Do you like paying extra so other people can ask amateur questions? That's how it is at other hosting companies where beginners and experts pay the same price. Beginners drive up the cost by asking a lot of novice support questions while the experts don't contact support. That is great for amateurs, and unfair to the experts like you.
No Support Linux Hosting has a completely different business model. We ignore the support questions, and pass the savings on to you! If you are an expert who does not want to pay extra for help with amateur support issues, then you can host with us and save big money.
Experts like you can sign up now for free. We charge $1/month per website, and there is no limit to the number of websites you can host in your account. This is the best deal in the web hosting industry, as long as you are the type of person who can find his or her own answers.
For those interested in this kind of thing, there are two fun resources I would recommend. First, LowEndBox (https://lowendbox.com/) which documents where you can get VPS hosting for as little as $1/month or even cheaper in some instances. Second, Super Dimensional Fortress (http://sdf.org/) where for a $1 you can get lifetime low level hosting and for $25 you can get access to a much beefier server. A community of old school *nix nerds comes as a bonus.
Just watch out: lots of the low end box providers end up shutting down, and may take your servers and data with it.
I now stick to reputable “value” providers like BuyVM. Having an operator I can discord and get frank answers, as well as a commitment to privacy (Tor exit nodes welcomed), is nice.
Do people seriously NOT perform backups via independent methods utterly independent of their primary cloud service provider?
No one remembers Photobucket or the hundreds of other cloud services that went "poof" into the night?
There is no cloud, just someone else's computer - always have backups of some other means. A different provider with a different account, alternate mechanisms (i.e. email addresses with different email providers, etc.) to get to that data and accounts...
It's even easier now with VM's, snapshots, free open source backup software that understands all of that - fairly inexpensive commercial solutions like veem - there is zero excuse.
My favorite was a small SAAS provider that had all their backup infrastructure on AWS under the same account as the test/dev and operations - and someone got in and deleted it all. Partitioning - yes, it's an essential thing. And not just for technical. Separation of duties. Requiring concurrence by more than one person for critical operations. Lessons that should have been learned from past experience.
Peoples (especially developers) eyes glaze over with documents like NIST 800-53 - but all those controls exist from experience. The bigger/more critical your system is to your survival, the more of those controls you should have answers for!
Honestly, they generally don't go poof. I remember I had a VPS for more than 10 years with Hetzner. No poofing till they had to get rid of that offering. I have the backups but I think now I prefer just running on GKE + RDS for funsies. Costs a bunch (like $50/mo) but I don't have to worry about anything.
And fuck me if I'm ever writing a BIND zonefile ever again.
This is one of the reasons why business negotiation books will remind you that when you’re making a deal with a vendor, you want to make a deal that is profitable for the vendor and supports / sustains their business. If you don’t, then you’ll have to find a new vendor after they collapse (or get rid of you as a client).
For personal hosting I think one of the problems that makes this more complicated is that even as a group, you’re nobody’s biggest customer. You’re just a side business for someone selling hosting B2B, usually. I know that the local grocery store will make sure that they can still sell to local customers, because that’s the core of their business; I’m not so sure that cloud providers care much about my dinky website.
lowendbox.com was great to start, but they got popular, and then profitable, and finally were bought by a low end hosting aggregator/rollup, and now almost all the different offers on lowendbox.com are coming from essentially the same company. The sister site, lowendtalk.com, seems to have picked up the mantle of open discussions, and they have offers, too. For example, recently I bought a 1GB KVM VPS for $14.83/yr. With KVM, I can use netboot.xyz and play to my hearts content with any Linux distro I want. I have NixOS running on it at the moment. On another, I'm playing with dokku, which takes over the whole VPS as a heroku clone.
These companies are often unstable, so regular backups of anything you might be sad losing are vital. I recommend paying by the month, if that is available, and using this whitelist of low end providers who have been in business for a reasonable length of time[0].
I'm so glad Super Dimensional Fortress is still around. I learned how to use Unix thanks to them back in the 1990s. They're in a different league than the goofballs selling unlimited web hosting cheaper than arizona iced tea.
Definitely be careful with hosts off Lowendbox, as other commenters have mentioned providers go offline without warning all the time. Never pay more than a year in advance etc...
Notorious for "Deadpooling", providers sell ultra cheap hosts. Run them on over-provisioned servers for a year or two and disappear overnight.
I think the claim is that anything clearly legal is allowed. The problem is how iffy 'clearly' legal is. First, which country's law are we using? Second, which court rulings are we applying? Anything controversial ceases to be clearly legal because the police can go after it. Even if a well funded defense will eventually win the case, it may be on appeals meaning that punishment for the content has already begun. Thus it becomes easy to justify anything controversial as not being fully legal.
And that's assuming they'll actually try to stick to their claim. I find that isn't the case when it is really put to the test.
I get it, I was reading "police" too literally; police enforce the law, so how can you have only legal content and describe that as "not policing"? And if you have only legal content, of course you don't police it because that's redundant. "We don't filter the filtered water" you must because that's how you get filtered water, but you don't because you already have done so and it doesn't need doing again.
Un-moderated, or "we have no content policy or acceptable use policy separate from the law".
Saying "whatever reason Amazon gave" is a pretty good reason to downvote it. Amazon gave reasons. If you can cite them, then you can disagree with them. But to simply wave those reasons away as "whatever" is intended to convey "that was obviously legal content being shut down for purely ideological reasons", and that is simply not the case.
The "reason Amazon gave" was "content that threatens
the public safety, such as by inciting and planning the rape, torture, and assassination of named public officials and private citizens", with examples given in:
So it's a bad example of something being dismissed for ideological reasons, and a bad example of something whose reasons can be assumed when the answer was easily available.
