Over the years, we’ve gained a reputation for providing support that is above average for the hosting industry. Obviously it helps that the average is really quite low, and simply providing helpful answers in a timely manner puts you some way above it, but we’re proud of this reputation and work hard to provide the best support that we possibly can.

@Mythic_Beasts Not just the best support of any tech company, but the best support of any company that I have ever dealt with. Superb.

— John Robinson (@torrlaneHartley) October 12, 2022

So what do we do differently?

Perhaps the biggest thing is that we don’t have any dedicated support staff.

Our support rota

Our support queue is staffed by a rolling rota that includes all of our technical staff. The staff responsible for managing our routers, running our DNS servers, developing our control panel and maintaining all our other infrastructure, all take it in turns to do regular days on “first line support”. And, yes, this includes our founders & directors.

The most obvious benefit of this is that customers get straight through to someone who can actually deal with their issue — all tickets are effectively escalated to what might elsewhere be considered second, or more likely third, line support, but without the hassle of fighting your way past chat bots and scripted replies.

There’s no need to say “Shibboleet” to our staff.

That’s obviously better for the customer, but conventional wisdom is that good technical staff are too expensive to put on first line support, and you won’t retain them if you do.

Our company trades on its reputation for good support, so cost cutting here would be a false economy, and you only have to look at the likes of Stack Overflow and Quora to see that many technical experts enjoy using their knowledge to help others.

It is true that our staff probably wouldn’t want to do support full-time, but mixing support with normal responsibilities actually provides some useful variety, and has a number of other benefits.

Been so impressed with the quality of support from @Mythic_Beasts while we moved Libreture to our new server with them.

I always aim to support independent businesses, whether buying ebooks or hosting websites. And Mythic Beasts make it an easy choice.

— Libreture – your ebook cloud library (@libreture) July 13, 2022

Direct customer feedback

One of the most valuable benefits of this arrangement is the direct contact between our technical staff and our customers. Our staff get to see directly what our customers want to do, and what parts of our website and systems our customers find confusing. They’ve also got a strong incentive to improve them so that they don’t find themselves answering the same simple questions again and again when on support, and because our “support staff” are also the people responsible for those systems, they’re in a position to actually fix them.

Perhaps one of the best measures of how well this works is that the average time to deal with a support ticket has gone up over the years. All the easy support tickets that we used to be able to clean up before the first coffee in the morning have gone, because the customer did it themselves the night before. The tickets in the support queue are getting harder, and this is good thing (and yet another lesson in the hazards of optimising for KPIs).

I have the dubious honour of causing a domain registration issue so awkward and peculiar that even @Mythic_Beasts hadn’t seen it before. Their support and advice was excellent though as always, can’t recommend them enough.

— John Leach (@johnleach) August 17, 2022

Why we prefer email support

Our rolling rota of support staff is one of the reasons why we insist on email for support. Having a written record of all communications on a ticket makes it much easier to hand tickets from one person to the next. Customers don’t have to spend time explaining an issue each time it’s passed to a different member of staff – although for more complicated tickets, we do quite often ask the person who first picked it up to carry on with it, even if they’re no longer on support.

How far will this approach scale?

We’ve operated this system for quite a few years and the amount of time we spend dealing with support queries has grown steadily with the company.

We’ve no plans to change this approach, but it’s quite possible that there will come a point where it makes sense to hire staff whose primary role is support. Like all things, the more you do, the better you get, and one of the costs of our approach is that using non-dedicated staff is inefficient — they’re more likely to have to look things up or check with colleagues when responding to tickets.

We have already taken the step of splitting out finance-related support tickets into a separate queue, which is dealt with by our finance staff.

If we do ever take that step of employing dedicated support staff we won’t compromise on the quality of support that we provide, and it’s likely to be in addition to, rather than instead of, our rolling rota, because of the benefits it provides to both us and our customers.

I’m struggling to fit into a tweet a satisfactory expression of the level and quality of the support @Mythic_Beasts provided to a party twice removed from myself (the account holder).

