I have not detected any dishonesty on [MT's] part

That just shows you haven’t put much effort into your attempt to detect dishonesty. As I previously noted, MT first blamed WordPress specifically, then backed off, then claimed they never blamed WP. The claim that they never blamed WP was 100% false. Travis even said We quickly realized that this was falsely blaming WordPress itself.

So while you may be honest in your statement, it’s not accurate. Even MT admitted that they were falsely blaming WordPress.

I don’t know if it’s anything to do with the grid system but I am aware that MT is not the only host to be targeted. That tells me that the grid system is no less secure than any shared environment out there (the ones that are set up correctly).

Sorry, but that’s just bad logic. Unless you’ve done a full security audit on every host out there, you can not rationally claim that MT is “no less secure than any other shared environment”. The fact remains that the vast majority of hosts were not impacted by this exploit. It does appear a couple were. All that means is that the exploit was shared, not at what level the exploit took place or where the fault is.

Now, I can’t claim that MT’s service is the source of the issue. There are several comments on the web about this exploit taking place even when sites were “disabled”, but obviously I can’t verify those (nor exactly what “disabled” means to them.)

But I can point out, and will continue to do to anyone who wants to argue the facts with me on this matter, that MT botched this whole situation, wrongly pointed the finger at WP… and previously I could say that MT was still not learning from all this, and still spewing spin… but after the last response from Travis I was at least happy to see some admission of guilt at least as to how this whole issue was handled.

Ideally they’d come back and be able to give a detailed explanation as to the specifics and thus know exactly how the hack took place. Right now it seems like they’re still of the mindset “we can secure our system, but not third party systems (eg JS, MySQL…) against attacks.” If they want to say there, fine. I realize that’s the status quo for the industry and can’t fault them for that.

After the last response from Travis, I had let this issue go. I was glad to see his response, and know that more comments, traffic, keywords… to this page just make it come up more in Google searches which is what they don’t want, so I was trying to give them that.

PS. Gemma, notice I never stooped so low as to sling insults MT. I suggest if you want to have this conversation, you do the same.

whatever the problem is, media temple isn’t handling it very well.

Travis, don’t bother trying to bend over backwards to please someone who clearly just wants an argument. You guys know your stuff the best and I have not detected any dishonesty on your part. I can see the bigger picture as well as the details and I know you guys are doing all you can to pinpoint the source of the hacks. I don’t know if it’s anything to do with the grid system but I am aware that MT is not the only host to be targeted. That tells me that the grid system is no less secure than any shared environment out there (the ones that are set up correctly).

I’m with A Small Orange at the moment while I’m building and developing my WordPress site, but after it grows a fair bit, I’ll be considering MT for my future hosting needs. By then the hack issue should (hopefully) be dealt with.

First, let me apologize for the tone of my previous response. It comes off as incredibly aggressive and that is not what I wanted. I simply want to make sure the correct information is getting out.

It is clear to me that we have lost your trust. For that, I’m truly sorry. I’m sorry that you feel we have been less than forthcoming with the truth about this entire situation. That’s a clear failure with our communications and it is something that we’re trying to improve.

As big a company as (mt) Media Temple is, we’re not a monolithic Fortune 500 company with a PR Firm on retainer to spin our crises into gold. What we are, is a group of support technicians, system engineers and customer service reps who simply want to provide the best hosting solution for our customers possible.

I still feel like you have unanswered questions. I know that you’re leaving our service, but I still feel that you have a right to know what happened. The offer still stands to speak with our VP of Customer Service. You can also contact me any time at travis at mediatemple dot net. Let me know what your questions are and I’ll try and find someone not associated with (mt) Media Temple who can answer your questions.

Let’s be clear, it is possible to inject malicious code into a website through a PHP form, regardless of it being a form on a WordPress site or not. I’m pretty sure that everyone would agree this is a possibility. Also, I never said, nor did anyone else state, that this is how sites on our system are being exploited, it’s simply a way they could be exploited.

Perfect example of just another attempt to spin the situation. In the information MT provided for the first month + after this issue started occurring, MT flat out blamed WordPress for the exploit and flat out blamed third-party scripts for the exploit. Now that it’s been pointed out MT also said they didn’t know how this exploit is taking place, you’re basically saying “well, all that info we posted on what happened and why it’s not a problem on our end, wasn’t how it actually happened, just how it could have happened.” It could have been an evil plot carried out by other hosts to tarnish MT’s reputation as well. Or maybe it was aliens.

I would like to know what the “false statements” made by us previously in this post are.

As you later noticed, one is further back in this thread. More to be brought up below.

I can assure you that everything we have stated is true.

This is just a prime example that you’ve been traveling down a path of untruth so far that you’re now lost in it. MT has both specifically said that:
- This exploit was specific to WordPress
- Is [WordPress] specifically vulnerable? No

So which is it? You can’t have it both ways. Up until at least late July MT was saying it was specific to WP, and now MT is saying it’s not. So if everything MT has said is true, then how are these two contradictory statements possible?

We are not changing our story either. However, as the situation is ongoing, the story is evolving as more information becomes available.

Are you serious? You’re not changing your story, but the “story is evolving”? Evolve = change. Do you not see how completely ridiculous it is to say that you’re not changing your story, but in the very next sentence say that it’s “evolving”? Does that not sound like spin to you?

it’s possible you were wrongly told that WordPress was the “source” of the problem.

