I'm surprised anyone with the tech savvy to be reading and contributing to HN wouldn't be using a VPS for hosting.
The lowest tier server at Linode is $19/month (see http://vb.ly/linode) and will easily host plenty of virtual host based sites - although you could also check SliceHost or RackSpace Cloud Servers, etc.
Learning to run a simple server is really rewarding and you get to own root and run the box the way you want to.
Full disclosure: the link above has my referral code in it - it doesn't affect the cost of Linode's plans to you but if you do sign up you'll cover my hosting for a month. I hope people are ok with that.
Firstly, the author's Dreamhost account was used primarily for domain registrations.
Secondly, Dreamhost does provide VPSes with root access as well as web hosting and domain reg.
Thirdly, VPS isn't always the right solution. You have to account for time and willingness to do the sysadmin work -- instead of spending the effort on, say, programming or marketing.
Not everybody wants to spend several extra hours up front setting up and securing a server for a simple website or webapp.
And then patching it regularly and worrying about all sorts of things that may not be related to your goal in the slightest.
The point I'm confused about is how a VPS would have helped the original poster. Couldn't the hacker just request a password reset from the (obliging) tech support guys?
Yes, I wasn't thinking about "DreamHost VPS" (although come to mention it I do remember them offering such a service).
With most (read: good) VPS offerings the support guys won't have access to your VPS password (root, etc) and so from that perspective this would be safer and more secure for the OP. Shared hosting, by its nature, holds a much higher chance of the hosting company holding your password in the clear/decryptable state.
My apologies if I wasn't clear in my original reply.
I use a VPS too, but even $19/mo is significantly more than DH -- I pay $119.00 or so for yearly renewal, which evens out to almost $10/mo. A VPS is $100 more per year, and if you're not using the host for anything more than having a web host around for storage, etc., as I do, it's not worth the extra $100 or the extra time spent in proper configuration.
Dreamhost is fine for what it offers. People hopefully don't think they can really run something big and serious on $9/mo, but it's a good easy out for people who just want some web space.
You're advocating an unmanaged solution to people who want managed services. Dreamhost are shit, but an unmanaged VPS is a huge time investment. Apples and Oranges.
There are managed VPS offerings. Another option would be to hire someone to set this up (prob 1hr work for someone remote).
Sure, I totally understand that this is over-kill if you are just running a personal blog - but then that's what wordpress.com etc are for. I'm working on the assumption that most people here on HN are either running a startup, a public facing project or building their personal brand -- all of which IMHO warrant setting things up properly.
I can vouch for dotBen's recommendation. I recently signed up with a VPS for the first time a year ago for a site I'm still in the progress of building. There are a ton of step-by-step guides and how-to resources that make getting up and running relatively easy and painless. You'll be overwhelmed by the options you'll have access to, but there's really only a handful of decisions you need to make to get started. Go for a Managed VPS and you don't even have to worry about keeping up with system upgrades and such.
There's of course, the added reward of having learned and accomplished something new.
Anyone who is the slightest bit technical would gain a lot from managing a VPS for their site. Even if you just want to host a bunch of wordpress blogs, or even static files.
You're glossing over the complexity of configuring email solutions. Though I'm not entirely certain if you're only advocating web hosting on a VPS with mail through something like Google Apps for Domains.
Things like Exim and Postfix are non-trivial to setup correctly and very easy to screw up the configs, at least in my experience; though most of the time that I've tried to configure them I was trying to get them to do non-standard things (like redirect all outgoing emails to non-whitelisted -- through a pattern/regex -- email addresses to a specific mailbox).
There was someone, maybe a Dreamhost employee, posting on HN a month ago with justifications for this practice...
He explained that there are customers who want passwords e-mailed to them, presumably even if you explain that it is not secure: http://news.ycombinator.com/item?id=1148848
(he also mentions that they're not stored in the clear: "They are stored as a hash and in a reversibly encrypted form; access to the plaintext passwords is heavily logged.")
I don't agree with their decision though, since most major websites will not email you back your password, by default. If facebook can get away with it, I'm sure dreamhost can too.
Facebook doesn't have paying customers. Also, most Facebook users access it for personal use. A lot of people access/use Dreamhost for business purposes. I'm sure there are a lot of PHBs that have access to Dreamhost accounts because they feel compelled to micromanage everything (or just PHBs that make the 'requirement' that the password is recoverable).
Along with the PHBs, we've also got a lot of plain old non-tech-savvy customers who just want to run their [personal blog / small business homepage / church web page / etc], and don't know, nor want to learn, too much about computers. Requiring them to use semi-strong passwords for FTP and email logins is enough of a challenge; requiring them to change those passwords every time they forget them is often a real hassle.
Personally, I think that when an account is set up the option should be a prominent one with an explanation of the security implications, as well as noting that you can only reset the password, but not recover it when it is hashed. Then the onus is on the customer since they made the choice when presented with information explaining the risks/rewards of the options. It's kind of 'passing the buck' in that a single employee at a company could choose the wrong option, then if the company ever complains you just point to that person (though indirectly, since you would only be replying that password hashing is an account option that was turned off).
- They've forgotten the password, but it's still in the keychain (or equivalent) for their mail or FTP client, which will all stop working when they reset the password.
- The password is shared with other employees, and it might be difficult to notify them all of the new password.
(1) Right -- and, even if it is possible to recover the password, walking a non-tech-savvy customer through the process may not be a palatable option, either for Support or for the customer.
(2) I wish I knew. Not really our place to ask, though.
When I made that comparison, I meant that dreamhost users are presumably more tech-savvy than facebook users, and facebook users don't seem to have a problem with the password reset structure.
That's the only drawback? It's not at all bothersome that the reps gave out passwords over chat? Or that the reps changed the email address of a different account based on someone's request?
I would be very interested in any registrar that supported at least SMS for multi-factor authentication, hell I wouldn't even mind having a real token.
The Apache Software Foundation has had some issues in the past with guys trying to hijack apache.org -- same thing, password resets on our registrar's site, etc, but luckily we noticed within a minute, and were able to talk to a human being on the phone quickly.
But I still really really want multifactor authentication for registrars :|
Maybe a lesson of you get what you pay for? No negative connotation implied, just stating that you are getting discount hosting and to offer that, this company needs to keep expenses low.
They keep expenses low with no telephone support. So you're SOL when bad stuff happens.
I've had a couple of these throughout the years (with hosts that will remain nameless). The nice thing was the control panel was separate from the support site. (Extra login info to remember, but it comes in handy when the server hosting your cpanel via a VM is compromised.)
> just stating that you are getting discount hosting and to offer that, this company needs to keep expenses low.
Maybe I missed something in that thread, but IIRC the original poster said that his Dreamhost account was only for domain registration. How does that translate into 'discount hosting?' Back when domain registration cost $75/year from Network Solutions, they were still known for horrible customer service, IIRC. Paying more money for something doesn't necessarily mean you get better service.
The ability to have my whois record anonymous (for free) by registering through Dreamhost is a big plus to me.
I have a couple of private servers on DH which entitles me to free "live chat" with support.
This story makes me wonder if I should open up another account, and put one of my private servers on it, so if something happens to one account, I use the other one to make contact with support.
The fact he is running sites that want to be anonymized and he feels there is a high chance of "something happening" to them means everyone else should consider looking elsewhere.
> he feels there is a high chance of "something happening"
Where did he state that he feels there is a 'high chance?' If I encrypt my hard drive, does that mean I feel there is a 'high chance' of law enforcement coming after me and that I must be doing something 'bad?'
> The fact he is running sites that want to be anonymized
WHOIS records are only 'supposed' to be used to contact the site admin, etc. That said, when my WHOIS records were public I used to get a ton of junk snail mail. Especially from other domain registrars or 'protection services' wanting me to jump on board with them. The fact that he doesn't want his phone number and address connected to a domain doesn't mean that he wants the domain 'anonymized.' He just doesn't want someone to be able to Google his name and get a phone number and address.
> Don't put up home in the ghetto.
So the fact that a person wants a site to be 'anonymous' means that it's by definition a sleazy site? What about a forum for abused women? Should the site admin be forced to be contacted/harassed by possessive (and potentially violent) men that are trying to find where their girlfriend/wife that ran away is?
> "Where did he state that he feels there is a 'high chance?'"
He didn't, but the fact cryptnoob felt the need to mention it suggests he/she is concerned about it. I myself don't go around registering multiple accounts "in case something happens" to one of the accounts. Do you?
>"WHOIS records are only 'supposed' to be used to contact the site admin, etc"
Dude, cry me a river. I own a shit ton of domains and so I get that spam all the time. The spirit of the rules around public record of WHOIS data (for com/net/org at least) is that someone can be contacted for technical and administrative reasons about the domain. It's a reasonable rule and so if people fundamentally disagree with it perhaps they should lobby ICANN/etc.