That's an excellent reason to downvote something. It's simply not accurate.
“whatever reason Amazon gave” was dismissive, but also accurate. They gave a reason. The poster dismissed it and the comment was downvoted for the dismissal.
You don't know why it was downvoted; the comment just wasn't very helpful at explaining or clear (I didn't downvote). If the reason was "unpaid bill" that would come under "whatever reason" but would that be relevant to policing anything?
Without knowing what reason Amazon gave that leaves me to go look it up; I do, and see various news site quotes including "District Judge Barbara Rothstein sided with Amazon, which argued that Parler would not take down posts threatening public safety." quote on npr.org, and "Amazon told Parler it would boot the company from its web-hosting service [...] because of repeated violations of Amazon's rules" on NYTimes.com, I try to find an official looking source of exactly what reasons Amazon gave and get to the filing for the lawsuit/legal case between Parler and Amazon[1] which includes on page 3 "17. During this same time period, AWS claims that it received reports that Parler was failing to moderate posts that encouraged and incited violence, in violation of the terms of the CSA and AWS’s Acceptable Use Policy (“AUP”). Exec. 2 Decl., ¶ 4; Ex. C (AUP). The AUP proscribes, among other things, “illegal, harmful, or offensive”". It's not clear here whether Amazon is claiming it was illegal or not, or whether it actually was illegal or not.
I google "inciting violence illegal usa" and get to a Cornell Law School[2] page on 18 U.S. Code § 2101 - Riots - saying, abridged, "whoever uses a facility of interstate commerce including but not limited to telegraph, telephone, radio, to incite a riot or promote or organize a riot, or aid or abet any person rioting or commiting any act of violence furthering a riot, shall be fined or imprisoned". Still not clear whether Parler was actually breaking the law or whether Amazon was alledging that they were, or whether this has been decided, or what exact reason Amazon gave.
I know there are arguments about whether hosts are or aren't responsible for content on them, or are just blind transmission systems, but I don't know which way it falls in which scenarios.
It reads more like a complaint about Parler being taken down than a helpful explanation, and could be more clearly and directly said "(policing legal content) means a company removing things against their content policies, even if the things are legal" in as much space and effort.
Assuming the best from the GP, I think they might have meant "whatever" in the sense that AWS enforced their terms of service by enforcing something that they don't hold their other customers to. As you said, this could be for ideological or PR reasons.
The "whatever" being any cause they could justify their actions with.
Thank you; you have done a good job of steel-manning the OP. I appreciate that.
The way it was written, it doesn't surprise me that people didn't read it that way, and downvoted. It comes against a background of people loudly claiming to be oppressed for ideological reasons and failing to support that claim or acknowledging that a serious act of violence has just occurred by people professing the same ideological reasons. At the very least, I felt it was worth pointing out how it reads, so that they might consider it without requiring others to specifically seek an assumption-of-the-best.
NearlyFreeSpeech, where I have been hosting my static personal site for 9 years has a similar model. You pay for exactly the resources you use. I pay less than $20/year.
“Why did it take you so long to answer my question” , “I just wanted a quick answer why are you charging me for 20 minutes of support”. Human time spent on support is not as cut and dry as hosting resources used, so I imagine it’s easier to not have that discussion. Also 5$ would be like 15 mins of any qualified persons time, so really you’re not paying much.
>Also 5$ would be like 15 mins of any qualified persons time, so really you’re not paying much.
Be less minutes than that I dare say. $20 an hour tech costs, then you have overheads and that's without a profit margin. I'd say 5 mins be more closer to the mark. Really gets down to how many support calls you have as if you have a couple admins who have to dip into a support queue, then their hourly rate would be higher. However if you have a nice frontline 1st line support pool with 2nd and 3rd for escalation model/scale then it will get cheaper.
That all said you have to factor in how much support they use and maybe your average user will need one or two tickets a year and then at the other end you the types who fail to read FAQ's and end up needing more support to use their computer, let alone the service and blur the lines contacting you for an issue that after some back and forth turns out to be the user's end. Those will be costly. So you balance things out - and go with the average and yet at the same time, dread some types of customers.
from experience, i can tell you high end support far exceeds $20/h (think 3rd level network and systems support).
$20/h is more in the 1st line territory.
Not just SV, but almost anywhere in the US at this point I would imagine. I was working support in the Phoenix area back in the mid-90s' and it paid roughly 2-3x minimum wage at that time. While the ratio wouldn't be the same, a lot of places now have a minimum wage in the $9-12 range. Given that, $20/hr+ wouldn't be improbable for first line email/phone support.
A couple of years ago I took a break from IT to work first-line support at a local (midwestern) software company. Hourly rate was just a little over that minimum wage range, nothing near $20hr though. I was glad to get it, glad for the experience, and glad to go back to IT when my time was up.
In all fairness, support costs also include all of the techs' phones, computers, networking, software licenses for Teamviewer et al, and office overhead. So a $20/hr bill is pretty cheap for a minimum wage technician.
> "Paid support must be opt-in. Whatever we do with paid support should have no effect on the 80-95% of people who don’t use it."
I assume that includes "when the tech has no tickets, they /do not/ work on anything that would improve the service for everyone"?
> "Essentially, if you want support, you’re not really paying for the answer to a question. You’re paying for somebody who knows what the heck they’re doing to be there when you have a question"
Often no, what I need from support is something I could technically do or am willing to work out, but cannot because it needs to be done on your side of the customer/business security boundary, or needs information from your side of it. e.g. the difference between support resets passwords vs self-service password resets.
This is covered down at the end of the comments in a list of recent support examples, many of them can be potentially fixed by the customers who are using the support as a consultancy service, but a couple cannot. Take password resets, you can design your company to have a self-service one or not at your choice and a good self-service one will mean fewer support requests. Thus, if you charge for support, it would incentivise you to have no self-service reset so that you can get support money for salaries. But you need to pay salaries either way because you need some techs available to run the service, and to provide support-as-consultancy.