Customer service is King.

— Adam K Dean (@imdsm) June 26, 2022

The rest room has a nice view, proper coffee and our branded mugs

Since the announcement we’ve been working hard to figure out not only how to replace the space in MER, but also how to make the most of this chance to configure and kit out new space exactly as we want it.

A key part of the plan is taking on a presence in a new London data centre so that we retain three separate sites in London, and we’re very pleased to announce that our new suite in Redcentric’s City Lifeline (CLL) data centre in Shoreditch is now live, and that our migration out of MER is well underway.

Our CLL presence is connected back to our other two London data centres, Digital Realty’s Sovereign House (SOV) and Equinix LD8 (aka Harbour Exchange/HEX), via a lit fibre ring. The new space allows us to offer dual, redundant 10Gbps to servers, as well as dual redundant power feeds. As with all our data centre space, we have switched PDUs, enabling power to be remotely controlled via our control panel, and remotely accessible serial consoles, so that almost all server issues can be resolved remotely.

If you have services in MER and haven’t already heard from us we’ll be in touch soon to discuss migration plans. We’ve been working hard behind the scenes to minimise disruption to services from the migration out of MER. This includes network upgrades to enable IP portability between MER and CLL so that servers will not need to change IPs during the move and our team are doing a lot of late nights to reduce the impact of any unavoidable disruption.

If you’re interested in taking on new colocated or dedicated servers, please do get in touch as we’ve now got lots of capacity.

One of our most common support requests recently is for PHP 8 on hosting accounts. Until now, our policy has been to run our hosting servers on a stable release of the Debian operating system, and to only install operating system-supplied packages. The ensures that we have a reliable, stable platform that it is fully covered by Debian’s security updates process.

Our hosting servers are currently on Debian 10 (Buster) which means PHP is stuck on version 7.3. Debian takes a pretty conservative approach to updates. Not so much “if it ain’t broke, don’t fix it” but more like “if it’s broken, but not a security hazard, still don’t fix it”. This is an excellent way to manage a stable, reliable operating system.

On the other hand, PHP 8 was released at the end of 2020, and it seems that an increasing number of developers are now dropping support for PHP 7 in their products. We find it odd that developers would drop support for a current stable version of what is probably the world’s most widely use server-side OS, but nonetheless we can’t ignore the increasing number of our customers who need a more recent version.

Choose your own version

We decided that if we were going to support newer versions of PHP, we’re going to do it properly and it’s now possible for users of our hosting accounts to select which version of PHP they use using our control panel.

The PHP version can be selected independently for each website hosted, and changes take effect immediately, making it easy to test migrations to a newer version, and roll-back if problems are encountered.

Our hosting accounts support unlimited hosted websites, so if you want to test whether your site will work with a newer version, you can always spin up a staging site on a sub-domain and switch the PHP version for just that site.

Supported versions

We currently support PHP 7.3, 7.4 and 8.1 on our hosting servers, and are considering adding support for 8.0. If you have a requirement for a specific version, please drop us an email.

deb.sury.org

The thing that makes this possible is the excellent work of Ondřej Surý, long-term maintainer of Debian’s PHP packages. In addition to providing the official Debian packages, Ondřej also provides deb.sury.org, a private repository providing Debian packages for multiple versions of PHPs, built and maintained to the same standards as the official Debian packages.

Raspberry Pi Desktop is now available as a supported image in our Raspberry Pi Cloud on all Raspberry Pi 4 servers, providing a true remote desktop.

This is set up with the standard desktop operating system, a virtual 1080p monitor attached and VNC set up for immediate desktop access, and is secured using an SSH ‘tunnel’ to access your desktop so everything is encrypted between the client and server.

Install the desktop edition on your Raspberry Pi:

Add your SSH key:

Power the Raspberry Pi on:

You can then connect to the Rasberry Pi as normal, but now add “-L 5900:localhost:5900” to the SSH command line, which will bind port 5900 (the default VNC port) on your local computer to port 5900 on the Raspberry Pi on the other end of the SSH connection.

