Whitelist de-listing: HostDoc

135

Comments

  • @WSS said:
    I've never used HostDoc, so you may take this with a grain of salt -

    I deal with WHMCS and SolusVM issues every day, and I see how this could occur, sadly- by trying to make things more convenient for the client.

    I really don't know - I know how I'd feel if I was a cause of this, but I also know how I'd feel if I caused this.

    If they were aware of this for months and didn't manage to handle it, that's completely on them- but shitting on them in public due to being unhappy with their service or otherwise just leaves a bad taste in my mouth. I do not find an excuse for them not handling this as there were obviously several notifications, but I question if this is the platform to hoist them upon.

    Sorry for realposting, but this could easily kill the brand, and I like the cheeky little bastard. We all fuck up, just don't do it again.

    I will realpost as well: when there is clear evidence that the issue has been raised privately by different individuals and that said provider individually assures each customer matters have been taken care of when it is clearly not, keeping every single customer in the dark about the true extent of their private data being leaked because provider assures them individually it is just a one-off only that customer experienced, that is plain wrong.

    Just because you "like the cheeky bastard" doesn't mean that you can question the motivations of other people for telling the truth. This is a matter that is serious enough that any customer should know and factor into decision making. I am concerned if I speak without facts, but that's not the case.

    Your defence on the basis of you liking HostDoc instead of facts and questioning intentions instead of facts, while laudable for honesty, is disappointing in basic reasoning and decency. You basically are saying "Hey folks, I like this guy. Nevermind if he doesn't give a shit about your private data for months despite over a dozen customers reporting breach issues and him falsely assuring them they have been fixed. You are safe with him because I like him."

    Sorry man. I disagree with your position.

    Thanked by (2)AlwaysSkint dosai

    Deals and Reviews: LowEndBoxes Review | Avoid dodgy providers with The LEBRE Whitelist | Free hosting (with conditions): Evolution-Host, NanoKVM, FreeMach, ServedEZ | Get expert copyediting and copywriting help at The Write Flow

  • @HostDoc fyi, from yet another thread on LET ...

    @jar said:
    Found in headers from a curl:

    X-Server-Powered-By: Engintron

    https://engintron.com

    "with an additional micro-cache layer to significantly improve performance for dynamic content generated by CMSs like WordPress, Joomla or Drupal"

    Might this help to identify the cause? This is a significant stack that focuses on caching. Looks like it uses APC + memcached. Could it be caching the dynamic data and returning it to other visitors when they hit the same URLs?

    Thanked by (2)vimalware bikegremlin

    HS4LIFE (+ (* 3 4) (* 5 6))

  • The silver lining in all of this is that there are some very knowledgeable, very smart people who are helping the Doc to troubleshoot this issue. It may be at the expense of some negative PR, but given the serious nature of the issue, it's a small price to pay.

    Keep in mind @HostDoc, this has been kept under the rug for a long time.. you and I both know that. And BTW, you and I both know about a lot of other things that are hidden under that rug, if I was motivated to attack you, those would also be mentioned publicly with the same lack of regard you gave to trying to make me look like I'm attacking you.

    If there was no customer data leak, there would be no thread, remember that.

    Thanked by (1)poisson

    Get the best deal on your next VPS or Shared/Reseller hosting from RacknerdTracker.com - The original aff garden.

  • WSSWSS OGRetired

    @poisson Thanks for sharing your reasoning - and I would never iuse the based upon the same ideology, but all the same- you have done your duty. Take care, and move on.

    @dahartigan I still consider you a shitposter, muich as myself, and take it with as much heed as I would another shitposter. Thanks for providing further information.

    Thanked by (2)poisson dahartigan

    My pronouns are like/subscribe.

  • The shitposting will continue until morale improves!

    HS4LIFE (+ (* 3 4) (* 5 6))

  • edited January 2020

    @WSS said:
    @dahartigan I still consider you a shitposter, muich as myself, and take it with as much heed as I would another shitposter. Thanks for providing further information.

    I am honored by your recognition, impressed inspired by your ability to shitpost covertly, and happy that I used the oxford comma correctly in this sentence.

    @uptime said:
    The shitposting will continue until morale improves!

    As it was written, let it be done.

    Thanked by (1)WSS

    Get the best deal on your next VPS or Shared/Reseller hosting from RacknerdTracker.com - The original aff garden.

  • WSSWSS OGRetired

    @dahartigan Butts.

    Thanked by (1)dahartigan

    My pronouns are like/subscribe.

  • edited January 2020

    Oh man.