> "Although there is a distinct response time benefit to subscribing before you need support, we do expect that a nontrivial number of people will wait until the first time they need support to subscribe. Leaving the first month at $5.00 helps protect us in that scenario."
1. There are parts of the system customers cannot get to, cannot find out about, which can go wrong, so there is the risk of every customer needing support at some point. 2) People who willingly pay a support subscription also go times when they aren't using that support. 3. The people paying for the support and not using it are subsidising the retainer fee of the technical employees being still available when the other peolpe waiting until they need support to subscribe have something still around to subscribe to. 4. Technical people employed and not doing support can do things to benefit all customers.
It only makes sense to include the cost in the fees charged to everyone. It can still be prioritised by inverse usage, or etc.
There are three main problems with pay-as-you-go support based on time. All three come down to support being provided by people:
1) Unlike software objects, it is not yet possible to instantiate qualified support personnel as needed.
2) Unlike virtual machines, people get very cranky if you attempt to suspend them to disk or delete them to save resources when not in use.
3) Unlike physical hardware, uploading large volumes of data to people so they can produce useful output is extremely time-consuming and resource-intensive.
Here's a more serious answer:
When you seek (qualified) support, you're not paying for the time it takes the person to type the right answer; you're paying for them to know the right answer. (See also: https://www.snopes.com/fact-check/know-where-man/)
It took us quite a while to figure that out, and we tried pay-as-you-go support along the way, as someone linked below. l-lousy correctly guessed the outcome of that: more time spent arguing with people about how much we charged them for support than providing support.
Worse, that's how the person providing support makes their (minimal) income: by nickels and dimes and on other people's schedules. So, if you're doing that job, you're making very little money and frequently dealing with angry people due to a system you have no control over.
It's the tech support version of being an Amazon delivery driver. Amazon may be cool with treating people like that, but I'm not.
One detail l-lousy did get wrong (as others observe) is the 15 minutes. $5 is 5 minutes or less of a qualified person's time.
That does assume people want qualified support and not first-tier "I can't be bothered to search the FAQ, read me the right one!" interactions.
Usually, but by no means always, that's a reasonable assumption for us. People looking for that level of hand-holding tend to be much more successful with other hosting services with multiple tiers of support and (usually) phone support.
I guess for small shops, a steady stream of income to pay a support person's salary is more important than the benefits of hourly billing like fairness and possible higher income.
> Each website in your account can use up to 1GB of disk space and 30GB of monthly bandwidth. These resource limits are enough for most normal websites. Each website can set up 3 databases and 25 email accounts.
Yes, but how often does that really happen? I've known of this possibility since I was a teen, and sometimes it happened on fairly popular sites back when unlimited bandwidth was very expensive, but it was rare back then and I haven't heard of this actually happening to any site in the last decade. I'm sure you can find examples online, but it's way more common to get a proper DDoS than to get this kind of attack.
You'd think it'd be more common given how many sites are on EC2 and how expensive Amazon's egress is, but nonetheless, I never hear billing horror stories from that vector.
At my last job, we would get casually DDoSeD from time to time. One of the ones I remember was a wordpress pingback reflection to a large file. Not too hard to handle (pingback is dumb and needs to die in a fire, but at least wordpress sets user-agent), but used a ton of bandwidth until sorted it out.
This was a common prank on mobile browsers using 30+GB favicon.ico files. I am not even sure that was ever truly fixed in all the browsers, might be a good thing to test. The browsers would continue to download the favicon in the background even if you left the page. People that were roaming would get their cellphone accounts suspended. Providers reacted by putting roaming limits in place, but it still caused grief for people.
CDNs are the only sites that have ever saturated my broadband or fiber connections. Accessing 'mere mortal' web sites is way slower. Block out the whole day on your calendar.
An easy to understand price schedule: $4/month per account, and $1/month for every 64MiB ram. Please note; this means all plans come with $4/month worth of support.
While that copy is old, and our pricing reflects the hardware we run on today, the quip has now been updated to: "You get $5/month of support," which is the price of the smallest package we offer.
That wisecrack aside, the reality of the support we provide is more in-line with our byline: "We do not assume you are stupid." In practice, and with a hat tip to pera replying to you here, that means we provide what you might call peer support--we explain what's going on, what steps are necessary to correct it, and take responsibility when we caused the issue. And expect similar candor.
As you might expect, most of the technical support we provide is routine--with sufficient information communicated to both parties the problem is typically straightforward to resolve. But we treat tickets on their merit and customer reports do come in that admit more substantive investigation and resolution:
I know but I believe they should rephrase that: I have been using their VPSs for ten years and they have the best customers support I have ever dealt with :)
Also, no one noticed how funny is that they actually used Microsoft servers/tech for their own website (At least I presume by seeing urls ending in .aspx[0]) while offering "Linux Hosting"?
A lot of people, myself included, would throw in fake extensions to throw off the script kiddies. It seemed like everybody wanted to be one at some point and throwing up an ASPX extension on a php powered site made the scans stand out that much more. Plus it funny :)
If that kind of thing is appealing to anyone, check out uberspace.de. It’s the best possible version of shared hosting and it can even cost 1€ too (you should pay more though).
Unlike this thing they are both super friendly to all manner of linux nerd stuff yet provide excellent, gracious support where they teach you the stuff you don’t know.
I love that model when done well. Others have mentioned NearlyFreeSpeech.net web hosting.
What they provide to me: a place to upload my static web pages to, period.
What I ask from them: serve these web pages I've uploaded, period.