(If you’re using PuTTY or a similar SSH client, you should be able to find the relevant setting in Connection>SSH>Tunnels – you’ll want to set the source port to be “5900”, and the destination to be “localhost:5900″.)

Next, connect to the server (substitute ”1234″ for your SSH port, found in the control panel, and use the name of your hosted Pi) as root to establish the connection:

$ ssh -L 5900:localhost:5900 -p 1234 root@ssh.yourserver.hostedpi.com
The authenticity of host ...
ECDSA key fingerprint is SHA256:.....
Linux rpi-bullseye-arm64-vnc...
....

Then, set the password for the Pi desktop user:

$ passwd pi
New password: 
Retype new password: 
passwd: password updated successfully

And finally, connect with a local VNC client to “localhost” and up pops a desktop:

Raspberry Pi virtual desktop running on a real Raspberry Pi in our cloud.

A log cut into snail shells (public domain image from Simpon Speed)

On Friday 10th December we became aware of an extremely serious security issues in Log4J, a logging component in widespread use by applications written in the Java programming language.  The vulnerability has been nicknamed Log4Shell.

What is Log4Shell and Log4J

Log4J is a library to make writing data to a log file easier. It’s highly configurable to make it easy to send the right level of logging data to the right place and it includes bits of intelligence so you can log placeholders and have Log4J fill in the correct value for the environment. So if you’re logging an error in your application and you want to know what version of java is currently running your application you can log:

${java:version}

which will be replaced with the currently running version number of Java.

However, it is very common for log messages to contain user-supplied data.  For example, a login form might log the username from a failed login attempt, and many applications don’t check the data the user supplied for magic values like this.  So, if I were to attempt to log in with a username of ${java:version} instead of Pete, the logfiles will say:

Failed login attempt for user: "OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04)"

rather than what the application developer expected which would be:

Failed login attempt for user: "${java:version}"

One of the other magic strings uses LightWeight Directory Access Protocol (LDAP) to look up data from a remote server and the remote server can specify additional software to install and run in order to process the answer from the LDAP server.

If an end user can set something that will go to a log file to a magic LDAP string pointing at a server they control they can make the java application request code from that server and make the target system execute code they just supplied. This effectively hands full control over the java application to the person that logged the magic LDAP string. Effectively you can turn a piece of data that is logged into an administrative shell on the target server, hence the name Log4Shell.

The vulnerability is very nasty for a number of reasons. Firstly, it’s a trivial-to-exploit remote code execution vulnerability. You literally send the application a URL to the code you want run and it runs it. Secondly, Log4J is very widely used, including in custom software, and many applications are likely to be vulnerable.

Managed customers

As part of our server management service, we monitor and assess all security advisories for operating system packages, applying serious 0-day vulnerabilities immediately to customer servers.

Unfortunately, Java applications almost never use system-provided libraries, and will instead bundle their dependencies as part of the application. From the point of view of our managed service, updating Java applications with an embedded Log4J is the technically the responsibility of the customer.

However, given the severity and ease of exploit of this vulnerability, we’ve been doing everything we can to help customers who may not even know that they’re reliant on Log4J, let alone where their application is vulnerable.

Going above and beyond

As part of our managed service we install an internally written package called Mythic Reporter. This logs a lot of data from servers every day about what the servers are doing. We then have a centralised process that reads the reports and automates auditing for common issues. With this we can spot things like:

• One of the hardware devices in your storage array is broken or is in a pre-failure state.
• Database replication appears not to be working.
• A filesystems has gone read-only.
• You have mirrored filesystems but not mirrored swap space.
• The cryptographic keys used by ssh that are weak or are blacklisted.
• You have a database running but no backups configured.
• You’re using the stock i40 network module for Debian which is unstable.
• Your server has thermally throttled.
• … and many others.

We can also utilise this dataset for other things. We log the full process list and listening network sockets for every managed server every day. So it’s a small matter of scripting on our reporter server to find the full list of client servers that have a network listening application written in Java. One staff member set about writing a customer notification, one understanding how nasty the security issue was and one building the full list of likely affected customers.

To every managed server customer running a java server process, we sent this email:

We have become aware of a serious security vulnerability in the log4j
logging package for Java. You're receiving this email because our 
records show that your managed server is running Java.

At this point, a full list of applications that are affected by this
vulnerability is not available, but given the widespread use of log4j, 
the severity of the vulnerability (remote code execution) and the
typical ease of exploitation, we strongly recommend investigating
proactively whether any Java applications that you are using are
vulnerable.

Your Mythic Beasts managed service includes monitoring and upgrading of
operating system packages, but does not cover software installed by
other means.  Java applications typically rely on JAR files that are not
provided by system packages, and in this case we are not able to detect
or apply necessary upgrades.

You can find more information on the vulnerability, and the affected
versions of log4j, here:

  https://www.lunasec.io/docs/blog/log4j-zero-day/

Whilst we cannot assess whether your server is vulnerable to this
vulnerability, we are happy to provide advice based on the information
that we have.

We detected Java running on the following servers:

-- list of servers --

We then opened tickets in our ticket tracking system for all affected customers so we could close them off once we’re confirmed they were either not vulnerable, or had been patched.

Auditing

We then started auditing the identified customer servers, scanning for installations of the Log4J library and notifying customers as to whether the libraries they have installed are vulnerable or not. We utilised reports from software providers to prioritise fixes. For example Jenkins may be affected depending on the plugins used.

We have worked through the list contacting every customer to confirm if we or they could upgrade the affected component or if we could mitigate through configuration changes, and this afternoon we have been chasing likely affected customers who haven’t responded to encourage them strongly to work with us to fix this issue.

If you run Java-based services and you’re not already a customer of our managed hosting service, then you’ve probably been quite busy over the last few days. If you haven’t been, then you may want to consider signing up.

Dependency management

Log4Shell is a somewhat vicious lesson in dependency management. Every time you import third party code, you need a process for monitoring security advisories for it, and for updating it as required. This is why we have a strong preference for using operating system packages wherever practical, as this delegates the whole problem to the operating system maintainers and makes automatically finding and updating affected libraries trivial. Being able to automatically find vulnerable packages is critical, as you can be guaranteed that when a serious vulnerability is discovered, the bad guys will automate it.

Yesterday (7th December) we attended the virtual IPv6 forum annual meeting. We were delighted that our director Pete Stevens has been added to the IPv6 Hall Of Fame as an IPv6 Deployment World Leader.

Unlike most awards we turn down, you can’t win this one just by paying for a hugely expensive table at an awards ceremony.

We also got an update on how IPv6 deployment is going through the UK. Happy to hear from BT that they’re making excellent progress replacing all the old HomeHubs with new IPv6-capable consumer routers. Sky Italia has deployed a consumer broadband network that’s effectively IPv6 only – IPv4 is provided as a service on top with MAP-T. As this is a form of carrier NAT they’ve managed one IPv4 address per 16 subscribers. This compares with their initial dual stack rollout we reported on from the 2019 council meeting.

Lastly it was noted that the cost of an IPv4 address on the open market is now around $60; increasing numbers of server providers are following our lead and making an IPv4 address an additional and removable option on the order form.

We’re delighted to announce our sponsorship of Organic Maps. Organic Maps is a simple, user-friendly application that downloads complete Open Street Map data to your phone, allowing you to use their mapping application offline complete with route planning from the on-device database.

This is a wonderful application. It doesn’t track you, advertise at you or flood you with non-notifications, and it works without mobile data and conserves battery life. So if you’ve ever been lost without signal or somewhere where roaming data is prohibitively expensive, or to a very busy location where the mobile networks were overloaded this application is genuinely better than the alternatives.