But wait a second, above you said “I can assure you that everything we have stated is true.” So which is it? Can you assure me MT has been truthful, or are you now saying it’s possible MT has been untruthful about the matter?

We quickly realized that this was falsely blaming WordPress itself

So how does “falsely blaming WordPress” constitute “everything we have stated is true”?

Thanks for the invite to talk to your VP of customer service, but you’ve clearly demonstrated that MT is a company that believes true = false, and among other issues, I’m not going to spend more of my time on MT other than moving a client from MT and making sure others are aware of your corporate values.

At a certain point I hope you guys notice just how badly you botched this whole situation, especially by pointing fingers.

I think enough people were affected to point to a possible problem with MT.

Why do we suspect this?

1. Other big hosts (like Network Solution) messed up recently and allowed one hacker to attack everything. Who else, was it Godaddy? MT has an awesome track record–BUT you got to admit, MT is a big target, like these other big hosts that were targeted. We would like to think MT is smarter than Netsol (for reasons I need not explain) but is that really a valid assumption? If it looks like a duck, quacks like a duck, etc.

When you’re big you attract enemies, that’s life. The nail that stands up gets pounded down. ALSO we (the unwashed masses) have no idea how the “grid cluster” thing works. We have pretty diagrams–as of the Cluster 6 storage meltdown–but seriously, we have no idea what’s really going on under the covers. I read all the “gs” marketing gibberish with glee but afterwards I’m still thinking I’m on a shared server. Once I had a PHP script go into a big nested loop and a tech told me I took down 80 servers on the grid or something absurd–COME ON seriously? I’m not buying it. I admit the “(gs)” marketing dept. inspired diagrams are cool looking–but I digress.

Let’s not beat around the bush–Matt was very pissed he was blamed for Netsol’s ineptness. And I applaud Matt for standing up against those accusations. He’s got a great reputation–the guy is practically a superhero of the Internet. So I think MT is hesitant to pick a fight with Matt in any way, shape or form, because they know a storm of bad press is just around the corner if any accusation is unfair. Think about it–how many times has your host accidentally changed all your permissions, breaking your code? It’s happened to me more times than I care to remember. Oops. Hosts make mistakes like this all the time–that’s just the nature of this business.

I give MT a lot of credit–they seem to have smart minds running the show–but anybody we can name specifically? MT doesn’t have an Internet super-action hero we can rally around, that I know of.

2. I open a support ticket about this and a tech admits one bad one user *could* affect the entire grid. I would post a quote but it’s not worth my time. So how is this “secure” architecture? Seriously, tell me. Either you’re secure or you’re not. You need to get your story straight with your employees, or admit you are “not sure” you are secure.

In my opinion, this is the problem with businesses today. No integrity. I haven’t taken a survey, but it seems most people hate deception. Not only that–it’s a great way to start a fight. Some fool this morning quoted my wife $49 for an oil change. Slick guy thinks he’s going to take advantage of a young woman adding extra charges beyond what he quoted her. I walk in and he’s trying to educate me about the extra charges. I say to him, “What did you quote her?” That shut him up because he’s not going to call my wife a liar. You quoted her $49 and that’s what I expect to pay, I don’t care what planet you’re on. So you think you can make a few extra dollars jerking people around? How many times has this happened to you lately? Let me tell you, it may fly for a while, but in the end you’re up against the truth, it’s not a sliding scale. It’s not about the money, it’s about the right thing to do–tell the truth as best you can. If you ignore that basic principle, even if you live in Culver City, you’re halfway up Sh** Creek. Probably your mom told you this when you were 5 y/o (age of reason? LOL) but I think some people need a reminder. A reality check is a good thing. How do you define “secure” well now you’re playing word games–please tell me what I’m missing here.

3. Back to technical details. Only my dad’s blog was affected and he had WP version 2.8.6 running on MT. Not other scripts or sites besides boring non-executable HTML. No hardening besides the defaults. Maybe this information will help you locate the attack vector? I doubt it. Obviously it’s a somewhat dated version. It was using a default Kubrick theme and no plugins besides Akismet. That’s all I have on MT at this time–I moved all my other blogs to Linode several months ago. Why didn’t I upgrade him past 2.8.6? Besides backups, the easy ability to move elsewhere and avoiding unnecessary upgrades, the only real threat I’ve heard about, in recent history, was for blogs that allowed open registrations. The last attack WP was found at fault for–as far as I know (and I do follow these things more closely than most people) was this one checkbox “Anyone can register” where you allow anyone to register to post comments–this is really the only way to hack WP that I’ve heard about within recent history. If this box wasn’t checked you’re pretty much safe, besides brute force attacks on your password. The attacker registers to post a comment or whatever, then somehow changed his userlevel–Yes I think it was some form injection trick. If you can show me where 2.8.6 is really open to a database attack–I wouldn’t mind reading that info out of curiosity–not that it affects me much. I really don’t have much skin this game here or any personal gripe with MT, besides finding the truth about what happened. In any case, I have millions of visits on 2.8.x and 2.9.x and never any problems. But is 2.8.6 really the problem here? Is this what all the chatter is about? Were all these other MT customers using 2.8.6 through 2.x.x? I doubt it, or we would have heard something more definitive by now.

thanks man!!