amuck-landowner

BuyVM Legal Defense Fund? LOL

Status
Not open for further replies.

tchen

New Member
Why does this keep coming up? You and I both know it had nothing to do with the security of ChicagoVPS, but everything to do with Solus and WHMCS exploits that no host could protect themselves against. So please tell me why the blame is passed onto me still after knowing that was the case.
For what it's worth, I was actually impressed that you guys set up remote logging alerts after the second? breach. It didn't fully stop the third try but at least you managed to catch and stop it in progress. People don't tend to deal with security on a daily basis and don't know how it works - so you'll likely never see props for that outside this post.
 

texteditor

Premium Buffalo-based Hosting
Why does this keep coming up? You and I both know it had nothing to do with the security of ChicagoVPS, but everything to do with Solus and WHMCS exploits that no host could protect themselves against. So please tell me why the blame is passed onto me still after knowing that was the case.
maybe if you weren't kicking hives all the time, the bees might sting someone else first, ya know?
 

MartinD

Retired Staff
Verified Provider
Fwiw, there was never any hard proof those hacks had anything to do with Solus. Only 'my tech said so before he left'. No one else was affected at that time.
 

raidz

Member
Why does this keep coming up? You and I both know it had nothing to do with the security of ChicagoVPS, but everything to do with Solus and WHMCS exploits that no host could protect themselves against. So please tell me why the blame is passed onto me still after knowing that was the case.
Maybe if you didn't have such a big mouth and weren't such a prick you wouldn't have made your company and your customers a target. 
 

peterw

New Member
When they kept on questioning him, he straightened up and said to them,


"Let any one of you who is without sin be the first to throw a stone at (insert target here)."
I don't like circles so stop this and bring this to an end.
 

Darwin

Member
I find silly that "Not our fault" thinking. You bought a crap software, you make money using the crap software and it is not your fault if data is leaked?

Don't care if others buy that software too. There are smaller providers, i.e which don't have 25k clients, that have custom solutions. Btw both Solus and WHMCS provide an api that can easily be used to create a secure front end to these products.
 

DomainBop

Dormant VPSB Pathogen
I find silly that "Not our fault" thinking. You bought a crap software, you make money using the crap software and it is not your fault if data is leaked?
You're not the only one who finds it silly. Visa's best practices guide on how to handle a breach recommends not trying to play the victim or trying to pass the blame onto a 3rd party  by saying "it's not our fault, the Solus and WHMCS developers are to blame, etc", in your public statements to customers following a breach.

http://usa.visa.com/download/merchants/cisp_responding_to_a_data_breach.pdf

 

Take ownership. Immediately acknowledge responsibility for the breach and express regret for its impact. Once you’ve done so, you can quickly move to talking about the solution (what you are doing), rather than the problem. Avoid the blame game, which might include placing responsibility on an employee or vendor.

Don’t play the victim. Ten years ago, when announcing a data breach, it may have been possible for companies to successfully portray themselves simply as fellow victims. Today, this is a flawed and dangerous strategy. Although you may have had a crime committed against you, the public and business press will still hold you accountable and will not consider you a co-victim. Best practices recommend that rather than announce that your company was the “victim of a criminal computer hacker,” you should announce that you became “aware of unauthorized access to our computer system,” or some alternate phrase.

Express regret. Apologizing is a critical step in taking ownership. Avoid qualified or conditional apologies. For example, “We don’t think anyone was affected but regret if anyone is inconvenienced” might be worse than not apologizing at all.
 

drmike

100% Tier-1 Gogent
So, I've been sitting on the picket fence wondering what has been poking me for a long time.

I don't think it's time to shutter the thread and people should have at it.  Everyone needs to stop using excuses and man up to things.  I could spend half of eternity beating points into resisting heads.  I could find Jimmy Hoffa's body under the CC daycare and folks would say OCD/foil/theorist, etc. It's tiring.  

