×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: My Host Gave a Stranger Access To My Cloud Server, What Can I Do?

samzenpus posted about 2 years ago | from the was-that-the-wrong-thing-to-do? dept.

Security 176

zzzreyes writes "I got an email from my cloud server to reset the admin password, first dismissed it as phishing, but a few emails later I found one from an admin telling me that they had given a person full access to my server and revoked it, but not before 2 domains were moved from my account. I logged into my account to review the activity and found the form the perpetrator had submitted for appointment of new primary contact and it infuriated me, given the grave omissions. I wrote a letter to the company hoping for them to rectify the harm and they offered me half month of hosting, in a sign of good faith. For weeks I've been struggling with this and figure that the best thing to do is to ask my community for advice and help, so my dear slashdotters please share with me if you have any experience with this or know of anyone that has gone through this. What can I do?"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

176 comments

Talk to a Lawyer (5, Interesting)

eldavojohn (898314) | about 2 years ago | (#39576869)

That's it. That's the truth and that's how 99% of ask Slashdot answers start and end. It's good advice. Everything that follows hereafter is my own, uneducated, horseshit assumptions on how things (should) be.

It wouldn't hurt for you first to read up all that legalese you agreed to when you first entered into a "business contract" with these guys. I'll bet that they say somewhere in there that they are not liable for any illegal or unauthorized access/control/etc of your domains and property. And by clicking a checkbox at the end of this fifteen million word tome, you agree not to hold them liable.

Go ahead, I bet it's in there and I've never even read one of these things myself. Which, don't lose heart if it is, a lawyer can probably sacrifice a few kittens, babysit the judge's nephew for free and come out with some sort of "unreasonable burden" to parse that whole thing upon completion of the transaction. I don't know, I know that people are slowly starting to become more reasonable about massive ToS documents.

Lawyers cost money, I have no idea how much money this lost you but sometimes it's not worth fronting $5,000 for a lawyer when $500 is at stake. What I would do is send them another message saying you find their consolation gift unacceptable and you're moving all your business away from them. Then I would do that. Then, I would simply write up a detailed account of these events with a tl;dr of "got F'ed in the A by XYZ Inc" and just go out and drop that on every single forum and review site you can find for domain names and hosting. Why not hit the Better Business Bureau while you're at it? Then I'd let those ferment and field questions in my free time because, hey, revenge releases a special kind of endorphin, right? Then you could be done with it or you could just send them endless requests for reimbursement with the fallout being more zero star reviews and a possible visit from your non-existent lawyer. And why not? They deserve the reputation they have exhibited to you.

And whenever I go off and do something like this and I get sick of the effort, I justify everything by imagining that if I don't do this they'll just screw over god knows how many other customers. So you're doing a public service.

Re:Talk to a Lawyer (4, Insightful)

Eponymous Hero (2090636) | about 2 years ago | (#39577013)

agree with all except that, in general, when someone makes threats to sue they are usually full of hot air. the ones who actually sue don't tell you until you're being served. companies know this. just spam as much negative publicity as you can and pull your business.

Re:Talk to a Lawyer (4, Informative)

Anonymous Coward | about 2 years ago | (#39577099)

That's not really true, lawyers will very often threaten a suit before filing if doing so would be advantageous. For example, if the mere existence of a lawsuit would bring to light facts that a company would rather not make public, they may be willing to offer a settlement prior to any filing. But once the suit is filed and on the public record, the damage is done, and they may decide at that point they may as well fight to the end. Now the real truth is that non lawyers who threaten to sue generally don't, and lawyers know that. Basically, if you write a letter to your colo facility telling them you're considering the merits of a lawsuit, they'll ignore it. If your lawyer writes the same letter, they'll probably take it more seriously.

Re:Talk to a Lawyer (0)

Anonymous Coward | about 2 years ago | (#39577229)

It is really true. The lawsuit culture is so pervasive in America that a large percentage of the population who feels aggrieved or wronged in some way, no matter how ultimately minor or inconsequential the perceived offense was, will have no problem threatening a lawsuit over it just as a means of trying to get their way. People who work in call centers hear these legal threats all the time - probably several times a day - and nothing comes of it.

Re:Talk to a Lawyer (5, Interesting)

Anonymous Coward | about 2 years ago | (#39578207)

The threat of a suit has considerably more weight when it arrives on letterhead from a law office.

But all that aside... TELL US WHO THE PROVIDER WAS!

Re:Talk to a Lawyer (1)

Oxford_Comma_Lover (1679530) | about 2 years ago | (#39577259)

the ones who actually sue don't tell you until you're being served.

Not generally true, although true for some. That's what the whole "cease-and-desist" letter thing is about.

Re:Talk to a Lawyer (3, Funny)

Eponymous Hero (2090636) | about 2 years ago | (#39577875)

i'm referring to when people say, "i'm going to sue you if i don't get my way!" a cease-and-desist letter is the first step in actually getting the ball rolling in litigation -- you have to give them a chance to stop. people often send out these letters without angry fist-shaking. and some lawsuits aren't about ceasing and desisting anything. in this situation we're discussing there's nothing for the cloud host to cease. there's no ongoing bad behavior.

Re:Talk to a Lawyer (5, Informative)

PCM2 (4486) | about 2 years ago | (#39578889)

When you visit a lawyer for the first time, you shouldn't be doing it with a mind to threaten a lawsuit. You're going for advice. You probably have some kind of contract that governs your relationship with the hosting provider. You might not have had a lawyer read it before you signed it; do that now. Then you can ask exactly what the hosting provider may be liable for, and where they may have effectively covered their own asses. If you do think you might want to threaten a lawsuit, it's important first to know whether you have a leg to stand on.

Empty threats to sue may sound like hot air. A letter on an attorney's letterhead that specifies the ways in which the hosting provider is in breach of contract will probably be taken seriously. And 90 percent of the time, the issue will be resolved before it ever gets to court. Nobody wants court.

