
Making The 13th Impossible

November 18, 2010

Posted by ismywebsite in general.

Something awful happens on the 13th of every month, part of Murphy’s Law. I am aiming to keep Murphy out next month. Here’s how we make sure the current disaster can never happen again.

1) Clearer Communication
I am working on some strategies to improve our communication, including making it more convenient for our team to email each other, easier to check that email, and groups for departments. Thus, it is possible to email the administration, in its entirety, without having to remember everyone’s name. This will make it easier for clients who need help that support isn’t providing to contact us. It will also make it easier for us to keep in touch with each other. I am also establishing more solid policies, which are mandatory for all volunteers to follow.

2) Full Website Change Logs
Every single action, from a registration, website creation, change of account setting, cPanel access, or modification of cPanel to, of course, deletions or errors, will enter a log, along with complete PHP code to undo or redo that action. Thus, if it ever happens that thousands of accounts are removed, we know instantly who did it, and can begin a discussion with that individual without having to guess who they are and ask around. For this to work completely, raw database access will have to be completely disabled. Nobody will ever have direct access to the database; all actions must happen through objects, sets of code which securely handle commands and ensure they get appropriately logged.

Thus, not only is it possible to know who made changes, but those changes could be restored in 5 minutes without affecting any current clients or data in any way, and without even losing the 5 minutes of changes that restoring a 5-minute-old backup would cost.
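One way to build the logged-action objects described above, as an added example that is not the site's own code: every change goes through one class that records the actor and a structured inverse operation, and undo dispatches that record through an allow-list instead of evaluating PHP text stored in the log. All class, method and field names are hypothetical, and arrays stand in for the database.

```php
<?php
// Added sketch: names are hypothetical; arrays stand in for database tables.
final class AccountStore {
    private const REPLAYABLE = ['create', 'delete']; // ops undo() may dispatch
    private array $accounts = [];                    // username => settings
    private array $log = [];                         // append-only change log

    public function create(string $actor, string $user, array $settings): int {
        if (array_key_exists($user, $this->accounts)) { throw new RuntimeException("account exists: $user"); }
        $this->accounts[$user] = $settings;
        return $this->record($actor, 'create', 'delete', [$user]);
    }

    public function delete(string $actor, string $user): int {
        if (!array_key_exists($user, $this->accounts)) { throw new RuntimeException("no such account: $user"); }
        $old = $this->accounts[$user];
        unset($this->accounts[$user]);
        // The inverse carries the removed data, so undo needs no backup restore.
        return $this->record($actor, 'delete', 'create', [$user, $old]);
    }

    public function undo(string $actor, int $id): int {
        $entry = $this->log[$id] ?? null;
        if ($entry === null || !in_array($entry['undo_op'], self::REPLAYABLE, true)) {
            throw new RuntimeException('entry missing or not replayable');
        }
        // Dispatch by allow-listed name; the undo is logged as its own action.
        return $this->{$entry['undo_op']}($actor, ...$entry['undo_args']);
    }

    public function actorsFor(string $op): array { // actor => count of $op entries
        $hits = array_filter($this->log, fn(array $e): bool => $e['op'] === $op);
        return array_count_values(array_column($hits, 'actor'));
    }

    private function record(string $actor, string $op, string $undoOp, array $undoArgs): int {
        $this->log[] = ['time' => time(), 'actor' => $actor, 'op' => $op,
                        'undo_op' => $undoOp, 'undo_args' => $undoArgs];
        return array_key_last($this->log);
    }
}

// Constructed run: a volunteer deletes an account, an admin traces and reverts it.
$store = new AccountStore();
$store->create('signup-form', 'alice', ['plan' => 'free']);
$entryId = $store->delete('volunteer7', 'alice');
print_r($store->actorsFor('delete'));
$store->undo('admin', $entryId);
```

Keeping the inverse as data rather than as executable code means a tampered log entry can at worst name another allow-listed operation.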

3) Automated Daily Backups
The largest barriers with this are the storage of the backups and getting a full backup in DirectAdmin. As an alternative to purchasing commercial storage, I am seeking three individuals with a shared hosting account, or server, on another host, with the ability to spare 1 FTP account and approximately 4 GB of storage (leaving room to grow to at least twice our current size). To prevent any misuse, backups will be compressed, and key data will be encrypted. Passwords, specifically, cannot be retrieved, as they are hashed using a complex set of MD5s with a dynamic salt. If you can decrypt this, show me how and you get 200 credits:

15ed39ee9a37409832687df743c8d8a6
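To make the storage scheme above concrete, an added example that is not the site's code: it contrasts a bare MD5, a salted and repeated MD5 of the kind the post describes, and PHP's `password_hash`, which is salted and deliberately slow. The post does not give its exact construction, so `saltedMd5` is an assumed stand-in, and the function names, sample passwords and lookup table are constructed.

```php
<?php
// Added sketch; function names and sample passwords are constructed.

// Unsalted: equal passwords give equal digests, so a precomputed table of
// common passwords resolves the digest by lookup.
function bareMd5(string $password): string {
    return md5($password);
}

// Assumed stand-in for "a set of md5s with a dynamic salt": per-user random
// salt plus repetition. The salt defeats precomputed tables, but MD5 is cheap
// to compute, so guessing stays fast once hash and salt leak together.
function saltedMd5(string $password, ?string $salt = null, int $rounds = 1000): array {
    $salt ??= bin2hex(random_bytes(16));
    $digest = $password;
    for ($i = 0; $i < $rounds; $i++) {
        $digest = md5($salt . $digest);
    }
    return ['salt' => $salt, 'rounds' => $rounds, 'hash' => $digest];
}

function verifySaltedMd5(string $password, array $stored): bool {
    $again = saltedMd5($password, $stored['salt'], $stored['rounds']);
    return hash_equals($stored['hash'], $again['hash']); // constant-time compare
}

// Constructed lookup table standing in for an online MD5 database.
$table = [];
foreach (['1', '5', 'password'] as $common) {
    $table[md5($common)] = $common;
}

var_dump(isset($table[bareMd5('5')]));          // unsalted digest: is it in the table?
$first  = saltedMd5('5');
$second = saltedMd5('5');
var_dump(isset($table[$first['hash']]));        // salted digest: is it in the table?
var_dump($first['hash'] === $second['hash']);   // same password, two users
var_dump(verifySaltedMd5('5', $first));

// Hardened form: password_hash() picks its own salt and a tunable work factor,
// and password_verify() reads both back from the stored string.
$strong = password_hash('5', PASSWORD_DEFAULT);
var_dump(password_verify('5', $strong), password_verify('6', $strong));
```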

As for cPanel passwords, which need to be used for FTP (for example), they will be stored with reversible encryption. However, at the client’s option, they can be automatically changed every night just after the backup is taken. I will see if it’s possible to omit them from the backup entirely as well. (In this case, you would get a new password if the backup was restored.)

If you’re able to help, then send me an email and I will consider you. Please include the host you are using, recent uptime statistics (if you have them), how long you’ve used them (or been in existence), and your plans for the future (how long you plan to continue keeping the website running). If you can host more than one version of the site, let me know as well.

4) Tightened Hiring Policy
New rules for volunteers will be implemented: every volunteer must have used our service for a minimum of 6 months, is required to actually host websites on the service, and should theoretically place them on the worst servers because this, I feel, is the only way to truly ensure any problems get fixed. For the record, my websites are currently on every single server, with one of the most important on Node 1. In this particular case there was no issue here; however, another recent event has brought this to light.

5) New cPanel Access Controls
On the subject of volunteers accessing client cPanels, it’s fully necessary. There is no other way to detect many types of abuse, or fix issues with the accounts. It is not a good idea to store passwords unencrypted in plain text format, no matter where you store them. So please make sure you are protecting important critical data in your account.

No volunteer will ever receive the actual cPanel password. Instead, when they wish to access your account, the password will be changed to a temporary password. This will be logged, including the reason for access, a log which you, as the client, will be able to see. When finished, the password will be restored.
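A sketch of the temporary-password flow just described, as an added example that is not the site's code: access requires a stated reason, the volunteer only ever receives a one-off random password, and the original credential is put back in a `finally` block so a failed session cannot leave the account on the temporary one. `PanelApi`, `SupportAccess` and their methods are hypothetical and do not correspond to a real cPanel or DirectAdmin API.

```php
<?php
// Added sketch: PanelApi is a hypothetical in-memory stand-in for the control
// panel, not a cPanel or DirectAdmin API. It holds whatever credential form
// the panel keeps, so the original can be put back without being revealed.
final class PanelApi {
    private array $secrets = [];
    public function swap(string $user, string $secret): string {
        $old = $this->secrets[$user] ?? '';
        $this->secrets[$user] = $secret;
        return $old;
    }
    public function check(string $user, string $secret): bool {
        return hash_equals($this->secrets[$user] ?? '', $secret);
    }
}

final class SupportAccess {
    private array $log = []; // entries the client can read

    public function __construct(private PanelApi $panel) {}

    // Runs $work with a one-off password; the original is restored and the
    // session closed in the log even if $work throws.
    public function open(string $volunteer, string $user, string $reason, callable $work): mixed {
        if (trim($reason) === '') { throw new InvalidArgumentException('a reason for access is required'); }
        $temp = bin2hex(random_bytes(16));
        $original = $this->panel->swap($user, $temp);
        $this->log[] = compact('user', 'volunteer', 'reason') + ['event' => 'opened', 'time' => time()];
        try {
            return $work($temp);
        } finally {
            $this->panel->swap($user, $original);
            $this->log[] = compact('user', 'volunteer', 'reason') + ['event' => 'restored', 'time' => time()];
        }
    }

    public function logFor(string $user): array {
        return array_values(array_filter($this->log, fn(array $e): bool => $e['user'] === $user));
    }
}

// Constructed run: the volunteer never sees 'client-secret'.
$panel = new PanelApi();
$panel->swap('alice', 'client-secret');
$access = new SupportAccess($panel);
$access->open('volunteer7', 'alice', 'abuse report (constructed)',
    fn(string $tempPassword): bool => $panel->check('alice', $tempPassword));
var_dump($panel->check('alice', 'client-secret'));
print_r($access->logFor('alice'));
```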

6) Review Process For New Clients Only
I think it’s quite ridiculous that trusted clients still need to wait for their websites to be reviewed. The invite system is designed to keep evil-doers out. It’s a good idea to actually know the people who you invite. Despite adding costs, people are still inviting largely random people in many cases. Do remember you are also responsible for those people who you invite. If they abuse the service, we will come back to ask why you invited them. That said, I want to encourage everyone who has friends who can use our site, to invite them when we get to the new version. I’m preparing our marketing department to heavily promote it then.


Comments»

1. antivir2010 - November 19, 2010

I looked up that MD5 hash at http://md5.rednoize.com/
and found that the MD5 hash that sits in the post is equal to 5

2. andrew (andyb215) - November 19, 2010

md5-decrypter.com detects the md5 hash as equalling 5.

“MD5 hash: e4da3b7fbbce2345d7772b0674a318d5
Decrypted text: 5”
Don’t know if this is correct or not, but I just thought I’d let you know.

3. iVidman - November 20, 2010

type: md5 Database
hash: e4da3b7fbbce2345d7772b0674a318d5
pass: 5

4. Rick Ace - November 22, 2010

Guys. Don’t post the hashes here 😦 This just helps out hackers.

I’m quite impressed 😀 The only thing that scares me is the 13th story 😛

5. Sjones - November 26, 2010

Obviously, 5.

(Would have posted earlier, not enough time.)

