Data Center Hub

Internet Data Center and Hosting News and Views

The true cost to American taxpayers for low skilled immigrant workers

Filed under: Beefs — Bill Laakkonen at 10:39 am on Friday, May 25, 2007

It should seem obvious to most Americans that the cost of low skilled immigrant workers is greater than the benefits offered by having an inexpensive head of lettuce in the grocery store. Having cheap tomatoes for your taco bell burrito is also a falsehood. The fact is that having the cheap immigrant labor in the USA is exactly the same as corporate America BORROWING money from your children. As Americans we should simply not tolerate such bad behavior as hiring undocumented workers as it is against the law.

The folks over at heritage.org have written a paper regarding the true costs to American taxpayers of the benefits received by low skilled immigrant workers versus the taxes paid, the long term cost in the form of automatic citizenship for children born to illegal immigrant parents, and the policy of granting automatic citizenship to parents of Instant Americans. You may ask, what is an instant American? In my dictionary an instant American is any child born in the USA whose parents are illegal immigrants. It is a longstanding policy of the USA to automatically grant citizenship to any child born on American soil regardless of the parents’ citizenship. As a consequence of this policy many immigrants are encouraged to enter the United States illegally so they may create an instant American as a path to citizenship. Once they have created their own instant American, this child, at the age of 21, currently has the right to petition for automatic citizenship for his parents thus creating new liabilities to welfare and Social Security. According to the heritage.org report the true cost for each low skilled worker entering America is a net loss of roughly $20,000 each year. Here’s a chart. The figures increase exponentially once the child’s parents reach retirement age. Those cheap tomatoes will cost the average US taxpayer about $40,000 in the future. We need to stop this now.

Many people believe the United States is a democracy. We’re really a democratic Republic. What this means is in a democratic fashion we elect representatives who in theory know better what we need than we do as average citizens. The new immigration bill before Congress at the present time is one of those situations where the representatives believe they know better than we do as average Americans. What they are really doing is simply telling us what we would like to hear while catering to the needs of corporate America at the expense of the American citizenry.

America is a nation of laws, if a person does not follow the rule of law there are consequences in the form of punishment. For example if you attempt to navigate the interstate at speeds in excess of the posted speed limit, you can expect that the law will be enforced and you will be detained and issued a ticket for your violation. Unfortunately, at the Federal level, we seem to have a rather spotty record of enforcing laws in a consistent manner.

It should seem obvious that we have enough laws in place for immigration and that the issue is not actually immigration itself. The issue at hand is the obligation of the Federal government to protect our borders and enforce existing immigration laws. It should also seem obvious that if we cannot keep three million illegal immigrants from entering our country we certainly cannot keep terrorists from entering our country. So what should we do? As Americans we should insist that no new legislation be passed until the existing legislation is enforced in a consistent manner and enforcement of our borders is realized. It is a fundamental function of the Federal government to protect and enforce our borders as this is a job that individual states would not be able to do except within the bounds of their own borders. The failure of the U.S. government to protect our borders in an effective manner clearly indicates our lack of sovereignty. The United States appears to be the welfare agency of the majority of central and South American countries. While America has always desired to have good relations with our southern neighbors it has reached a point of abuse. This abuse is a condition which the average elected representative does not see on a daily basis. It is certain there are no senators who, upon entering a burger king and attempting to order a number two meal, have had the person at the register fail to recognize and understand what was said. It’s also certain that no senator has ever asked to speak to the manager of a burger king restaurant and been told “everybody speaks Spanish, you better get used to it”. I can certainly order a number two meal in Spanish- however I do not live in a Spanish speaking nation. I do not believe that people who are here as guest workers or people who are here to become Americans should force their values and their language upon their host. 
The very fact that many of the newest wave of immigrants to the United States are not assimilating is in fact changing the USA into the very third world nation which they seek to escape. The subjugation of English as language of the United States may seem to be merely an annoyance as many of us do speak more than one language - the reason for this illustration is not simply the matter of the annoyance itself, but rather to illustrate the indignant right and expectation of entitlement that our southern neighbors are currently expressing. At some point there may be more Mexicans in America than in Mexico - so perhaps America should consider a course of annexation for the Mexican nation as they fail to enforce their borders as well. One forgets in the course of this discussion that there are two sides to each border. Our neighbors to the north in Canada do not seem to have the same border enforcement issues that our neighbors to the south have.

