said:


> How many providers are actually waiting for SolusVM to be certified by external audit before enabling access to your customers?


That was something else that stuck out at me.  I've never heard of an auditor issuing "certifications" and I'd consider it suspicious if they did.  They look for problems, identify what they spot, and make general recommendations about good practices to follow.  Software is too complex for auditing to certify that any sizeable program is guaranteed to be free of problems.  That said, if Solus releases the audit report, that could help convince people about the current state of the program.  I wouldn't hold it against them if they don't release it though.  They may actually not be allowed to (depending on the audit contract).


----------



## kaniini (Jun 22, 2013)

willie said:


> That was something else that stuck out at me.  I've never heard of an auditor issuing "certifications" and I'd consider it suspicious if they did.  They look for problems, identify what they spot, and make general recommendations about good practices to follow.  Software is too complex for auditing to certify that any sizeable program is guaranteed to be free of problems.  That said, if Solus releases the audit report, that could help convince people about the current state of the program.  I wouldn't hold it against them if they don't release it though.  They may actually not be allowed to (depending on the audit contract).


Yes, this talk of certifications seems odd to me, too.  I have never heard of an auditor certifying code to be bug-free.  That just seems like a bad business move on the part of the auditor, too.

Do we know who the auditor is?


----------



## joepie91 (Jun 22, 2013)

rsk said:


> To be completely honest, what we will do is after they are certified, we will completely reinstall our master. I know it sounds crazy but this is called paranoia.


Personally, I consider this the best move, and would very much recommend other providers to do the same (after backing up the database, obviously). There's been quite a bit of root-level-compromise nastiness going around... fair chance that some of the masters have been messed around with in a more severe manner.


----------



## concerto49 (Jun 23, 2013)

There are plenty of exploits, reports and known issues floating around different channels, websites, forums, etc... I don't get how hard it is. Some known ones are still floating around. Personally, if I was Solus, I'd be actively contacting those around here and other places for help. Way easier. Just get users to PM known exploits etc. to them. Being active helps fix their reputation right now.


----------



## Nick_A (Jun 23, 2013)

Perhaps someone should offer to buy them out and take it in a new direction at this point.


----------



## concerto49 (Jun 23, 2013)

Nick_A said:


> Perhaps someone should offer to buy them out and take it in a new direction at this point.


Not worth it. You'll need a complete code rewrite.


----------



## wlanboy (Jun 23, 2013)

Nick_A said:


> Perhaps someone should offer to buy them out and take it in a new direction at this point.


I think they are praying someone will do it. But honestly would you buy that source?


----------



## drmike (Jun 23, 2013)

wlanboy said:


> I think they are praying someone will do it. But honestly would you buy that source?



The source can be cleaned up / fixed.  The main functionality/features are well known and they work.  Probably $100-200k cleaning up the code, outsourcing a real audit and paying new employees/contractors.

The company has paying customers and quite a few of them.

Don't talk too loud.  iNet Interactive would do well to purchase this.  Any major provider/datacenter could benefit and shake up the market by buying SolusLabs.  cPanel could tender an offer.

Quite a few folks that are interested in Solus from acquisition standpoint.


----------



## Marc M. (Jun 24, 2013)

buffalooed said:


> Probably $100-200k cleaning up the code, outsourcing a real audit and paying new employees/contractors.


I know a few people who would write a new panel from scratch... for that kind of scratch... and really fast... me included... that's way too much money just to clean up the code.


----------



## Nick_A (Jun 24, 2013)

The name may be worth it. Obviously the code would need work, but I'm sure the name isn't completely tarnished beyond repair across the VPS world.


----------



## drmike (Jun 25, 2013)

Marc M. said:


> I know a few people who would write a new panel from scratch... for that kind of scratch... and really fast... me included... that's way too much money just to clean up the code.



The issue really isn't cleaning up the code.  It is cleaning up the mess and having a real audit by a real firm that will back their work with certification / warranty / similar.  Solus from a PR perspective is on the ropes about to get punched out.  They need to get some pros on board to deal with media and how to help their customers going forward.

Solus can hire any hacks to modify the source to cover the low hanging issues.  But I suspect being PHP, there are quite a few other exploits that are total control and unknown in public at this time - not per se PHP but how PHP is being used.

Audit needs to employ a team of programmers to deal with cleanup, as well a team of hacker types to exploit the software --- where they have full source to reverse engineer/come up with ideas from.