Also, don't assume this process will lead to you getting absolutely everything you think you deserve. Have some sort of minimum compensation in mind that would allow you to walk away feeling like you've had some justice. Your lawyer will help you figure out this number, too. Negotiations can proceed from there.

But if you won't be happy until the hosting provider is well and thoroughly punished for what they did, you will probably walk away disappointed. Especially if they're a public company, you're not going to be able to shame them into giving you what you want. The civil legal process is there to determine what you may be owed, legally. It's not there to exact vengeance for you. In fact, you'll sleep better at night if you just let that go.

Really, I think the most important thing here is to begin the process of moving to a hosting provider that will give you better service. Everything else is secondary. In fact, I would skip the "negative publicity" part, except in private. Particularly if you're investigating legal options, trash-talking the hosting provider publicly before proceedings begin could work against you. It could even become the source of a counter-suit.

Re:Talk to a Lawyer (0)

Anonymous Coward | about 2 years ago | (#39577025)

This this this this this!!!!!!!!

Seriously get a lawyer, where are you located? Perhaps some Slash folks could recommend a good law firm who deals with issues like this.

Re:Talk to a Lawyer (4, Informative)

TheCarp (96830) | about 2 years ago | (#39577051)

definitely talk to a lawyer. I want to add something to it that you may not know.... some clauses that seem to protect them in one case, can hurt them in another because of legal presedents that interpret those.

For example, one that a friend told me about.... lets say you live here in MA and lease an apartment. Well, there are some legal clauses that can be put in there to protect the landlord from legal fees. However, if they are in there, and the landlord is found to be at fault, then that same clause can be turned around to make them pay instead.

This is not obvious from the wording or just reading the contract, but is well known (to lawyers) legal precident. I forget the exact specifics but....I know a friend of mine is hunting for the last remaining copy of the second page of his rental agreement because he says it contains terms that will get him treble damages in his case with his landlord. (as a landlord myself, I can also say, if the allegations are true...that guy is a douche bag, and has even entered the rented apartment without cause, permission, or even notice... among other things....)

So yes... call a lawyer.

Re:Talk to a Lawyer (2)

QuincyDurant (943157) | about 2 years ago | (#39577107)

Ask your lawyer to write a scary letter with threats. This costs a lot less than $5,000, and at least will help you get a little of your own back. Not your money back, of course, but some self-respect.

Their best offer was half a month of free hosting on their dangerously insecure server? What was their second-bast offer, six week of free hosting?

Re:Talk to a Lawyer (2, Insightful)

Anonymous Coward | about 2 years ago | (#39577115)

"Lawyers cost money, I have no idea how much money this lost you but sometimes it's not worth fronting $5,000 for a lawyer when $500 is at stake."
Except that you can sue for legal fees as well.

What I have done in the past & have gotten good results from is to politely decline their offer & tell them that you need your domains returned - just don't be a dick about it. If they say that they can't/won't, tell them that you will be contacting the attorney general & the BBB in regards to the matter. Send either a certified, signature required letter or an email to all three locations - the hosting/domain company, the BBB and your attorney general. With the copy of your complaint that you send to the hosting company, explain that you have also sent the letter to the AG and BBB and that they can expect to hear from them soon.

Even if the AG and BBB don't immediately get involved, this will usually get results because you are no longer a pushover. You have proven that you are doing something about it. Then, if/when they get your domains back, transfer them to someone else immediately.

Brilliant analysis, logical conclusion (2)

rsborg (111459) | about 2 years ago | (#39577155)

What I would do is send them another message saying you find their consolation gift unacceptable and you're moving all your business away from them. Then I would do that. Then, I would simply write up a detailed account of these events with a tl;dr of "got F'ed in the A by XYZ Inc" and just go out and drop that on every single forum and review site you can find for domain names and hosting.

Looks like this is the only recourse in many of these cases. Expect this to be made illegal soon.

Re:Brilliant analysis, logical conclusion (1)

TheGratefulNet (143330) | about 2 years ago | (#39579835)

next up: ISP's to be declared 'legal persons' with special rights.

you just wait. you know this is how the modern 'legal' system works.

Re:Talk to a Lawyer (5, Informative)

Anonymous Coward | about 2 years ago | (#39577307)

I agree that you need to talk to a lawyer, and I am coming from experience since I am a lawyer. My gut reaction is that unless you actually sustained tangible damages (such as loss of business revenue, harm to your business reputation, or having to pay out of pocket expenses to clean up the mess created by the host) you probably don't have much legal recourse against the host. However, depending on the state where you live and the state where the host is located, there may be consumer protection or privacy laws that provide for statutory penalties of some amount for acts such as this.

I practice law in Florida, and I get similar inquiries quite often and my first question is generally "what have you lost?". If all you suffered is your own disappointment and frustration with the company, it is not going to be worth the time or effort for you to keep dealing with it. Don't use the company anymore, and feel free to report them to whatever consumer protection agency you feel. But be warned that you should never exaggerate the facts, as I've also seen consumers sued by companies alleging defamation when the customer sprinkles some fantasy in with the truth. Don't put yourself on the wrong side of a lawsuit, because chances are the company will have the resources to sue you and you would be left paying out of pocket to hire an attorney to defend you.

My advice? Talk to a lawyer just to see what your options are. But don't let your emotional response govern over good sense.

Re:Talk to a Lawyer (3, Informative)

cpu6502 (1960974) | about 2 years ago | (#39577353)

>>> I'll bet that they say somewhere in there that they are not liable for any illegal or unauthorized access/control/etc of your domains and property.

Which goes right out the window when the State Law says the opposite. Example: Paypal's EULA said they are not responsible for lost funds, and the judge said that's bullshit and ordered them to return all funds to customers (I got back 100-some dollars).

Plus in this case the stolen domain names were lost through incompetence by the webhost (they accepted incomplete forms). They are liable for damage caused by their inemptitude.