    Putting myself in HostDoc's shoes in my head, gave me instantaneous hypertension.

    I hope the teardown fixes the leak.

        There are only two hard things in Computer Science: cache invalidation and naming things.
    
        -- Phil Karlton
    
  • My 2c:

    Yes, this is a major problem that can’t be ignored. And yes this absolutely should have been taken care of earlier.

    But that doesn’t mean everything was handled well here. There’s always more than meets the eye, and I think there’s more that happened behind the scenes here that we might never know the truth about.

    Regardless, I see two things here:

    • @HostDoc: you have a good service and I know you’re working super hard to make it work. That said, this security issue should have been handled differently given the severity. And sometimes you’ve gotta put emotions aside and deal with insults without retaliating, especially if you’re the face of a company. Trust me, it’s friggin hard and I fail at it. But if you can’t do it, hire someone for PR that’s not so emotionally invested.
    • @poisson / @dahartigan: While I’m sure there was communication about this before today, it definitely doesn’t help your case that your posts read like a personal attack. You’ve both made your point quite well, and action is being taken. There’s no point in beating a dead horse. If your primary intention is educating fellow forum members, then your job is done.

    It don’t be like it is until it do.

  • @deank said:

    We will see is my take on it.

    Edit: What happens in the transition period matters. If no-deal brexit happens, then GDPR can kiss good-bye to have any influence in UK.

    The UK will want some kind of trade deal afterwards anyway, with the EU demanding it to be enforced just like with EEA countries like Norway. And anyway, moving a business to the UK to avoid GDPR doesn't inspire potential customers with a lot of confidence regarding how their personal data will be handled...

  • @ouvoun said:

    • @poisson / @dahartigan: While I’m sure there was communication about this before today, it definitely doesn’t help your case that your posts read like a personal attack. You’ve both made your point quite well, and action is being taken. There’s no point in beating a dead horse. If your primary intention is educating fellow forum members, then your job is done.

    Yup. The job is done. I am not sure how you define reading like personal attack when the original communication was all clearly referencing verifiable evidence and HostDoc make baseless accusations without a single shred of evidence, and that somehow seems ok?

    Anyway, I am not bothered by claims of malice because I reference every single point with evidence. However, I will review my priorities now and ask myself if I should devote my time and effort to contribute to making the low-end community a better place.

    Thanked by (1)dahartigan

    Deals and Reviews: LowEndBoxes Review | Avoid dodgy providers with The LEBRE Whitelist | Free hosting (with conditions): Evolution-Host, NanoKVM, FreeMach, ServedEZ | Get expert copyediting and copywriting help at The Write Flow

  • bikegremlinbikegremlin ModeratorOGContent Writer
    edited January 2020

    @dahartigan said:
    Keep in mind @HostDoc, this has been kept under the rug for a long time.. you and I both know that. And BTW, you and I both know about a lot of other things that are hidden under that rug, if I was motivated to attack you, those would also be mentioned publicly with the same lack of regard you gave to trying to make me look like I'm attacking you.

    But... you just did that. Now everyone can just imagine the worst thing that comes to their mind. :)

    ...Is HostDoc really a cat person?!

    To avoid any misunderstanding: HostDoc apparently hasn't handled this issue properly. Also, some of his public posts were out of line - if a company representative doesn't keep their head, why expect forum members to do the same? In my opinion: any accusations by HostDoc about you or Poisson about getting personal - should perhaps be precluded by taking a look at himself (and consider hiring a proper PR as mentioned above).

    Thanked by (2)dahartigan uptime

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • @ouvoun said:

    • @poisson / @dahartigan: While I’m sure there was communication about this before today, it definitely doesn’t help your case that your posts read like a personal attack. You’ve both made your point quite well, and action is being taken. There’s no point in beating a dead horse. If your primary intention is educating fellow forum members, then your job is done.

    I absolutely agree with you that our posts are hindered by the appearance of it being a personal attack, it seems that even an unfounded suggestion of a personal attack is enough to change the narrative.

    It's tragic that it took this becoming public before he took it seriously. It's even more tragic the way this is being handled.

    Thanked by (1)bikegremlin

    Get the best deal on your next VPS or Shared/Reseller hosting from RacknerdTracker.com - The original aff garden.

  • bikegremlinbikegremlin ModeratorOGContent Writer

    @poisson said:
    However, I will review my priorities now and ask myself if I should devote my time and effort to contribute to making the low-end community a better place.

    Just a touch of PMS? :)

    For what it's worth coming from me: your work is appreciated. Sure doesn't put food on the table, but not all value can be measured, nor paid with money. As long as it doesn't take too much time and you can go past anyone barking at you on them Internetsess.