That's a big project with lots of folks involved.  I suspect the $100-200k number might actually be low for a real audit/cleanup like this.  This would take, oh, months.

Sure, you can build a new panel for $100-200k.  Still will be subject to breakage/exploits/etc. once it amasses any popularity.  Still will probably end up doing the same "was exploited, patch it, rinse and repeat" dance.

Nothing stopping anyone from competing with SolusVM.  Heck, from a business standpoint, the industry needs more paid software with actual support and backing.   Look at the mess right now due to SolusVM stumbling like this.  At least three exploits in a week...  Where are providers going to go when Solus does a hatchet job and exploits continue next month?  It's a very possible scenario.


----------



## peterw (Jun 25, 2013)

mikho said:


> Yeah, if you didn't find it before. What says you will now?


They have to admit that they either did not search before or are not able to find anything.


----------



## D. Strout (Jun 25, 2013)

buffalooed said:


> The issue really isn't cleaning up the code.  It is cleaning up the mess and having a real audit by a real firm that will back their work with certification / warranty / similar.  Solus from a PR perspective is on the ropes about to get punched out.  They need to get some pros on board to deal with media and how to help their customers going forward.
> 
> [...]
> 
> Sure, you can build a new panel for $100-200k.  Still will be subject to breakage/exploits/etc. once it amasses any popularity.  Still will probably end up doing the same "was exploited, patch it, rinse and repeat" dance.


SolusVM does the job. It has security holes, sure, but if it were bought out and some pros in both coding and security could get their hands on it, I'm pretty sure it would be in good shape. That's how software is built. Slowly, working around a mostly-good core and weeding out the bad stuff. The only reason all the vulnerabilities in SVM are so dramatic is because it _is_ the VPS industry, except for a few hosts that use something else. I think that with work (and I mean _real_ work, something which SVM is unfortunately not known for), SVM can be very good software. But with SVM, I've come to see that they don't feel they have to do anything.


----------



## MartinD (Jun 25, 2013)

D. Strout said:


> blahblah
> 
> *But with SVM, I've come to see that they don't feel they have to do anything.*


What have you seen to make you take this stance?


----------



## kaniini (Jun 25, 2013)

As an update, they released a major security update last night: http://blog.soluslabs.com/2013/06/24/security-updates-available-for-all-solusvm-versions-2/

What we don't know is whether or not that is from their own audit or the external one.  They don't say specifically.


----------



## D. Strout (Jun 25, 2013)

MartinD said:


> What have you seen to make you take this stance?


Come on, everyone knows they have been lax about releasing security updates and responding to threats, unless they were as major as some of these recent ones. They've got their client base (80%+ of VPS hosts), why bother trying?


----------



## drmike (Jun 25, 2013)

D. Strout said:


> They've got their client base (80%+ of VPS hosts), why bother trying?



I'd consider that a comfortable monopoly position.


----------



## Aldryic C'boas (Jun 25, 2013)

buffalooed said:


> I'd consider that a comfortable monopoly position.


I'm sure Henry Ford thought the same thing, once upon a time.


----------



## D. Strout (Jun 25, 2013)

buffalooed said:


> I'd consider that a comfortable monopoly position.


Definitely. I'm surprised they haven't started putting up hotels (a.k.a. notching up the price).


----------



## MartinD (Jun 26, 2013)

D. Strout said:


> Come on, everyone knows they have been lax about releasing security updates and responding to threats, unless they were as major as some of these recent ones. They've got their client base (80%+ of VPS hosts), why bother trying?


That doesn't make sense to me - why would they ignore it if people inform them of security issues?


----------



## Aldryic C'boas (Jun 26, 2013)

MartinD said:


> That doesn't make sense to me - why would they ignore it if people inform them of security issues?


Maybe Fabozzi secretly works for them as well.  It would explain the lack of concern as well as the horrible code.


----------



## Jack (Jun 26, 2013)

Aldryic C said:


> Maybe Fabozzi secretly works for them as well.  It would explain the lack of concern as well as the horrible code.


:popcorn: :popcorn: :popcorn:


----------



## drmike (Jun 26, 2013)

Aldryic C said:


> Maybe Fabozzi secretly works for them as well.  It would explain the lack of concern as well as the horrible code.



Oh boy... That's funny.  Chris can't code anything.  He would have to be their salesman.

This is really funny when you realize CC used to employ a fellow who was also working for cPanel at the same time.  Yeah, unrelated, but another mega popular software used by many and the CC overlap.


----------

