Thanks Mike - I won't worry about the brute-force physical access thing. If you are correct that once I change the admin password and make sure there are no more accounts on the box, then Sam028 has no access. Then it is great and it addresses my concern. It will be great if Sam028 can confirm this (Sam if you are reading this).
Let me point to another thread outside of futures.io (formerly BMT) (hopefully it is ok) that has caused me to wonder on this aspect of the security. The writer below runs a VPS firm. He clearly suggests that staff at the firm have a "support" password. He explains in detail about the processes that they typically have at a VPS firm to ensure some staff don't steal IP from the virtual machine. However, he nowhere mentions that something as simple as just changing the admin password will render it impossible for VPS company staff to access the VM. So, it appears from reading his comments, that even after changing admin passwords to your VPS, admins retain access to it through some support password. If my understanding is wrong on this aspect, I will be happier.
That is just that company insisting on having a backdoor. I wouldn't use such a company. No one has access to my boxes but me, and I am sure @sam028 is the same way.
I can confirm that I'm asking each new user, when he begins his one-week trial, to change this password.
I also mention in the introduction email that we are not doing backups of our users' VPS, so we can't have access to their data. A small tool is installed on our VPS to block each IP trying to log in more than 3 times with a wrong password.
When a guy loses his Administrator password (like someone in this forum who decided to change his password after a long party with a lot of alcohol, it seems), we usually re-install a new VPS.
So support does not have our customers' passwords, and if they want us to take a look at their VPS, they change the password and we check what we have to check. It can be done with the customer seeing what we're doing, but most of the time I do this alone, with their approval. It's also because they know me a bit, enough to trust me.
In my case, I'm also selecting my customers: I have to trust them (no pirated software, IRC servers, game server, torrents download, ... on the VPS, it's made for trading), so they should trust me a bit too.
I won't go into details, but it should be possible to crack a VPS Admin password, when you're admin of the physical server. Not easy and long, but possible.
But let's see what happens if someone has access to, let's say, 200 systems.
What next?
Use all these systems? Backtest and optimize them one by one?
What are the good parameters/instruments?
Ready to risk real money with someone else's ideas, risk tolerance and start capital?
Nobody will do that, unless they are really insane.
Just for the story, one of my customers asked for some help and advice for his strategy, which was running in simulation on a VPS. After some time we talked a bit, I helped him to check his results (which were very good), and to thank me he offered me to use his strategy myself, for my own accounts. I told him that I won't use it, because the contract traded was too big for me, it was not my idea so I'll never 100% trust it, and for a few other logical reasons.
If a system thief can think a bit, he'll do the same, that's why I don't think it's so critical to have a strategy/system stolen, if it happens. The real risk is someone connecting on your account and blowing it for fun, or trying to steal the account's money, but with only an access to the machine, it's impossible (if you have to give, like for IB, your birth date, your first pet name, and a ton of personal questions).
BTW, I'm not sure I understand why the other VPS company needs to have an access, but I don't think we have the same kind of users, as it seems to be more Forex/MT4 oriented (small accounts, young guys who want some fun and emotions losing $0.002), and they accept everybody.
I don't think I have a single MT4 customer, but mostly futures/stocks/options traders, and some small hedge funds.
And last word (I didn't expect to be so loooong....), if you're really paranoid with a server, just unplug the power cord and the Ethernet cable.
Thanks Sam for this thoughtful response. I'm not yet in the market for a VPS, but you almost already sold me one.
On a more serious note, would it be possible to limit the VPS log-ins to a certain range of IP addresses? For example, wouldn't it be safer for your own VPS if you exclude all non-French visitors from accessing the VPS in the first place? Or would this give a false sense of security, since a hacker can then use a French PC to attack you?
You can allow the connection to only some specific IP ranges, so if you have the IP range of a single country, that is possible (in theory). But this IP geo-location stuff is not 100% reliable.
The best solution is, IMHO, to let your VPS act as a VPN server, and then connect to your VPS using your client VPN network interface to log in.
I started to write what's in place to avoid hacking, but finally I won't give too many details for security purposes.
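The two controls mentioned in this thread (blocking an IP after more than 3 wrong passwords, and accepting logins only from specific IP ranges), sketched as an added example that is not part of any post and is not the tool used on these VPSs. The event format, the reset-on-success rule and the addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MAX_FAILURES = 3  # from the thread: block an IP after more than 3 wrong passwords

# Constructed sample events (time, source IP, outcome); not real hosts or logs.
SAMPLE_EVENTS = [
    ("09:00:01", "203.0.113.7", "FAIL"),
    ("09:00:03", "203.0.113.7", "FAIL"),
    ("09:00:04", "198.51.100.20", "FAIL"),
    ("09:00:05", "203.0.113.7", "FAIL"),
    ("09:00:06", "192.0.2.55", "FAIL"),    # source outside the allowed ranges
    ("09:00:07", "203.0.113.7", "FAIL"),   # 4th failure: exceeds the limit
    ("09:00:09", "198.51.100.20", "OK"),   # success resets the counter (assumption)
    ("09:00:10", "203.0.113.7", "OK"),     # right password, but already blocked
    ("09:00:12", "198.51.100.20", "FAIL"),
]

def evaluate(events, allowed_ranges, max_failures=MAX_FAILURES):
    """Return (decisions, blocked) for a stream of login events."""
    nets = [ipaddress.ip_network(r) for r in allowed_ranges]
    failures = defaultdict(int)   # consecutive wrong passwords per source IP
    blocked = set()               # IPs that exceeded max_failures
    decisions = []
    for when, src, outcome in events:
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in nets):
            # Range filter runs first, so these sources never reach the login check.
            decisions.append((when, src, "deny: outside allowed ranges"))
        elif src in blocked:
            decisions.append((when, src, "deny: blocked"))
        elif outcome == "OK":
            failures[src] = 0
            decisions.append((when, src, "allow"))
        else:
            failures[src] += 1
            if failures[src] > max_failures:
                blocked.add(src)
                decisions.append((when, src, "deny: now blocked"))
            else:
                decisions.append((when, src, "deny: wrong password"))
    return decisions, blocked

if __name__ == "__main__":
    for d in evaluate(SAMPLE_EVENTS, ["203.0.113.0/24", "198.51.100.0/24"])[0]:
        print(*d)
```
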
I'm sorry but it would be a project of undertaking beyond my time and means. I think it's better to be honest about this than promise anything and fail to deliver. Thanks for your appreciation.
Sam, I am having some issues related to loss of information in high data times, the CL EIA report, for example. I have been talking to my ISP about bumping up my service, but already run at 20mbps service and receiving about 16mbps on a test to Chicago or New York from Orlando. Pingtest shows me to be about 70-80 ms.
Would running on a VPS help me get better results than I am getting now? I just learned about it this morning, and your thread here was the first thing I saw that made some sense to me. I saw the "free trial" mentioned and am curious. Thanks.
Your problem is maybe not the bandwidth itself, but the latency and the quality of your data feed provider.
16 mb/s is more than enough for market data burst.
Send me a PM if you want to try a VPS, or use the contact page on my (ugly) web site, futures.io (formerly BMT) fellows are always welcome.