Re:Talk to a Lawyer (4, Informative)

Anonymous Coward | about 2 years ago | (#39577545)

Also consider talking with an executive at the company. Sometimes these conversations can be fruitful.

I once had a dispute with a datacenter that had me sufficiently upset that I was ready to leave. However, I wound up receiving a $15,000 service credit, had my monthly recurring reduced by $3,000/mo, and had them agree to provide detail on how they were going to prevent the problem from recurring. All because I flew to the CEO's office and had a polite (though tense) one hour meeting.

No lawyers or anything. Just a conversation.

Re:Talk to a Lawyer (1)

chrismcb (983081) | about 2 years ago | (#39577699)

It wouldn't hurt for you first to read up all that legalese you agreed to when you first entered into a "business contract" with these guys. I'll bet that they say somewhere in there that they are not liable for any illegal or unauthorized access/control/etc of your domains and property. And by clicking a checkbox at the end of this fifteen million word tome, you agree not to hold them liable.

No matter what the contract says, they are still responsible and can not be negligent. If you can prove that they screwed up and gave someone else access, then they are negligent.
But to answer the OPs original question, it depends. Do you think they will do it again? Then move hosting companies. Do you want them to pay, then sue them (or at least talk to a lawyer)

Re:Talk to a Lawyer (2)

ShanghaiBill (739463) | about 2 years ago | (#39577823)

That's it. That's the truth and that's how 99% of ask Slashdot answers start and end. It's good advice.

It is usually bad advice. It will cost hundreds of dollars just to talk to a lawyer. The advice you get from the lawyer will be this: spend more money on lawyers. It will cost thousands if you want to the lawyer to actually do anything like, say, write a letter.

Instead, you should look at this unemotionally. What were your actual damages? Then take a quick look at your contract. It probably limits the host's liability severely. Unless you think you have a realistic chance of recovering tens of thousands of dollars in damages, you should drop it and move on with your life.
 

Do NOT talk to a lawyer (3, Interesting)

petes_PoV (912422) | about 2 years ago | (#39578527)

First of all, assess the damage. How much time has it cost you to rectify the situation? Have you got your 2 domains back? If you can come up with a reasonable figure for the time and any commercial damage that has been done, set that against the cost of "lawyering up".

If you asked for this amount. I would expect your service provider would interpret it as the opening round in a negotiation and eventually you'll probably end up with about 50% of what you ask for. So make sure you've included everything in whatever you think you're due. Add on to that the time it will cost you to negotiate a fair settlement.

The only time it's worth the time, trouble and potential cost of involving a third party (who will probably take as much of your time as you'd spend reaching a solution on your own and will almost certainly earn much, much more from this than you'll ever receive: possibly from yourself - and double that for the other guy's lawyer, if you lose) is if you get stonewalled, or counter-sued. If you can possibly reach an agreement without involving others, you stand to get the fastest and most satisfactory outcome. Remember, this is not a money-making opportunity.

You are in a negotiation here (4, Interesting)

DG (989) | about 2 years ago | (#39579071)

I don't thing you need a lawyer - yet.

You are in a negotiation. The company has made you an initial offer - the half-month free hosting - and that initial offer has a dollar value associated with it.

You have been inconvenienced, and it took time to rectify the problem. Your inconvenience and time also has a dollar value associated with it. So what is it?

I would work out the value of what you lost, add 20% for general hassle costs, and present that as a counter-offer to the company.

I would also work out the minimum value for which I would settle. It's less than getting everything I want (which you might get) but enough to counter-balance the additional hassle of hiring a lawyer and all those extra expenses.

Then negotiate. If they present an offer that is above your settle value, take it. If they don't, THEN you call the lawyer. Not only is this likely to arrive at a mutually agreeable solution without lawyers taking a cut, if you do wind up hiring a lawyer, you give him more to work with "my client made a perfectly acceptable counter offer and you refused it" etc.

Lawyers can be a useful tool, and sometimes they are necessary, but a reasonable negotiation can also work. You just need to understand your position first.

DG

Re:Talk to a Lawyer (2)

AK Marc (707885) | about 2 years ago | (#39579373)

It wouldn't hurt for you first to read up all that legalese you agreed to when you first entered into a "business contract" with these guys. I'll bet that they say somewhere in there that they are not liable for any illegal or unauthorized access/control/etc of your domains and property. And by clicking a checkbox at the end of this fifteen million word tome, you agree not to hold them liable.

No contract may void law. Negligence is outside all contracts. You don't have the right to sign away liability for neglegence. Just like you can't sign yourself into slavery. If they were negligent in allowing access, you would likely win any such lawsuit, regardless of the contents of the contract. It just results in your legal bills being higher, as you have more proof to present to nullify the contract while suing for breach of it.

Re:Talk to a Lawyer (1)

hairyfeet (841228) | about 2 years ago | (#39579411)

Small Claims court. When it isn't worth paying crazy lawyer money filing yourself in small claims court is cheap and most corps would rather just cut a check for $5k than to pay the costs of flying someone to wherever you are and dealing with it. Also small claims court judges aren't bowled over by legalese bullshit and basically just want the facts. you tell what happened, they tell their side, and most judges go by what is reasonable and I'd say handing your domains over to someone else without contacting you (I'm sure they had your cell number right?) would probably be seen as unreasonable.

Tell us who it was. (5, Informative)

characterZer0 (138196) | about 2 years ago | (#39576939)

If it was my provider, I'm leaving.

Re:Tell us who it was. (5, Informative)

Anonymous Coward | about 2 years ago | (#39577015)

I'd suggest checking the submission tags; there might be a clue there.

Re:Tell us who it was. (3, Interesting)

CAIMLAS (41445) | about 2 years ago | (#39578025)

If it were my provider, I'd leave and tell all my friends and acquaintances precisely which provider it is.

This behavior is worse than inexcusable. Sure, it's a 'cheap' service but the reprecussions for this are massive to the user.

