Quality of LowEndBox frontpage posts
In short: it's still abysmal.
So, a quick run-down of the most recent posts, and some glaring issues with them. Note that this list contains every single non-offer post back to September.
- October 27, 2016: 3 Free Control Panels for VPS Administration - Recommends fucking ZPanel. Of all possible fucking places, it's unbelievable that this would be posted on LEB, given that it's right here on LET that it was torn apart as being horrendously insecure to the core. Rectified as "ZPanel is unmaintained", but no mention of the severe security issues, which existed regardless of the maintenance status.
- October 22, 2016: How to Harden the Security of MySQL on your VPS - Recommends security through obscurity in "changing the root username". Unfixed.
- October 16, 2016: Setting Up An Encrypted Volume on your UbuVPS - Aside from the newly coined "UbuVPS" term, it wrongly claims that full-disk encryption can protect you in a breach. It does not. Unfixed.
- October 10, 2016: How to Install & Configure Jabber on your VPS - Incorrectly claims that "Jabber is based on the XMPP protocol", which it is not - Jabber was renamed to XMPP. Unfixed.
- October 5, 2016: Setting up Git for Free on a VPS - "An example of what you could do with the free version of Git would be [...]"; this wrongly mixes up Git and GitHub. Unfixed.
- September 29, 2016: MariaDB: Installation, Optimization and Tuning - Recommends running a third-party script directly without verifying its contents. A lot of grammar errors, but the content itself looks okay at a glance.
- September 20, 2016: Host your own DNS, now with 100% more ad block! - Again recommends running a third-party script directly without verifying its contents. Content seems otherwise okay, although the formatting is a mess, and the article fails to address why one would want to use this approach over an ad-blocking plugin.
- September 15, 2016: https://lowendbox.com/blog/open-source-powershell-on-linux/ - Formatting is a bit off, but content looks fine.
- September 8, 2016: How to Send SMS Messages from Your VPS using TextBelt - Formatting is completely wrong, font is too small. Content seems fine.
- September 6, 2016: Enabling Encryption (SSL) on Apache and Nginx - Respun content from a DigitalOcean tutorial, more about that here. Still available on the LEB blog, thus unfixed.
The vast majority of these posts have content problems. Many of them have formatting issues. Some provide outright dangerous advice. One issue has been fixed poorly, everything else remains unfixed.
What the hell is going on here? Despite this place being owned by ColoCrossing, I don't want to assume the worst - but this is sure as hell starting to look like a content marketing game. Paying peanuts to get the bare minimum of readable text into a post, with zero quality control. ColoCrossing's recent IPv6 blog post stunt further supports this theory.
And before I get the usual "send an e-mail if you want to write for LEB and improve it": I last replied to @jbiloh on September 14, after several exchanged e-mails, attempting to establish payment terms and exact license. I have not heard back since.
Comments
Surprise
@Joepie91 thank you for the feedback, we will review your notes.
Okay, but are you actually going to change and fix things? I've complained about the content in the comments section for multiple posts. In one case, you even responded to the thread, so clearly you were aware of the (still unfixed) content issue before this thread existed. And now again, I get a completely non-committal response.
So what assurances do I have that something will actually be done about it this time? Why does this need to be re-emphasized again and again?
This kind of reactive attitude really isn't going to fix anything - I shouldn't have to point out every. single. problem. on your own site before you start fixing them, and the past criticisms should've already been a cue for you to review your policies and editorial process.
@Joepie91, I've taken over controlling more of the publishing elements, and have since scheduled out the next 1.5 months of posts.
I'll spend some time cleaning up the past posts you mentioned.
Thanks much for your notes.
Low hanging fruit, I'll grab that.
Perhaps if I have less time to write, I at least have some time to look for things to tweak for perfection.
I've already run through some of these and made some improvements, thanks again @Joepie91 for this excellent list.
I also dropped a thank you here: https://lowendbox.com/blog/host-your-own-dns-now-with-100-more-ad-block/ near the bottom.
Again, thanks!
One more special mention for you @Joepie91: https://lowendbox.com/blog/setting-up-an-encrypted-volume-on-your-ubuvps/
Thanks again. For now, bed time for me.
And you put at the bottom, assuming they've already followed and run the scripts, "please always remember to check the content of third party scripts before run-time" sigh
@Gcat
Step 1. Log in to your ColoCrossing-hosted VPS
Step 2. Use any LEB tutorials
Step 3. Realize that whatever you executed was malicious and encrypted everything on the disk
Step 4. Read the footnote
Step 5. Shrugs - oh well it was a cc vps they don't care about malware
So dramatic, check the post again :P
If it was, it seems that the DO article has been edited because they look quite different now. Obviously I could find out but I'm content with the content difference right now. Of course, similarities will inevitably exist in such a simple process regardless.
Fixed.
Fixed title. Disagree on second part. It says "can." Breach is a word that can describe a variety of scenarios, and disk encryption "can" provide some protection for some scenarios. It does not imply that it protects in all scenarios. I think that's reading too far into it, but the words don't imply that to me.
Replaced with VestaCP.
That's fine. At that point you have to assume a script has privileged execution on the system because the tutorial already advised against remote root MySQL access. In such a scenario, having details that vary from defaults can be instrumental in discouraging simple automated attacks. Unlikely variables? Sure. Completely unhelpful in every possible situation? That would be a bit naive to think. Obscurity has purpose, I will never agree with you that it does not. It's just not the means of security, but merely a step in a process. Considering it wasn't mentioned as THE path to security, I believe this is not inappropriate, though admittedly unnecessary in any situation I've encountered.
This is to say that if you've followed the guide thus far, this step is not hurting your security, and following that step has a higher theoretical probability of preventing a very specific compromise (that I've never seen happen) than not taking that step would have under the same theoretical compromise (that I've, again, never seen happen). All while simultaneously not creating additional theoretical threats by this action alone. So the best argument is that it's of too little theoretical relevance to matter, but not that it's a problem when following better advice.
Note added.
I think that's everything. My alcohol is wearing off. Thanks for the tips @joepie91 and I'll also try to be more observant of these things moving forward as well. I admitted my inability to solely maintain LEB but I still want to be able to do little things to make it better where I can.
Disappointed, but not surprised.
I don't know why, but I think, just maybe, it sunk in this time, I almost cracked a smile.
And ...... It looks like you found exactly what LEB needs, an editor!
Paying for content that is incorrect and having to rewrite/fix it. Bargain!
You have waaaay too much time
It wouldn't be low end if it wasn't screwed in one way or another
Advertising Stealth Blocking is unacceptable. This article also encourages people to send their DNS queries to Google.
I would replace this article by this line:
apt-get install unbound && echo -e 'nameserver 127.0.0.1\nnameserver ::1' > /etc/resolv.conf
Great to see that the admins actually care.