amuck-landowner

New SolusVM Update

BlueVM

New Member
Verified Provider
Proceed to update again => get hacked.

Thou shalt repeat the cycle.

--

I kid... I do like the fact that they're pushing updates.
 
Last edited by a moderator:

SkylarM

Well-Known Member
Verified Provider
I heard you liked security, and I heard you liked updates. SO we gave you a vague update for "security"!
 

Kris

New Member
Code:
Soluslabs Ltd 	Monday, June 24, 2013 : 11:26:48 PM GMT 0

PLEASE READ THIS INFORMATION CAREFULLY.

THIS INFORMATION IS RELEVANT TO ALL VERSIONS OF SOLUSVM, INCLUDING BETA VERSIONS.

As you may be aware we are currently running a full in house and external code audit. 

This release contains several important security fixes for all versions of SolusVM.

We highly suggest you update your system as soon as possible. 

Updates are available through the normal channels.

Latest Beta Version: 1.14.00 R7
Latest Stable Version: 1.13.07

Please be aware the audit is still underway and more updates may follow.

Thank you for your co-operation and understanding.

Regards,
Soluslabs Security Team
 
Last edited by a moderator:

Kris

New Member
I heard you liked security, and I heard you liked updates. SO we gave you a vague update for "security"!
TBH - This is the first day the external audit happened. First day Solus coders aren't sitting with their thumbs firmly up their asses, and already an update has come out.

I'd expect a few more of these through the week - a final 'stable version' - then the other shoe will probably drop.

Drop your cpbackup daily check timing to .15 and update your crons, keep multiple backups off-site if you're using a Solus host. All I can say about that.

I'm currently migrating away from any Solus based host, I did when RAMNode got hit, and when CVPS got hit - I was glad I made the decision.
 
Last edited by a moderator:

SVMPhill

New Member
TBH - This is the first day the external audit happened. First day Solus coders aren't sitting with their thumbs firmly up their asses, and already an update has come out.
How do you know this? Where have you got this information from?
 

Kris

New Member
Found a bug already.
Judging as what the code fixes, that's not too bad.

As the saying goes, "Watch out for bridges and hop-ons... You're gonna get some hop-ons."

Screen%20Shot%202013-06-24%20at%204.42.33%20PM.png
 
Last edited by a moderator:

Kris

New Member
How do you know this? Where have you got this information from?
One of your own posts mentioned the external audit was starting Monday. Have I missed something?

As for the thumbs firmly up your asses, it's common knowledge with the exploits lately (during a 'code audit')

EDIT: I believe it was quoted an in-house audit was being completed Monday, with a 3rd party auditing it for 'compliance' (aka actually checking it) starting Monday. Can't find the source, too busy fleeing Solus powered hosts, it's around.
 
Last edited by a moderator:

SkylarM

Well-Known Member
Verified Provider
One of your own posts mentioned the external audit was starting Monday. Have I missed something?

As for the thumbs firmly up your asses, it's common knowledge with the exploits lately (during a 'code audit')

EDIT: I believe it was quoted an in-house audit was being completed Monday, with a 3rd party auditing it for 'compliance' (aka actually checking it) starting Monday. Can't find the source, too busy fleeing Solus powered hosts, it's around.
How does abandoning a solus host do anything? It's like saying you should use Mac over Windows because Mac has fewer viruses. Just because fewer hosts use it doesn't make it safer. If everyone swapped to Virtualizer or vePortal or any of the other available panels on the market, suddenly they become interesting to try and hack. What happens when an exploit happens on one of them, which is likely to happen? Just going to abandon ship each time something happens? If anything, this is a perfect time for Solus to get their shit together. 

I get that it sucks having to deal with data loss, etc -- but running from the issue to something equally as poorly coded isn't the best option.

If anything from a webhost perspective it's a huge wakeup call. We're presently working on better backup solutions and looking at proper disaster recovery methods and things like that. Don't live in a world where you think you are safe, focus on fixing the issue and having proper backup procedures and you're golden.
 
Last edited by a moderator:

Kris

New Member
How does abandoning a solus host do anything?

So my machine is secure and I don't have to wake up with my data being leaked?

I'm not switching to hosts with any type of budget panel or "web host in a box" package. Essentially all the same.

Getting old wondering if my data's been spilled again every morning.

So yes, switching to VPS hosts that don't just let Solus run things will help. Many hosts who are serious about security (or actually know more than pressing buttons in Solus) are looking at other options.

I get that it sucks having to deal with data loss, etc -- but running from the issue to something equally as poorly coded isn't the best option.
You have no idea what control panel I'm talking about, and I lost no data. I keep backups. You do know there are other options than crappy plug and play programs? OnApp is nice, but expensive - and would cut into the low end margin.

If anything from a webhost perspective it's a huge wakeup call. We're presently working on better backup solutions and looking at proper disaster recovery methods and things like that. Don't live in a world where you think you are safe, focus on fixing the issue and having proper backup procedures and you're golden.
How haven't you had this settled before? And where have I implied I don't have backups? I have 3 sets, 3 different data centers. Learn the machine you're using, consider other options rather than defend and wait for the next Solus exploit. Oh, and don't live in a world where you think you are safe with 1 backup set alone.

Next ?
 
Last edited by a moderator:

SkylarM

Well-Known Member
Verified Provider
I wasn't saying that I'm content with Solus, I'm just pointing out the fact that you're wrong if you think that the other alternatives available to most web hosts these days aren't any more secure than Solus, they are just not widely used so less likely to be targetted. Nor did I ever say 1 backup was sufficient.  I'm very actively looking at alternatives such as BlueCP and others.
 

BK_

New Member
Oh, and don't live in a world where you think you are safe with 1 backup set alone.
And don't live in a world where thinking that moving away from providers that use Solus will prevent you from being on a machine that becomes compromised due to a 0day/exploit.

I understand what you're saying and I'm not too happy about the exploits effecting my containers, sure, but do keep in mind that no panel can offer you one hundred percent safety. This has been a massive wake up call to the whole industry, as everyone is aware, and every single panel developer is probably thinking twice before throwing some sloppy code into the mix regardless of how big or small the actual project is. If anything, once the audit is complete over at Solus, it'll probably be one of the most 'secure' panels due to the scrutiny.
 
Last edited by a moderator:

SkylarM

Well-Known Member
Verified Provider
If anything, once the audit is complete over at Solus, it'll probably be one of the most 'secure' panels due to the scrutiny.
One could only hope so.

You'd have to be downright delusional to assume that will be the case though.
 
  • Like
Reactions: BK_

SeriesN

Active Member
Verified Provider
Okay, lets face the fact. Solus screwed up. So did linode, hypervm, Digital Ocean, whmcs, virtualizor, ve protal (a product that works only when it wants to), hetzner konsole.

Everything that has been made by human can be and will be attacked. It is not how you hack it but what matters most is how you are handling this. So far, solus doing tremendous job by constantly pushing updates and changes.
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
This is news:

we are currently running a full in house and external code audit.
 

In house and external audit.  Color me slightly impressed.  Wondering who the external firm is and if they are bonded :) ?
 

SeriesN

Active Member
Verified Provider
And lets face it, I am not a great coder, nor can afford to hire top notch Gold standard programer to code and maintain a panel for me, neither I will have access to awesome panels like Stallion.

I am sure most of us are on the same boat. If there is a leak, we can work on fixing it since we can't afford to build a better ship and no one will give us access to their own ship.
 
Top
amuck-landowner