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • cybertechcybertech OGBenchmark King
    edited January 2020

    as someone who has some limited experience in (offline) BD, imo doc might wanna take a step back and consider:

    • consolidating traffic to just a single site. Flash sales running for too long isnt flash sales. it dilutes value of main site. make up mind to keep either hostdoc uk or kvm doctor. Focus on maintaining main site, client area, enduser panel. Run flash sales with coupons instead
    • consider improving consistency on quality of services (as raised among many members of LES/LET and my own experience) either by refining the setup, reducing contention ratio (by having more nodes) or having some RAID 10 or idk, just to eliminate CPU/IO blackouts that sometimes happen on non flagship nodes. Moving to EPYC / Ryzen is a good call btw, again consider spending efforts on improvement of config (as opposed to running flash sales or expansion) to increase density. every provider needs to oversell but the good ones do it with style
    • Better PR and more sleep is chicken and egg issue i believe. Maybe it is OK to not continue live chat 24/7, or slow down on expansion and focus on stability (hence more sleep) or hire a PR

    I bench YABS 24/7/365 unless it's a leap year.

  • @poisson said:

    @ouvoun said:

    • @poisson / @dahartigan: While I’m sure there was communication about this before today, it definitely doesn’t help your case that your posts read like a personal attack. You’ve both made your point quite well, and action is being taken. There’s no point in beating a dead horse. If your primary intention is educating fellow forum members, then your job is done.

    Anyway, I am not bothered by claims of malice because I reference every single point with evidence. However, I will review my priorities now and ask myself if I should devote my time and effort to contribute to making the low-end community a better place.

    I’ve mentioned this to you before, but myself and others really do appreciate the great service you do for the community with your testing. Just because this post went south doesn’t mean you should stop.

    Thanked by (1)dahartigan

    It don’t be like it is until it do.

  • cybertechcybertech OGBenchmark King
    edited January 2020

    Mate, just do you. Do reviews the way you like it. Heck I just open review threads whenever I feel like it wherever with no standard benchmarks. It doesn't even get taken seriously but who cares.

    That's what forums are all about. It's lowendspirit you gotta have some soul

    Thanked by (1)dahartigan

    I bench YABS 24/7/365 unless it's a leap year.

  • Nothing against long running flush sales.
    If its a long runner, you know, that it does not meet any deadpool criteria, thus no one from LET will buy it.

  • edited January 2020

    @Dream said:
    I was undecided to post to this topic anything.
    But now here we are...

    This is MY OWN PRIVATE vision

    @HostDoc I hope you can fix this issue ASAP and there has not been massive damage to the clients them self.
    If you need any help please feel free to ask. I will be there to help as much as my knowledge could help.

    As @WSS has written, we all know that such things could appear and of course it's for both sides the worst outcome in such a relation.

    For the GDPR which has been spoken about, If you're accepting customers from the EU, than you need to be GDPR conform this is also for the US or China Service provider. If the EU is doing about these providersanything, is somewhat unknown. There has been companies from the US which encounter with such bills but let's be somewhat real, they're just started to actively enforce the law. This also counts for me as a Swiss provider which is not in the EU. Also, after the Brexit the law is still current for them for EU customers.

    Just at this moment I got an email from WHMCS about a potential security vulnerability.

    Also, another point to mention is the pricing of the Products. Of course I like also to almost pay nothing. This is of course NO EXCUSE but the sad truth is, that the most providers don't take this aspect of our industries as serious as it should be. And Yes this aspect could cost more than you may earn from the customers.

    @poisson Please take this with an edgy smile
    You also could have handled this a bit more professional from my aspect. I have read the Thread before any comments were posted. And to be truth I was thinking its just for some SEO bullshit because the first sentence was a link to your website. --> just my side of view.

    Please don't beat me, or do it so hard i won't stand up anymore.

    Cheers Dream

    This.

    To be honest, I don’t like the way this thread started. It seems to get more visitors for the new “review” site rather than discussing about the fact and issues. I remember more people left LET due to lots of drama there, and now this topic is a drama like that.

    I think the more proper way to put the title and content like “Possible Data Leak - HostDoc” in “other” forum instead of advertising about another side project.

  • Such an LET thread. You love to see it.

  • InceptionHostingInceptionHosting Hosting ProviderOG

    @BarryHercules said:
    Such an LET thread. You love to see it.

    Indeed, I don't like it much, but it did happen and people have a right to discuss it and be pissy about it, I don't think it will really hurt hostdoc much though ultimately.

    So I did not (do not) feel it has reached a point of needing any moderation yet.

    Thanked by (1)uptime

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • jarlandjarland Hosting ProviderOG
    edited January 2020

    Does anyone else have a good way of reaching HostDoc to let him know that it's Engintron? I messaged him on LET but he hasn't logged in and now the SSL cert on LET is expired, surely a problem that will take days to fix. Worried he may have checked out from the frustration and may not be seeing useful information.

    Not asking for the info for myself, but if someone is in contact and wants to ping him, that'd be cool.

    Thanked by (1)uptime

    Do everything as though everyone you’ll ever know is watching.

  • RossRoss Hosting ProviderOG
    edited January 2020

    @jarland said:
    Does anyone else have a good way of reaching HostDoc to let him know that it's Engintron? I messaged him on LET but he hasn't logged in and now the SSL cert on LET is expired, surely a problem that will take days to fix. Worried he may have checked out from the frustration and may not be seeing useful information.

    Not asking for the info for myself, but if someone is in contact and wants to ping him, that'd be cool.

    I sent him a DM with a link to the engintron cache docs and he mentioned some problem with not being able to disable the cache globally. The client area seems to be back online and the cache status is bypass, so hopefully he's managed to resolve it all.

    I do agree that ideally he should just get rid of engintron completely.

    Thanked by (3)jarland bikegremlin uptime
  • My feeling is that Doc has left the building.

    ♻ Amitz day is October 21.
    ♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.

  • uptimeuptime OG
    edited January 2020

    @jarland - I let him know via chat on kvm.doctor

    Thanked by (4)jarland angstrom flips dosai

    HS4LIFE (+ (* 3 4) (* 5 6))

  • cybertechcybertech OGBenchmark King
    Further from our previous announcement of a possible data leak, action has now been implemented that will see this issue eradicated moving forward.
    The client area is once again active and clients can now manage their accounts.
    
    
    What was the cause?
    
    With no further evidence of any other application caching the data, it is still believed our tawk.to module was the cause of the leak.
    Micro caching as well as an nginx plugin (Engintron) were also speculated as possible culprits. While these are plausible causes, during earlier troubleshooting of the issue, engintron had previously been disabled as well as global caching. The symptoms of the leak however were still present.
    Removing the tawk.to module saw the symptoms temporarily vanish for a month or so later at which point the tawk.to code was also removed from the footer.tpl.
    
    
    
    What has been done to rectify this and avoid it from happening again?
    
    A rebuild of the client area has been carried out.
    Tawk.to has been removed from the client area.
    Cron job added to clear nginx cache every 24 hours.
    Cron job added to clear template cache every 12 hours.
    Engintron configuration and rules have been tweaked.
    Static caching of client area has been disabled.
    Micro caching of the client dashboard has been disabled.
    Php configuration tweaks.
    
    
    What has been done regarding GDPR and PCI ?
    
    ICO have been contacted and alerted about the data leak by phone.
    An assessment was carried out with information collated about the breach, possible causes and what we intend to do to avoid such leaks again in the future.
    We have been offered advice for future security practices.
    
    As a company utilizing Paypal and Stripe (stripe elements) as our card processors, we ensure card data never touches our servers and is therefore processed securely offsite.
    There is no evidence that payment methods, payments  or available  credit were leaked, however, we are PCI compliant in the way in which we accept card payments.
    
    
    Anything else?
    
    Here at HostDoc, we prescribe hosting medication.
    PR never has been a strong point unfortunately. But please never let that define the service.
    
    I would like to apologize to all HostDoc clients.
    It is never an easy decision to decide to stick with a provider after such an event. It is an even harder decision when the provider lacks the skills to compose themselves in an appropriate manner publicly.
    Security is taken very seriously hence this is not the first time this issue has been addressed and will be continually monitored over the coming months.
    
    Thank you to those who continue to support and utilize HostDoc for their hosting needs.
    
    
    
    
    
    Kind regards
    HostDoc Hosting Team
    
    Thanked by (1)uptime

    I bench YABS 24/7/365 unless it's a leap year.

  • TLDR: LiveChat is cancer.
    Hope all is well.

  • @vimalware said:
    TLDR: Incorrectly configured LiveChat is cancer.

    FTFY :-)

    Get the best deal on your next VPS or Shared/Reseller hosting from RacknerdTracker.com - The original aff garden.

  • YmpkerYmpker OGContent Writer
    edited January 2020

    Whatever is happening in here, it's time to go.

Sign In or Register to comment.