As the Lawyer response has been given... (2, Informative)

Anonymous Coward | about 2 years ago | (#39576959)

Step 2 is find a different Hosting provider. There's only, what, several thousand out there!

Re:As the Lawyer response has been given... (0)

Anonymous Coward | about 2 years ago | (#39576979)

And how do you know that any one of those several thousand is any better?

Out of the frying pan and into the fire...

Re:As the Lawyer response has been given... (1)

PCM2 (4486) | about 2 years ago | (#39577075)

Well you had to choose one at some point. The way to do that the first time is to look around until you can write up a short list of maybe four or five options. Eventually you will narrow that down to one. If you later realize that you made the wrong choice, reassess the other options on your original shortlist and pick a second choice.

Re:As the Lawyer response has been given... (1)

samazon (2601193) | about 2 years ago | (#39577265)

When choosing a host for a web site, I went to some of my go-to technical sites and blogs to find a reliable option (i.e. - who they used, and whether they advertised about/talked about their service). This doesn't work for everyone, but can be a good starting point when trying to find a new service provider - like asking your dad which plumber you should call.

Re:As the Lawyer response has been given... (2)

rHBa (976986) | about 2 years ago | (#39579353)

Nice analogy, although sometimes the plumber retires, his son takes over and standards drop... (and so is life)

My 2c on picking a hosting provider (speaking as a freelance web developer with a couple hundred SME websites I manage hosting for) is:

Don't place a lot of trust/money with a company you've never used, i.e If you're looking to get a virtual/dedicated server from a new company start off by hosting one website/domain with them and see how you are treated, how they come across, quality of support etc...

As you interact with the company pay attention to how you are dealt with, it can be small things, the 'personal touch', e.g I recently ordered a VM and received an automated email saying it might take up to 24hrs before it was ready but "please reply to this message if you have any questions", not a no-reply address, I was impressed!

More importantly, when I did ask a question, I got a sensible reply within a couple of hours and my VM was ready in a total of 8hrs.

Re:As the Lawyer response has been given... (0)

Anonymous Coward | about 2 years ago | (#39577045)

Step 2 is find a different Hosting provider. There's only, what, several thousand out there!

The trick is to find a better hosting provider. Otherwise he'll only have the same problems or worse.

I'll bet there aren't several thousand of those out there.

Re:As the Lawyer response has been given... (4, Insightful)

dgatwood (11270) | about 2 years ago | (#39577219)

No, step 2 is to transfer all of your domains to an account with an actual registrar. Buying domains through a hosting provider is a recipe for disaster. It means that:

  • your email address (assuming it is at that domain),
  • the contents/management of the site itself,
  • management of the domain, and
  • management of SSL certs, if any

are all protected by a single password, managed by a single team of people, capable of making a single mistake and causing you to lose everything. Your best security is ensuring that no single point of failure can fully compromise things other than the registrar (which is bound by fairly strict rules that make such compromise less likely).

Who? (1)

BronsCon (927697) | about 2 years ago | (#39576993)

I'm curious to know which hosting provider this was.

Re:Who? (4, Informative)

lattyware (934246) | about 2 years ago | (#39577065)

It's tagged as rackspace. http://www.rackspace.com/ [rackspace.com]

Re:Who? (1)

l0ungeb0y (442022) | about 2 years ago | (#39577571)

Seems fanatical support is coming back around to bite them in the ass.
Ohh - you want root access to one of our customer's server accounts? Let me bend over backwards to help you with that!

Anyone could have added that tag. (4, Insightful)

pavon (30274) | about 2 years ago | (#39577885)

I wouldn't make any decision based on that, as any user can add tags to a story.

A simple test...FAIL! (-1, Flamebait)

Anachragnome (1008495) | about 2 years ago | (#39578335)

"It's tagged as rackspace. http://www.rackspace.com/ [rackspace.com]"

I just went to that website, as well as every single link from the main page. At each page I used the find function to search each page for a single word. I did not find it....anywhere. That being said, maybe they simply overlooked the concept.

The word I searched for?.........."SECURITY".

Re:A simple test...FAIL! (1)

nedlohs (1335013) | about 2 years ago | (#39578827)

Clearly you didn't, since it's in the title of one of the submenus on that front page.

Or you have a retarded definition of "every" or "link".

Re:Who? (1)

Anonymous Coward | about 2 years ago | (#39577085)

thread is tagged rackspace. rackspace maybe?

If you value security and your data (5, Insightful)

mrsam (12205) | about 2 years ago | (#39577001)

Your provider has de-facto admitted that they messed up. These things happen. The only question is whether they would truly respond in a professional manner. If they do, and they agree to the following, do the following, and move on. Contact them, and request them to:

* Provision a new virtual host for you.

* You will copy all your existing data into your new virtual host, using your own copies of whatever you use the host for. You do have your own copies of everything, and you don't trust the host with the entirety of your data, right?

* For convenience, I think it's ok to copy some data directly from your compromised host, provided that you're comfortable with whatever verification steps you deem are necessary to certify that it hasn't been tampered with. Data, no code.

* When your migration is complete, your provider will swap in your replacement virtual host in place of the compromised one, which they'll decomission.

Of course, for the duration of your migration, your host will not charge you for the second virtual host. You might consider negotiation with your host for an additional discount, as compensation for the work you have to do as a result of their security breach. I think that free hosting for however long it takes you to migrate, that is, no charge for the new virtual host, and billing suspended for your compromised host, would be fair. If that's the two weeks they're already willing to give you, then that's that.

Re:If you value security and your data (4, Insightful)

Shoten (260439) | about 2 years ago | (#39577325)

Your provider has de-facto admitted that they messed up. These things happen.

Um...not really, not if the hosting provider is doing things the right way. And that's the problem. I will elaborate...

The only question is whether they would truly respond in a professional manner. If they do, and they agree to the following, do the following, and move on. Contact them, and request them to:

* Provision a new virtual host for you.

