Read This Now!
February 23, 2007 on 5:38 pm | In Foobars, Hardware, Insider View, Updates by Josh Jones |
Quick, before it’s gone!
If you enjoy all the hilarious hijinks, illuminating illustrations, and jovial jokes of the DreamHost Blog, you better suck down a local copy TODAY…
We’re having a planned power outage tomorrow night!
(Click that link for some more details.. it’ll be from 11:15pm PST (GMT -0800) tomorrow night (Saturday) to hopefully much less than 5 hours from then.)
Not planned by us though, planned by our building. It would have been very nice if they could have given us a little earlier heads up, or avoided the outage at all, but no, they just can’t. And trust me, we want this to happen even a tiny bit less than you do!
So, this site will be down then, as well as all other DreamHost services, with the exception of ns2.dreamhost.com and dreamhoststatus.com, which are kept off-site for exactly this sort of situation.

Well, I just thought I better post something about it here too.. thanks for your understanding, and we’re really really really really sorry.
P.S. Here’s the pic the building emailed us of the problem:

So, um, yeah. I think what that shows is a piece of metal is vibrating next to that wire and cutting into the rubber insulation… and if it gets much further in, KABOOM!
32 Responses to “Read This Now!”
February 23rd, 2007 at 7:22 pm
[...] power outage is caused because of… I’m not even sure why. The Dreamhost blog has it all here. This may also mean my e-mail will be down, which would be… bad. [...]
February 23rd, 2007 at 9:09 pm
You have to be joking, how dangerous can it be to put some silicon or foam around the 1″ thick plastic insulation.
Still would be nice to see what (300+ Amperes) would do to the piece of metal :)
February 24th, 2007 at 1:04 am
For Dreamhost customers outside of the US, look here on when it will happen your time
http://timeanddate.com/worldclock/fixedtime.html?month=2&day=25&year=2007&hour=0&min=0&sec=0&p1=256
February 24th, 2007 at 2:28 am
Or if you don’t want to waste the time clicking on the link it’s going to begin at 08:01 UTC/ZULU/GMT (adjust accordingly for your time zone)
February 24th, 2007 at 3:58 am
Power Outage This Weekend…
DreamHost has just announced that all servers and websites will be offline for approximately five hours the night between Saturday and Sunday (from 11:15 PM PST , Saturday night, February 24th).
The building where one of DreamHost’s three data ce…
February 24th, 2007 at 4:08 am
Stick a piece of wood or something in between the metal rod and the insulation. Problem solved? =) Or just take away the rod, it doesn’t look that useful anyways… Take it easy guys, we know you’re trying :)
February 24th, 2007 at 7:12 am
Here is …. the Dreamhost downtime calculator
http://info.org.il/english/dreamhost_downtime_calculator.php
Since it is hosted on Dreamhost, it only works when Dreamhost is up, which does not happen often lately.
February 24th, 2007 at 9:01 am
It’s the government I tells ya!
Everyone panic!
February 24th, 2007 at 1:53 pm
I cast my vote for “fix it properly” over “jury rig it with a piece of wood” =P
February 24th, 2007 at 7:31 pm
What is with the picture of Antarctica for?
February 25th, 2007 at 5:41 am
I cannot even access http://www.dreamhoststatus.com when it is down. I can only see dreamhost.com main site. Hope DreamHost will have only a very very very short downtime in the future!
February 25th, 2007 at 5:49 am
What’s the use of monitoring DreamHost’s downtime using a website hosted by DreamHost? When DreamHost is down, your website will be down. Thus it doesn’t actually monitor a thing. Correct me if I’m wrong.
February 25th, 2007 at 5:56 am
Someone posted this in the status page, that is also OFFLINE now:
“Forcing your customers to constantly check up on the instability of your service by way of this board is not only unprofessional, but a slap in the face to the people who put food on your table.”
Brilliant. Being cheap isn’t an excuse for not working. Cheap cars also work. They don’t go at 200mph, but they work.
DH has serious issues. Its “one-click” things always have some glitches. Support never answers you with detailed info when needed, they keep repeating dumb solutions like “is your computer on?” for problems with local configurations, outages, etc. etc.
The good point in having a company that is administered by employees is that the boss(es) always know about the problems, but nobody gets fired.
I’m well over the supposed 5 hours downtime and nothing works. But it will, eventually.
Vincent: I suppose it was a joke. A bad joke. But hilarious. And TRUE.
February 25th, 2007 at 6:04 am
Dreamhost Status.com is hosted somewhere else so I guess it is just a coincidence that its down now.
I was accessing it before
February 25th, 2007 at 6:20 am
All of my sites are still down….. and have been for more than 8 hours…. people are getting mad, i also think there burning….. OUCH!!! you should add more stats to us for this!!!!! j/k
you guys do a good job…. that’ll do pig, that’ll do.
February 25th, 2007 at 8:05 am
Eight hours!!!! And still nothing. Please get this back up.
February 25th, 2007 at 8:44 am
well at least the e-mail is back up…
February 25th, 2007 at 9:37 am
ns2.dreamhost.com, server farm in all its glory:
http://img410.imageshack.us/my.php?image=computersfrozen01sd7.jpg
February 25th, 2007 at 1:40 pm
Meanwhile chew on this humongous security hole on the Dreamhost … I am sure Dreamhost is not the only host :)
http://www.webhostingtalk.com/showthread.php?t=582814
I just went back a level in the structure, picked an NSF mount (they start with periods, as if that hides them or something), browsed into someone’s directory, went into logs (which is world viewable and tells me the name of their domain name), checked out their access log (which would show me any password sent via GET), browsed into their web directory since now I know its name, and explored their files, including finding out their wordpress mysql password. As far as I can tell, this works for EVERY user, and you can’t secure it because if any of those directories are set with non-world-readable permissions, the hosting won’t work.
February 25th, 2007 at 2:36 pm
When I try it, I just get ‘Permission denied’
February 25th, 2007 at 4:19 pm
@S Jain: I think you are referring to something that has been fixed. I remember trying that same thing back when I joined last year and was worried about it. I could see all users’ directories. Since the beginning of this year I have noticed that that is not possible anymore. The user directories are restricted to the users themselves now.
February 25th, 2007 at 6:52 pm
You get ‘Permission denied’ error if you don’t know the name of any inside directory. Since you know that each user has logs folder … you can access that. Then find out which domain names they have and then try to guess the domain directory (usually domain name) … now you have complete access inside that domain directory. You can read all the files!
Apparently it still works according to the webhostingform posting.
I am saying it after knowing that Dreamhost had long time, at least a day … and possibly over a year as reported on the earlier link, to fix it.
February 25th, 2007 at 9:22 pm
I see the problem now. That is bad cause people can access and read program files (PHP, Python, Rails, etc.) without being processed and some of those files can have passwords to databases/logins.
One fix for this… remove read access to outside (everyone) world from all files/directories in your main directory. Or at least the domain directories.
That way unless someone knows you have X CMS installed and knows the file/directory structure of that program, there is less chance of them doing anything.
As for things showing up in the logs… There should not be anything important in the logs. Passwords should NOT be passed by GET and should not show up in the url. If a program does use GET to pass important form variables, I would contact the developers or fix it yourself (if possible).
February 26th, 2007 at 6:27 am
Tactful, real fucking tactful.
This guy finds what he believes to be a serious security flaw, and rather than contact Dreamhost to report it, he:
1) assumes “they know they have an insecure setup”
2) posts the alleged security flaw for everyone to see.
Get a goddamn clue you fucking moron!
February 26th, 2007 at 7:01 am
Why my comments are being tagged as spam? Being unhappy is not an option?
February 26th, 2007 at 7:14 am
Catering To Computers is our web host service using you as a server source. We are still experiencing the IMAP email error and we are unable to update our web site as access is denied. This has been going on since last Thursday.
February 26th, 2007 at 7:26 am
@Chris
According to the link I posted http://www.webhostingtalk.com/showthread.php?t=582814 … Dreamhost was notified about security breached before I even posted it. In addition, according to 1 person on that forum, he notified Dreamhost about it in 2005.
I have also submitted a ticket but with no response so far in over 15 hours. I would assume something of this importance would get their notice.
@Jim
Once you access the log folder of someone, you can find out which domains they host and then it is relatively quick to find out their CMS and in turn directory structure.
You can use that directory structure to read all the files including config files because I believe the lowest permission they assign is still 664. I haven’t seen 660.
February 26th, 2007 at 12:10 pm
As Jim pointed out, the situation pointed out on that forum thread is not really an issue. We have historically left things relatively open by default to make it easier for customers to have direct access to their other user accounts on the server. Your email is private, though, and has never been open to anyone but you. Any files you do not need to have read by the web server (including config files read by scripts running as your user) can and should be locked down appropriately. We have historically left that task to you. Web files are inherently public as they are on the Internet so that hasn’t been a concern for us, and config files with database information should always be locked down. Our one-click installer handles that part for you.
That said, this particular question has been brought up enough times that we have decided to change our default permissions on user directories. It’s been rolling out little by little to make it easier to rollback if anything unexpected happens. Newly created users have had the newer more restrictive permissions for a week and a half now already. If you are concerned about your own home directory and can’t wait until the new setup rolls out to your server, you can contact our support team and we can lock it down for you.
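One way a customer could check and tighten their own files along the lines discussed in the comments above, as an added example that is not part of the original thread or any DreamHost tooling. The directory layout and file names are constructed, and it assumes the config file is only read by scripts running as its owner (files the web server itself must read are left alone).

```sh
#!/bin/sh
# Added example, not DreamHost tooling. Paths and file names are constructed.

# Regular files under $1 with the "other" read bit set (modes such as 664 or 644).
world_readable_files() {
    find "$1" -type f -perm -0004 -print | sort
}

# Directories under $1 that other accounts can list (o+r) or traverse (o+x).
# o+x alone is enough to reach a file whose name can be guessed.
world_accessible_dirs() {
    find "$1" -type d \( -perm -0004 -o -perm -0001 \) -print | sort
}

# Strip all "other" access from the named files; owner and group bits stay,
# so a 664 file becomes 660.
lock_down() {
    for f in "$@"; do
        if [ -f "$f" ]; then chmod o-rwx "$f"; fi
    done
}

# Build a constructed home directory, audit it, lock the config file, re-audit.
demo() {
    home=$(mktemp -d) || return 1
    mkdir -p "$home/logs" "$home/example.com"
    echo 'GET /login?pw=constructed' > "$home/logs/access.log"
    echo '<?php // constructed DB password here' > "$home/example.com/wp-config.php"
    echo '<?php echo "hi";' > "$home/example.com/index.php"
    chmod 755 "$home" "$home/logs" "$home/example.com"
    chmod 664 "$home/example.com/wp-config.php" "$home/logs/access.log"
    chmod 644 "$home/example.com/index.php"

    echo "readable by other accounts, before:"; world_readable_files "$home"
    lock_down "$home/example.com/wp-config.php"
    echo "readable by other accounts, after:";  world_readable_files "$home"
    echo "directories still open to others:";   world_accessible_dirs "$home"
    rm -rf "$home"
}

demo
```

The directory report matters as much as the file report: a file left at 664 inside a directory that others can traverse is readable by anyone who can guess its name.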
February 27th, 2007 at 7:26 am
Just Great! Now you all are gonna get “hand-held” by dreamhost…and they are gonna raise their prices…
just great!
February 28th, 2007 at 10:14 pm
[...] We are all really bearry sorry about the extended downtime this Sunday from the planned power outage! [...]
March 7th, 2007 at 12:58 pm
[...] get access to sensible files including e.g. passwords. Dallas, one of the founders of DreamHost, explains that the issue is minor, and that it’s up to each customer to secure their files [...]
March 18th, 2007 at 5:20 pm
[...] get access to sensitive files including e.g. passwords. Dallas, one of the founders of DreamHost, explains that the issue is minor, and that it’s up to each customer to secure their files [...]