I don't want or need support for any of that. If something breaks on my part, I can and will diagnose and fix it. If something breaks on their end and they need to fix it, then that's a bug report and not a support request.
In exchange for that, their prices are dirt cheap and perfect for the things I need it for. I couldn't possibly host it myself for the prices they charge me. I think that's a good example of there the business model makes a huge amount of sense for all involved.
Looks like it was old school shared web hosting with things like WHMCS, Cpanel, Softaculous, Wordpress one-click installers, in-house written web admin, etc. Where each user was running in the same instance of Linux. Not, for example, a VM per user. That kind of setup has a really wide attack surface. Not surprising it was hacked. That kind of setup with deliberately narrow support was bound to get hit.
I used to manage a fleet of cPanel servers years back, they were a pain to manage as users would regularly get infected on their local machines and have HTML infected with malicious javascript. We used a bunch of tools like clamav/configserver etc to keep on top of it but it was definitely whack-a-mole. Even with inotify style job triggers to check the newly uploaded content.
I set up a virtual guestbook for my daughter's birthday party last year on a cPanel-based hosting system. Couldn't for the life of me figure out why the damned thing wasn't working until I discovered that the admin had gone ahead and disabled my link "guestbook.cgi" since it was a common cPanel attack point. Apparently cPanel comes with a hackable default guest book of its own.
They use php-fpm pools where each website gets it's own uid:gid and the php process runs as that user. Then standard linux file permissions so you can only access your own uid files. To access web assets from nginx/apache, they add file permissions wich standard Linux acls.
Altough not fancy, the security model is actually quite mature. Security problems in these servers come from misconfigured permissions and scripts, not the security stack.
Sure, but there's nothing inherent to the language that fueled that. They could have done that with Python, for example.
Rather, it was popular software like bulletin boards and blogging platforms that built the demand. PHP used to have one of the lowest barriers to entry because you could get by with plain HTML and incrementally add business logic inline.
> Sure, but there's nothing inherent to the language that fueled that. They could have done that with Python, for example.
Not quite true. With shared hosting it was (is?) uncommon for a user directory to have ExecCGI enabled. If you wanted scripts to run they had to live in the cgi-bin directory. Additionally mod_rewrite could be expensive on low powered servers. This all meant doing anything dynamic meant "ugly" URLs and meta tag forwards if you were on such a shared host. It was also non-trivial amounts of effort to get some random CGI script working since you needed to know enough to get the shebang path correct for the server and set the right permissions.
Contrast this to PHP where you dropped a .php file into your user directory and you've got some dynamic content. Platforms built on PHP became popular because you could upload them to your user folder and they just sort of worked. There were no special executable paths, no shebangs, and no execute permissions to set.
Perl was huge in the CGI space for a long time but the (consumer) content platforms built on it weren't nearly as successful because of the difficulty of mere mortals getting them running on their shared hosting plans.
Not really; PHP had many features to make this easier; for example "safe_mode" and "open_basedir". These are not easily replicated in a stock Python by just "flicking a switch", even today (although the need for that today is a lot less than it was in 2000, and PHP even removed safe_mode). Not that these measures were perfect, but they were mostly "good enough".
There was a reason that in ~2000-2005 you could find PHP shared hosts for $1/$2 month, and that Python/Perl/etc. shared hosts were much harder to find and more expensive. People started using PHP bulletin boards and blogging platforms because at the time it was easier and cheaper to run, but that's an effect and not a cause.
These either weren't available at all in 2000 or very new and much harder to set up. You need to consider the state of things 20 years ago, not how they are today.
chroot and jails have been around for a while, i don’t know the date but since ive used bsd and linux they’ve been there. definitely during this era. selinux was launched in 2000.
Sure, you could even argue that PHP was a success despite the PHP language (which was, in the beginning, only a cobbled-together templating language, and then, to Rasmus Lerdorf's dismay, people started to implement their backend logic in the templating language), and Python could have done it, but, well, they didn't...
PHP succeed precisely because of how it executes .php files directly as scripts from a single running instance. This allowed it to be the shared hosting solution because it uses far far less resources than a similar python solution.
Python is great if you want to run your own server or VM per site. It's not so great if you want to run a shared server and it's shared servers (not VMs) that brought the price down and therefore opened the floodgates of allowing people to run their own sites cheaply and easily.
Python webserver support doesn't support SSI-style open and closing code tags in HTML files to be executed per-request, last I checked.
Is there anything like php or bml (bradfitz's equivalent for perl) for python, so that you can put code right in your html to be replaced at serving time with the code's output?
https://docs.python.org/3/library/cgi.html
All your prints are essentially sent as response with CGI, but I think for Python WSGI is the standard you should use, and you can e.g. use jinja to render HTML with templates where you can use variables, certain functions, etc. Is that what you are looking for?
With the recent problem in sudo, I suspect this to be a likely cause. The typical shared hosting stack uses that somewhere, so servers will have it installed. A fast, malicious user (and a slow update process) is enough to get root on one machine and penetrate the rest of the net from there (can still be avoided, but requires some effort).
I assume because they have more margin to keep up. If you work a system like this with $1/user minus the 30 cent Cpanel license, you have little to spend on security.
The "no vm per user" means any privilege escalation bug lets a hacker wipe it all. And your unsupported customers are probably running all sorts of vulnerable stuff.
CVEs for breaking out of a docker container come along as well [1]. Usually you need root in the docker container, but if you combine it with an escalation from non-root to root.. well, you can see how that's less secure than a VM
In theory it is a security boundary. But the attack surface is so big, and local privilege escalation bugs so common, that you should not rely on it to isolate different untrusted users.
They most certainly are not. That's a common misbelief. Containers are not designed as a security boundary, they just happen to function as one most of the time.
