Comments
I don't really know the VestaCP situation but AFAIK it did get patched, so somebody must be maintaining it. cPanel has had plenty of security failures of its own, maybe even more than VestaCP has had, so the best you can say about it is that maybe it gets patched faster.
I'd need to see numbers before accepting such a claim even a posteriori. To say that the expected cost was higher before the incident is even further fetched. cPanel is bloody expensive if you have enough instances. And I don't see where the reputation damage is. If Jarland took his VestaCP stuff offline when the bug surfaced, he did the right thing and is A-OK in my book and I don't have any hesitation about continuing to use his stuff. He'd have had to take cPanel offline the same way. At best he might have been able to bring cPanel back a little bit faster.
I do use some ultra cheap shared hosting under VestaCP (not with Jarland) and I didn't even notice the outage. Even if I did, though, it would have been in "ok, stuff happens" territory. If the provider refunds customers affected by the outage who request it (or even just compensates them with service credits), and can manually handle important requests through the ticket system while the control panel is down, they've done everything I can expect.
You're in the wroooooong neighborhood.
Francisco
cPanel has a bounty program and patches them promptly. Vesta was given a list of issues by Rack911 and until today they are not patched AFAIK. That’s over a month. So my point stands.
Reputation damage from the Customers who chose to chargeback - do you really believe they don’t talk about the experience with their friends and peers ? They do.
Naturally numbers are not public in this case so I can’t say for sure and I’m speculating. Naturally, one chargeback fee is about the cost of a monthly cPanel license, not to count the lost revenue. I don’t however understand why you’re having a go at providers charging a little bit more than the very rock bottom? The forum is called Low End Talk. Low End is not exactly the cheapest, it’s a range, and the bottom of this range is where the unsustainable deals are. Based on your posts over the past 48h I can’t help the feeling that you seem to have an issue with anyone charging anything above the very rock bottom prices. This seems weird and is pushing the hosts delivering sustainable services in the low end pricing bracket away.
I don’t want to be rude nor to pick a fight with you. I firmly believe that there’s enough space for everyone here.
Maybe. Maybe not. Feeling good here, prefer here to WHT ;-). We have plenty of very nice Customers from here too, among others, so there’s clearly enough room for sustainable deals in the low end price bracket.
AMD EPYC 7451 and EPYC 7501 have now been spotted on Linode host nodes as well, so it's spreading
my god, what has this thread turned into...
TLDR?
And what are shortcuts you're accusing me of taking? You don't have magical hardware or software, you're as at risk for vulnerabilities as everyone else. Taking shots at others because you won this year's dice roll will come back to bite you a lot harder when you inevitably lose one, whenever that is (not if, but when). I've taken those shots and my licks.
As for VestaCP I know the attack vector that I was worried about and I was never vulnerable to it due to customizations. Having imperfect coding standards reported about the product doesn't make every visible opening a viable attack vector either.
No problem, let me break it down for you...
@sureiam
I would love to see AMD gaining more market share and I guess --but don't know-- that AMD's current processors are less vulnerable than Intel's.
Wrt. memory encryption I don't bet much on it because, like with basically all security related problems, the trouble doesn't come from the design but from the implementation. Just look at the recent Intel mess. The design was probably OK but the implementation was poor.
Adding encryption to the whole memory mechanism also means adding a lot of complexity and complexity is the fertile generator for implementation problems.
No not at all, I don't have issues with anyone's prices. Rock bottom prices are great, higher margins with nicer setups are also great. I'm fine with the whole spectrum. Rather, it's you who's taking issue with the low cost suppliers and their customers, not just in the past 48h but over a period of months, calling the suppliers unsustainable and implying that their customers are pursuing false economy. That's what I have trouble with: beyond sounding like sour grapes from a whiner, it even comes across as an attack on LET principles which (in my view) say that there's something for everybody.
Yes there's occasionally offers and requests that are crazy and unrealistic, and those do get deservedly called out. But saying things like that about WSI: what are you on about? They have scale economies (their own DC, i.e. the building, the land underneath it, and the fiber coming out of it), technical ingenuity (they got those weird surplus E5-2670 servers working as regular dedis when others found it impossible), business chops (tax abatements etc), cheap power, etc etc. I don't have direct knowledge, I only know what I read on LET, but it seems like a sweet sweet combination. They have the improvisational ability of the smaller companies and the resources of the bigger (well less-small) ones. They are probably more sustainable than any of the normal LET suspects who are renting DC space or even renting hardware. So sniping at them and implying that they don't know what they're doing is pathetic. It's better to play to your own strengths and let others play to theirs.
That it's what you want today doesn't make it not a knee-jerk reaction. It's because you've accepted immediately a claim that this will solve problems that you don't really know if it will long term. That's why it's a knee-jerk reaction. You need to give these CPU vulnerabilities more time to play out before you declare a safe path forward. You're jumping the gun and falling for marketing. You don't even know the full scope of all discovered major CPU vulnerabilities right now (neither do I). You may think this CPU you're hyping today is vulnerable trash in 3 months. Now isn't the time to pick winners in the CPU battle, now is the time to watch decades of threads unravel and see what remains when all the pieces are fully publicized and understood.
It's really got nothing to do with cost, it has to do with due diligence. If the technology you're hyping is the answer to every major CPU vulnerability then great, let's all get on board. Let's not just jump on the first product to have a YouTube video that sounds convincing. Not after what we've been through recently with having our worlds shattered by these vulnerabilities.
Pfft. Nothing ever goes wrong with first generation kit...
https://www.sysgen.de/as-1013s-mtr-1u-server.html
Barebone 16 core 1u server for 1,500 euro doesn't sound too bad to me. Of course that's without drives or memory, but that would be the same expense on either platform.
Disagree. There are indeed users only looking for the bottom of the barrel, but also plenty looking for great deals for quality hosting. It's a disservice to companies like QuadraNet and others here. Additionally LET is a unique platform with active providers and users here that discuss their products and plans. That's all we are doing.
You and @Jarland are basically saying the same thing. "Oh it's too new to know if it's worthwhile. Oh it might have flaws"...
AMD isn't the new kid on the block. They've been around for decades. The fact that you're suspicious of AMD products is more a testament to Intel's marketing ability and your inability to test anything or think independently outside of what you've done.
Memory encryption isn't some magical invention that no one has ever considered. We've been encrypting data in transit and at rest for years now. To say it isn't worth testing and implementing for your customers is, as I noted previously, just being lazy and unwilling to try something because it requires extra work.
It's not a knee jerk reaction to request a feature on a product that's been out for a year and has many years of research and design behind it, and that's been released specifically for the enterprise environment. I'm not coming here and telling anyone to consider the Ryzen consumer CPUs, but the enterprise processors available.
Furthermore I'm not even saying to convert all the existing nodes. But memory encryption of VMs is something we as consumers want. It's available and has been tested. The LET providers are a nimble, knowledgeable and capable group that tend to take on opportunity as it comes! I don't think paying 1,500 euros for a barebone EPYC 16 core 1u server is outrageous. Furthermore the argument of it being new and "we're scared" is inappropriate murmuring from a place lacking in experience. Every write-up on EPYC in the server space is positive... why don't you try out EPYC for yourself before you start saying unknowledgeable things like "oh it's not ready for prime time".. That just sounds like something a billing person with little knowledge in the technical space would say, not an experienced systems/network admin.
Last but not least, to circle back to my point to begin with.. **Encryption of VMs' memory along with their stored data is excellent practice to protect against future unknown bare metal exploits.** This isn't theoretical science, it's common sense. Just because you've never implemented it doesn't mean it's not worth it to users.
We have a handful of Customers running Epyc now for various environments - from classic web hosting with bloated Wordpress sites through VMs to some magic number crunching. So far absolutely zero complaints and everyone is happy after receiving a significantly better Quote on Epyc as opposed to the Quote on Intel for the same number of cores, capable of handling the same number of NVMe drives.
heh... fun thread, brb just need to go and buy £100,000 worth of AMD kit over night after reading this.
bad intel... bad!
TLDR
I believe that memory encryption of VMs can protect users from bare metal exploits that are becoming more common since Spectre.
AMD's EPYC processor SEV is currently the only enterprise solution with this ability.
You have a mix of providers now that argue it's too expensive. So I point out it's about $1,500 for a barebone 1u 1 socket 16-core version of it. In line with, if not cheaper than, Intel at 1 socket 12-core or 2 socket 2x 8-core.
So then you have providers saying it's too new and we're scared. To which I reply it's a tested enterprise solution chip with the backing of the community that's already published testing data, and isn't a consumer chip. There isn't really any risk.
Then it somehow went to @jarland comparing it to VestaCP, which is a free software panel platform maintained by a few people. It obviously has nothing to do with a hardware solution created by hundreds of talented engineers from a company that created the modern x86-64bit platform (AMD64) THAT'S CURRENTLY IN USE IN EVERY INTEL AND AMD CPU IN THE WORLD. But I guess AMD doesn't know what it's doing, right?..
That then spiraled into a provider tiff about providing services too cheaply, such as those via VestaCP, vs what would be considered "sustainable". They went a bit off topic there, then circled back around to say virtual memory encryption hasn't been done before and they're scared to do it.
Thanks for your insightful, experienced response! EPYC has been out for almost a year now and your experience is exactly the same as others that have given EPYC a shot.
How about you just start with one, at least at 1,500 euros for 16 cores and NVMe RAID built in?
https://www.sysgen.de/as-1013s-mtr-1u-server.html
Fwiw, I agree with you in principle, and I will be switching to AMD for future products, you just need to accept, even if you don't understand or agree that this won't happen overnight.
It is pointless comparing prices on stuff and saying that amd is better value if we have ALREADY bought the intel kit, that essentially makes it twice the price.
Definitely, not possible overnight.
I don’t think switching should be a goal either. Making either of them a monopoly will stall progress, as we witnessed over the past few years with Intel. Every monopoly is bad.
It should however be a consideration for future purchases.
I've said multiple times throughout this thread that I don't expect people to upgrade existing nodes to EPYC, but to consider it for the next expansion. Many providers here add new nodes as the business grows. They aren't just cramming it all onto existing nodes. So as a consumer I'm putting in my 2 cents directly to the providers here to consider it, and that it can even be a marketing advantage to offer more secure VPSs via AMD's SEV. Many of us would even pay a premium for it.
I'm also hoping to educate the users here on the continually developing exploit situation and offer my opinion on a way to protect their data. Memory encryption is the next logical step in enterprise. Yet I see no discussion of it anywhere.
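A customer who is promised SEV-backed VMs can check from inside the guest whether memory encryption is actually active. The check below is an added example written for this thread, not code from any poster or from AMD; it decodes the CPUID leaf 0x8000001F feature bits (SME/SEV/SEV-ES/SEV-SNP per the AMD64 Programmer's Manual) and parses the Linux kernel's "Memory Encryption Features active" boot message, whose exact wording varies by kernel version and is assumed here. Inputs are constructed so it runs offline.

```python
"""Two independent signals that an AMD SEV guest really is encrypted.

1. CPUID leaf 0x8000001F, EAX: bit 0 = SME, bit 1 = SEV, bit 3 = SEV-ES,
   bit 4 = SEV-SNP. This only says what the CPU *supports*.
2. The kernel boot log: a guest booted under SEV prints a line naming the
   active encryption features. Wording differs by kernel version, so both
   the older "Secure Encrypted Virtualization (SEV) active" and the newer
   "Memory Encryption Features active: AMD SEV ..." forms are accepted
   (assumed formats, matched loosely).
"""
import re

CPUID_8000001F_EAX_BITS = {0: "SME", 1: "SEV", 3: "SEV-ES", 4: "SEV-SNP"}

# Constructed sample log excerpts (not captured from a real host).
SAMPLE_DMESG_SEV = [
    "[    0.000000] Linux version 5.10.0 (constructed sample)",
    "[    0.000000] Memory Encryption Features active: AMD SEV",
]
SAMPLE_DMESG_OLD_SEV = [
    "[    0.000000] AMD Secure Encrypted Virtualization (SEV) active",
]
SAMPLE_DMESG_PLAIN = [
    "[    0.000000] Linux version 5.10.0 (constructed sample)",
    "[    0.012345] x86/fpu: Supporting XSAVE feature 0x001: 'x87'",
]

NEW_RE = re.compile(r"Memory Encryption Features active:\s*(.*)$")
OLD_RE = re.compile(r"Secure Encrypted Virtualization \(SEV(?:-ES)?\) active")


def decode_cpuid_eax(eax: int) -> set:
    """Feature names advertised in CPUID 0x8000001F EAX."""
    return {name for bit, name in CPUID_8000001F_EAX_BITS.items()
            if (eax >> bit) & 1}


def active_features_from_dmesg(lines) -> set:
    """Feature names the kernel reports as active; empty set if none."""
    for line in lines:
        m = NEW_RE.search(line)
        if m:
            # Drop the vendor token so only feature names remain.
            return {tok for tok in m.group(1).split() if tok != "AMD"}
        m = OLD_RE.search(line)
        if m:
            return {"SEV-ES"} if "SEV-ES" in m.group(0) else {"SEV"}
    return set()


def sev_guest_verdict(eax: int, dmesg_lines) -> dict:
    """Encrypted only if the CPU supports SEV *and* the kernel activated it."""
    supported = decode_cpuid_eax(eax)
    active = active_features_from_dmesg(dmesg_lines)
    return {"supported": supported, "active": active,
            "sev_active": "SEV" in supported and "SEV" in active}
```

On a real guest, feed `active_features_from_dmesg` the output of `dmesg` and read the CPUID leaf with a tool such as `cpuid`; a missing active line means the provider's VM is not using SEV regardless of the host CPU.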
I don't think we need to worry about AMD becoming a monopoly in the server space. Intel will always find a way to bribe OEMs like they did during the Athlon 64 days and were heavily fined by the US, Asian, and European trade commissions...
Many providers here already have new AMD kit??? List to me the ones that are not LARGE CORPORATIONS (OVH, Hetzner, Online.net, Leaseweb, etc) or don't have high end business here that have afforded such kit? I am interested to know which LET providers here care so little about their customers that they spent their entire bottom line on new AMD kit, so I can avoid them as they will most assuredly deadpool in the near future. I guarantee most of the real LET driven hosts are not going to be affording new AMD kit in the near future, just look at the comments from @KuJoe and @AnthonySmith in this thread as an example.
If you are afraid of the Intel exploits and you really think the above is true, to the effect that it's going to magically prevent someone with the skills needed from executing an attack to access your memory or server, that is silly. There are many low level attacks out there against systems that are not published; this is just one of the many they have, in an attempt to drive market prices. Give it a while and something for AMD will surface when it means something to AMD's bottom line.
I am sorry, I just can't buy into your paranoid delusions here. Even if every provider switched to AMD I wouldn't per se feel any better (honestly, I would more so wonder how they are paying their bills). I would still choose a provider that has proven to be trustworthy, who actually monitors their machines actively so that I don't have to worry about these types of issues because they are stopped before they happen. If you have data that is as valuable as you suggest, then maybe you should step up and pay enterprise prices for your services and pay a provider you can trust to do the same for you instead of expecting the world for $7.00.
my 2 cents.
Cheers!
Neither is Intel and that's the point. You should be suspicious of everything right now precisely because these companies have been around for so long and doing things so wrong all this time. You shouldn't trust one of them to fix it all overnight, not before we even know the details of every way they've been caught failing.
If you don't trust your hosting provider then it's time to switch.
No, you should continue using their services, but look at them with distrust from literally every angle. For example:
node reboot - they're stealing your data
new node announcement - they're setting up a new place to transfer your stolen data
no ticket response for 5 minutes - they're too busy selling your data
generated invoice - they are stealing your money as well
df doesn't show ext4 root partition on openvz - they've hacked into your very own, personal, file system
export vm functionality in control panel - so they can easily steal your data
you have been provisioned public ipv4 address - so everyone can hack you, that's how they get ya
you have been provisioned public ipv6 address - that's how they get ya, 1.5 times faster
plan upgrade, with more resources - so they can take even more of your data
there are more than one people on a host node - they're doing this to all of us
Am I being virtualized?
https://serverfault.com/questions/485843/am-i-being-virtualized
Damn, they've deleted it, I can't find the whole text anymore.
The paranoid way is more fun, the truth is out there.
Probably owned by a vps provider. Trust no one.
Pardon me? I suggest you cool down quite a bit. This is no war and I'm not your adversary. In fact this post is typed on an AMD Ryzen, so you can be sure that I'm not anti-AMD and do trust them.
It seems you have not understood what I said. Let me explain.
Yes, AMD is not new, nor does it lack experience, but implementing memory encryption was quite new for them to do. And it's virtually always the implementation that creates security problems. FWIW I actually do agree with your demand and think that memory encryption would be very nice to have, but I also see the problems and am therefore cautious. Just remember Meltdown and Spectre, both being well established concepts and designs and both in use for years and years - and then bang.
Why do I bring up Spectre and Meltdown? Because the kind of problem is quite simple. After all mem. enc. isn't simply about encrypting RAM but about one process not being able to read another's memory. Unfortunately processors don't work with RAM but with registers, and even the prefetch logic works with caches. I hope you see now how close we are to Spectre and Meltdown in terms of the problem class. It was exactly that "keep processes and their resources apart" logic implementation that blew up.
Somewhere in between the circuits that calculate and fetch data from RAM and put them into caches and the core those data must be decrypted and encrypted. We KNOW that some of the memory related mechanisms are very very complex and in case some forgot that Spectre and Meltdown reminded them.
Turn and bend it as you like but the fact is that now yet another "sub processor" is added to and mixed into that already very complex mechanism. Increasing complexity is the single most important creator of problems. And keep in mind that 99.9% correct might sound acceptable but actually isn't when talking about security and billions of instructions per second.
In case you think "but they tested it!" you are not quite right. They tested what could be tested. But there is always one more test, a final one: millions of users aka customers using their system over years.
That said, there are other reasons to currently prefer AMD over intel and you mentioned some of them like more lanes. Maybe in some years we have enough practical experience to add encrypted memory to that list.
That is it I am going back to a 1990's era Cyrix chipset.
It is interesting that after searching through all this wall of text I didn't find these three magical characters - PSP. I don't know if this memory encryption thing is done through the Platform Security Processor, but it doesn't matter if the provider uses AMD or Intel because both CPUs have proprietary dangerous junk in them. AMD got inspired by Intel and adopted this "Security through obscurity" rule, which results in many processors not being updated against vulnerabilities, and I am sure PSP has as many security holes as ME. The only processors I see as safe are those without PSP or Intel ME -> most AMD non-Ryzen processors and Intel CPUs before 2008.
AMD is not new, but Ryzen is new, and it had serious bugs when it was first introduced (causing Linux kernel lockups etc). I don't know to what extent they are now fixed. Also when Spectre and Meltdown were announced there was a "lol Intel good thing AMD isn't vulnerable" response except whoops, it is.
libgmp.org reports the following about Ryzen:
There is no magic fix.