Goodbye Dreamhost

This site has always been hosted on pair Networks, where I host my email and other personal things which I don’t ever want to go down. In 2005 I also signed up for a Dreamhost account to host a couple of less important things. I knew Dreamhost to be less reliable than pair, but I figured that for what I was paying ($9.99/mo), I could tolerate a little bit of downtime.

Enter 2007. Dreamhost’s service seems to be getting more and more flaky. This year the following happened:

1) Mass power outages, with both primary and backup power failure
2) Complete DNS breakdown affecting all their customers, which Dreamhost classified as a “medium” severity problem

Enter May 2007. People’s sites start getting hacked into (by hackers compromising Dreamhost’s servers, not through client side hacks). Dreamhost doesn’t notify people until 6 June 2007 (!!!). I was one of the people notified of the breach, as my account had also been hacked into (and my files tampered with):

Hello –

This email is regarding a potential security concern related to your
‘XXXXXXX’ FTP account.

We have detected what appears to be the exploit of a number of
accounts belonging to DreamHost customers, and it appears that your
account was one of those affected.

We’re still working to determine how this occurred, but it appears
that a 3rd party found a way to obtain the password information
associated with approximately 3,500 separate FTP accounts and has
used that information to append data to the index files of customer
sites using automated scripts (primarily for search engine
optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed –
less than 0.15% of the total accounts that we host – actually had
any changes made to them. Most accounts were untouched.

We ask that you do the following as soon as possible:

1. Immediately change your FTP password, as well as that of any other
accounts that may share the same password. We recommend the use of
passwords containing 8 or more random letters and numbers. You may
change your FTP password from the web panel (“Users” section, “Manage
Users” sub-section).

2. Review your hosted accounts/sites and ensure that nothing has been
uploaded or changed that you did not do yourself. Many of the
unauthorized logins did not result in changes at all (the intruder
logged in, obtained a directory listing and quickly logged back out)
but to be sure you should carefully review the full contents of your
account.

Again, only about 20% of the exploited accounts showed any
modifications, and of those the only known changes have been to site
index documents (ie. ‘index.php’, ‘index.html’, etc – though we
recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct
access to our internal customer information database, but this was
thwarted by protections we have in place to prevent such access.
Similarly, we have seen no indication that the intruder accessed
other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the-
scenes changes to improve internal security, including the discovery
and patching to prevent a handful of possible exploits.

We will, of course, continue to investigate the source of this
particular security breach and keep customers apprised of what we
find. Once we learn more, we will be sure to post updates as they
become available to our status weblog:

http://www.dreamhoststatus.com/

Thank you for your patience. If you have any questions or concerns,
please let us know.

– DreamHost Security Team

I dutifully changed all my passwords and fixed all the damage. Next day my account was compromised again and my files tampered with again. At this point I decided to jump ship and move all my sites to pair. I’ve totally lost confidence in Dreamhost.
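One way to do the review the notice asks for, as an added example that is not from the original post or from Dreamhost: hash every file once, keep that baseline somewhere the FTP account cannot reach, and diff against it after each suspected incident. The site files, the appended text and the baseline path below are all constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """SHA-256 of every regular file under root, keyed by relative POSIX path."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def save_manifest(manifest, dest):
    """Write the baseline outside the web root (hypothetical location): a baseline
    kept inside the account can be rewritten by whoever holds the FTP password."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def compare(baseline, current):
    """Return (modified, added, removed) relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def demo():
    """Constructed site, baselined, then tampered with the way the notice describes."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        site.mkdir()
        (site / "index.html").write_text("<html><body>Hello</body></html>\n")
        (site / "about.html").write_text("<html><body>About</body></html>\n")
        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(site), baseline_path)
        # Constructed tampering: data appended to the index file and one
        # extra file dropped into the account.
        with open(site / "index.html", "a") as f:
            f.write("<!-- constructed sample of appended content -->\n")
        (site / "extra.php").write_text("constructed sample of an uploaded file\n")
        return compare(load_manifest(baseline_path), build_manifest(site))
```

Run the baseline step once after a clean restore; a non-empty result from the comparison after that is the signal to restore again and rotate credentials.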

A couple of other things to note:

1) Dreamhost was storing all user passwords in plaintext.
2) They had the audacity to blame users for the compromise.
3) Rather than fixing the broken FTP daemon through which accounts were compromised they have just added an option to disable plaintext FTP for user accounts.
4) They still haven’t notified me that my site was compromised a second time.
5) A lot of people I know have had their sites compromised and files changed. I’m rather sceptical of their claim that only 0.15% of their sites had files changed. Here is but a small sample.

I’m willing to tolerate some inconvenience to save a few bucks but seriously no savings is worth this kind of hassle.

So that’s it. Goodbye Dreamhost.

I’m a father!

On 29 May 2007, Zainab and I were blessed with a beautiful daughter, Rashida Ebrahim. She was born in Westminster, UK.

Crucial.com gives Firefox users a discount?

I was buying RAM today for a friend, and I noticed something quirky going on at Crucial.com. When I was at his house, I noticed that the stick of RAM he needed was $67.97. When I got home I went to order it, the price had ‘dropped’ to $65.93. I figured this was just due to volatile RAM prices. I placed the order at $65.93 and didn’t think much of it.

Later on, out of curiosity I checked the prices again, and I happened to use IE for this. The price was back up to $67.97. I thought this a little odd, so I checked again in Firefox, and the price there was still showing $65.93. I checked in Opera, and the price was $67.97.

The part in question, CT522745 is a 512MB upgrade for a Dell Dimension 4500. Screenshots from Firefox and IE are below:

Screenshot of Crucial.com showing RAM prices in Firefox

Screenshot of Crucial.com showing RAM prices in Internet Explorer

Are Firefox users getting a hidden discount?

UPDATE: It looks like Firefox users are not being singled out for a discount, but rather that I had a cookie set in Firefox by them (it’s been years since I ordered anything from them) and when I cleared this cookie, pricing went back to ‘normal’. False alarm, but if only I had saved the cookie… 🙂

Server Name Indication (SNI)

I was browsing through Yusuf’s blog today and, in his post about enabling cheaper SSL hosting, read for the first time about Server Name Indication (SNI), as specified in section 3.1 of RFC 3546.

Anyone who’s had to set up a TLS/SSL (let’s say secure) site knows that currently, a secure site must be hosted on a unique IP. If you need to host more than one SSL site, you need a separate IP for each secure site hosted. This requirement exists because pre-SNI, the server must choose a certificate at the start of the TLS handshake, when all it knows is the IP address the client resolved the DNS hostname to; the hostname itself isn’t sent until after the secure channel is up. SNI elegantly works around this requirement by adding another step to TLS negotiation. As part of the TLS handshake, the client tells the TLS server which hostname it is trying to connect to, and the server thus knows which certificate to present to the client. This is explained a lot more elegantly by Paul Querna.

SNI makes life better because secure hosting becomes more affordable. The cost of a secure certificate is often no longer the largest cost that secure sites must bear to be secure. One can get a certificate for $20/year. However, dedicated IPs are expensive. On a host such as Dreamhost, unique IPs cost $4.95/month. Add this up and it’s almost $60/year. If this extra cost can be eliminated a lot more businesses might be tempted to go secure, and this is a good thing for everybody.

So what’s the current state of browsers?

It’s no secret that as far as end users are concerned, backend features are not as sexy as features which are exposed in the UI, but I wonder: if SNI support is added to Gecko/NSS before IE, will Firefox suddenly become a lot sexier to businesses who don’t have an arbitrarily large IP space but are looking to standardise on a browser, or recommend one to their clients? Hey, it’s a much better solution than forcing an upgrade to Vista.

Community Building

A couple of months ago I blogged about the challenges faced by community projects. Something one of my friends who works on a mutual community project with myself and others wrote has driven me to write a little bit about what works well with community projects, because what he wrote resonates with a lot of my experiences:

[Our] volunteers come from varied backgrounds. Our earliest graphics work and page layout was done by someone going to medical school (cutting and slicing cadavers in the morning and slicing and dicing page-layouts/photographs at night). Our resident layout maestro who has a knack of determining browser bugs via impressive test-case reduction is an economics graduate. There are the usual suspects who have some paperwork by which they claim to know Computer Science 🙂 but they are very much a minority.

When I read this, I couldn’t help but also think of the Mozilla community, which is comprised of a hugely diverse set of people with varied backgrounds and interests, but all of whom share a common goal. When you look at a project like Firefox (or really any community project), I think there are two major (and related) barometers of its health:

  1. The ability of a project to draw contributors from outside its immediate field
  2. The ability of a project to harness the capabilities of its contributors and channel it into useful activity

The first of these has to do with the pull that a project has on people who have no intrinsic connection to it. One of the reasons that Firefox has been so successful is that it has drawn people who would not ordinarily be interested in a web browser and made converts out of them. Not only has it made converts, but converts who believe strongly enough in the software that they are willing to donate their time in order to make it better. It’s pretty easy to convince a developer that tabbed browsing is a great idea, but a lot more difficult to convey the same message to others. Yet, to a large extent Firefox has succeeded in this; and it has certainly succeeded in drawing active contributors, many of whom have never taken part in an open source project before (or any software project for that matter).

The issue of contributors aside, why has growth slowed from how quickly it was growing before? Because for the majority of web users, a web browser is boring. Users don’t care what program you enter the URI into, as long as the page loads. Apathy is now the biggest barrier, because now we have to win over the segment of users for whom computers are not a passion, but simply a tool (or even worse a chore). How does one win over the masses of people for whom anything to do with computers is executed from rote memory, rather than any sense of intuitive understanding (don’t underestimate the size of this group)? Do we even want to cater to this group? I don’t really have a good answer for either of these questions.

The second barometer, how a project harnesses the eagerness of its potential contributors is really the crux. My understanding of Firefox contributors is that you can categorise them into four broad groups:

  1. Highly skilled, paid contributors
  2. Highly skilled, unpaid contributors, who donate significant amounts of time
  3. Less skilled, but enthusiastic and eager to learn unpaid contributors, who donate significant amounts of time
  4. Less skilled (or unskilled) unpaid contributors, who want to help in a small way that doesn’t require a large commitment

As always, the first three groups combined do the lion’s share of the work, but are always outnumbered by far by the fourth group. The first three groups can work without hand-holding and still work productively. It is the fourth group who need channeling. Because they want to help out in the short-term or just as a one-time thing, they often do not have an understanding of the project, and thus their genuine efforts are misdirected. As a worst case scenario, their attempts to assist can actually hinder the first three groups from going about their work. I remember during early 2004 when Firefox was picking up steam, all of a sudden Bugzilla’s “Today’s Bugs” lists became a swamp of rubbish, and significant efforts were required to parse through and sort out the useful from the garbage. A perfect example of misdirected efforts—people trying to help but actually hampering progress.

The situation has improved significantly. Efforts have been made to channel contributions to where they are most helpful, and as a result Reporter and Hendrix now exist. Systems such as these not only channel efforts to where they are required, but also provide useful information in aggregated form to the skilled contributors who are in a position to act on the feedback. When channeled in this manner, the fourth group of contributors become enablers. They provide supplementary data that helps the skilled contributors to triage problems and improve the product.

How well the capabilities of these passerby contributors are harnessed can make the difference between creating a group of enablers and creating pandemonium.

Going back to where I began, I think it is clear that variety amongst contributors is a hallmark of success. However, with variety comes a necessity to actively manage contributions so that they are complementary to each other.

The original post that sparked this one is part of a relatively new blog that talks mainly about the technical considerations that have gone into creating a community website and server infrastructure.

Getting Married and other Tidbits

My last blog entry was on July 8, a good two and a half months ago, I think my longest hiatus yet from blogging. Since then, things have been sort of a whirlwind on all fronts (in a good way, of course).

Most important on the list is that I got married on 15 August 2005, to Zainab Currim (now Ebrahim), who I have known for the last five years and been engaged to since December 2002! We had both been waiting for this for a long, long time, and it is amazing to finally be married.

When I say that I got married on 15 August, I should qualify this statement, because marriages for Muslims and Indians don’t work in the same way as they do for many of you who have grown up in a Western environment. For many of you, after the marriage ceremony in a church, there is a reception, and then that’s it. For us, it’s a bit more complicated. First we have what is called the nikah, which is the marriage contract itself, and is executed between the groom and the bride’s appointed representative, which is usually her paternal grandfather or father. Once the nikah is complete, the couple are legally married. However, that’s not the end of the deal. Prior to and after the consummation of the marriage, there are other traditional ceremonies that also take place, and it is these ceremonies that constitute the wedding celebrations.

So my nikah was performed on 15 August, but the wedding celebrations are yet to take place. They’ll happen this December in Mumbai (most of my extended family lives there) and Kolkata (Zainab’s family lives there), both in India.

The venue of our nikah was Najam Baug, a Dawoodi Bohra community hall that my great, great grandfather originally built along with his brother-in-law in 1886, and was recently rebuilt by our family and inaugurated on 15 August 2005 (my nikah took place during the inauguration).

I took on the task of designing the website for Najam Baug, and just completed it a couple of days ago. It’s the first website that I’ve designed from scratch (though I did use a CSS trick or two from ALA), and I’m pretty happy with the result. Designing the website just reminded me what a pleasure it is to design for standards-compliant browsers such as Firefox and Opera.

When it comes to rendering standards-compliant pages, these browsers Just Work™. Internet Explorer drove me crazy with its Screw Standards™ rendering mode. I spent hours making IE not totally screw up floats, and also a long, long time trying to figure out why content was just plain vanishing in IE. As it turned out, the vanishing content bug was IE’s notorious Peek-a-boo bug, which I was able to fix using Matthew Somerville’s line-height hack. After making all these efforts, the website now displays only acceptably in IE, but still not perfectly. For those of you who have IE, you’ll notice that there is a lot more whitespace than you see in other browsers. I still haven’t figured out how to fix this.

There’s still a lot more that’s happened in the past couple of weeks to talk about, but for now this is all I have time for. I hope that over the few days I can write a couple more entries. One of the things I want to write about is about using Firefox at work, and a few observations and challenges I’ve faced in being able to use it 100% of the time.

Heading Home

This morning I officially graduated from my one-year Mandarin language course at the Beijing Language & Culture University. After five years away from Hong Kong, tomorrow I finally return home permanently, and am looking forward to starting at my new workplace.

After studying Chinese for a year at Beijing Language and Culture University, I have finally graduated. This morning I received my certificate of study. In 2000 I left home to go to university in the United States. In 2004 I came to Beijing to learn Chinese properly. After five years away, tomorrow I finally return home. Once I am back, I will soon start working at my family’s company.

ebrahim.org Turns Six Today

As a matter of pure coincidence, yesterday while I was renewing ebrahim.org’s domain registration, I noticed that ebrahim.org turns six years old today. Six years is a long time, especially in the internet world, where it’s an eternity.

When I first registered ebrahim.org back in 1999, I knew nothing about web or email hosting. On the recommendation of a friend, I bought ebrahim.org and purchased one POP account from Network Solutions, my first domain name registrar. I also had a one page “Under Construction” website at www.ebrahim.org (then, now). Things have come quite a way since then. I now host with a real hosting company, use ebrahim.org to host email for my family members, and also for this blog.

UChicago to Distribute Firefox and Thunderbird

Every year the University of Chicago’s Networking Services and Information Technology department (NSIT) distributes a connectivity package (CP) to all incoming students. This CP is also used by departments throughout the university. The CP, amongst other things, contains a web browser and an email client.

Starting this fall, all incoming students will receive a CP that is built around Firefox and Thunderbird. This means that any student who pops NSIT’s CP into their computer to set up university email services will have Firefox and Thunderbird installed on their computer! The same CP is also likely to be targeted at university departments for new deployments.

I graduated from UChicago last year, and it’s great to see my alma mater supporting and taking advantage of open source projects in this manner. UChicago is fortunate to have a group of people working at NSIT who understand the value that open source projects can offer them.