VMs on the other hand actually are designed as a security boundary, but even then there are still attacks you can do against other VMs on the same box.
I agree that both are security boundaries in theory. But a minimal hypervisor is much stronger than a cgroup container. Cgroup containers are a thin door made of wood, VMs a vault door made of steel. So people saying "containers are no security boundary" are exaggerating a bit, but not much.
A minimal VM, like firecracker has a small attack surface, so I'm willing to trust that privilege escalation/VM escapes will be rare.
A process restricted by cgroup/namespace/etc. still has access to the huge API surface exposed by the kernel, so privilege escalation is common, and I'm unwilling to trust this mechanism to isolate malicious code.
I agree that they're not very good ones, but a container escape would be treated by everyone the same way a VM escape would be: instant patching, coordinated/embargoed disclosure, AWS finding out before you do, et c.
They didn't start out at the design phase that way, but they absolutely are today.
Of course VMs escapes exist. But many of the vulnerabilities are in functionality which aren't relevant for modern servers. Hardware virtualization support prevents many attacks. For example firecracker supports little more than network, block-storage and vsocks, which keeps the attack surface small.
Containers are not intended to be a security boundary -- functionality along those lines has been gradually backported as maintainers realized that nobody was going to care when they said "don't use these as a security boundary".
There's a world of difference between the amalgamation of hacks that comprise cgroups and something like BSD jails, which are and afaik always have been intended to be a security boundary, which implements real first-class kernel isolation for jailed processes, not just another subtree under proc that provides some direction to the kernel around resource consumption/priority and relies on UID/GID hacks to control access.
You expect people to read a book to find out your perspective? Do you have cliff notes on why using isolation mode doesn’t provide a security boundary?
Containers provide resource isolation using a shared kernel but are not intended to be used in hostile multitenancy scenarios.
A key feature of OS virtualisation is the strong segmentation boundary between
1. Guests
2. Guests and the hypervisor.
For this reason, VMs are seen to provide a stronger security boundary than containers and are used in preference where that aspect is critical owing to environment, multi-tenancy, business context.
So again, what about isolation mode? I don’t know what this is called in the linux world but in windows this feature does exactly this. Still a shared kernel but a far cry from what your explaining.
It's not good enough for multi tenant setups. A single malicious customer can potentially steal data from other customers. The docker team also considers security to be a pretty low priority.
People need to stop looking at containers as a cheap way to get security. They might be a more convenient way to get lots of apps running on a single machine, but they're not very secure.
1. I expect people to move towards a VM per pod model, even in private setups. Firecracker claims a memory overhead of 5 MB, and a minimal QEMU setup shouldn't be too bad either.
2. It sounds like this paper is mainly about covert channels not side channels. Covert channels assume cooperation between both sides, so they're only relevant if one of the sides can't communicate trivially (e.g. via network)
agreed. AWS gets a lot of flak, but open sourcing firecracker was really great. I'd really prefer to see us move toward vms instead of containers, even if we kept the same k8s abstractions.
> .. covert ..
thanks for the catch, should have taken more time. Here's a better paper:
> I'd really prefer to see us move toward vms instead of containers, even if we kept the same k8s abstractions
1. For me containers are one of those abstractions, defined by exposing an application controlled userspace. Containers can be implemented by different isolation technologies, from simple chroot/cgroup/namespaces... to VMs.
2. I'd still use chroot&co to partially isolate containers within a pod, while using VMs to strongly isolate pods from each other. This enables features like shared block-devices, unix-domain-sockets and monitoring the processes in an application container from a separate diagnostics container.
I think it's easier to say that namespacing is nearly orthogonal to security. Native containers (i.e. containers not running in a VM) are literally just processes running on the host and need to be secured with the same methods you would use on non-namespaced processes. Namespacing does add another layer when used properly but it doesn't replace any of the existing ones.
Yeah. There is an https endpoint, but the page renders wrong for me, so I linked the http one. I didn't look to see if the client login/registration sends plaintext over http.
Edit: It does login over http, plaintext passwords over the wire. Heh.
They were almost certainly impacted by the recent sudo bug, considering how they offered cPanel hosting: https://archive.is/PCZ99 I've been trying to make contact with virtual hosting providers over the last few weeks to bring the weakness to their attention, but I've been ignored. cPanel hasn't even issued an update. It's heartbreaking watching websites get destroyed by the bad guys.
As a tip for the future, in case you're interested: you can use hn.algolia.com, search "sudo", time window something like "past month", and you'd have found it.
It is much more efficient and future-proof to have someone put the exact link as a reply, that way people coming to the thread afterwards can simply click on.
Though they would have had to also get into the admin server running (probably) WHMCS.
The sudo bug would let a hacker take over a server where the customer code ran, but not the main admin server. They would have needed some other weakness to get that. Perhaps aided by owning one of the customer servers.
It's possible they don't have updates running on a cron. It's also possible they got hit in the day or so between the announcement and the automatic installation.
It's even possible that while this seems to be a very likely attack vector that the attacker used something else. One place to look if they had a billing system hit and all their hosting systems is if maybe the billing system got breached first. There are automated provisioning and C&C things built into, say, WHMCS or WHM Autopilot that would be an ideal vector to all the hosting servers if someone breached the billing and provisioning system first.
I don't know how many different individual hosting systems we're talking about. Having a user account to use the sudo vuln on each and every one of them and then also breaching the billing server seems unlikely. It seems more likely the centralized tool was taken over (perhaps using one or a few hosting systems as a springboard) and used to spread to all the hosting systems automatically.
(For context, unless you pay 20% extra for AWS support, you basically get no support. There is a public forum for those that like to scream into the void.)
I always liked Amazon's approach to this. In extremis, like if a whole region is down or something, they'll eventually change the green indicator to green with information mark.
