Hacker News
by akronim 5470 days ago
Having backups that are accessible if you get hacked doesn't really cut it. I'm guessing there wasn't a huge amount of data involved here, and if there was a set of tapes in a safe somewhere a lot of people would be much happier right now.

Maybe this isn't viable for budget hosting. But even the host's website is unavailable, obviously that is critical for their business and it appears it itself wasn't securely backed up. And this is hardly a totally unexpected scenario, it should have come up pretty quickly in a "what could go wrong" stage of their backup planning.

1 comments

Yeah, I agree completely. What they had wasn't adequate and the proof is the outcome.

All I'm saying is that from the outside it's easy to take a fairly simple view and propose a technical solution. This looks like a very malicious attack designed to take down the business, the sort of thing that doesn't happen without a reason. If this is the case here then the problem changes from one that's purely technical to something bigger. Something that can't have a purely technical solution. (Note: I'm not part of Distribute IT as may be suspected by the fact that I'm new to HN.)

You're right but...

IMO, anybody that decides to venture into hosting should behave as though they've just walked into a warzone with a huge red bullseye on their back, and take precautions accordingly. Yes, there are certain things that just aren't immediately feasible before you launch, but the goal should be to get basic redundancies online quickly while you're operating.

By the time you have 4,000 customers, if you don't have backups for your backups, you're being negligent. And I say that without any malice whatsoever ... my experience with a lot of hosting companies, both big and small, is that Distribute wasn't doing anything out of the ordinary.

The thing is, targeting backups isn't new at all. It's been done before, and made the news before; at this point, it's not something that should surprise a sysadmin. i.e., the thought process immediately after setting up your backups should be, "OK, now what happens if a hacker tries to hit them too?"

So, yes, this is armchair quarterbacking, and yes, this is common behavior in the industry. But that still doesn't make it excusable in the least.

EDIT: Just to expound a little more on this, the reason I have such a hard-line stance on this is that, as a hosting provider, you are effectively taking responsibility for your customers' data and, in some cases, their livelihood. Yes, ideally, every customer would have their own backups and could move themselves to another host within an hour, but the reality is that it doesn't happen that way. Customers often have websites whose only copy is on your systems, email that's stored only on your systems (because they habitually use webmail, a service that you provide which makes that problem possible). Having "not our responsibility" in your TOS is very much not enough; you must be taking every reasonable precaution to safeguard your users' data, and in this case, Distribute -- along with many, many other hosting providers -- was not, because they did not have secured backups.