Nothing is going to change and general atmosphere in the world today is ME ME isms.  Get rich and do it quick, even at others' expense.  This market is a youthful hyperactive version of piranhas feeding (kudos to the person that posted the graphic).  It is stuff like letting guys that work for you stiff their wife, family, etc.  It's HORRIBLE and makes me sick.

It's talking smack on a guy long in the communities who has helped damn near everyone freely and most folks/competitors can't even decently thank or be kind.

So, make the excuses about slabs and cabs and customer counts... run shell companies, manipulate markets.... Hell if I care... Rip your clients off.  Lie about dates, spin the fucking moon for all I give a damn.   Eat the cheese and choke on it.

It's damn clear it isn't the micro nature of the market as to why everything runs the way it does and continues.  Hell if I know who or what is doling out free tickets, but they aren't at my lunch counter.  I know these communities are mostly sell-shit markets.  Plenty of smart people with scruples that ought to be cobbling and keeping folks honest (thanks to the slab-detector author) pick up the slack.

Folks need to pay attention out there.  Behind the monitor.  Outside.   This stuff, none of it is real other than the harm.  Me I think it's all a honeypot.  Maybe all the companies will starve if we just ignore them.

Unsure where I am going, certainly not emo [i let someone else play that role].  Stepping back, lowering the cannons, cleaning the firearms.... shooting some stuff for fun. Taking a self imposed time out.  To enjoy real life.   Oh, but I'll be back and hopefully the usuals hold it down.

Be kind to each other.  Not me to blame for it now :)
 

FHN-Eric

Member
Verified Provider
I find silly that "Not our fault" thinking. You bought a crap software, you make money using the crap software and it is not your fault if data is leaked?


Don't care if others buy that software too. There are smaller providers, i.e which don't have 25k clients, that have custom solutions. Btw both Solus and WHMCS provide an api that can easily be used to create a secure front end to these products.
If he did use api, I wouldn't count on it being any more secure. All databases can still be hacked, even with api.
 

Darwin

Member
The api isn't secure, you are right. But what I am suggesting is: code something to use the api and sanitize all the user values that you pass to the api.

Bulletproof? No, but should make you endure most of these 0-day exploits. If it was a direct db hack, not using sql injection, then omg someone needs a better sysadmin...
 

tchen

New Member
The api isn't secure, you are right. But what I am suggesting is: code something to use the api and sanitize all the user values that you pass to the api.

Bulletproof? No, but should make you endure most of these 0-day exploits. If it was a direct db hack, not using sql injection, then omg someone needs a better sysadmin...
They did that with SolusVM. I miss my Solus CP. :( The WHMCS 0 days hit anyone who didn't have modsecurity up and running. And even if you did, chances were good you disabled some of the sql injection rules because the admin backend passes queries in the post. Sure, some people find coding to be a hobby and go beyond modsec and build a shell api, but that doesn't make this feel less like a case of blaming the victim.
 

tchen

New Member
You're not the only one who finds it silly. Visa's best practices guide on how to handle a breach recommends not trying to play the victim or trying to pass the blame onto a 3rd party  by saying "it's not our fault, the Solus and WHMCS developers are to blame, etc", in your public statements to customers following a breach.

http://usa.visa.com/download/merchants/cisp_responding_to_a_data_breach.pdf
It's good to be neutrally bland in the PR. Incident reports do need to be detailed enough. Even Ramnode's post incident report mentions Robert Clark by name along with Solus***. That one didn't generate a stink so where's the line drawn?


My guess, separate the PR from the IR. Nick uses twitter first which gives him just enough space to follow VISA's guidelines. No one remembers the post incident release since it wasn't news by then and people have had time to cool down. Don't be silent, waiting for all the facts to come in before letting your customers know someone's on the job. Mix the two types of reports and they'll end up combing through that first post and seeing what they want to see, not what you wrote.