> Given that they shut down suddenly and you could not reach a human, it sounds more like Google Cloud ;)
On Google Cloud for over four years, with three kubernetes clusters and a few dozen VMs across three projects... and this thing you describe has never happened. Have you had a different experience with them?
Your numbers are wrong, you can get 'developer support' for $29/mo or 3% of AWS cost (whichever is higher), and 'business support' at $100/mo or 10% of AWS cost. In my experience, the support reps are qualified engineers that take your issues seriously, and it's something that we gladly pay for (particularly since it's opt-in, and you can change your mind at any time).
AWS without paying extra for support can still be fine for a lot of people. Where I work we use AWS, but not many AWS services other than basic virtual machines.
As far as what we run on the machines goes (OS, applications) we are fine dealing with that ourselves. It's what we did back when our machines were machines we owned at a colocation facility, and its not much different when its on a VM at Amazon.
When something goes wrong that affects us and requires AWS intervention, 99.9% of the time it is something that is going wrong for many other people too, some of those will have paid support and bring it to Amazon's attention if it isn't something Amazon notices on their own, and when Amazon fixes it that fix will fix it for all of us.
I can only recall one time it didn't work that way. I was trying to track down a problem with our applications that involved something whose processing involved steps on three different systems. I needed to rely on the logs from those three systems to figure out the order things had happened in, and it was making no sense. I checked the clocks, and found that the three systems had wildly different notions of time.
It turned out that the clocks on some of our instances were ticking at the wrong rate. They were ticking at steady rates, and normally the time code in Linux systems can figure out how far off the rate is and apply a correction, but some of the AWS instances had rates that were something like an order of magnitude more than the Linux code can deal with.
We found some other people talking about this in the forums, but it apparently wasn't hitting anyone with paid support. Someone finally bought some paid support and reported it, and it got fixed. (It turned out that it had only affected one fairly small instance type, and only an older version of it that you were supposed to migrate away from over the next few months, which made it so that only a very small fraction of VMs were affected).
I trust AWS over others primarily because of support. Over last three years we must have opened about a dozen support tickets, 100% of them were resolved to satisfaction.
First line can be terrible, and I've had situations where I have tickets stuck in first line because someone in a timezone 12 hours different picked it up.
They then are resolved several times without an actual resolution. The last time it happened I only found out in the end it was fixed was because I managed to speak to a member of the technical team for a different reason and enquired.
It was the API Gateway dropping headers that contained underscores that happened for about 6 months last year if it impacted anyone else.
In relative terms though, they are far and away better than the alternatives. At least I can get to speak to people quite easily, and I was able to even speak to folks on the team working on API Gateway and they even got my ticket.
The joys of inheriting codebases is that you learn all sorts of edge cases.
Apache used to silently drop http headers with underscores in them because they state incorrectly that it is against spec, which Nginx then decided to copy in the name of "security" although it was just a flag so could be ignored if you aren't doing CGI scripting.
AWS silently added this to load balancers in 2019 until there was a backlash and they restored functionality, and then tried again to add this to API Gateways in early 2020 until, again, people complained.
HA Proxy doesn't, never did and likely never will because underscores are valid.
I don't pay anything for support at AWS, and I had <24h response every time I needed them, despite having a ridiculously low monthly invoice.
That is in stark contrast to other providers to which I give a lot more money, and who can't be bothered to answer in a week... And when they do ally do answer, it takes another full week to do finally have a solution.
You need to buy support on a per-account basis and if you're doing something complex enough with AWS you'll end up with multiple accounts for each environment and for security segmentation etc.
They'll give you general information from your account with the support plan but can't investigate any resources or logs without you owning a support plan on the other account and opening a ticket there.
Also, many companies will have this set up on each account and hardly use it. I don't think it's a loss leader.
Work in AWS Premium Support. Given the sheer volume of accounts with support plans, I'm confident it doesn't lose money in aggregate. Premium Support isn't where you'll find AWS's giant money printer, but it's not losing money.
That being said, I've definitely had cases where the engineering time to solve a case was worth more than that specific account was paying for support (at least for that month).
Well, yeah exactly. This whole business is set up so you don't pay for support if you don't want to. And AWS is set up the same way, they just also let you pay for support.
I've worked on the support side of the hosting industry for a Long Time. A few observations.
1) Hosting is hard. It doesn't seem like it should be, but it is. cPanel simplifies and complicates it because you're locked into doing things The cPanel Way whether you like it or not.
2) Hosting is getting more expensive because cPanel keeps jacking up prices, and I strongly suspect that this host threw in the towel due to the severity of the compromise but also the razor thin margins. Digging out from under it was likely more trouble than it was worth, especially if they didn't have insurance for this kind of thing.
3) KEEP YOUR OWN BACKUPS. For the love of all data that is important, keep your own backups. Did I mention that anyone with a website on any provider on any continent should keep their own backups? By all means, keep your own backups. Because if you don't keep your own backups, you'll wish you'd kept your own backups.
To add the rest of my usual mantra: AND TEST YOUR BACKUPS.
Memories of the look on someone's face when I had to tell them that their laptop drive was truly dead (unless they wanted to pay a data recovery company a pile o' cash) and the USB stick they'd been saving copies of important documents too appeared to be silently corrupting everything written to it...
There are many. CentOS Web Panel, Virtualmin, DirectAdmin, Interworx, and many others. I use Virtualmin on my own stuff. It has a FOSS version that works well. But it's no cPanel. The interface and general paradigms leave a lot to be desired. But it works. The problem isn't variety, it's user base. All the Big Hosts are using cPanel, migrating away from it is a pain.
There's also Plesk, but let's face it. Nobody likes Plesk.
