Recently Dean Shareski wrote about an issue he was having with his blog at Bluehost. The short story is his site got hacked, which happens to all of us. It’s the struggle of the web. But what was crazy was how his host reacted. Bluehost basically shut down his site, and said no access until he cleans it up. If you aren’t a sysadmin, cleaning up your site is something you need to learn, and doing that under the gun is no fun. So Bluehost suggests they use a service like Sitelock. They charge something like $200 to clean your site, and then an extortion of $150 a month to keep the service (which you need to do once you have been hacked). It’s effectively subscription based ransomware. What’s crazy is it is not just Bluehost, Host Gator does the same exact thing, and guess what, they share the same corporate overlord EIG.
When I heard about Dean’s situation from Tim, and the fact that despite paying Sitelock his site was still hacked and offline, it smelled like a first-rate scam, and it looks like it is. The worst part about it is these web hosting companies are colluding to manufacture a need. This blog post by Dumitru Brinzan is the most clearly documented case I have read on the internet of how this scam plays out:
In order to remove the restrictions we’ve placed, you must resolve the security issue and remove what malicious content was listed. If you do not believe you can do so on your own, you may use a reputable third-party security service, such as SiteLock, who can be reached directly at 877-563-2849. Please note that repeated reports of malicious content on your account within 60 days of an initial notice will lead to further action being taken, including permanent suspension after failing to professionally clean the account.
The dreaded email that your site is suspended until you clean up your shit comes with no warning, and is followed by an inline ad for a company that is claiming insane growth numbers to the investment world: Sitelock. It’s about as scummy as scummy can be, and reaches the level of scam when you learn that many of these accounts are false positives, but the default response, at least at Host Gator, is to suspend and collect. And this is not an isolated case by any means, just read the comments of the blog or look at other posts like Jennifer Ellis’s examination of how she was pushed to get Sitelock because a link on her site was to an infected site. That’s concerning, corporate driven takedowns because you may be linking to an infected site is certainly scam:
Once I got over my panic and took a closer look at my site, do you know what I found? The terrible, critical, scary alerts involved the fact that my site has a blog post. On that blog post I linked to a company’s website. Apparently, that site is blacklisted on Google at the moment. That site must be infected. That problem requires the following steps:
- Go to the blog post
- Remove the link
- Update the blog post
Yup. SiteLock wanted to charge me $199 to remove a link from a blog post. My site didn’t actually need any cleaning. There was nothing wrong with it.
This is a really good example of the worst of these web hosting scams. Preying off customers who may not be able to understand it or do it themselves is an abuse of power, and the idea should be you turned to this web host to protect you from these things, not to hijack your online world. Quite frankly we see this type of predatory selling, I think Mike Caulfield called it “hate-selling,” and a lot of domain scammers do this, but it is even worse to have your own hosting company taking it hostage. This also speaks to the broader problem with only basic literacy around the managing of your online life. The LMS, Lisa M. Lane argues quite eloquently, is stealing some of the mot germane opportunities we have to teach students about the web by defaulting to the ever abstracted and simplified LMS:
Increasing numbers of students have no conception of what constitutes a website, or a link, or a browser. With no understanding of how to navigate a complex web page or database, students have become unable to comfortably navigate a complex online course, regardless of the LMS. It is possible that only students with more sophisticated web skills are able to benefit from the learning pathways we design. As instructional designers remove more and more of our responsibility to construct these pathways ourselves, the “best practices” encourage computerized learning goals such as chunking, instant feedback, and tightly controlled pathways at the expense of discovery, integration and community.
If we don’t even take the basics steps towards a general literacy of how the internet, and more specifically the web, works across higher ed, then how can we ever expect broader understanding of how and why sites are online, no less what to do when they get hacked? Is this the domain of higher ed? I want to think so given there are some basic elements of identity and power relations at work online that need to be contextualized for all of us historically. This is the amazing works folks like Audrey Watters and Kin Lane have been doing for many years now. A frame for empowerment becomes ever more important as people use knowledge and ignorance to control judgement through fear as a means to push you into something—a quick “solution” to a broader issue of online identity, and all its concomitant problems. It is crucial people are encouraged and invited to expose themselves to how the web works so they can cut through the fear-based marketing that drives large parts of the web. So, I hate scams like this because they operate on fear and loathing, not the idea of curiosity and possibility, and the domain of education should be to battle the former with the latter.