  1. #26
    Join Date
    Apr 2004
    Location
    Chicago, IL
    Posts
    83
    Originally posted by Watcher_TVI
    So they accessed and altered your database so you wouldn't know they had been in there. While in your database they obtained some User's login information for the purpose of logging in undetected and reviewing private directories for a TOS violation?
    Well, here's exactly what he said, draw your own conclusion:

    "Now I can understand why you assume that the 'tracks would
    be covered', in that you believe the information of the
    added account was falsified. In essence, the row directly
    above the user that was inserted was copied, and then
    modified with random information. The IP was simply not
    changed from what it was copied from. This was not to throw
    anyone off, or mislead anyone in any way. To put it simply,
    the user information that was used to create a test account
    was simply pulled out of the air, with the exception of the
    ip address.

    As for the Apache logs, to the best of my knowledge they
    have not been tampered with in the least bit. Stats are run,
    and apache logs are compressed and rotated on a nightly
    basis. This is most likely the reason you are missing a
    "chunk" of records for your site. They aren't lost, they were
    simply compressed and rotated just like the logs for every
    other domain on the server. You can find your rotated and
    compressed log files under [etc..]

    [...]

    I hope this clears up any misunderstanding between yourself
    and HostRocket. Once again, I apologize for any concern this
    may have caused. Please let us know if we can do anything
    else for you and good luck with the site."

    Keep in mind much of my site is secured behind a mandatory membership system, and I'm under the impression that they accessed the admin functions to verify that I do indeed actively screen photographs as opposed to just allowing photos to go public with no approval process at all.

    I can understand why they'd check just as they can understand why I'd freak out about them checking without warning me first.

  2. #27
    I think it's quite clear what they did, thank you for posting this thread and following things up with the facts you obtained during your inquiry...

  3. #28
    Join Date
    Oct 2002
    Posts
    45
    You are letting them off way too easy.

    I would be raging mad if a host violated my privacy like that.

    That's the same thing as if a building owner uses his copy of the key to enter his tenants' apartments in the middle of the night to snoop around.

    It's wrong.

  4. #29
    You're leasing a server from a hosting company; it's not your hardware or your network. What makes you think you have a right to privacy?

    The owners have the legal right to monitor and investigate activity for legal reasons and technical reasons. What if a user takes down a whole server -- one that you also happen to be on? What if the Feds confiscate a hard drive -- that you had data on?

  5. #30
    How many times do I have to tell you people to keep the data in the database encrypted, nothing is safe on the web!

    (especially the email address)

    Don't even trust your own brother if he uses the internet :-)

  6. #31
    Join Date
    Oct 2002
    Posts
    45
    monitor server - ok

    alter client's DB to gain access to his site? - no

    If you have root, why do you need to create a user? Just look at the source of the files.

    Sounds like this guy just wanted to view the site's photos.

  7. #32
    Join Date
    Nov 2000
    Location
    Newport Beach CA
    Posts
    609
    Squeak - I'm glad that you feel this matter was resolved to your satisfaction. HostRocket has a responsibility to quickly investigate material and conduct the mentioned compliance checks throughout our network.

    If you or anyone else on that board have any additional questions at all regarding this matter or HostRocket operations/practices, please feel free to contact me directly off the board at timothy@hostrocket.com or 518-371-3421 x116. I apologize for any and all confusion, and thank you for your continued confidence in HostRocket.
    VOIPO - VoIP Telephone Service

  8. #33
    Quote Originally Posted by HRTimothy
    HostRocket has a responsibility to quickly investigate material and conduct the mentioned compliance checks throughout our network
    It is your methods to accomplish these "compliance checks" that are raising so much interest in this thread....

  9. #34
    Well

    Everything on your server is actually the property of the company you're hosted by. They have every right to do as they see fit to maintain their service.

    Sad but true

  10. #35
    Originally posted by tonyBBB
    Well

    Everything on your server is actually the property of the company you're hosted by. They have every right to do as they see fit to maintain their service.

    Sad but true
    Actually that is not true at all. If I create an image and have it stored on a server, the datacenter certainly doesn't own the image, its copyright or anything else connected with the image...

  11. #36
    Join Date
    Mar 2001
    Posts
    397
    Actually that is not true at all. If I create an image and have it stored on a server, the datacenter certainly doesn't own the image, its copyright or anything else connected with the image...
    Anyone remember when Yahoo bought GeoCities and claimed copyright to all content hosted on its servers? Ah, fun times.

  12. #37
    Hey,

    WoW.. Great details and a great job keeping up on the info. I'm sure a lot of users will find this post very useful.

    hmmmm HRTim.... I know you.. LOL
    John
    100Megswebhosting INC

  13. #38
    Join Date
    Dec 2000
    Location
    The Woodlands, Tx
    Posts
    5,974
    Originally posted by Watcher_TVI
    Actually that is not true at all. If I create an image and have it stored on a server, the datacenter certainly doesn't own the image, its copyright or anything else connected with the image...
    Actually, yes it is, but not so clearly defined. They have an automatic license provided by the DMCA1998. They have Fair Use License. I will state a section of our TOS from our free host section for this as an example.