It's not the "no support" part that concerns me, is that they've pocketed the customers money until there was a major problem, then just shut down, customers be damned.
Sounds like someone placed a server in their basement, added cPanel and a PayPal link and totally ignored whatever happened to that server.
It's not a business model. "No Support Linux Hosting" is a white labeled version of Shanje Inc. which is a small business from Iowa run by 1-2 people which was founded back in 1997, so they truly are a blast from the past. Shanje controls a Class C IPv4 block and they use it to host about 30,000 websites which nets them an estimated yearly revenue of ~$70k. Most of the sites that were impacted are ones you've never heard of like francisdiamonds.com and almuftahrentacar.com, but someone loved them enough to put them online, and now they've all been destroyed. Between hacking and COVID we've certainly seen a systematic decimation of the petit bourgeois. It's a tough time to be a small business owner.
That's what is especially frustrating to see. So much of the pre 2010 web is just gone, and I'm sure much of it gone because of something like this. hacks by ransomware garbage or script kids doing it "for the Lulz."
Don't mock lulz since that was the best part of the old web. When I think of lulz I remember stories like jobs and woz poking at&t in the eye blue boxing the pope. Today's guard rose to power on a billion laughs, but there's nothing funny about the criminality and extortion that flourishes under their watch as they focus their attention on banning people for vulgarity. OPM doomed us all.
Yeah, the idea is sound (assuming it was properly marketed), but simply shutting everything down because of an issue like that does sound excessive. At the very minimum, they should have a basic backup that is enough to get the servers running again even if the customers' data got wiped.
It sounds like they were just waiting for a reason to get out of the business. Sometimes you just keep something running because it handles itself, but isn't really bringing in any considerable amount of money. But once you hit a hiccup like this, it's not worth the time to fix it, because it wasn't really a revenue stream in the first place.
70k is a lot for a person, but not really a lot for a company. Someone mentioned they were one or two people, so that's not too bad, but if you get much beyond that, cutting that 70k may make it more trouble than it's worth.
I noted that too and it's really weird. So, they do no have backup of their part of the data (or they don't want/are not able to restore it) but they still have the customers data?
Perhaps things were running in maintenance mode already, and there is no longer the desire to run this part of the business, so they took this unfortunate opportunity to wind things down.
Maybe they’re compromised but data seems intact, as in it’ll be irresponsible to keep serving on the Internet but most of it are probably not maliciously altered?
Yeah, it's pretty common for hackers to upload backdoors to random web sites when they can and exploit them at a later date. If we're talking about a full server compromise then I wouldn't use those downloaded data for anything except for analysis/archival purposes, unless it's been thoroughly cleaned first.
The refund would be a fraction of a dollar that people would have paid for the incomplete part of their final month, no? So perhaps it's hardly worth refunding, or perhaps they did.
A cheap low reliability non-spammy service is a pretty good niche for hobbyists. Who cares that it shut down. It did a job while it lasted.
Yeah, they charged in increments of 12 dollars iirc. It wasn't set up as a yearly sub though - it just worked as account credits, so if you had multiple sites it would deduct money from the same account pool.
I have (had, I guess) a Wordpress site on here. They sent an email about the hack but somebody had already changed my password and recovery email in cPanel. They haven't changed the Wordpress admin credentials though, so I'm exporting what I can.
It's a web interface that gives you full admin access to a website. That's exactly where I would look for vulnerabilities if I were an attacker.
I know I'm going to get flack for victim blaming, but not putting something like cPanel behind a VPN or SSH reverse proxy is on the same level as not wearing a seatbelt. At this point we should all know better, and those who don't will have to suffer the consequences.
If my users have to access the cPanel from wherever they may be, how does a VPN or SSH reverse proxy help? Not trolling, I'm genuinely ignorant of top level security practices.
Because instead of exploiting cpanel directly from any random IP on the Internet globally, attackers first have to compromise your VPN connection.
It's a pretty significant barrier and dramatically reduces the amount of attack surfaces out there.
Mobile/Desktop OS's have come a LONG way in VPN support, so requiring VPN access for critical access (and administrative access should always be considered critical!) is not near the barrier of entry it used to be. Heck anyone can set a VPN server up on a raspberry pi in minutes that can handle hundreds of megabits of traffic - piVPN with Wireguard is drop dead simple to configure and deploy (WAY easier than the mess that is OpenVPN); the amount of friction to implement a VPN these days is just about negligable. It's a harder problem for service providers like this one that have thousands of customers - but they certainly had some sort of user account management/provisioning system; it' way past time to expect those to be able to handle security certificate management too.
It's far less effort than cleaning up messes like the one being profiled here! And if you have sensitive data? Once your system is compromised it's no longer sensitive. It's now public knowledge :p
NearlyFreeSpeech.net. It's probably not as cheap as this was but is close. I used to have a personal static website there. These days I use it only for my domain. It's been years and I've never had a problem with them. They have extensive support webpages and a custom-rolled web interface for management and they seem to know what they're doing.
There are many cheap shared hosts, though perhaps not that cheap if you want cPanel given their recent licensing change to per-account from per-server.
If you are fine doing your own setup and have low resource needs, you can get a 1$/month VM from a number of places. Cheaper if your resource needs are really low, or you don't need a dedicated IPv4 address.
There are even search engines collating them, https://www.serverhunter.com/ for instance. Just do a little background research before picking the cheapest, if you care anything for what you host.
You might be interested in the tildeverse[0] or sdf [1]. Both options offer basic Linux hosting and shell access on a shared machine, though they're more of a social network based on old Unix services than a real website host. Well, SDF is robust enough to use as a real host.
Really surprised to see this on hacker news, I would've thought it too piddly to warrant a thread here. Anyway, long time customer and was generally satisfied with the service. I just used it for my low maintenance low traffic wp blog. Got an email yesterday from them with the same message.
