
The ongoing story of a Dreamhost account compromise - btilly
http://old.nabble.com/Dreamhost-account-hacked-td28062149s24859.html
======
dotBen
I'm surprised anyone with the tech savvy to be reading and contributing to HN
wouldn't be using a VPS for hosting.

The lowest tier server at Linode is $19/month (see <http://vb.ly/linode>) and
will easily host plenty of virtual host based sites - although you could also
check SliceHost or RackSpace Cloud Servers, etc.

Learning to run a simple server is really rewarding and you get to own root
and run the box the way you want to.

Full disclosure: the link above has my referral code in it - it doesn't affect
the cost of Linode's plans to you but if you do sign up you'll cover my
hosting for a month. I hope people are ok with that.

~~~
mrcharles
Some of us aren't heavy web programmers.

~~~
dotBen
Honestly, that doesn't matter.

Anyone who is the slightest bit technical would gain a lot from managing a VPS
for their site. Even if you just want to host a bunch of wordpress blogs, or
even static files.

~~~
mrcharles
You discount the power of being lazy.

~~~
dotBen
^_^

------
mildweed
By and large, Dreamhost is responsive, savvy, and competent. Lack of direct
phone number for such situations is the only drawback I see to this story.

~~~
Frazzydee
As of last month, they were still storing passwords in plaintext. They sent me
my password over email when I forgot my password.

That, to me, is not a good indication of a savvy & competent company.

Edit: I haven't used them for hosting.

~~~
jcl
There was someone, maybe a Dreamhost employee, posting on HN a month ago with
justifications for this practice...

He explained that there are customers who want passwords e-mailed to them,
presumably even if you explain that it is not secure:
<http://news.ycombinator.com/item?id=1148848>

And he mentioned that Dreamhost offers the (non-default) option of not storing
the password text: <http://news.ycombinator.com/item?id=1148732>
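The non-default option jcl mentions (not keeping the password text) only works if "send me my password" is replaced by a reset flow, because a salted hash cannot be turned back into the password. The following is an added example written for this thread, not Dreamhost's code and not from any poster; it assumes a hypothetical in-memory `PasswordStore` using PBKDF2-HMAC-SHA256 for the password hash and a single-use, expiring reset token whose SHA-256 digest (not the token itself) is kept at rest.

```python
import hashlib
import hmac
import os
import secrets
import time


class PasswordStore:
    """Keeps only salted password hashes, so a forgotten password can be
    reset but never recovered or e-mailed back.
    Hypothetical in-memory store for illustration only."""

    ITERATIONS = 200_000  # PBKDF2 work factor; tune to the hardware in use

    def __init__(self):
        self._users = {}         # username -> (salt, pbkdf2 hash)
        self._reset_tokens = {}  # sha256(token) -> (username, expiry timestamp)

    @classmethod
    def _hash(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, cls.ITERATIONS)

    def set_password(self, username, password):
        salt = os.urandom(16)  # fresh salt per user and per change
        self._users[username] = (salt, self._hash(password, salt))

    def verify(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown user costs the same as a wrong password.
            self._hash(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(password, salt))

    def recover_password(self, username):
        # This is the point of hashing: there is nothing to send back.
        raise LookupError("only a salted hash is stored; "
                          "the password cannot be recovered")

    def issue_reset_token(self, username, ttl_seconds=900, now=None):
        """Return a one-time token for the caller to deliver out of band
        (e.g. in a reset link), or None if the user does not exist."""
        if username not in self._users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode("ascii")).digest()
        self._reset_tokens[digest] = (username, now + ttl_seconds)
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        """Set a new password if the token is known, unused and unexpired."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode("ascii")).digest()
        entry = self._reset_tokens.pop(digest, None)  # single use
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        self.set_password(username, new_password)
        return True


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "correct horse")        # constructed sample user
    token = store.issue_reset_token("alice")
    print("reset ok:", store.redeem_reset_token(token, "battery staple"))
    print("login ok:", store.verify("alice", "battery staple"))
```

Storing the token's digest rather than the token means a copy of the table does not by itself let anyone reset an account, and popping the entry on first use makes a reset link worthless once it has been followed. The customer-convenience objections raised later in this thread (keychains and shared passwords) are about what happens after the reset, and are not changed by any of this.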

~~~
Frazzydee
Thanks for that.

I don't agree with their decision though, since most major websites will not
email you back your password, by default. If Facebook can get away with it,
I'm sure Dreamhost can too.

~~~
pyre
Facebook doesn't have paying customers. Also, most Facebook users access it
for personal use. A lot of people access/use Dreamhost for business purposes.
I'm sure there are a lot of PHBs that have access to Dreamhost accounts
because they feel compelled to micromanage everything (or just PHBs that make
the 'requirement' that the password is recoverable).

~~~
andfarm
Along with the PHBs, we've also got a lot of plain old non-tech-savvy
customers who just want to run their [personal blog / small business homepage
/ church web page / etc], and don't know, nor want to learn, too much about
computers. Requiring them to use semi-strong passwords for FTP and email
logins is enough of a challenge; requiring them to change those passwords
every time they forget them is often a real hassle.

~~~
Frazzydee
Why don't they want to change their passwords when they forget them?
Presumably the old password isn't much use anymore, since it's been forgotten.

But unless there's something I'm missing, I suspect I'm just preaching to the
choir right now ;)

~~~
andfarm
One or both of:

- They've forgotten the password, but it's still in the keychain (or
equivalent) for their mail or FTP client, which will all stop working when
they reset the password.

- The password is shared with other employees, and it might be difficult to
notify them all of the new password.

~~~
Frazzydee
(1) Fair enough, I suppose some keychains might make it difficult to recover
the password.

(2) Why not just ask the other employees for the old password?

~~~
andfarm
(1) Right -- and, even if it is possible to recover the password, walking a
non-tech-savvy customer through the process may not be a palatable option,
either for Support or for the customer.

(2) I wish I knew. Not really our place to ask, though.

------
dminor
So is there a registrar with good security measures who is relatively
inexpensive? I've always just used GoDaddy, but maybe it's time for a change.

~~~
pquerna
I would be very interested in any registrar that supported at least SMS for
multi-factor authentication, hell I wouldn't even mind having a real token.

The Apache Software Foundation has had some issues in the past with guys
trying to hijack apache.org -- same thing, password resets on our registrar's
site, etc, but luckily we noticed within a minute, and were able to talk to a
human being on the phone quickly.

But I still really really want multifactor authentication for registrars :|

~~~
foobarbazetc
Paul,

Try dynadot.com.

They offer SMS for auth, and they're also the registrar for wikileaks.org,
which takes a lot of guts, IMHO. :)

------
pragmatic
Maybe a lesson in "you get what you pay for"? No negative connotation implied,
just stating that you are getting discount hosting and to offer that, this
company needs to keep expenses low.

They keep expenses low with no telephone support. So you're SOL when bad stuff
happens.

I've had a couple of these throughout the years (with hosts that will remain
nameless). The nice thing was the control panel was separate from the support
site. (Extra login info to remember, but it comes in handy when the server
hosting your cpanel via a VM is compromised.)

~~~
pyre
> _just stating that you are getting discount hosting and to offer that, this
> company needs to keep expenses low._

Maybe I missed something in that thread, but IIRC the original poster said
that his Dreamhost account was only for domain registration. How does that
translate into 'discount hosting?' Back when domain registration cost $75/year
from Network Solutions, they were still known for horrible customer service,
IIRC. Paying more money for something doesn't necessarily mean you get better
service.

------
cryptnoob
The ability to have my whois record anonymous (for free) by registering
through Dreamhost is a big plus to me.

I have a couple of private servers on DH which entitles me to free "live chat"
with support.

This story makes me wonder if I should open up another account, and put one of
my private servers on it, so if something happens to one account, I use the
other one to make contact with support.

~~~
dfranke
The fact that you're even considering that sort of hack probably means that
you should be more strongly considering looking elsewhere.

~~~
dotBen
The fact he is running sites that want to be anonymized and he feels there is
a high chance of "something happening" to them means everyone else should
consider looking elsewhere.

Don't put up home in the ghetto.

~~~
pyre
> _he feels there is a high chance of "something happening"_

Where did he state that he feels there is a 'high chance?' If I encrypt my
hard drive, does that mean I feel there is a 'high chance' of law enforcement
coming after me and that I must be doing something 'bad?'

> _The fact he is running sites that want to be anonymized_

WHOIS records are only 'supposed' to be used to contact the site admin, etc.
That said, when my WHOIS records were public I used to get a ton of junk snail
mail. _Especially_ from other domain registrars or 'protection services'
wanting me to jump on board with them. The fact that he doesn't want his phone
number and address connected to a domain doesn't mean that he wants the domain
'anonymized.' He just doesn't want someone to be able to Google his name and
get a phone number and address.

> _Don't put up home in the ghetto._

So the fact that a person wants a site to be 'anonymous' means that it's by
definition a sleazy site? What about a forum for abused women? Should the site
admin be forced to be contacted/harassed by possessive (and potentially
violent) men that are trying to find where their girlfriend/wife that ran away
is?

~~~
dotBen
> "Where did he state that he feels there is a 'high chance?'"

He didn't, but the fact cryptnoob felt the need to mention it suggests he/she
is concerned about it. I myself don't go around registering multiple accounts
"in case something happens" to one of the accounts. Do you?

>"WHOIS records are only 'supposed' to be used to contact the site admin, etc"

Dude, cry me a river. I own a shit ton of domains and so I get that spam all
the time. The spirit of the rules around public record of WHOIS data (for
com/net/org at least) is that someone can be contacted for technical and
administrative reasons about the domain. It's a reasonable rule and so if
people fundamentally disagree with it perhaps they should lobby ICANN/etc.

From my own experience running a web hosting business in the past, _most_
people who anonymize their WHOIS details are doing so for suspicious reasons.

> "So the fact that a person wants a site to be 'anonymous' means that it's by
> definition a sleazy site?"

No, and my apologies for not being clearer on that - perhaps the word "ghetto"
wasn't what I meant. What I meant was shared hosting is like being in the
ghetto - you are at the mercy of your neighbors on the same server. An account
on the same box sharing warez forums is going to affect YOUR site's
performance.

> "Should the site admin be forced to be contacted/harassed by possessive (and
> potentially violent) men that are trying to find where their girlfriend/wife
> that ran away is?"

As someone whose domestic partner is a leading voice in women's rights online,
who receives regular abuse and has had numerous death threats, I can assure
you I am very familiar with this subject.

There is a difference between anonymous (read:un-contactable) whois vs using a
business address or mailbox where you can receive communication but is not
your private residence, etc.

~~~
cryptnoob

> _I own a shit ton of domains_

Well, you're the expert. Who am I to argue with anybody who owns a "shit ton"
of domains?

> _As someone whose domestic partner ...has had numerous death threats_

OK, on this, I'd say you're a liar. Anybody actually in that situation, I
guarantee, would understand perfectly why anonymity on the net is often
considered important to people. You are either a complete dolt, or a liar (or
both, I suppose)

I enjoy the convenience DH offers me in keeping my name out of Google. My
reasons have nothing to do with whether or not my sites are sleazy. They're
not. Privacy for myself and my family is not something I should need to
justify to some random git (look it up) on HN.

~~~
pyre
> _OK, on this, I'd say you're a liar. Anybody actually in that situation, I
> guarantee, would understand perfectly why anonymity on the net is often
> considered important to people. You are either a complete dolt, or a liar
> (or both, I suppose)_

While I agree that there's a higher chance of it being a made-up story just to
try and win an 'internet argument' than of dotBen _actually_ happening to
have a domestic partner in such a situation, there's still a possibility that
dotBen and his/her domestic partner are people that are into ultra-openness
(i.e. change doesn't happen unless you take risks). Don't be so quick to
discount that possibility. Though I agree that rabidly trying to enforce your
'ultra openness' on other people is an aggressive stance to take, and a bit
out of nature on HN.

