
Don't use suexec, get sued for privacy violations.
bitserve 08-30-2002, 01:12 AM Suexec has been talked about a lot on the forums as of late, as well as security problems where users are able to view each other's files.
This isn't really new news, but there was an article on Wired, where Ziff Davis agreed to settle and pay damages for failing to implement standard security procedures, resulting in privacy violations of its customers.
http://www.wired.com/news/business/0,1367,54817,00.html
So hosts beware. You will be held accountable.
MotleyFool 08-30-2002, 01:39 AM Thanks Mark,
Very informative.
And it is about time the circle starts coming back to higher hosting charges, better administration and fewer customers on a box.
You can't beat truth... it has a nasty habit of coming back at you! :)
Ouch! Let this be a lesson to us all, though we all should know it already. Don't put anything you don't want everyone to see in the web tree.
2host.com 08-31-2002, 01:29 AM Originally posted by bitserve
Suexec has been talked about a lot on the forums as of late, as well as security problems where users are able to view each other's files.
This isn't really new news, but there was an article on Wired, where Ziff Davis agreed to settle and pay damages for failing to implement standard security procedures, resulting in privacy violations of its customers.
http://www.wired.com/news/business/0,1367,54817,00.html
So hosts beware. You will be held accountable.
I hope this was posted for humor purposes. This has nothing to do with things like SuEXEC. Even with the suexec wrapper you can still have clients snoop around in other users' directories and files if you don't configure the server properly. I assume you are aware, as I've seen you in those threads discussing this topic.
However, personal information and some account names and files are different. That is not a database of user information that wasn't attempted to be secured. I agree that hosts should implement things, even if just suexec; it's better than nothing, but there's no way a host could be held accountable because they weren't good enough to deny users access to other users' information. The client agrees to the fact that the host isn't liable in that regard when they sign up with them.
I don't see the relation between that article and things like SuEXEC, or even the more realistic further step of more than just suexec. I'm not sure why you mentioned that or made the connection between the two, but this is an entirely other matter and I wouldn't assume it had the relation that you make it out to be. Then again that's my view on it and I'm not a judge and jury and that's all it takes to make any unreasonable, irrelevant and irrational connection to have someone win a suit, so what do I know.
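The misconfiguration the post above refers to (home directories readable by other accounts on a shared box, which suexec by itself does not prevent) can be checked with a short audit. This is an added example, not code from the thread; it assumes a /home/&lt;user&gt; style layout and takes the base directory as an argument.

```shell
#!/bin/sh
# Added example: audit a shared-hosting home tree for directories that
# other local users can read, write or traverse. Assumes one directory
# per account under the base path given as $1 (e.g. /home).

# Print "<octal mode> <path>" for each top-level directory under $1 whose
# "other" permission bits are non-zero.
audit_homes() {
    base="$1"
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        d="${d%/}"
        # GNU stat prints the octal mode with -c %a; BSD/macOS uses -f %Lp.
        mode=$(stat -c %a "$d" 2>/dev/null || stat -f %Lp "$d")
        other=$(( mode % 10 ))
        if [ "$other" -ne 0 ]; then
            printf '%s %s\n' "$mode" "$d"
        fi
    done
}

# Tighten one home directory to 0750: owner has full access, the group
# (typically the web server's) may traverse, other users get nothing.
fix_home() {
    chmod 0750 "$1"
}

# Demo on a constructed tree (not real accounts) when run with --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -m 0755 "$tmp/alice"   # leaky: world-readable
    mkdir -m 0750 "$tmp/bob"     # fine
    audit_homes "$tmp"
    rm -rf "$tmp"
fi
```

Run it as a periodic cron job and feed the output to fix_home (or to a ticket) rather than chmod-ing blindly, since some accounts intentionally expose a public_html tree through a traversable but unreadable home.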
bitserve 08-31-2002, 04:03 PM Originally posted by 2host.com
I hope this was posted for humor purposes. This has nothing to do with things like SuEXEC. Even with the suexec wrapper you can still have clients snoop around in other users' directories and files if you don't configure the server properly. I assume you are aware, as I've seen you in those threads discussing this topic.
However, personal information and some account names and files are different. That is not a database of user information that wasn't attempted to be secured. I agree that hosts should implement things, even if just suexec; it's better than nothing, but there's no way a host could be held accountable because they weren't good enough to deny users access to other users' information. The client agrees to the fact that the host isn't liable in that regard when they sign up with them.
I don't see the relation between that article and things like SuEXEC, or even the more realistic further step of more than just suexec. I'm not sure why you mentioned that or made the connection between the two, but this is an entirely other matter and I wouldn't assume it had the relation that you make it out to be. Then again that's my view on it and I'm not a judge and jury and that's all it takes to make any unreasonable, irrelevant and irrational connection to have someone win a suit, so what do I know.
I wasn't kidding.
The subject line of my post was for effect.
You might read my actual post again.
"... as well as security problems where users are able to view each other's files."
Also, you might read the article again.
"Their privacy policy promised that they would take reasonable precautions to protect customers' personal information. Our investigation found that they didn't follow through on that promise..."
Users' information in their home directories is included, as far as I can tell.
The only noteworthy thing for me to add is that there was no legal precedent set. I'm sure that was part of their intent on settling out of court.
Like you, I could have read it wrong.
2host.com 08-31-2002, 04:51 PM I know what you mean about the question of where it ends in regards to this. I can agree that it's possible, because anything is. I just didn't see the relation to it being something that could be compared to a shared hosting server, for example, where users are expected to be on the same system, have logins, expected to access files and use the system, where that sort of thing is pretty common. But again, it could be possible and who knows. It would be interesting to see. I just didn't think that by the article that it meant things of that nature, but just being careless with the data they stored.
I.e., mtv.com has a sign-up membership, asks for names, addresses and personal details and then doesn't take any effort to make sure that someone can't just access that database directly or gather information about someone they don't like from the MTV chat room or some such thing. I mean, rather than system-level stuff with users on a server with accounts (not an account for a service with HTML and form and community-type access only, not actual system logins (FTP, shell, etc.)). However, who can say that it will only stay in that realm. After all, laws are made to waste people's time. :-)
hosthero 09-01-2002, 09:39 AM I would never host my website with any hosting provider that does not use something like SuEXEC. :angry:
bitserve 09-01-2002, 12:16 PM That's interesting about the MTV web site. I recently signed up at legal match (http://www.legalmatch.com) to find a lawyer for a recent problem with fraud, and in their privacy policy they say that they use SSL for the transmission of logon information. I kept waiting for the SSL to be used somewhere, and it never was.
I notified them of the "problem", but they haven't taken action. It's been a month. They also have a TRUSTe logo. I've notified TRUSTe.
You'd think a web site that collects such confidential information would be more on the ball. They provided lousy service anyway.
Haley 09-01-2002, 01:04 PM Thanks Mark for your information