What can Americans do?

  1. Contact your senator and express your opinion very loudly regarding enforcement of existing laws and protecting our sovereignty -a nation at war which cannot control its borders has lost any conflict whether the conflict exists directly at the borders or not.
  2. Wait for your elected representatives to do the right thing. For example, the annexation of Mexico solves the problem permanently and ultimately gives the USA a much smaller border to the south. We are already at war so expanding the scope to include those who are actively supporting an invasion of our nation does not seem unreasonable.
  3. Move to the European Union and forget about being American; skip that idea, due to immigration quotas you probably will not be allowed to move to most EU countries, although I hear Sweden is accepting many of the casualties of our war on terror. Forget about migrating to Canada too unless you have lots of education and money.

One thing is clear to me; Canadians and EU residents get more respect than Americans. I wonder why? Is it because they enforce their borders better than the USA or is it because they enforce their laws?

ISO 17799/27001 BS7799 IT Security policy resources

Filed under: Security — Bill Laakkonen at 9:29 am on Thursday, May 10, 2007

Who needs IT security policies and what types of organizations must comply?
Regardless of the size of your company, you should have an IT security policy in place. Even if you’ve not put one in writing yet, you have a policy already. In most small companies the policy is an island approach where every individual is left to his or her own devices and while this has worked well in the past, it must change in the future. In the past, with the exception of burning down your offices, damage from a single employee’s actions would usually be limited to their own files and sphere of influence. Today, the actions of one can affect your entire IT structure and wreak havoc and even destruction or disclosure of your data. Running your business without a policy in place is akin to setting sail in a boat with no rudder. The winds may carry you safely somewhere, or smash you into the rocks at any time. At a minimum the security policy should act as a guide for your business. If you have more than one employee, you should have a policy in place. For companies with up to 200 employees, the ISO 17799 standards allow management to have a better awareness of IT security and for larger organizations, the standards should allow the creation of a mature and compatible IT security culture within the company.

What organizations are required by US law to have IT security policies? The short answer is all public companies and virtually all companies in the health care business who handle electronic patient data.
The Sarbanes Oxley Act (SOx) section 404 requires public companies to document their IT and financial controls as well as issuing an annual statement of the effectiveness of the controls. Whether your company is large or small, if you make periodic filings under section 13 (a) or 15 (d) of the Exchange act, you’ll need to comply with SOx.

HIPAA Subpart C Section 164.306 (c) requires covered entities to apply specific security standards regarding all protected health information.

How does one implement a policy and what standards are involved?

Of course, you can go to the ISO web site, purchase a copy of the ISO 17799:2005 standard in PDF, and write your own policies from scratch. Or you can start based on templates created by others.

One of the simplest ways to get started is by evaluating a sample policy based on ISO 17799. There are two easy ways to do this. One is to purchase a commercially available template system, and the other is by using Open Source documents as a starting point for your policies. The Lazarus Alliance started a wiki for this purpose about a year ago and while it’s a work in progress, reviewing the ISO 17799 documentation in the wiki should give you a good start towards ISO 17799. Bear in mind that the wiki is a work in progress and may not offer a policy as comprehensive as a commercially offered set of templates.

For commercial templates, there are quite a few revealed with a simple search on Google. The majority of those in the top results appear to be from the same creators with similar descriptions and pricing. The hype of this creator leads me to have a jaundiced eye towards the product (for example they claim Patriot Act compliance - unless you are an ISP, you need not worry about this act. Having said this please note I am not an attorney). I personally would demand a review period to evaluate the quality prior to committing money to the e-janco templates. Another sample template system is available for a free review in PDF format from RUSECURE. Having reviewed this template, I can opine on the quality and thoroughness of the policies in their templates. At half the price of the Janco templates and with a seven day money back guarantee it would be hard to go wrong with this template set.

