This is what happens when you make me angry.
I signed up with iPage hosting back in late 2013 to consolidate all of the various domains I own or manage. In April of 2015 I started working on a Joomla! website for my employer. Things didn’t work out well and because of this I discovered Bad Things. I fled iPage and moved to another hosting. You can read my posts on this here and here.
I had one more thing to get out of my system. The following letter I wrote is, and yet is not NSFW. I did not let my “inner Samuel L. Jackson” out, although R. Lee Ermey got out once or twice. There are no swear words in this letter, every word could be said at a ladies tea party. However, I believe it to be scathing enough that if you were to print it, the paper would burst into flames.
One note: for those of you not knowledgeable on Internet servers, a “shared hosting” is like your computer. All the different domains exist in separate folders, however they are on the same drive. It would be easy for one infected domain to infect others in the same system. A “VPS”, or Virtual Private Server, is like having different domains on different drives on one system. The domains are totally separate and cannot infect one another. A dedicated server means you are the only domain on that server. This is the most secure (and expensive) option for hosting.
Here is the letter:
To the President of iPage,
Greetings to you and your employees. I am writing to you today as a former customer and I thought you should know why I am a former customer, rather than a current customer.
I personally have been involved with computers in one way or another for 40 years. Starting as a teenager on an RCA Elf, I worked my way through the various major computer systems (Apple ][, Commodore 64, Macintosh, Osborne 1, MS-DOS, Windows and more) where I taught myself how to build and repair hardware, while also writing software for all of my systems. While in the US Navy, I became interested in data security while I was responsible for all of the PCs handling classified information in my last command.
After my time in the Navy, I entered the civilian job market as a computer service technician and moved all the way up to being the Chief Information Officer for a company with $125 Million in annual sales. I hand wrote my own web pages in the heyday of the Internet and the World Wide Web. For the past twenty-plus years I have studied and learned how to attack systems and networks, while also learning how to defend them against such attacks. I am no novice or inexperienced cretin when it comes to computer security. I made the sad mistake of thinking your company was competent in this regard as well.
Today, I personally own and/or manage six separate domains, all of which were until recently hosted on one of your shared servers.
Back in March 2015, two of my domains were subjected to a script attack, which left them with spam links inserted into their headers. Being very busy at the time, I didn’t think too much about it, restored them from a backup to clean up the insertions and promptly forgot about it.
Then, in late April I started building a Joomla! website in a subdomain directory. Right from the start, things were not working as they should. I was, among other things, receiving 404 type errors whenever I tried to resolve an internal article. Then finally one of the modules threw an error saying it would not work because the PHP scripting used by the server was out of date. Sure enough, as of May 2015, the PHP on the server I was using was out of date. The choices I had were PHP 5.3, 5.2 and 4.0. PHP 5.3 became unsupported as of August 2014. When I learned this, I became very angry.
Why did I become angry? In today’s existence on the Internet there is a constant battle between software developers writing secure applications and bad people who attack domains and servers on the Internet for nefarious purposes. This is why there are things called security updates, because new exploits are constantly found and need to be locked down. When something essential like scripting software is no longer supported, those patches and updates are no longer made, resulting in vulnerabilities to the websites and servers running the outdated software. When a hosting provider abandons his basic duty to keep the software his customers rely on for proper operation and basic security, he violates the trust he is given by his customers and shows a craven disregard of their need for data security and integrity.
It does not matter if we are talking about the Server OS, firewall/security applications or the scripting software used by the customer. If any of these are not kept updated to a current stable release, you seriously compromise the security of the server and put your customers’ data at unnecessary risk. Letting the scripting software fall into an unsupported part of its lifecycle makes me wonder what other software that is active on the server is also out-of-date and thus vulnerable to attacks.
In order to get to the bottom of this matter I called your Technical Support line. The first level CSR had no answer, so I ended up speaking with a supervisor. That discussion made me even angrier.
I was given several worthless answers before I got to the truth of the matter. Let me share three of them with you:
“We need to support our legacy customers.”
Okay, I will accept you have some customers who are fat, dumb and happy running old versions of their software on PHP 4.0. I am sure there are computers still connected to the Internet running Windows 95 as well. That being said, do you think for a second that that Win95 system is not riddled with hundreds of viruses? That it doesn’t have security vulnerabilities that you could fly a 747 through? Your company already offers customers the choice between PHP 4.0, 5.2 and 5.3. Could you not expand that list to include a current supported version? It is not like PHP costs thousands of dollars per server to install. It is free, last I saw.
“I don’t know, I think we are scheduled to test the stability of the latest release on some of the shared servers.”
PHP 5.6 has been the current stable release since 5.3 went unsupported, ten months now. PHP 5.4 is in its limited support phase, and 5.5, while it is currently in the active support phase, will enter limited support within the next ninety days. All I can infer from this supervisor is that he knows the software is way out of date and he doesn’t know if or when there might come an update. You couldn’t have at least PHP 5.5 running on your shared servers?
“Actually, we are running 5.6 on our VPS and dedicated servers. Would you like to upgrade?”
Now I understand. The “need to test the stability of the release” reason just went out the window, because you already have been running the current release on your VPS and private servers. Which means it all comes down to how much I can afford. My deepest apologies, the domains I own or manage are for my personal edification or for organizations that cannot afford the $20+ a month for VPS or dedicated server type services. None of my domains generate income or receive enough traffic to warrant a VPS or dedicated server. The amount of overkill I would employ by upgrading to a VPS would be like using a thermonuclear weapon to swat a housefly. If my domains did generate the income or receive enough hits to warrant at least a VPS, I would partake of those services.
At this point of the conversation I am ready to wrap my head in duct tape because I know it is ready to explode from the sheer volume of stupidity oozing from my phone and I want to be able to find all of the pieces after it explodes. My vocabulary and thesaurus do not have the words to adequately describe the contempt and blatant disregard you and your company have shown for every customer you host on a shared server.
Your concern about your customers on shared servers obviously has never lasted more than a femtosecond. If it had, you would have chosen the proper course of action and made your customers’ security an active priority over maximizing your profits.
Just so you know, I downloaded all of the files I had on your hosting, then uploaded them to the new hosting I selected. The new host immediately locked down my account because their routine security scan revealed multiple viruses in my domains. As a result, I had to delete all of my domains, then reload all of the software from fresh copies. I am still picking up the pieces from this and it will likely be several weeks before I hope to be somewhat near where I was when I escaped from the sorry excuse you define as “secure hosting.”
I will be posting this letter on my websites and social media so everyone knows how depraved you are towards your customers. If anyone asks me about where they should host a website, I will tell them “anyone but iPage.” To me, your company has no integrity and if I had to select a number to rate you, it would have to be an imaginary negative number.
I sincerely hope you receive every possible reward from your actions.