This will not address the fact that there's clearly an issue with the underlying processes and procedures that should have prevented this in the first place. This was a *process* breakdown, not a question of architectural segregation. A new virtual host, (improperly) protected by the same procedural controls, is no more secure.

* You will copy all your existing data into your new virtual host, using your own copies of whatever you use the host for. You do have your own copies of everything, and you don't trust the host with the entirety of your data, right?

See above, about "process breakdown."

* For convenience, I think it's ok to copy some data directly from your compromised host, provided that you're comfortable with whatever verification steps you deem are necessary to certify that it hasn't been tampered with. Data, no code.

See above, again, about "process breakdown."

* When your migration is complete, your provider will swap in your replacement virtual host in place of the compromised one, which they'll decomission.

See above, about "process breakdown." I keep saying it because none of these points addresses that problem, which is the root cause of this and the source of future risk of the same nature.

Of course, for the duration of your migration, your host will not charge you for the second virtual host. You might consider negotiation with your host for an additional discount, as compensation for the work you have to do as a result of their security breach. I think that free hosting for however long it takes you to migrate, that is, no charge for the new virtual host, and billing suspended for your compromised host, would be fair. If that's the two weeks they're already willing to give you, then that's that.

The problem is that something non-technical failed here. It wasn't a buffer overflow, it wasn't a bad firewall rule, it wasn't a zero-day vulnerability. The title of the Slashdot topic is the key: "My Host Gave a Stranger Access". Unless that Host changes what they did wrong the first time, it doesn't matter which server within their control you reside on, or if you're supposed to be there all by yourself. It comes down to if they can demonstrate to you, transparently, what they did wrong and what they have done to fix it. It sounds like there's been a lack of transparency as to the breach, at least at first; that is not a good sign. Good luck, but you may have to take your business elsewhere.

Re:If you value security and your data (1)

erik.erikson (1821660) | about 2 years ago | (#39578665)

Technically, an automated process may have provided the access. It's astute to consider (and even likely) that a non-mechanical process failure may also have been involved. That doesn't change that a bug or other issue in the host's rights provisioning code may have provided the access just as easily.

The offered only half a month of hosting???? (4, Insightful)

mark-t (151149) | about 2 years ago | (#39577039)

Seriously?

Take your business elsewhere, if they value your privacy and security that little.

Re:The offered only half a month of hosting???? (1)

MarkGriz (520778) | about 2 years ago | (#39578983)

My thoughts exactly. They could offer me free hosting for life and I'd still tell them to piss off.

Re:The offered only half a month of hosting???? (1)

mark-t (151149) | about 2 years ago | (#39579079)

Well... free hosting for life isn't anything to sneeze at. It's subjective of course...

But half a month? Come on!

It's like leaving your waiter a tip of exactly five cents on a $50 meal. It's just insulting.

Here's what I'd do (1)

JustNiz (692889) | about 2 years ago | (#39577057)

1) Check your agreement with them to make sure you didn't already agree to waive their liability for any mistakes they make.

2) Sue them for loss and punitive damages.

Re:Here's what I'd do (1)

Anonymous Coward | about 2 years ago | (#39577221)

Such agreements cannot legally bar you from seeking damages the result of gross negligence or wanton acts of misconduct by a party to the contract.

And people wonder why I'm against the cloud. (5, Informative)

Paleolibertarian (930578) | about 2 years ago | (#39577069)

As long as your data is out of your hands it is extremely vulnerable. The hosting company only cares about the money you pay them and little else. If they're hacked, too bad. If they're servers are down, too bad. if the justice department comes with a request, all your data belong to them. Host your own systems on your own property and make your own "in-house" backups. The cloud by definition is vaporware.

Re:And people wonder why I'm against the cloud. (0)

Anonymous Coward | about 2 years ago | (#39577241)

Host your own systems on your own property and make your own "in-house" backups.

If your servers are hacked, you're dealing with them. If they're down, you're dealing with it, and it's you're fault - which is fine if you run websites about your cat, but not if you've got C-level executives above you. And if the justice department comes with a request, all your data belong to them in addition to your dog and/or toddler being shot.

Oh, and uh, good luck with those power requirements, SAS certifications and peering agreements.

The cloud by definition is vaporware.

Vaporware? I'm not sure you understand what that term means. The cloud - while an asinine moniker - exists and has existed for years.

Now, should you use it? Hell no. I've yet to see the "cloud" provider that doesn't have shit I/O performance, among other things. You can do far more with a physical machine and a rudimentary knowledge of cfengine, puppet, chef - or hell, bash, FFS - than you can with all the whizbang useless bullshit cloud vendors try to sell people on.

Re:And people wonder why I'm against the cloud. (0)

Anonymous Coward | about 2 years ago | (#39578745)

I'm totally with you on this one. The Cloud is for sheep and idiots. I mean, WTF did they expect would happen? Hand off control to someone else, and suck up the consequences, buddy.
The Cloud is great for distributing LOLcat pix and high-larious YouTube videos, but only a fool would place anything important out there. If you *must* use "The Cloud", use it for things which you don't mind losing/being copied, or want to share. Keep the important stuff where it belongs.

yawn (1)

Anonymous Coward | about 2 years ago | (#39577119)

There was life before the "cloud". Back up your own shit.

Re:yawn (0)

Anonymous Coward | about 2 years ago | (#39577621)

Right, I'll just back up all my domains...

Goofy, pls.

Re:yawn (1)

exomondo (1725132) | about 2 years ago | (#39579249)

There was life before the "cloud".

I'd be surprised if when Rackspace started using the term 'cloud' they actually changed anything aside from the name of the service, most of this 'the cloud' shit is just renting a server.

Never accept anything (4, Insightful)

DaveV1.0 (203135) | about 2 years ago | (#39577135)

Your second mistake may have been to accept the free hosting. It is quite possible that by accepting you have just cut yourself out of any future ability to seek redress.