You may also consider buying a software solution to generate your security policies. One such solution is produced by Callio though you will find many others on the market for a DIY approach.

Another option is to hire a consultant to do all the steps for you. In most cases, the consultant will likely start with a software toolkit or templates and customize them as needed for your business. This is by far the easiest way to get a policy in place but do remember to do your due-diligence on the consultant and inquire as to his background, qualifications, and real-world experience prior to hiring. A good consultant should also be able to provide a clear detailed proposal covering costs and milestones prior to beginning work. One last bit of advice: never pay the full consultant fee in advance. My experience from both sides of the table indicates structured payments based on milestones with a final payment upon full deliverables works best for all concerned.

Design for Section 508 compliance can save time and money.

Filed under: SEO — Bill Laakkonen at 10:35 am on Wednesday, May 9, 2007

The best reason to be Section 508 compliant (besides the Law) is increased visibility in search engines and better usability for your visitors. Another benefit is the ability to have your content viewed in a wider variety of User Agents (such as cell phone based web browsers).

It is almost ten years now since the US Congress amended the Rehabilitation Act requiring agencies to make their electronic and information technology accessible to people with disabilities.

Section 508 was enacted to ensure people with disabilities are not excluded from accessing information by requiring the elimination of technology barriers. The barriers most often encountered by the disabled on the Internet are excluding technologies such as Java, JavaScript, and the overused technology of Flash animation. First, let me say I am not an anti-Flash extremist. I have in fact used Flash technology in designs and find there are many compelling applications for it. YouTube is a fine example; as are interactive training applications. The NOAA web site illustrates the proper use of Java technology in a 508 compliant manner well. Unfortunately, most of the applications of Flash and Java technology are gratuitous and seem implemented by otherwise well meaning web designers, much to the detriment of both the web site and the disabled visitors (customers) of the site. The most significant sight impaired visitor your web site will ever have is a search engine robot. You should always design your site as if the robot were your prime audience FIRST and then add the eye-candy (read Flash) later.

Here are some reasons and places on your site not to use Flash:

* Navigation. You should never make your web site navigation accessible only via Flash. This is a sure way to eliminate the disabled visitors of your site from navigating it. It also eliminates spiders from crawling your site if the only links are embedded in Flash.
* Content. Embedding content is a sure way to control the presentation of your site and also a sure way to prevent most search engines from including your site in their results. If a person is sight impaired they may not be able to access your content no matter how pretty it may appear to the sighted.

Other design errors to avoid for Section 508 compliance include the use of Frames and lack of a text equivalent for every non-text element such as images or Flash animations. I suppose at this point the quickest way to demonstrate what not to do would be by an example and illustration of what the sight impaired person (or search engine robot) may “see”.

Here is an example of what not to do for a Section 508 design: City of Stuart, FL Web Site

Official City Of Stuart Web Site

Here is a nice screen shot of this web site rendered in a (sight impaired) text based browser. As you can see from the image, the sight impaired get a message of “go away” rather than the alternate content which should be there. Of course this should bring home the fact that frames are possibly the worst thing you can do for your web site.

Now let’s go a little further and follow what links we DO have. The first is labeled “banner”.
I won’t bore you with an image of the banner frame- the frame contains this text: [banner_rev2_web.jpg] -which should drive home the reasoning behind the ALT requirement for non-text elements. An alt tag should be there to label the image with something such as “The Official City of Stuart web site” or similar.

Following the main frame link we have this page rendered in the Lynx browser:

City of Stuart Main Page

You should see the first thing on the page is navbar.swf - a Shockwave/Flash file containing the navigation for the web site. Most search engines (and virtually all sight impaired visitors) will not be able to navigate the rest of the site other than the regular links on this frame page. The item on this page labeled EMBED is ironically a request to take a survey for feedback on this web site. The form posts to a simple FrontPage web bot save results component so the use of Flash here is gratuitous. A text link to the survey would work much better. In both cases where Flash is used here, GIF images with alt texts could have done the job with widespread support for virtually all user agents, even for the sight impaired.

