
Same questions : FutureQuest answer after 6 minutes. Pair.com don't after 28 hours...
I asked the same questions to FutureQuest.net and Pair.com (I'm looking for a host with EXCELLENT uptime because I want to sleep well...). FQ answered me after only 6 minutes. Pair hasn't answered yet after 28 hours...
Is it normal for FQ and for Pair ?
:)
tazzy 12-08-2002, 11:09 AM Hello,
Both are quality providers of web hosting. Did you send an email to sales?
Well I guess their response times to pre-sales questions would indicate how much they would care about you becoming one of their customers...
Incognito 12-08-2002, 11:24 AM As to pair not responding, did you send to info@pair.com? It could be that they either don't have a sales staff or have a very small one on weekends...I don't know. I would just say sales response may not be consistent with customer support.
As to futurequest, the quick response is not surprising as they are a very professional organization.
Hello,
Yes, I sent to info@pair.com >> Pre-Sales Information and New Service Inquiries. I'm very surprised by Pair because they don't have an uptime guarantee. :confused:
Damned, Futurequest seems to be perfect (great team and great uptime) but the disk space is so small... So small...
HRBrendan 12-08-2002, 12:15 PM Do a search for people saying bad things about Pair, then take into account the fact that they have more customers than most other hosts you know combined, and that definitely should tell you something about the level of service they provide.
-Brendan
parawing742 12-08-2002, 01:25 PM I have always found FQ to answer very quickly to ANY e-mail (I'm not a customer, but I have asked questions before).
As for pair.com, I had an account with them for a short time and they have some MAJOR security issues on their shared accounts (as of September). I e-mailed them about it and they basically said that you need to secure your own website if you don't want to get hacked. I know they have been in business for a long time, but this one issue makes me very concerned about the safety of a website on pair.
GoldenWeb 12-08-2002, 02:40 PM I'm not defending anyone but pair.com could be one of those companies that only answers pre-sales questions during business hours as I've heard a few companies are like that. I don't agree with it though.
sigma 12-08-2002, 04:59 PM Originally posted by parawing742
As for pair.com, I had an account with them for a short time and they have some MAJOR security issues on their shared accounts (as of September). I e-mailed them about it and they basically said that you need to secure your own website if you don't want to get hacked. I know they have been in business for a long time, but this one issue makes me very concerned about the safety of a website on pair.
I'm sorry, but that's quite untrue. I assume this is another variation of the old "I can see other accounts' files so it must be insecure".
Many Webmasters would like for their host to practice security through obscurity so they don't have to think about securing certain things. The fact remains that on a shared hosting service, you have to secure your material according to your needs. The Web server runs as nobody; other accounts can run scripts as nobody, so anything the Web server can see, other accounts can see, unless you are using cgiwrap, which we fully support.
Regarding the initial topic, we have always given top priority to current customers, not pursuing new ones. Consequently, our 24x7 coverage is focused on support, not sales. If a customer needs a typical 6-minute response, they can contact our urgent address any time, day or night.
Thanks,
Kevin
sigma 12-08-2002, 05:02 PM Originally posted by Bot
Yes, I sent to info@pair.com >> Pre-Sales Information and New Service Inquiries. I'm very surprised by Pair because they don't have an uptime guarantee. :confused:
In our defense, I personally believe that Uptime Guarantees are usually a marketing sham and nothing more. We do have one of the strongest uptime records in the industry. Would you rather have actual uptime, or a "guarantee" with so many exceptions (e.g., must notify the host in writing, one hour downtime or more, not maintenance) and such minor penalties (e.g., 10% of monthly fee back) that it's of no use to anyone?
I'm not posting to promote, only to defend.
Kevin
UmBillyCord 12-08-2002, 05:11 PM Originally posted by sigma
In our defense, I personally believe that Uptime Guarantees are usually a marketing sham and nothing more. We do have one of the strongest uptime records in the industry. Would you rather have actual uptime, or a "guarantee" with so many exceptions (e.g., must notify the host in writing, one hour downtime or more, not maintenance) and such minor penalties (e.g., 10% of monthly fee back) that it's of no use to anyone?
I'm not posting to promote, only to defend.
Kevin
I agree. At least you guys are honest enough to admit it. Also, for anyone wanting to debate their uptimes, go to netcraft and do a search on servers with the best uptime. You will see a few Pair machines on the list. (Well at least you did a few months ago) ;)
alphadesk 12-08-2002, 05:18 PM Bot, Uptime Guarantees: Do you get uptime guarantees from your cable, phone, electric, water company?
Why do you expect uptime guarantees from a hosting company?
Just curious.
parawing742 12-08-2002, 05:29 PM Originally posted by sigma
I'm sorry, but that's quite untrue. I assume this is another variation of the old "I can see other accounts' files so it must be insecure".
<snip>
Thanks,
Kevin
Having other accounts see my files did not bother me as much as them being able to download the files. When I had an account with you (I presume you work for pair), I was actually able to download files from other users' accounts (including files that stored passwords, etc). That is what bothered me enough that I canceled service.
time-to-go 12-08-2002, 05:30 PM I would say the information held at netcraft is of questionable use, uptimes of 497 days - that means 497 days of not applying kernel updates, netcraft measures the time a server was last rebooted. Netcraft themselves say they do not monitor network performance.
So, a server with 497 days uptime could be on an awful network and have had problems with http, smtp etc etc. In isolation it's of little use.
parawing742 12-08-2002, 05:33 PM Originally posted by sigma
In our defense, I personally believe that Uptime Guarantees are usually a marketing sham and nothing more. We do have one of the strongest uptime records in the industry. Would you rather have actual uptime, or a "guarantee" with so many exceptions (e.g., must notify the host in writing, one hour downtime or more, not maintenance) and such minor penalties (e.g., 10% of monthly fee back) that it's of no use to anyone?
I'm not posting to promote, only to defend.
Kevin
I would agree this holds true for most hosts. However, I have several accounts with CommuniTech.Net. They guarantee 99.5% uptime and if it is not met, the entire month will be refunded. In five years they have only missed their uptime twice. I never even had to tell them it was missed. What's Up monitors the website every minute and determines if uptime is missed. That's about as close to a perfect solution as I have found yet.
mdrussell 12-08-2002, 05:38 PM Kevin makes a very valid point about uptime guarantees - I believe all too often they are used to create a false sense of security for a potential customer / customer. A host that knows it can constantly achieve good uptime percentages over a month shouldn't have to worry about uptime guarantees in my opinion.
sigma 12-08-2002, 06:36 PM Originally posted by parawing742
Having other accounts see my files did not bother me as much as them being able to download the files. When I had an account with you (I presume you work for pair), I was actually able to download files from other users' accounts (including files that stored passwords, etc). That is what bothered me enough that I canceled service.
What I am telling you, however, is that except in very unusual setups (e.g., virtual servers which have resource problems of their own), you will be able to access other public files on the server no matter what tricks the provider puts in place to make you think you can't.
The Web server runs with as few privileges as possible - this is good security practice. Therefore the files users want to publish have to be public. Also, scripts that run in the Web server (e.g., PHP, non-wrapped CGI) will run with the same privileges as the Web server. Therefore those scripts can access the same files as the Web server.
Running the Web server with privileges just means that when a CGI script is exploited, instead of having user nobody, an attacker will have control of your account (or a privileged system account). Very bad.
I'm going to lay this all out in a detailed article for our newsletter soon. It's remarkable how many people are confused by the issue. I'm sure there will be posts telling me to use chroot, virtual servers, and other stuff. None of those meet our needs, sorry.
Of course, if you have content you need to protect from the other accounts on the same server, you can use cgiwrap.
Kevin
sigma 12-08-2002, 06:39 PM Originally posted by parawing742
I would agree this holds true for most hosts. However, I have several accounts with CommuniTech.Net. They guarantee 99.5% uptime and if it is not met, the entire month will be refunded. In five years they have only missed their uptime twice. I never even had to tell them it was missed. What's Up monitors the website every minute and determines if uptime is missed. That's about as close to a perfect solution as I have found yet.
99.5% is almost four hours of downtime per month. Most of the "sham" guarantees I'm referring to are "guaranteeing" 99.9% or higher.
Kevin
sigma 12-08-2002, 06:42 PM Originally posted by parawing742
files from other users' accounts (including files that stored passwords, etc).
No user should be storing passwords in any publicly accessible file. Passwords used in .htaccess are MD5 or DES encrypted (this is one-way encryption by most standards) and if chosen wisely, are safe even when readable.
Passwords used for such things as accessing the MySQL service should always be in cgiwrap'ed scripts. Not doing so is bad practice on the part of the customer, and the best we can hope for is to educate them.
Having a setup which lets users think that other users can't see their files would only encourage such bad practices, in my experience. A false sense of security is a dangerous thing.
Kevin
Letting people see encrypted passwords is by no means safe. Why do you think only idiots don't use shadow passwords?
The best security is a matter of layers, where if one layer fails, there's another layer to continue protecting. I'm afraid I don't think much of a provider who doesn't know that. Maybe most people are goofballs about making assumptions about how secure something is, but some of us are not, and we want full access to all possible layers of securing our servers.
Originally posted by alphadesk
Bot, do you get uptime guarantees from your cable, phone, electric, water company?
Why do you expect uptime guarantees from a hosting company?
Just curious.
I expect uptime guarantees or... an excellent uptime like every webmaster I know. Some very good hosts offer this kind of guarantees you know... (FutureQuest, Rackspace, etc.). Why do they propose these guarantees ? Because they have excellent uptime of course.
Of course, a lot of hosts propose uptime guarantee and don't respect it...
I'm quite sure that Pair.com is one of the very best hosts in the world, that's not the question. The prices are high and if they have so much success after so many years in the business, the uptime must be very very good :)
UmBillyCord 12-08-2002, 07:20 PM Originally posted by time-to-go
I would say the information held at netcraft is of questionable use, uptimes of 497 days - that means 497 days of not applying kernel updates, netcraft measures the time a server was last rebooted. Netcraft themselves say they do not monitor network performance.
So, a server with 497 days uptime could be on an awful network and have had problems with http, smtp etc etc. In isolation it's of little use.
Well, I guess if you want to play devil's advocate - sure. However unless I am blind, this discussion is about Pair. Do you have experience with them? Please post it. And as my post pointed out, it was about server uptime, not network. I think we all know what Netcraft measures as it is posted all over.
Please post about Pair's network uptime and lack of kernel updates to attack the simple fact, pair's servers perform very well as posted by a respected third party. Love to hear it.
time-to-go 12-08-2002, 07:29 PM Well, I guess if you want to play devil's advocate - sure. However unless I am blind, this discussion is about Pair. Do you have experience with them? Please post it. If not, then save your beliefs about Netcraft for another thread.
I was commenting on your bad advice, to tell someone to use netcraft as a way of judging a host's performance is rubbish, it does not give any guarantee of the provider's network performance, whether good or bad, it just tells you last time they rebooted, if someone has a high uptime at netcraft it means they have not rebooted, thus have not updated the kernel in that period, which may or may not reflect upon the host's competence, no comment on pair or any other host just some advice for those who might mistakenly take yours.
I do believe you are not in a position to tell others whether they can post, or what they can post about as you raised netcraft I was pointing out to anyone who read your advice to be careful in using it and so is relevant.
intellec 12-08-2002, 07:39 PM Originally posted by sigma
99.5% is almost four hours of downtime per month. Most of the "sham" guarantees I'm referring to are "guaranteeing" 99.9% or higher.
Kevin
All webhosts lie when they say 99.5% or 99.9% uptime. There are too many variables such as fiber cuts, ddos attacks, tier 1 router failures, hardware and software upgrades, etc. Many webhosts exclude these from their uptime measures. But clients don't care... downtime is downtime. So why guarantee uptime?
Yeah, I too noticed pair does not guarantee uptime. But they keep the users informed of any problems and they post the fixes made to each server. I noticed that pair does not offer virtual private servers either. That is good because VPS is a "sham" too. All it is, is a big shared web hosting account. It's not a private server because you and 30 others are still sharing the CPU. pair does not have forums per se, but they do have a newserver thread where you can get answers to your questions.
time-to-go 12-08-2002, 07:45 PM let me comment on your edited post
And as my post pointed out, it was about server uptime, not network. I think we all know what Netcraft measures as it is posted all over
Obviously you don't, netcraft just measures from the last reboot, it only polls once a day which means http could be down for 23 hours a day and netcraft would still show a continuous uptime for the server, secondly most hosts who provide an uptime guarantee do so on their network and servers not just servers, as a guarantee that the server is up while the network is down is a bit stupid
Originally posted by sigma
Regarding the initial topic, we have always given top priority to current customers, not pursuing new ones. Consequently, our 24x7 coverage is focused on support, not sales. If a customer needs a typical 6-minute response, they can contact our urgent address any time, day or night.
Thanks,
Kevin
Good answer ! :agree:
UmBillyCord 12-08-2002, 08:16 PM Originally posted by time-to-go
let me comment on your edited post
Obviously you don't, netcraft just measures from the last reboot, it only polls once a day which means http could be down for 23 hours a day and netcraft would still show a continuous uptime for the server, secondly most hosts who provide an uptime guarantee do so on their network and servers not just servers, as a guarantee that the server is up while the network is down is a bit stupid
Wow. Thanks for that education. I never knew that. :rolleyes:
You seem to keep missing something. My post about Netcraft never said anything about network uptime. This is just something you threw in there.
Second. I think if someone had a choice to make between two hosts with all being equal except for the fact, Host A has a few servers showing up on Netcraft, I think they would tend to think that host A has at least some understanding on how to maintain a server in a shared environment. This was the reason for my comment.
sigma 12-08-2002, 08:24 PM Originally posted by UmBillyCord
Please post about Pair's network uptime and lack of kernel updates to attack the simple fact, pair's servers perform very well as posted by a respected third party. Love to hear it.
I'm sure this wasn't the point, but for the record, we do maintain up-to-date systems. There have been a number of times historically when all servers were rebooted for critical kernel updates. Most recently for upgrading to FreeBSD 4.6-STABLE (4.7 coming next).
Kevin
UmBillyCord 12-08-2002, 08:42 PM Originally posted by sigma
I'm sure this wasn't the point, but for the record, we do maintain up-to-date systems.
No, it was in regards to this comment by someone:
I would say the information held at netcraft is of questionable use, uptimes of 497 days - that means 497 days of not applying kernel updates, netcraft measures the time a server was last rebooted. Netcraft themselves say they do not monitor network performance.
Since the discussion was about Pair, I thought maybe he knew something. But since he has no experience, I figured it was a typical devil's advocate post.
I have no doubt you guys maintain all up to date patches, etc...
Doing research a few months ago I found a few of your servers in the uptime area (no reboots). Since I didn't see any other host with anything close, I thought this was a compliment to your company's ability to at least manage a box, whether from choice of OS, limiting users, limiting options, etc....
Sure Netcraft doesn't record Network uptime or service uptime, but what it does record, yields results with you showing up a few times. :)
cperciva 12-08-2002, 09:06 PM Originally posted by sigma
What I am telling you, however, is that except in very unusual setups (e.g., virtual servers which have resource problems of their own), you will be able to access other public files on the server no matter what tricks the provider puts in place to make you think you can't.
How about a 40751 /usr/local/sites/ owned by root:www, and 40570 /usr/local/sites/$domain/ owned by www:$group? Oh, and throw symlinks into the users' home directories of course.
Running the Web server with privileges just means that when a CGI script is exploited, instead of having user nobody, an attacker will have control of your account (or a privileged system account). Very bad.
Not always bad. I usually have each of my scripts suexecing to a different user -- with exactly the right permissions to exactly the right set of files. And before you ask, yes, I do use qmail. ;)
I don't host any sites with pair myself, but I've sent several friends over there over the years; and given that I haven't heard anything more from them (err, about web hosting problems, that is) I'd not hesitate to send other people to pair.
sigma 12-08-2002, 11:43 PM Originally posted by cperciva
How about a 40751 /usr/local/sites/ owned by root:www, and 40570 /usr/local/sites/$domain/ owned by www:$group? Oh, and throw symlinks into the users' home directories of course.
CGI and PHP scripts will execute with those same permissions. It's quite trivial to write a CGI script that reads a directory or file. And even if every directory is execute-only, the attacker quite likely knows what file they are looking for - either a commonly-named file in a package, or the source code to a script seen in a URL.
Not always bad. I usually have each of my scripts suexecing to a different user -- with exactly the right permissions to exactly the right set of files. And before you ask, yes, I do use qmail. ;)
If every script is suexec'ed or cgiwrap'ed, then the first time a script gets exploited (look at the history of phpBB, phpNuke, formmail, etc), the user's entire account is compromised, instead of just user nobody. That's not an appealing trade-off. You also can't run PHP as a module anymore.
I don't host any sites with pair myself, but I've sent several friends over there over the years; and given that I haven't heard anything more from them (err, about web hosting problems, that is) I'd not hesitate to send other people to pair.
Well, thank you :)
Kevin
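The permission question argued in the posts above (scripts running as nobody can read whatever the Web server can, and an execute-only directory still gives up a file whose name is known) can be checked on one's own account. This is an added example, not code from any poster or from pair.com; it assumes the Web server user is neither the owner nor in the group of the files, so only the "other" permission bits matter, and the directory layout and file names are constructed.

```python
import os
import stat
import tempfile


def audit(docroot):
    """Map each file under docroot that a non-owner, non-group process
    (e.g. the Web server or another account's script running as nobody)
    could read to how it can be found: 'listable' or 'by-name-only'."""
    findings = {}

    def visit(directory, listable):
        mode = os.stat(directory).st_mode
        if not mode & stat.S_IXOTH:
            return  # no o+x: others cannot traverse, nothing below is reachable
        # Without o+r on a directory its names cannot be listed, but a known
        # or guessed name can still be opened.
        listable = listable and bool(mode & stat.S_IROTH)
        for entry in sorted(os.scandir(directory), key=lambda e: e.name):
            if entry.is_symlink():
                continue  # symlink targets are judged where they really live
            if entry.is_dir():
                visit(entry.path, listable)
            elif entry.stat().st_mode & stat.S_IROTH:
                rel = os.path.relpath(entry.path, docroot)
                findings[rel] = "listable" if listable else "by-name-only"

    visit(docroot, True)
    return findings


def build_sample_tree():
    """Constructed sample account layout (all names and contents invented)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = [
        # (relative dir, dir mode, file name, file mode)
        ("", 0o755, "index.html", 0o644),
        ("", 0o755, "config.inc.php", 0o644),  # credentials, world-readable
        ("private", 0o711, "db.conf", 0o644),  # execute-only directory
        ("wrapped", 0o700, "db.conf", 0o600),  # owner-only, for wrapped CGI
    ]
    for rel_dir, dir_mode, name, file_mode in layout:
        directory = os.path.join(root, rel_dir)
        os.makedirs(directory, exist_ok=True)
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, file_mode)
        os.chmod(directory, dir_mode)
    return root


if __name__ == "__main__":
    import shutil

    root = build_sample_tree()
    try:
        for path, exposure in sorted(audit(root).items()):
            print(f"{exposure:13} {path}")
    finally:
        shutil.rmtree(root)
```

Any file holding credentials that appears in the output is readable by other accounts' scripts; the owner-only `wrapped/db.conf` does not appear because only a script running as the account owner, as under cgiwrap, can open it.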
cperciva 12-09-2002, 12:10 AM Originally posted by sigma
If every script is suexec'ed or cgiwrap'ed, then the first time a script gets exploited (look at the history of phpBB, phpNuke, formmail, etc), the user's entire account is compromised, instead of just user nobody. That's not an appealing trade-off.
Well, I come from the BOFH school of thought: "If they cared about their account, they shouldn't have been running insecure code". ;)
More seriously... that's why I create user sandboxes for each cgi script I run -- it avoids compromising my regular user account, and it also keeps them away from files which I don't want any non-apache user to access. (And it makes it really easy to scan the process accounting logs for any cgi-related security problems!)
sigma 12-09-2002, 12:57 AM Originally posted by cperciva
More seriously... that's why I create user sandboxes for each cgi script I run -- it avoids compromising my regular user account, and it also keeps them away from files which I don't want any non-apache user to access. (And it makes it really easy to scan the process accounting logs for any cgi-related security problems!)
Are you referring to sites you build for customers, or how you setup a hosting account for general-purpose use? In my experience, our customers want CGI scripts to "just work" under pretty much any set of assumptions.
Kevin
cperciva 12-09-2002, 01:02 AM Originally posted by sigma
Are you referring to sites you build for customers, or how you setup a hosting account for general-purpose use? In my experience, our customers want CGI scripts to "just work" under pretty much any set of assumptions.
I'm referring to sites I build for myself, actually, on servers where I have the flexibility to do so. That lack of flexibility is why I send my friends to pair.com while not hosting there myself. ;)
stlouislouis 12-09-2002, 12:31 PM Hi Cperciva,
In one of your above posts, you mentioned:
"More seriously... that's why I create user sandboxes for each cgi script I run -- it avoids
compromising my regular user account, and it also keeps them away from files which I don't want any non-apache user to access. (And it makes it really easy to scan the process accounting logs for any cgi-related security problems!)"
Could you please elaborate and/or give an example or illustration on this for those of us in "learn mode"?
Thank you, as security sure is important!
Take care,
Louis
Just to say that everything is ok and I've got a nice and professional answer from Pair.com :agree: