First, I don't know much about the business relationship, so this is all speculation. But I do see opportunity for $$, justified (pardon my politics) by fear, uncertainty and doubt about security. After all, they were hacked, files were missing, and they were down for over a day. Who knows what else; forensics was not performed, only recovery.
You said you manage the site. I presume you get paid. They didn't pay you enough to keep current with software versions. Their bad. But that is tempered by the understanding they had when they entrusted the site to you: do you 'own' the security? Did you give them assurances? Or was it overlooked, and is it now a problem?
If you have time (if you don't, subcontract it), figure out what needs to be done to update the box to current standards, including the web pages/apps (if you do those, or even if not), and send them a total estimate. They will 'negotiate', but mostly they need to understand: _this_must_be_done_ to prevent recurrence. They will pay if the website draws business to them (read: $$$$). Temper this suggestion by how important it is to them.
I see money in your future, with a serious reason for doing so [security]. Please include a monthly fee to stay current on software/apps (15-20% maintenance). You will take care of them better if they pay as a monthly customer; the relationship will be more important both ways.
If you are doing it for a co-worker/friend/family or such, then I wouldn't be so harsh. But for arms length business arrangements, I'd say cha-ching. And it would be money well spent (on both sides).
Ron
________________________________
From: [email protected] on behalf of Jonathan Hutchins
Sent: Fri 2/25/2005 5:42 PM
To: [email protected]
Subject: Re: Server Saga
> On Friday 25 February 2005 05:22 pm, Geoffrion, Ron P [ITS] wrote:
> > One plan I think is rather valuable is to simply run the server and watch it very carefully.
> That would make it a honey pot in production. I would advise more active measures (if you have access/control/contact over the network/firewalls).

I'm open to suggestions; I certainly didn't imply that was the _only_ thing I'd be doing. I do need to maintain the server in production; I do not control the firewalls, but they are well managed.

_______________________________________________
Kclug mailing list
[email protected]
http://kclug.org/mailman/listinfo/kclug
Ron, I appreciate the spirit of your message, but let me correct a couple of things.
On Friday 25 February 2005 07:15 pm, Geoffrion, Ron P [ITS] wrote:
> they were hacked, files missing, and down for over a day.
About fifteen hours, actually.
> They didn't pay you enough to keep current with software versions.
While I haven't performed a release upgrade due to various compatibility and hardware reasons, the system is kept current on available updates, including security patches.
Believe me, they're glad to have me working for them. Compared to other servers that have been hit this week, they came off golden.