Co-Locate everything (1)

Anonymous Coward | about 2 years ago | (#39577161)

In the future, either host in-house or co-locate. I use cloud servers for thing like my kitten&gumdrops website (it's a private site sorry /. ers)

Re:Co-Locate everything (0)

Anonymous Coward | about 2 years ago | (#39577351)

I use cloud servers for thing like my kitten&gumdrops website (it's a private site sorry /. ers)

Hey, thats MY site. I'm switching providers.

sox? (0)

Anonymous Coward | about 2 years ago | (#39577181)

Is there an SOX requirement here - is this a breach by the hosting company?
Was it an isolated incident (did it happen to other customers)?

You did the "right" thing by writing a letter - email is not legal (in this sense).
I would continue the discussion with the paper documentation you've already started.

Document what you believe is a fair estimate of your loss - time x hourly rate.
See if you can negotiate an agreeable resolution - you did good by not releasing their name
showing good faith on your part.

I'd avoid an attorney for now...

Clown Computing (0, Insightful)

Anonymous Coward | about 2 years ago | (#39577235)

The whole Cloud Computing thing is an industry fad, like many others that have come and gone. Given the advent of cost-efffective mega-comms like dark fibre and WAN optimisation, remoting all of your infrastructure or services seems like a logical thing to try.

The problem is......pretty much everything that could go wrong when you trust strangers to handle all of your sensitive IT stuff and protect yourself with a simple piece of paper (hark, I think I can hear the ghost of Neville Chamberlain checking his email...), like as not written by the provider, will go wrong for someone out there at some point. And the implications for the victims are very serious.

When you outsource fully, this sort of stuff can and will happen. And you just have to accept it. Cloud providers are just people, and they are going to screw up in spectacular ways, and their customers are just going to have to cop it. End of story.

Or you could keep stuff in house and take some actual responsibility for your own destiny.

Lawsuit or bust (2)

Krakadoom (1407635) | about 2 years ago | (#39577249)

Truth is it's probably not worth it to file a suit, but if you can afford the fees and such and dont much care about the financial side of it, it's a good way to get peace of mind. If you dont want to be out of pocked, all you can do is take it as a life lesson and next time you get password reset emails, act on them. Personally I would take the "Half a month of hosting as a good faith gesture" as a slap in the face and give em hell for it.

Simple: publicly crusify them (0)

Anonymous Coward | about 2 years ago | (#39577251)

Publicly crusify them and setup a website - then complain to the regulatory body and start spinning 100 articles ... bet they will then suddenly start listening.

This is not only a legal issue, you need leverage and the Internet gives it to you (which is why they so badly want to shut this down) ... use it !

Stop trusting other people to manage your servers. (2)

Sir Realist (1391555) | about 2 years ago | (#39577277)

I don't mean that as a flippant smart-alec remark, I mean it as real advice. You probably do have legal recourse about which you should consult a lawyer, but after its all said and done your servers are still going to be in the hands of someone else, who can do this again.

Business in "Cloud" (1)

s.petry (762400) | about 2 years ago | (#39577291)

I very much agree with others that said the gift as well as the act is not enough to justify staying with that service provider. I'm guessing that if it happened once, it can easily happen again. Sounds like they need to change some policies in order to protect people, and policies generally take a long time to fix.

Now that we have that out of the way, I have to ask the more meaty questions. Do you really put high risk data on servers that you don't own? Do you really trust anyone but your company with your companies secrets? Do you have things in the Cloud that you can not replace?

Lets face facts: Cloud services have no vested interest in your business. They are their to make money from you, so of course they don't want to piss people off. At the same time, the lack of the vested interest means that things can, and often do, fall through the cracks. Their TOS, just like most EULAs from Software vendors protects them from pretty much anything you can think of.

This means that they gave you a gift to keep your revenue coming in, not because you have a chance in hell of taking them to court and winning anything no matter how bad you were harmed.

Cloud is good for some things, but remember that it's not yours. If you don't care about some sales person leaving it at Starbucks, then it's Cloud safe. If you care, then it's not.

You have few options... (5, Interesting)

Tolvor (579446) | about 2 years ago | (#39577373)

I used to work at a major domain name registrar before I went into business for myself. I have heard of dozens of cases like yours, and in short you are toast.

Scammers look for valuable domain names that are in vulnerable accounts that have public emails addresses on free email servers (hotmail, gmail, yahoo, sbcglobal, comcast...) and that can be registered. Or it can be an old phone number that can be used, or some simple paperwork that can be faxed in that the scammer has access to.

The registrars try to protect the domain name and send out warning emails that major account changes are occurring. If those emails are ignored and the domain names get transferred out, it is too late. It is unbelievably difficult (ICANN dispute) to reverse a transfer and force a domain name back once that transfer has finished.

You ignored the email, so unfortunately it is your own fault. Just as it would be your fault if you ignored an official notice that you are required to show up for jury duty thinking it was spam, and afterwards get fined or arrested. Just as if you ignore the car alarm going off in the parking lot as a false alarm and in fact your car was jacked does not mean the alarm company is at fault. The fact that you ignored it means that you did not take needed and necessary steps to protect your property.

You need to read the registrars terms of service and legal agreement that you agreed to. I am familiar with most of the major registrars and they all specifically cover this situation (basically that the onus is on you to protect your services). The registrars do this to protect themselves from lawyers.

The only realistic course of action is for you to register a new domain name, sad as that may be. Or pay the hostage fee to whoever took the domain name which will probably be in the thousands of dollars.

I wish you luck.

Re:You have few options... (2)

Mr. Underbridge (666784) | about 2 years ago | (#39579925)

Or pay the hostage fee to whoever took the domain name which will probably be in the thousands of dollars.

If there's a way to pay them, wouldn't there be a way to sue them? They do seem to have falsified documents, presumably committed wire fraud, and ultimately must have stolen something of value. Are these scoundrels all outside jurisdictions where they can be touched?