    12. ###pre wording cut out for this post### By hosting your material on our servers, you agree to 'fair use' distribution by WORLDZONE. When a visitor comes to your site hosted by us, your material viewed by them is cached within their computer. This is a form of DISTRIBUTION. This 'FAIR USE DISTRIBUTION' permission is given to WORLDZONE by you upon uploading your content to our servers.
    Otherwise, if someone really wanted to be lawsuit happy, they could sue a host for "distribution of copyrighted materials", which the DMCA now protects against. Our wording was there in 1996, and not much has changed, except that now there is Federal Law that backs up our TOS..

  14. #39
    You're right in that there are protections for Fair Use in some cases, not all. I am quite certain that if you gained access without my knowledge to my database to steal a User's password so that you could access otherwise restricted content, you would not be entitled to Fair Use for that content...

    What happened here in this thread is just not right by any stretch of the imagination...

  15. #40
    Join Date
    Mar 2003
    Location
    Duluth MN
    Posts
    3,863
    What HR did makes sense, and I agree that they did it in a proper fashion. They received a tip that someone was breaking their TOS, rather than confront the user and risk them trying to "cover their tracks" in cleaning up the issue before HR can find the truth, they did some investigating "under cover".

    Yes they would have root access to the DB and server, but just because you are root doesn't mean it is easy to see what is going on by looking at database tables and files. They need to be able to see the system in use. So they copied some random row to create a user (rather than announce their actions by using the normal create user/registration feature, I am assuming). They gave themselves the permission that they needed to do their investigation, and they completed it.

  16. #41
    Join Date
    Oct 2002
    Posts
    45
    to each his own.

    IMO, the method in which HR used to check the data was wrong, but I am not a client of theirs so it does not concern me.

  17. #42
    Squeak: The way I see it, your attitude and handling of this issue have given you a lot of credibility. Thanks for all the follow-up information - it's refreshing to see something like this resolved, rather than leaving everyone wondering who was right...who was wrong...whether HostRocket was good after all, etc. Kudos.

  18. #43
    Join Date
    Oct 2002
    Location
    EU - east side
    Posts
    21,920
    Personally I don't like how things were handled. While they had to investigate, that doesn't mean they should use any methods available. I believe that one is innocent until proven guilty, not the other way around and thus should be treated accordingly. But that's just me it seems...

  19. #44
    Originally posted by jpayne
    Squeak: The way I see it, your attitude and handling of this issue have given you a lot of credibility. Thanks for all the follow-up information - it's refreshing to see something like this resolved, rather than leaving everyone wondering who was right...who was wrong...whether HostRocket was good after all, etc. Kudos.
    I have to agree. Unlike many others, this user seemed to be able to follow through with the whole story and did it in a very calm and professional manner. Very well done Squeak.

  20. #45
    Join Date
    Apr 2004
    Location
    Chicago, IL
    Posts
    83
    The way I see it, we're all webmasters or hosting reps here; webmasters want to run their sites, hosting reps want to make money off of us--it serves the general interests of the web hosting community better when there's trust and understanding between host and webmaster alike.

    Without this system there wouldn't be anything besides super-conglomerate sites up because nobody would be able to afford it. So kudos to all involved, and even though it was amicably resolved I still apologize for freaking out; You spend a lot of time securing your site so when you see something unexplained happening to your database you immediately fear a massive attack.

    But, IMHO, paranoia keeps the web up because let's face it--there's still a lot of script kiddies out there and new ones are born every day. I've endured POST-floods, GET-floods, and brute force attacks and I must say having gone through those things has taught me a bit about what needs to be done to keep a site running despite the k-rad who get their kicks off of lame DoS attacks that take advantage of poor coding; it was when I saw something occurring to the DB directly that was *totally* beyond my control to secure that I got pretty nervous; you should have seen me fly through all the password changes that morning!

    So thanks to all for your attention to this.

  21. #46
    Join Date
    Aug 2001
    Posts
    1,210
    Originally posted by Watcher_TVI
    What happened here in this thread is just not right by any stretch of the imagination...
    I usually steer clear of these types of threads, but need to chime in on this one. You are absolutely correct - what HR did in this case went well beyond simple and acceptable probing for inappropriate content, and is in no way to be condoned or rationalized. That, combined with the fact that they don't seem to recognize the problem with their actions, would have me taking my business elsewhere immediately. Immediately.

    -B
    iptables -I INPUT -s 64.88.128.0/19 -j DROP
    iptables -I INPUT -s 66.111.192.0/18 -j DROP
    iptables-save > /etc/sysconfig/iptables

  22. #47
    Join Date
    Sep 2002
    Location
    Boston, MA
    Posts
    21
    I feel exactly the same way as you TMX. If I were a client of a hosting company and that company actually went so far as to alter my database under the guise of "checking for inappropriate content" I would not let them off nearly as easy as you have.

    While I do believe the host has every right to keep his property and network safe, they crossed the lines in this case. From their responses I believe that this is a standard operating procedure and so I would never feel safe with my sensitive information on their servers.
