
To all those with servers at Dialtone Internet
Duster 09-09-2000, 09:00 PM Note. A reply to the message I originally had here can be seen on page 2. It was irresponsible of me to post it without hearing from DI first so I have removed it.
[Edited by Duster on 09-12-2000 at 11:12 PM]
webfors 09-09-2000, 09:14 PM Contacting them now!
FindMyHost 09-09-2000, 09:42 PM Duster, Tabernack,
I have read your message in detail and I would like to invite you to take a look at Catalog.com. I am Marketing Director for our Dedicated Hosting division. I think we have a package that will meet your needs.
Our prices are extremely competitive and we can custom build any system you require.
We currently offer servers that have a browser based interface and the following software installed, standard:
Support for SSL (BenSSL), SSI, PHP3, and CGI. Also included within the installation are MySQL, Q-mail, proFTPD, DNS/BIND, and FrontPage Server Extensions.
I probably should not have posted this here, but since you seem to be upset about this, I thought I needed to.
Please contact me with any other suggestions you may have on making our services better.
Regards,
Chris Henning
Catalog.com, Inc.
http://servers.catalog.com
webfors 09-09-2000, 09:45 PM Thanks Christian,
I will be contacting you shortly since I am in the market for another server.
[Edited by tabernack on 09-09-2000 at 09:56 PM]
scottlaw 09-09-2000, 09:55 PM Chris,
Any chance on lowering the prices for extra IP's... I think 1.00 per IP per month is a more than fair price. Also, how about charging a flat 3.00 per extra GB instead of having to purchase 50, 100, ... GB at a time to get that pricing?
I know you guys provide a great service but if you fixed these 2 things I would move my other servers over and I am sure you would get a lot more customers since these are the only complaints I hear.
Scott
Duster 09-09-2000, 09:55 PM Originally posted by Christian
Duster, Tabernack,
I probably should not have posted this here, but since you seem to be upset about this, I thought I needed to.
No offense intended, Christian, and you're right. You shouldn't have posted it. I didn't say I was looking for another company and it should be obvious that I am familiar with Catalog.com since I know the programs you offer. I'm not looking to change to another host, just to change my host, who I'm generally satisfied with, and urge them to improve (by following your lead in choice of programs, for one thing).
Thanks for being an example that a company doesn't have to use antiquated programs.
webfors 09-09-2000, 10:00 PM I've gone over catalog's site and scottlaw is right. The high price of ip's and extra bandwidth ($20/GB) are the major disadvantages to going with catalog.
I also did not find anything about hardware upgrade services. If I purchase their Celeron 500 with 128 megs of ram, how much will it cost me to upgrade that to 256 or 512 megs of ram in the future? How much to add a second hard drive?
If they fixed the two factors mentioned above and clarified their hardware upgrade options then they would be an excellent choice, assuming their support and network is as good as scottlaw says it is.
Unfortunately, those factors are enough to look elsewhere.
[Edited by tabernack on 09-09-2000 at 10:06 PM]
Duster 09-09-2000, 10:58 PM Hey guys,
Why don't you start your own discussion about Catalog instead of taking this one so off topic, or e-mail them? This is a serious issue and I would like to see any discussion here about it.
Thanks.
FindMyHost 09-09-2000, 11:15 PM Duster is right, we should start our own discussion group.
I am very interested in listening to what everyone would like in a dedicated host. I have the ability to change our offering so your messages will not fall on deaf ears.
Regards,
Chris Henning
Catalog.com, Inc.
http://servers.catalog.com
Chestnut 09-09-2000, 11:21 PM As a consumer, I support any reasonable request for better service from vendors.
Duster, your request is reasonable and you have my moral support.
Why does DI not upgrade its software when these software programs are free? Anything to do with integration with its control panel?
webfors 09-09-2000, 11:27 PM Here is the new thread that Christian started if you want to discuss anything that is not related to Duster's topic.
http://www.webhostlink.com/showthread.php?threadid=1867
[Edited by tabernack on 09-09-2000 at 11:35 PM]
I have a dedicated server w/ one great company,
Ultra Speed! It's a UK company but they have a USA division and I talk often with the owner there. Great servers. Ultra Speed is co-located in VDI and makes no secret of that. The fact is, they build excellent servers and then provide honest support on them. (if you actually ever need it) So check out http://www.ultraspeedusa.com and send them an e-mail for a quote. That's where I have a dedicated server and ever since I moved there, I've felt a lot more secure and trustworthy that I'm with a company that acts like me, normal human beings. Not a company that acts like robots and ignores you or lies to make sales.
tabernack, just curious - were there any other factors that made you look for a different hosting provider instead of dial tone internet?
Duster 09-10-2000, 12:49 AM Originally posted by Chestnut
As a consumer, I support any reasonable request for better service from vendors.
Duster, your request is reasonable and you have my moral support.
Why does DI not upgrade its software when these software programs are free? Anything to do with integration with its control panel?
I am loath to speak for anyone other than myself. DI hasn't had a chance to respond yet, and I won't speculate on their answer. I will say that in telephone conversations with them, they have stated that they offer a basic vanilla configuration and don't make many changes from the stock configuration. Red Hat ships sendmail, so they use sendmail. However, Red Hat uses qmail for themselves, so what does that tell you?
Doubtless some changes would be required in their control panel to work with different programs, but I doubt that's the reason they are offering what they do.
Let's see what their answer is. I'll probably post it when I get it.
kunal 09-10-2000, 03:09 AM I guess, they just dun wanna go through the headache of making a customised installation?? Maybe they just pop the cd into the drive and boom bang.. workstation Red Hat is installed, and the system is ready to go live!!
Duster 09-10-2000, 11:43 PM kunal,
As I said, other than what they told me, I won't speculate on. I do know that they have a configuration that is duplicated on numerous hard drives. That's why they can get a server ready so fast.
Let's assume for a moment that this effort is successful and they decide to change to these more secure programs. They would have to configure the programs (there's always a little bit of customization required), alter their server interface to work with them, and then they could duplicate this set up on all those hard drives.
They could post a notice on their updates and bug fixes page, and I expect a lot of present customers would gladly move to the new programs. That would reduce somewhat having to support two sets of programs, for the limited support they offer.
I know some of their tech support people are familiar with at least some of these more secure programs, just from talking to them. That will make it easier switching over since some support personnel are familiar with the better programs.
As I see it, it's mostly a matter of caring enough to make better choices.
kunal 09-10-2000, 11:47 PM I guess, could you post whatever their answer is out here??
Duster 09-12-2000, 06:26 PM I heard from Dialtone today regarding the e-mail I sent a few days ago. Before I post their response, I have a few things to say. Since several of us are regulars and chat with each other, it's easy to forget that many more people may view posts than make them.
I have made no secret that I am new to server management and far from an expert. Indeed, my own server site includes my experiences and advice based on my learning.
I chose DI after much investigation and research, as I wanted this to be the last time I moved. Four months of service has only reaffirmed the good choice I made. Their concern for service, even calling customers a month or so after service has started, has impressed me to no end, as it has others here (and on other forums).
My original post was made in ignorance and hastily. I should have waited for their response first so as to understand their viewpoint. I relied on the writings on security sites as regards programs, without thinking of specific configurations and other issues, like licensing requirements.
I'm generally a very fair person, but I was not fair to DI in this instance. All I had to do was wait a bit, and I failed to do so.
I only thought of marshalling support for change, something that has worked with having new features added to the discussion program I use when posting on the author's forum. I gave no thought to their reputation or viewpoint, and consider my hasty post irresponsible because of that. It is uncharacteristic of me, but I made the mistake all the same.
To err is human, to forgive is divine. It's a good thing I renounced that web hosting god title because I sure proved my humanity and fallibility. (insert icon with egg on face, embarrassment, and guilt.)
I apologize for my hastiness and impatience, and have done so to DI, both on the phone and here, publicly.
They were kind enough to call me today before sending a written response. They wanted to be sure I understood the reasons for the choices they made and addressed security matters in greater detail than the post below. I'm glad they did. They covered my questions and concerns in far greater detail than covered here.
Here is their post (greetings excluded), with their permission to post it:
As respects the security post, a point by point comment on the security:
sudo versus su
Ever heard the saying "Better the devil you know than the devil you don't?" It applies here. Improper use of sudo VERY easily can compromise security, even though you THINK it's secure. An example, which I've actually seen in the real world: vigr. An employee at a company was allowed to run vigr, which allows the user to edit /etc/group. They let the employee run this command from sudo, and he promptly got a root shell. vi (which vigr is based upon) has a command which lets you suspend to shell (:sh). He simply ran the sudo command, and then executed :sh, and boom -- root shell.
Now, nobody uses vigr anymore, but the lesson is STILL there -- they were running a program which was NEVER DESIGNED to be run as root by someone who's untrusted. The program did something it thought completely innocuous and it was exploited.
Again, better the devil you know than the devil you don't - at least with su you KNOW UP FRONT that you're baring your throat to the person... and so you make sure you really can trust them. sudo, most people won't, since they think that it allows them to let their users "securely run programs as root". Neat, huh?
Qmail v. Sendmail
First, I'd like to say I did a cursory look at security focus, and I didn't see an exploit FOR SENDMAIL that gave up privileges for the past couple of years. There was one exploit that is actually a problem with Linux that allowed ANY program to regain root privileges after dropping them. Many programs (in fact, it's considered a good security practice) use this method to run code that may or may not be insecure, happy in the knowledge that even if there is a bug, NO privileges will be gained. Since Linux was broken, it didn't work -- but it wasn't a sendmail specific bug. Many programs use this method. I would give us a good review on this, in fact... the exploit was published 8 Jun 2000 10:41:54 (-0400), and we wrote and released a kernel module that fixed the problem by 8 Jun 2000 14:56:24 (-0400). 4 hours to solution for a security problem is not bad. It's excellent.
As far as Qmail v. Sendmail itself, Qmail has a very restrictive license. We can't distribute modified binaries, which is something we'd need to do, and it's against the licensing terms to do so. If we wanted to improve something, we couldn't do it without the author's blessing.
[note: in our phone conversation, I inquired if they had asked the author's permission and was advised they had and that it was refused.]
I hope you understand that we cannot commit to a system as crucial as mail unless we can make improvements upon the codebase ourselves.
ProFTPD v. WU-FTPD
I don't have a whole lot to say about this, except by my rough estimation, over the past couple of years, and a great many of the exploits I've seen for either are shared between them. I will give you that wu-ftpd has more, but it also has more developers (redhat, suse, debian, turbolinux, etc) that will fix problems that come up. Since they're close in the amount of exploits, I'll go for speed to resolution. When script kiddies come a-knocking, it's all about how fast you fix it once published, not how often they occur.
OpenSSH v. Telnet
It was illegal to distribute OpenSSH from within the USA until last week. Will include shortly. 'nuff said.
Don't have a whole lot of a comment about anti-spam. Added to "to evaluate" list.
As far as "won't support" goes, no, we won't support qmail if you install it. If it doesn't touch anything, we should be supporting those programs untouched. If we're not, escalate it. Let me take care of it.
Thanks,
[snip]
My opinion of DI has only been elevated by their concern for their customers' concerns. I would not make any different choices for a host today as I did 4 months ago. DI remains, as ever, highly professional, ethical, fair, responsive to their customers, and exceptionally competent. While not the only good choice, they are in a rarefied atmosphere with little company.
They have increased the bandwidth to all customers, worked out solutions for those with high spikes so as to contain costs, and demonstrated a genuine concern for the satisfaction of their customers. They are still the most aggressively priced company when a total comparison is made, do not charge monthly fees for one time items, as some other companies do, and have tremendous flexibility in their systems.
I will continue to recommend them. I will also be adding specific things I've learned about security to my site.
I hope any readers of this discussion will forgive any confusion I caused in my haste. I learn from my mistakes and will not make this one again.
[Edited by Duster on 09-13-2000 at 12:06 PM]
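The vigr case in Dialtone's reply above, turned into a configuration check (an added example, not part of the original thread or Dialtone's tooling): a small auditor that flags sudoers rules granting editors or pagers with a shell escape unless the `NOEXEC` tag applies, while leaving `sudoedit` rules alone. The user names, sample rules and the program list are constructed for illustration, and the parser is deliberately simplified.

```python
import re

# Programs with a built-in shell escape (editors, pagers). Constructed,
# non-exhaustive list; vi and vigr are the case from the thread.
SHELL_ESCAPE = {"vi", "vim", "view", "ex", "ed", "vigr", "vipw", "less", "more", "man"}
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Constructed sample sudoers content; user names are placeholders.
SAMPLE = """\
# staff may maintain groups
alice  ALL = /usr/sbin/vigr
bob    ALL = NOEXEC: /usr/bin/less /var/log/messages
carol  ALL = sudoedit /etc/group
dave   ALL = (root) NOPASSWD: /usr/bin/vi /etc/hosts, /sbin/reboot
erin   ALL = NOEXEC: /usr/bin/less /var/log/maillog, EXEC: /usr/bin/vim /etc/motd
"""

def audit(sudoers_text):
    """Return (user, command) pairs that can reach a shell as the target user.

    Simplified parser: handles plain user specs, Runas lists and tags, but
    not aliases, #include directives or multiple host specs per line.
    """
    findings = []
    text = sudoers_text.replace("\\\n", " ")        # join continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if "=" not in line or line.startswith(SKIP):
            continue
        who, spec = line.split("=", 1)
        user = who.split()[0]
        noexec = False                              # tags carry over to later commands
        for cmd in spec.split(","):
            cmd = re.sub(r"^\s*\([^)]*\)", "", cmd).strip()   # strip (runas)
            while (m := re.match(r"([A-Z_]+):\s*", cmd)):     # consume tags
                if m.group(1) in ("NOEXEC", "EXEC"):
                    noexec = m.group(1) == "NOEXEC"
                cmd = cmd[m.end():]
            if not cmd:
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if prog in SHELL_ESCAPE and not noexec:
                findings.append((user, cmd))
    return findings

if __name__ == "__main__":
    for user, cmd in audit(SAMPLE):
        print(f"{user}: '{cmd}' has a shell escape; use sudoedit or NOEXEC")
```

`NOEXEC` only stops dynamically linked programs from executing further commands, so `sudoedit`, which runs the editor as the invoking user, is the more robust choice for file edits.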
webfors 09-12-2000, 10:13 PM Thanks for posting your response Duster. It definitely clarifies things. I also am very satisfied with DI and my next server (within the next month) will most likely be with them. I was very impressed with their new Linux plans which all include PIII's and scsi drives. I'm looking forward to seeing how the new server will perform against my "Memorial Day Special" (Celeron and ide drive) which has been fast and reliable (up 90 days now).
I also received a similar response regarding your suggestions.
Thanks again.
Duster 09-12-2000, 11:09 PM You're welcome. It is good to know. I just wish I had waited to hear from them. I don't mind sticking my foot in my mouth unless others suffer for it. It's not as easy as deleting the post. Quite a few people (almost 500 views) read this post and may be left with the wrong impression.
Now we know why we don't see these programs used at many companies.
[Edited by Duster on 09-12-2000 at 11:16 PM]