True Story (1)

Anonymous Coward | about 2 years ago | (#39577459)

Last week, requested a KVM on a new dedicated server so I could install a custom OS. Datacenter monkeys plugged KVM into another client's server, giving me terminal access. Almost formated the drives, only noticed when there were non standard services booting up like Asterisk, etc. Close call for the other customer, and I can guarantee that my provider won't even bother contacting him to warn him about the potential breach.

Re:True Story (1)

Skapare (16644) | about 2 years ago | (#39578045)

YOU should have sniffed around further just to get that customer's identity and contact info. I once found a big wallet left in a grocery cart in the parking lot. Rather than take it inside to the store where minimum wage people would fondle it and possibly keep it, I rummaged around to find the name of the owner. I caller her and we met at a Subway restaurant. Anyway, after YOU move to another hosting company, be sure to let the other customer know about it.

Welcome to cloud computing. (1)

roc97007 (608802) | about 2 years ago | (#39577597)

We've been combating similar schemes in other externally originating services (ex: stealing domains) for years. Is anyone shocked that people are phishing access to cloud computing accounts?

When your resources are internal and set up properly, a bad guy has to first defeat your physical security before they can even start trying to defeat your software security. Requests for access coming from the outside are immediately suspect. But in "the cloud", *every* request is an outside request, and the service provider has to manage multiple realms with completely different access while maintaining the lowest possible cost *and* a healthy profit margin. Fails like this are inevitable.

As someone else said, stop trusting other people to manage your servers. To which I add: The value of your data probably exceeds any damages you could possibly get out of the service provider. It's a sucker bet.

Trademark your domains (4, Informative)

Animats (122034) | about 2 years ago | (#39577659)

It's helpful to register trademarks on your important domains, if they're unique enough. This means a quick win in a UDRP proceeding, and gives you the option of suing anyone who ended up with your domain. It's about $400 per domain.

More importantly, own your domains. If WHOIS doesn't have your name and address in "Registrant", you do not own the domain. You're just renting it from somebody. Your hosting provider should never have their name in there. This really matters when there's a dispute. Deal directly with your domain registrar. Do not deal with them through a hosting service.

"Private registration" works the same way. The "private registration" service owns the domain, and you have a contractual relationship with them, at best. See what happened when RegisterFly went bust. [wikipedia.org]

find a new host, post reviews (1)

bcrowell (177657) | about 2 years ago | (#39577779)

This doesn't seem difficult to me. You have a month's free hosting. That's the time window you need in order to find new hosting and make sure the transition goes smoothly.

You should also post descriptions of your experiences in relevant forums like webhostingtalk.com and hostingdiscussion.com.

Protecting the guilty to trap the innocent? (1)

reybo (2540564) | about 2 years ago | (#39577815)

Failure to identify the business that failed you is as selfish and cowardly a thing as can be done. And to have the nerve to ask for help from us while exposing us to such a loss is insulting beyond belief.

Re:Protecting the guilty to trap the innocent? (1)

Widowwolf (779548) | about 2 years ago | (#39578007)

It's in the tag Dumbarse...Rackspace.com

Re:Protecting the guilty to trap the innocent? (1)

Bill Dimm (463823) | about 2 years ago | (#39578381)

Who applied the tag, and how did they know it was Rackspace? Seems like pretty sparse evidence to warrant calling someone a dumbarse.

Re:Protecting the guilty to trap the innocent? (5, Informative)

Tacvek (948259) | about 2 years ago | (#39579215)

The tag was applied by the submitter. See the Original submission [slashdot.org] and notice the link to the original source [google.com], which is a letter the submitter wrote to Rackspace about this incident.

An old story (1)

squidflakes (905524) | about 2 years ago | (#39577833)

I used to work for your host's primary competition, and while they have been bought up and chopped to pieces, their terrible approach to customer service is the stuff of legends.

The Random Reboot Lottery was an hourly occurrence, as one poorly trained data center monkey after another went swinging from rack to rack pressing all of the shiny buttons. The Random Restore Lottery was a daily thing, as the same reboot monkeys removed the hard drives from the wrong machines and replaced them with default images. Of course the removed drives were never checked for data or media issues, simply reformatted with the default image and put in the queue to fail again and cause some other customer hours of frustration.

We can't help you ... (1)

Skapare (16644) | about 2 years ago | (#39577921)

... if you don't give enough details like the name of the hoster, dates of events, what domains were transferred, yada, yada, yada. You know if you took this to a lawyer (the best thing to do, really) they need all this info and more. If you want us to help, we need it, too.

Re:We can't help you ... (1)

mmcxii (1707574) | about 2 years ago | (#39578259)

And we need your passwords too. We won't use them for anything crooked... I swear to God.

Check Your SLA (2)

PerfectionLost (1004287) | about 2 years ago | (#39578017)

Let me preface this by saying I work at a company (http://www.edgewebhosting.net) that directly competes with rackspace.

Check your Service Level Agreement (SLA). They are usually not too hard to read, as they are often used as a selling point to people (that said, get a lawyer if you want to get hot and heavy with them). Usually the SLA will say something like this (which is from our SLA):

Our Guarantee: If your ability to send and receive traffic is impacted for more than 30 minutes, we will credit your account 1/30th of the monthly fees for each 30 minutes of downtime - up to one full month fees in a given billing period for the affected server(s) or service.

A month and a half of hosting under those terms is pretty comparable. That said, I would recommend switching hosts. Someone gamed their support to get access to your account. Their support mindlessly (or fanatically if you prefer) went and turned off your domain with out verifying what was going on.

legality (0)

Anonymous Coward | about 2 years ago | (#39578287)

Simple. If someone transferred a domain from you, that's theft or at the very least fraud. Go call the local wallopers and get them onto it. Once that's all done and dusted, I'd be looking for a bigger cloud provider. You get what you pay for. If you want penny dreadful providers, you get crap insecure service. :( Sucks

Do it your self (1)

Sla$hPot (1189603) | about 2 years ago | (#39578343)

If your system contains business critical information, such as contracts, email correspondence etc.
Then you should consider allocating space, hardware and human resources.
The operating costs is always a problem, but that's how it is.
If you don't have the necessary funds, then the choice is easy.
Do as most startups. Use google business, podio, dropbox, salesforce or what ever you need.
The security concerns are the same. Other people will have access to your information.
Just make sure that you can backup your data. That is imo more important than strangers accessing you daily IT systems.