*** Actually, I've had a chance to sit down at my workstation now and went through the email logs.  I don't see mention of Robert in the RamNode incident reports.  I also have the CVPS reports from the same time and they're pretty neutral too (although the spelling is atrocious :p).  I guess it goes to show that say something enough times on the Internet and it suddenly becomes truth.
 

HN-Matt

New Member
Verified Provider
I can't talk for anyone else but all the provider bashing going around has actually had an effect on my purchasing plans. [...]

At this moment, I'm leaning back to . . . or even take . . . just because it's less drama.
Same here. I PM'd @drmike the longer version of this, but as a host with no dog in the LET/vpsBoard fight, the main reason we left CC was because we didn't want to be dragged into all of the e-detective rage comic narratives surrounding them (and not because of any lack of quality with CC's hosting--likewise, I'm sure BuyVM is also a quality host).

I think you've missed the point of this thread completely and utterly. Spectacularly, even.
http://supb.ro/nies
 

drmike

100% Tier-1 Gogent
Same here. I PM'd @drmike the longer version of this, but as a host with no dog in the LET/vpsBoard fight, the main reason we left CC was because we didn't want to be dragged into all of the e-detective rage comic narratives surrounding them (and not because of any lack of quality with CC's hosting--likewise, I'm sure BuyVM is also a quality host).
Is that really why you left ColoCrossing?   Really?  Positive? 100% sure.   I don't want to see any accidents involving a bus full of fake nuns and a tractor trailer or anything.

I seem to remember you never even dealt with ColoCrossing directly that I know of.  You were mucked up in some downstream perhaps via HVH via GVH via reseller hosting ??? Something like that.

HVH back then was its own company, or so the story was perpetuated.

You left on your own volition due to internet foil hattery activity?

You are telling me that a sacrilegious parody purporting to be a hosting business is more worried about little old me rather than the billions of adherents you caustically bang in the head?

Did someone put you up to this?   You may have picked the dumbest day in history to jump up again.
 

DomainBop

Dormant VPSB Pathogen
I also have the CVPS reports from the same time and they're pretty neutral too (although the spelling is atrocious :p).

The reports they emailed were neutral, now if only they had thought to put a muzzle on Chris...

but as a host with no dog in the LET/vpsBoard fight, the main reason we left CC was because we didn't want to be dragged into all of the e-detective rage comic narratives surrounding them

That is a mother[venial sin redacted] [venial sin redacted] reason for making a business decision but not surprising given how heavily some [venial sin redacted] small hosts unwisely rely on forums for the bulk of their sales.
 

CVPS_Chris

New Member
Verified Provider
The reports they emailed were neutral, now if only they had thought to put a muzzle on Chris...
I don't need a muzzle, no one has control of me sir. I own the company, and I will keep saying it until I am blue in the face. Get it through your head.

small hosts unwisely rely on forums for the bulk of their sales.
I agree, it is a shame. That's why RLT got burned so bad. Every company they bought out relied on LEB for sales and they did not realize that. As soon as they stopped posting sales went to 0.
 

drmike

100% Tier-1 Gogent
I agree, it is a shame. That's why RLT got burned so bad. Every company they bought out relied on LEB for sales and they did not realize that. As soon as they stopped posting sales went to 0.
RLT got burned by their quick and extreme location moves, support that was unacceptable and basically abandoning the routine of participating in LET BS.  All of that was self inflicted and could have been handled much better.

RLT getting burned?  It may involve your pal and a lawsuit potentially... Of course the constant BS slamming of URPad isn't helping. Shame when the contract holder batters you with his owned asset / website.

As far as sales and 0, there is far more to the world and VPS than LET/LEB.   They drive sales obviously, but nature of those sales is low cost, too often youthful type and with propensity to be a PITA..  Plus they have low attention spans and little provider loyalty.

A good for instance of a company deploying a mass of containers is Digital Ocean.   You don't see the corporate troll account saying provider X sucks.  Nor do you see them once a week posting an offer.   Other than happy customers, they are really not represented over there.
 