amuck-landowner

SolusVM Audit Update

Marc M.

Phoenix VPS
Verified Provider
Probably $100-200k cleaning up the code, outsourcing a real audit and paying new employees/contractors.
@ I know a few people who would write a new panel from scratch... for that kind of scratch... and really fast... me included... that's way too much money just to clean up the code.
 

Nick_A

Provider of the year (2014)
The name may be worth it. Obviously the code would need work, but I'm sure the name isn't completely tarnished beyond repair across the VPS world.
 

drmike

100% Tier-1 Gogent
@ I know a few people who would write a new panel from scratch... for that kind of scratch... and really fast... me included... that's way too much money just to clean up the code.

The issue really isn't cleaning up the code.  It is cleaning up the mess and having a real audit by a real firm that will back their work with certification / warranty / similar.  Solus from a PR perspective is on the ropes about to get punched out.  They need to get some pros on board to deal with media and how to help their customers going forward.

Solus can hire any hacks to modify the source to cover the low hanging issues.  But I suspect being PHP, there are quite a few other exploits that are total control and unknown in public at this time - not per se PHP but how PHP is being used.

Audit needs to employ a team of programmers to deal with cleanup, as well as a team of hacker types to exploit the software --- where they have full source to reverse engineer/come up with ideas from.

That's a big project with lots of folks involved. I suspect the $100-200k number might actually be low for a real audit/cleanup like this. This would take, oh, months.

Sure, you can build a new panel for $100-200k. Still will be subject to breakage/exploits/etc. once it amasses any popularity. Still will probably end up doing this same "was exploited, patch it, rinse and repeat" dance.

Nothing stopping anyone from competing with SolusVM.  Heck, from a business standpoint, the industry needs more paid software with actual support and backing.   Look at the mess right now due to SolusVM stumbling like this.  At least three exploits in a week...  Where are providers going to go when Solus does a hatchet job and exploits continue next month?  It's a very possible scenario.
 

D. Strout

Resident IPv6 Proponent
The issue really isn't cleaning up the code.  It is cleaning up the mess and having a real audit by a real firm that will back their work with certification / warranty / similar.  Solus from a PR perspective is on the ropes about to get punched out.  They need to get some pros on board to deal with media and how to help their customers going forward.

[...]

Sure, you can build a new panel for $100-200k. Still will be subject to breakage/exploits/etc. once it amasses any popularity. Still will probably end up doing this same "was exploited, patch it, rinse and repeat" dance.
SolusVM does the job. It has security holes, sure, but if it were bought out and some pros in both coding and security could get their hands on it, I'm pretty sure it would be in good shape. That's how software is built. Slowly, working around a mostly-good core and weeding out the bad stuff. The only reason all the vulnerabilities in SVM are so dramatic is because it is the VPS industry, except for a few hosts that use something else. I think that with work (and I mean real work, something which SVM is unfortunately not known for), SVM can be very good software. But with SVM, I've come to see that they don't feel they have to do anything.
 

D. Strout

Resident IPv6 Proponent
What have you seen to make you take this stance?
Come on, everyone knows they have been lax about releasing security updates and responding to threats, unless they were as major as some of these recent ones. They've got their client base (80%+ of VPS hosts), why bother trying?
 

MartinD

Retired Staff
Verified Provider
Come on, everyone knows they have been lax about releasing security updates and responding to threats, unless they were as major as some of these recent ones. They've got their client base (80%+ of VPS hosts), why bother trying?
That doesn't make sense to me - why would they ignore it if people inform them of security issues?
 

drmike

100% Tier-1 Gogent
Maybe Fabozzi secretly works for them as well.  It would explain the lack of concern as well as the horrible code. 
 

Oh boy... That's funny.  Chris can't code anything.  He would have to be their salesman.

This is really funny when you realize CC used to employ a fellow who was also working for cPanel at the same time. Yeah, unrelated, but another mega popular software used by many and the CC overlap.
 