Not to be reductive... (1, Insightful)

fusiongyro (55524) | about 2 years ago | (#39578453)

...but maybe it's time to get off the fucking cloud.

Re:Not to be reductive... (1, Flamebait)

EricTheGreen (223110) | about 2 years ago | (#39578929)

Fabulous idea!

And move to .... what exactly? His own private internet, where there's no dependencies on anyone else for DNS/ domain registration and management / etc. ?

Or is there a killer opportunity involving stone tablets he should switch his business model to?

Re:Not to be reductive... (1)

Anonymous Coward | about 2 years ago | (#39579447)

Oh fuck off. Like the internet didn't exist before everyone started clamoring about TEH CLOUDZ! People like you make me ill

Re:Not to be reductive... (0)

Anonymous Coward | about 2 years ago | (#39579783)

Yes, I agree. If you want hosting then that's your problem. If you want a server, build it yourself and pay to co-locate it yourself...pay for you domains and you'll have lots of legal protection. The internet isn't free, it takes folks like you an me putting servers up and paying for bandwidth.

Grow some balls and get a lawyer. (0)

Anonymous Coward | about 2 years ago | (#39578513)

Really, slashdot, you're going to ask slashdot? Here is what you should do:
1. Grow a pair.
2. Call a lawyer, and file a lawsuit for negligence.

Are you for real? (0)

Anonymous Coward | about 2 years ago | (#39578749)

1. If you actually had this experience, I expect you will let us know the outcome.

2. At some point after legal consultation, I expect you will reveal the name of ypur host unless they provide a significant settlement based on keeping your lip zipped.

3. Do you really think any cloud service is more secure?

Take Your Lumps (1, Insightful)

Anonymous Coward | about 2 years ago | (#39578797)

"I got an email from my cloud server to reset the admin password, first dismissed it as phishing, but a few emails later I found one from an admin telling me that they had"

Hmmm. I'd say you were duly notified and chose to ignore the built in security mechanisms. This will make any legal case pretty tough.

Hard to give great advice knowing nothing really... so either get an attorney's advice or take your lumps and move on. They did catch their mistake, so this might have just been an isolated event and not a matter of routine sloppiness.

Hopefully you'll learn a lesson from this as well. Treat those types of emails very seriously, and contact the host asap.

my thoughts on this subject (1)

RobertLTux (260313) | about 2 years ago | (#39578835)

1 DID YOU GET YOUR DOMAINS BACK??

2 did you lose any data??

the absolute lowest you should accept is

1 their offer
2 your domains back
3 an actual physical letter detailing how they will be preventing this from ever happening again (ie you setup some sort of secondary password and or you get a phone call before any change of that type gets processed).
4 any data lost gets restored from the last backup FOR FREE (assumes they have backups) or you add X more days to your freebie time)

other than that they have lost your account

Lawyer (0)

Anonymous Coward | about 2 years ago | (#39578967)

Talk to a lawyer, you fucking idiot. Who else can tell you best what to do?

cloud server equivalent (1)

koan (80826) | about 2 years ago | (#39579107)

Hey here's the keys to my Porsche because I know you won't drive it when I'm gone *WINK WINK*

I'm thinking small class action (1)

BlueCoder (223005) | about 2 years ago | (#39579611)

Depends on the size of the company and if you can convince the lawyer to do it on his own dime. He could then subpoena customer records and inquire if anyone else has had security issues. How did the security problem happen and how could it have been prevented? No matter what the shrink wrap service licence says their are implied minimum standards and expectations. If people aren't getting what they think they are paying for then it should merit a class action.

Just this act might make it worth it to you to pay the lawyer yourself. Maybe $500 or $1000. It would get the companies attention. You would have their complete customer list and be emailing all their customer pasts and current asking for people to come forward with security issues. Just that act would bring awareness of the issue to other customers and have them asking the provider about security and guarantees.

The company will talk to you before they hand over customer records. You can likely negotiate to pay your minimal legal costs and to work with you and actually fix their security procedures. You might even be able to get a couple grand compensation in exchange for working with you to fix THEIR security issues.

Another thing you can do is write senators and congressmen and bring attention to the issue. Suggest a minimum penalty that companies are liable for, like $500 or $1000. Something that would make companies pay attention and not sacrifice security for convenience.

Terrifyingly Commonplace (1)

Zaelath (2588189) | about 2 years ago | (#39579953)

The amount of clients I've worked with that have this "timeline" for their internet presence is disturbingly high:

1. Discover the internet is important to sales
2. Spend 400 man hours discussing what the domain name should be
3. Spend 5 minutes on Google finding a website designer
4. Allow designer to sell you a hosting package and do all that technical stuff, like registering domain names and setting up DNS servers.
5. Wait 12 months
6. Decide they want to move hosting of "their" domain
7. Spend 400 man hours trying to work out how to "regain" ownership of "their" domain.

In my mind this is the same process:

1. Discover cars are important to sales
2. Spend 400 man hours deciding what colour the car should be (yellow)
3. Spend 5 minutes at a car lot and buy a yellow coupe for your family of 6.
4. Allow the car salesman to sell you the upgraded everything and do all that technical stuff, like registering the car (in the yard's name)
5. Wait 12 months
6. Decide you want to sell "your" car
7. Spend 400 man hours trying to work out how to regain ownership of your car.

Why is the second example ludicrous and the first commonplace?

And yes, I'm blaming the victim here.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...