FSO solutions needed

[rvbeck]

you need to quickly propose a total solution to the FSO problem before we and other leave and go elsewhere.

For no fault of our own many of our sites have been disabled as a result of the FSO issue. A VPS solution is proposed. but for many smaller sites such as ours this is very expensive solution when we will use less than 10% of the resources. In our case our costs have increased by >500%

In addition we need a complete solution. We just need the sites ported and up and running in as short a time as possible with the same interfaces etc . .So far my VPS upgrade has been treated like a new purchase. I have had to by a VPS-2 for the My SQL and pay extra for the plesk. We relatively amateur users we do not want/need direct control over the server. A VPS-1 would have been a more reasonable price, but why not include the plesk option as well ??

I do not mind paying a bit extra, but 500% ? and then we just need the system ported across and up and running ASAP with as little intervention as possible. There is no specific assistance being offered to us, who though no fault of our own find ourselves with sites offline.

So please a complete solution approach , because I am afraid that today it looks more like a scam to sell upgrades, rather than a real attempt to provide a solution to the problem.


Richard

[John]

Hello Richard,

We are working on it. The FSO is something we are working very hard on, but until we are sure the security of the servers are safe, it will remain turned off.

In regards to VPS pricing, I will be entirely honest with you. We make very little in the way of profit on the stand alone Windows VPS products. Audits show that we just about break even on them, so they are already as low as they can be pricing wise. Again, with Plesk, we actually sell these to customers under our cost price from Parallels. We only offer the Windows VPS as it is considered a mainstream product these days and we can't be without it.

[John]

Hi,

Just to add, I'm doing some calculations as we speak to see if there is any other product we could offer which would work for you guys.

[rvbeck]

Hi,

Just to add, I'm doing some calculations as we speak to see if there is any other product we could offer which would work for you guys.

This is good news, but as I tried to put across, what is also important is that you try to offer the complete solution, rather than just a new host product. Today it is a FSO problem, tomorrow it may be another component that you have to take down at short notice, which causes disruption to another group of users. You need to be a position to respond quickly to get things ported across and up and running ASAP, as transparently as possible for the customer.

regs

Richard

[John]

This is good news, but as I tried to put across, what is also important is that you try to offer the complete solution, rather than just a new host product. Today it is a FSO problem, tomorrow it may be another component that you have to take down at short notice, which causes disruption to another group of users. You need to be a position to respond quickly to get things ported across and up and running ASAP, as transparently as possible for the customer.

regs

Richard

Hi,

If everyones website got hacked on a server because we opted not to disable something in case it broke some websites, would you be happy? I wouldn't be. At the time we actively saw people targeting this across all shared hosting servers. If we hadn't turned it off, maybe when you wake up in the morning your website is defaced and we are in the situation where we have to restore tens of thousands of domains and deal with that support load.

So, although I understand your frustration, I'm pretty much not going to entertain the idea of leaving problems we actively see alone.

There is no magic server, firewall or security measures which are going to always keep your server secure from now and forever. It changes every hour.

[rvbeck]

Hi,

If everyones website got hacked on a server because we opted not to disable something in case it broke some websites, would you be happy? I wouldn't be. At the time we actively saw people targeting this across all shared hosting servers. If we hadn't turned it off, maybe when you wake up in the morning your website is defaced and we are in the situation where we have to restore tens of thousands of domains and deal with that support load.

maybe I did not explain very well. I am quite aware of the need to take down servers or remove components. This is not in question.

What I am raising is the issue having a structure in place to recover the situation for those impacted user groups as quickly as possible (crisis management), and to minimise your costs.

It is clear that a bunch of people were seriously impacted and were raising tickets and calling in. In my case I have spent several hours over 3 days on chat + several tickets with sales and tech , just to get the VPS online (still not there yet!).

The process could have been more efficient for both of us. e.g sales and tech teams fully briefed on issue (my perception is that this was not always the case) . Ticket /call comes in. If identified as FSO prob re-direct to sales team that are prepared and can quickly propose an identical ( functional ) package, update invoice and point back to tech team to port system. Repeat process for all similar cases - job done. This saves us and you guys time and effort.

regs
Richard

[John]

Hello,

I see from the brief that people were advised to switch to a Windows VPS as a work around. As for infrastructure, we have enough in place to cope with a sudden increase in VMs. However, I can't keep hardware sitting idle, which I purchased at a special discount rate, just in case I suddenly need to give a very special deal to customers. You know why? Because if I could offer that pricing to begin with, it would already be on the website.

There isn't actually a way for us to run a command and see who is using a certain module/feature, so there is also no way to notify only those impacted clients, only server wide clients. With that in mind, we would also never know how many would be needed to move to a new infrastructure, be it 1 or 100.

To clarify, I personally don't mind what settings or modules you run on your website. If we tell you something is a potential security issue and you opt to use it regardless, I consider that then your responsibility. The only stage we will step in and take that choice away from you is when that something could lead to accounts beyond yours being impacted, as it would have in this case.

In regards to migrations, they aren't as simple as they sound. They are time consuming, depending on the data being moved, where DNS is hosted, who has access to change said DNS, ensuring that only the needed settings are implemented. Add to that the usual support load, the number of clients needing that exact same setup and general delays in replies, I don't believe there is a fast solution. However, the 3 days you referenced is excessive. Please PM me your ticket ID and I will look into that.

In regards to the calculations I was trying to make, I was trying to calculate if it would be viable to have a separate shared server setup with this feature enabled. I was then deciding if customers would be happy with this option, KNOWING that we know that they could be potentially exploited via another user on the server. Although I'm sure some would opt for it, I don't believe most people, hand on heart, would actually consent to being hosted on a lower security server.

I get the point you are trying to make, but I don't entirely think it is realistically achievable. Unfortunately there are far too many unknowns.

[John]

Hello,

A related post http://www.eukhost.com/forums/f10/fi...th-free-14220/

[Phatman]

I use (used) FSO for uploading photos for my shopping cart products. Many years ago I used to use Persits ASP Upload componant - maybe that could be put on the server? I've now rewritten my file upload code in PHP which I'm gradually migrating to - I've had a belly full of Microsoft I tried .Net but it utterly ties you into MS which can only be bad in the long term.

I don't think FSO is to blame, I think it could be bad coding practise. I sometimes work on sites hosted by a company called Tollon and they run a robot that checks your code for best practice and if you're found wanting you get a warning, then your sites taken down until you fix it - it could be for not closing recordsets or not destroying connections or not protecting against SQL injection. At first it was annoying but their servers do run extremely efficiently.

[John]

Hello,

A large VM has been created to help those who are not able to afford a VPS or change their code quickly enough.

I stress that we don't consider this a long term solution and our usual SLAs don't apply, as we know the level of security is not good enough, but it is available for those wishing to proceed even with those things in mind.

CRM, Sales and Support have all been briefed with the availability of this server. Please submit a support ticket if you wish to proceed with it.