While the app avoids the need for mobile data, this comes at the cost of a significant up-front download of all the mapping data that you may or may not use offline. This won’t trouble typical home broadband, but for the servers at the other end it adds up quickly. We’ve stepped in and offered two 4GB virtual servers with 400TB/month of free bandwidth to Organic Maps, split between our London and Amsterdam zones, reducing the reliance on a traditional and bankruptcy-inducing large cloud provider.

“Use the cloud, it’s cheap,” people often say, incorrectly.

A competing quote from a slightly cheaper large cloud provider

At our list prices this would be somewhat cheaper:

Being 90% better value is achieved in part by not having to fund our own space programme.

We’ve just rolled out a new addition to our range of APIs for managing services: the Domain Management API. This new API allows you automate management of your Mythic Beasts domain registrations.

Access to the API is controlled by API keys, which can be managed in our customer control panel. As for our DNS API, the keys provide fine-grained control over access, allow you to grant permissions on individual domains, or all domains on your account, and to restrict a key’s access to specific actions.

Fine-grained access control

The API gives access to information about your domains, such as the expiry date, nameservers, and domain status.

At present, the API only supports a small number of actions, although we intend to expand this in the near future. At present, the following actions are supported:

• Setting nameservers
• Setting DS records
• Locking/unlocking domains (where supported)

The ability to set DS records makes it possible to automate DNSSEC key roll-over, although it’s worth noting that we offer a free managed DNSSEC service which takes care of this for you, so you’ll only need to use this if you particularly want to control your DS records yourself.

The API is currently in public beta, and documentation can be found on our support site. We’d very much welcome feedback on the API, including suggestions for operations that you’d like to see supported. If you have any feedback, please contact us on support@mythic-beasts.com.

A small galaxy hit the bullseye of NGC922 about 330m years ago. More information: www.spacetelescope.org/images/heic1218a/
Credit:
NASA, ESA

Congratulations to the Debian team for their new release of Debian Bullseye (11). Just over two years of hard work have resulted in over 40,000 package updates and 10,000 additions.

We’ve made images for our VPS cloud that are available in all regions and included the install ISO for customers who prefer to build their own OS images. Sympl, a management package for web and email hosting that we maintain has been updated to support Bullseye with packages available for download.

Our mirror server is up to date with the Debian Bullseye packages. We’ll now be looking at deploying new systems on Debian Bullseye and starting our upgrade program for Debian Stretch and Buster systems.

The UK Debian folks will be having a small party in Cambridge in a few days time and we’re sponsoring the beer to say thank you. It’s a weekend full of beer and barbeques.

Our Pi 4 servers all wear the Power over Ethernet HAT to provide power and cooling to the CPU.

Since the launch of the 8GB Raspberry Pi 4 we’ve had many requests to add these to our Raspberry Pi cloud. Meanwhile many Raspberry Pi users have read about overclocking the Raspberry Pi and running at a higher clock speed.

Overclocking further increases the computing power of the Pi, but brings significant operational issues for our Pi cloud. Not all Raspberry Pi hardware will run reliably at the higher clockspeed and the higher voltage required to support it. Increasing the clockspeed and voltage significantly increases the power consumption and thus the cooling requirements necessary to prevent overheating. We’ve spent a considerable amount of time testing and we’re now ready to launch our first 8GB Raspberry Pi 4 cluster. We’re offering them at two clock speeds: the stock 1.5GHz and overclocked to 2GHz.

The overclocked Raspberry Pis have all been run at a significant CPU load for several weeks to test their stability before release. Any that failed the stability test have been added to the cloud at the normal 1.5GHz clockspeed.

The 8GB Pi is available at 1.5GHz and 2GHz clock speeds. Supported operating systems are Raspberry Pi OS 64 and Ubuntu 64.

Larger fans provide more cooling to our 8GB Pi4 cloud so we can run at higher clockspeeds.