| subject: | Re: How hard to learn Win 2003 Server? |
From: "Geo"
If the rent a server folks provide you and 253 other websites with the
ability to write code that can be the doorway a hacker uses to root the
server then who are you supposed to blame when someone else's code is the
reason your website got wiped out? Who do you blame that your server is
unavailable for a week while they rebuild their server farm because that
box was used to root the others? How do you know the hacker isn't one of
the other 253 websites?
The responsible disclosure folks have pretty much silenced the security
community, the defaced websites tracking sites have pretty much been
silenced as well so I can't point you to a site that shows how often this
happens but people talk to me about their websites all the time and
rootings are happening more often now than ever from what I can tell.
When Glenn told me about his server, I showed the form letter to our techs,
one of them who has his site hosted on some India web host laughed and told
me it was nothing. A week later his site went down due to a rooting and was
down for a week. Then again last month his site went down due to a rooting,
he's now getting the idea that maybe there was more to what I was telling
him than he thought although he's still not convinced the problem is all
the checked checkboxes for server extensions.
There are some good hosting services out there but the only way I know to
find them is to ask people who have used them for a year or longer.
Geo.
"Gary Britt" wrote in message
news:4378199d$1{at}w3.nls.net...
> I don't think it's reasonable to blame the rent a server folks for insecurity
> built into my web pages. I'd have those same insecure web pages on my own
> server. As long as they protect me from being bothered by someone else's
> server or virtual server getting rooted and my server getting rooted on an
> operating system thing, then they are doing their job. Along with providing
> an always on 24/7 uptime reliability.
>
> Gary
>
> "Geo" wrote in message
> news:4378021c$1{at}w3.nls.net...
> > "Gary Britt" wrote in message
> > news:4377c73b{at}w3.nls.net...
> > > I didn't say it necessarily would. Just that if you don't have or want to
> > > spend the money for dedicated full-time people to handle these kinds of
> > > things, stay on top of everything security wise, and handle all the
> > > associated hardware costs, then it is far more likely that with a little
> > > research you could find the few firms who do have quality experts and would
> > > do a better job at keeping a secure server going than some part-timer inside
> > > the company could do.
> >
> > It's just the rent a server folks don't care about security, they care about
> > having check marks in all the checkboxes on the list of available features
> > so that everyone will go to them because they offer all the features the
> > people who don't know security always want.
> >
> > Look at PHP, it's insecure not because of the server setup but because of
> > the actual code written in PHP. Security on a web server that's running php
> > is up to the guys writing the web pages not the admin.
> >
> > So now that you know this, how can any hosting company offer PHP and still
> > call their machines secure? I mean it's a joke right?
> >
> > Ok now look at any other web server extensions that offer real power stuff,
> > like cold fusion. Cold fusion offers the ability to modify the system
> > registry. Hello? How can someone who rents websites allow every website
> > owner on a machine to modify the registry which no doubt affects the machine
> > security and every other website hosted on that machine? Is that secure in
> > your opinion?
> >
> > My point is to be secure and still use any of the power extensions like .NET
> > or PHP you have to have your own server and you have to understand basic
> > security or the pages and features you make available may very well be what
> > opens you up to hacks.
> >
> > For Randall, he'll need to decide what extensions he needs then he'll need
> > to learn how the exploits for those extensions work so he knows the weak
> > points and what sort of stuff to watch out for. Doing the patches and typical
> > machine security is easy compared to that and having control over the
> > machine configuration instead of being stuck with some rent-a-server
> > standard image config would make things a lot easier. I'd say do it yourself
> > and deal with the learning curve.
> >
> > Geo.
--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)