Think I still had like 6 bucks in my account with them, but frankly, who gives a shit. The cheapness of the service was baked in such that eating a couple of bucks doesn't really matter. We had a good run of 4-5 years. Sad to see them go though.
Long time customer as well and found out about this here on HN. I had $4 or $5 left as well but I guess it’s gone. My site is still up for the moment so if I care to save it I’ll move it.
Might just be the end of the road for that site as I’m not about to spend more than $12/year to keep it going.
Jekyl and Gatsby are pretty amazing. Got involved in a project at work that uses Gatsby underneath and once you get used to all the node.js/dependency BS it's actually fun.
I have/had an account there and they actually responded to every email I sent and it did not feel like canned responses. So, I was positively surprised by the level of support I got for the money I paid.
There are superior VPS available for free in the 'always free' tier of GCP or Oracle Cloud. In the latter case you don't even need to set up a billing account, just provide a credit card for verification only, and you get 2 * VPS with a 1/8 of a physical EPYC core and 1GB RAM each, 100GB of block storage between them, and 10TB outbound data a month.
Alternatively PaaS like Google's App Engine have 'always free' tiers sufficient for hobby sites.
Different audience. As much as I loathe Cpanel, there's a bunch of customers that know nothing about Linux and want to point/click things into existence.
Given the name "nosupportlinuxhosting.com" I would expect many using the service to ba capable of knowing/understanding "apt install nginx php-fpm" and so forth.
Though obviously cPanel and its ilk still offer some time-saving convenience even if you could setup everything yourself.
Is this legal? Don't they have to notify authorities about getting personal data hacked? And don't they have contracts in place with customers that they can't simply abandon? Just because you're cheap and don't offer support doesn't mean you don't have to follow the law.
Long time user of the site, don't think they stored any of my personal details - I just paid via paypal. Don't think you could pay directly using any other payment method.
NSH was my go to for years for quick unimportant sites. Like a decade ago. They actually were very helpful the once or twice I contacted them (trying to get bigger instances). And $1 a month!
If your needs can live in ½GB RAM and a few GB of space, it is fairly easy to find $1/month VMs. Cheaper if you don't mind paying annually and/or can cope with ¼GB RAM or other lower specs.
Fine for simple static hosting, or a bit of low concurrency more-dynamic server-side stuff, or running simple services like DNS.
https://www.serverhunter.com/ lists a few, and many for not a lot more, if your resource needs are low enough. Cheapest currently listed is $9.5/yr if you need an IPv4 address. You'll also see them offered in places like lowendbox / lowendtalk / webhostingtalk / similar.
It isn't worth the effort. Looking at their machine (CPU) specs, their equipment is pretty old. They likely have been running on autopilot for a few years.
Rebuilding their clientele after a unmitigated disaster like this would probably take so much time that they would never get back in the black, especially since they are trying to do it on $12/year per customer. That requires a LOT of customers and they will have lost most of their existing ones before they would be able to rebuild.
Add on that they probably have outdated software, probably a lot of it custom/customized, that have unknown security holes...
And from the other side of their potential audience, the cheap VPS setups that are readily available these days will probably have been eating away users too.
Heck, for $5/mo and a setup fee you can sometimes get a small dedicated server (only an Atom CPU, but 500Gb storage and half decent bandwidth) from Kimsufi and their ilk.
Perhaps it didn't make much money prior to the hack. And you would have to operate at a loss until enough new customers came in. With probably lots of bad reviews from the prior customers.
My guess is that if it was worth starting fresh, they did so with a new brand that makes no mention of the old service.
> Perhaps it didn't make much money prior to the hack.
There were significant changes to cPanel licensing not long ago which caused some consternation as it would result in some hosts needing to pay more. IIRC it moved from a per-server model to per-user, with a block of users included in the minimal fee so for small hosts the change had no effect, but for a host like this with many small accounts the extra cost there would make already small margins even more tenuous.
Presumably the little profit still made was better than nothing if the maintenance needed was minimal, but not (for this reason and/or others) large enough to be worth the rebuilding effort after this attack.
"There were significant changes to cPanel licensing not long ago which caused some consternation as it would result in some hosts needing to pay more."
That's interesting. And it would have hit those providers that were grossly oversubscribing the hardest. Guessing this service was in that bucket.
It looks like the message about shutting down was left by the hacker. I can't tell if NSLH is shutting down, though the breach doesn't instil confidence.
Whether NSLH is shutting down or not, it's a good time to make backup copies.
I guess you are also supposed to figure out for yourself what private information of yours has been compromised, since they can't be bothered to make it explicit.
The model of course is shared IP so there are dozens, even hundreds of sites at the same IP address.
I did some kind of lookup once to see who shared an IP with my site. It was stuff like churches, auto repair shops, high school kids experiments, plumbers. This was before Wix and friends. There was nothing scammy or spammy I saw on that particular IP anyway.
----------
Experts Host Sites Here for $1/month
Do you like paying extra so other people can ask amateur questions? That's how it is at other hosting companies where beginners and experts pay the same price. Beginners drive up the cost by asking a lot of novice support questions while the experts don't contact support. That is great for amateurs, and unfair to the experts like you.
No Support Linux Hosting has a completely different business model. We ignore the support questions, and pass the savings on to you! If you are an expert who does not want to pay extra for help with amateur support issues, then you can host with us and save big money.
Experts like you can sign up now for free. We charge $1/month per website, and there is no limit to the number of websites you can host in your account. This is the best deal in the web hosting industry, as long as you are the type of person who can find his or her own answers.
-----------
From https://web.archive.org/web/20201109042643/https://www.nosup...
I guess they took savings from security too.