From my own experience running a web hosting business in the past, most people who anonymize their WHOIS details are doing so for suspicious reasons.
> "So the fact that a person wants a site to be 'anonymous' means that it's by definition a sleazy site?"
No, and my apologies for not being clearer on that - perhaps the word "ghetto" wasn't what I meant. What I meant was shared hosting is like being in the ghetto - you are at the mercy of your neighbors on the same server. An account on the same box sharing warez forums is going to affect YOUR site's performance.
> "Should the site admin be forced to be contacted/harassed by possessive (and potentially violent) men that are trying to find where their girlfriend/wife that ran away is?"
As someone whose domestic partner is a leading voice in women's rights online, who receives regular abuse and has had numerous death threats, I can assure you I am very familiar with this subject.
There is a difference between anonymous (read: un-contactable) whois vs using a business address or mailbox where you can receive communication but is not your private residence, etc.
Well, you're the expert. Who am I to argue with anybody who owns a "shit ton" of domains?
> As someone whose domestic partner ...has had numerous death threats
OK, on this, I'd say you're a liar. Anybody actually in that situation, I guarantee, would understand perfectly why anonymity on the net is often considered important to people. You are either a complete dolt, or a liar (or both, I suppose)
I enjoy the convenience DH offers me in keeping my name out of Google. My reasons have nothing to do with whether or not my sites are sleazy. They're not. Privacy for myself and my family is not something I should need to justify to some random git (look it up) on HN.
> OK, on this, I'd say you're a liar. Anybody actually in that situation, I guarantee, would understand perfectly why anonymity on the net is often considered important to people. You are either a complete dolt, or a liar (or both, I suppose)
While I agree that there's a higher chance of it being a made-up story just to try and win an 'internet argument' than of dotBen actually happening to have a domestic partner in such a situation, there's still a possibility that dotBen and his/her domestic partner are people that are into ultra-openness (i.e. change doesn't happen unless you take risks). Don't be so quick to discount that possibility. Though I agree that rabidly trying to enforce your 'ultra openness' on other people is an aggressive stance to take, and a bit out of nature on HN.
> Dude, cry me a river. I own a shit ton of domains and so I get that spam all the time. The spirit of the rules around public record of WHOIS data (for com/net/org at least) is that someone can be contacted for technical and administrative reasons about the domain. It's a reasonable rule and so if people fundamentally disagree with it perhaps they should lobby ICANN/etc.
> There is a difference between anonymous (read: un-contactable) whois vs using a business address or mailbox where you can receive communication but is not your private residence, etc.
Either you don't fully understand what 'private' WHOIS records are or you're purposely ignoring that information. When a WHOIS is 'private' a person is not 'un-contactable.' The service that makes your WHOIS record 'private' acts as a proxy, forwarding messages on to you while allowing you to remain 'anonymous' if you choose not to reply to the messages. Having public WHOIS information isn't just about having your contact information out in public, it's also about having your name attached to the site. If someone is upset with the content of the site and wants to find your home address, putting a PO Box or a business address as your WHOIS address isn't going to stop them if your real name is attached to the record. With a proxy service, you allow others to contact you while preventing personal information from leaking out unless you choose to respond to the person. It's not like public WHOIS information forces a site admin to respond to issues you have when you contact them.
> From my own experience running a web hosting business in the past, most people who anonymize their WHOIS details are doing so for suspicious reasons.
Suspicious how though? This is turning into a "if you haven't done anything wrong, then you've got nothing to hide" argument.
> I myself don't go around registering multiple accounts "in case something happens" to one of the accounts. Do you?
Did you say the same thing when people got paranoid about Google shutting down entire Google accounts over an issue with one of their products? (i.e. Google thinks that someone's AdSense account is gaming the system so some automated process closes the entire account and now the person no longer has Gmail access, nor Google Analytics access, etc) I remember multiple people talking about keeping each service on a separate account just in case one of them got shut down. That way they wouldn't lose 'everything' for the duration of the time that they were trying to get support from Google (if they ever got support from Google).
Why is this issue with Dreamhost that much different? If someone hijacks your account, and you need your account to contact Dreamhost to tell them that your account was hijacked, it presents a sort of Catch-22, no? Why is a person therefore to be looked at with suspicion for wanting to prevent such a problem?
In any case, why is it that someone must be a devious 'evil-doer' rather than just holding paranoid delusions? Wouldn't it be more likely that the person is just ultra paranoid than someone that was 'up to no good?'