The fact that the designer took the time for a survey on her site indicates her care for the improvement of her customer’s experience with their web site product. Unfortunately, this site needs much improvement and perhaps more so is typical of the implementation seen with many service oriented web sites. It is important to remember the site exists solely to serve the visitors and failing that service leads to increased load on your staff as well as other costs. A Section 508 compliant web site has many benefits and chief among them is the saving of your resources when visitors can locate and access information quickly without tying up your staff on the phones, with email, or Faxes.

You may be wondering how you can check your site for Section 508 compliance. A quick check can be done using Cynthia Says which has an automated Section 508 test. It should give you a quick checklist of issues to resolve with your web designer should the test indicate failure. Most web sites will not pass all the tests and you should use the results as a guideline rather than looking for strict compliance. You can also find more information on the Official Section 508 website.

Installing CartIt and PERL modules on Windows IIS 6.0

Filed under: Servers — Bill Laakkonen at 10:12 pm on Thursday, April 26, 2007

On Windows Server 2003 with IIS 6.0 when trying to run a perl CGI (cartit.cgi) which has

use Crypt::SSLeay;

I get the error: “Can’t load ‘C:/Perl/site/lib/auto/Crypt/SSLeay/SSLeay.dll’ for module Crypt::SSLeay: load_file: access is denied” in the web browser after first installing Crypt-SSLeay.
I had already installed a precompiled Crypt-SSLeay package for Windows from: http://theoryx5.uwinnipeg.ca/ppmpackages/

Testing the script from a command prompt gave expected results with no error messages but it refused to run from IIS.

It seemed as if this was a permissions issue, however, based on my solution- it may be the source was linked to some dependency of OpenSSL as it was a requisite for the machine which compiled the Crypt-SSLeay Perl module I am using.

This one had me going around for a bit. Here is what I found. You must install the binary OpenSSL for Windows before installing Crypt-SSLeay otherwise the results will not be what you expect. So if you installed Crypt-SSLeay without FIRST installing the OpenSSL binary version, you will need to remove the package in PPM. You should then install OpenSSL from a source listed here: http://www.openssl.org/related/binaries.html and finally reinstall Crypt::SSLeay from command prompt as below:

C:\> ppm install http://theoryx5.uwinnipeg.ca/ppms/Crypt-SSLeay.ppd

I uninstalled the PPM, installed the OpenSSL binary version, and finally reinstalled Crypt-SSLeay again. Now at the command prompt when I run the script I get a dialog box stating:
“MSVCR71.dll was not found. Reinstalling the application may fix the problem.”

At which point I went to dll-files.com and downloaded the msvcr71.dll file and placed it in a folder that is in the path (Thanks dll-files.com!). Now the script works from the IIS web server as well as the command prompt.

Saving a dying or damaged hard drive

Filed under: Servers — Bill Laakkonen at 6:52 am on Wednesday, April 25, 2007

There are times when drives start to kick out hard read errors. On FreeBSD and most UNIX-like operating systems, you get the errors logged so you have a heads-up before the drive simply dies. With the exception of power surges, ESD, and lightning strikes, hard drives seldom die instantly. They most often carp warnings on errors while continually reallocating data to good sectors silently for days or weeks before giving up completely. Once you see hard error messages though, it is time to replace the drive.

Don’t reboot the system if it is running and complaining; rather instead get your new drive prepared by doing a base install of the same version OS with similar partitioning and slices of equal size or greater. Then shut down the system. I usually do not try to fsck the drive if the system has not crashed (in the case of hard errors the drive can no longer tell the good sectors of the disk from the bad sectors - so don’t run fsck as it worsens the data loss). After the new drive is prepared in a new machine, you should be ready to try copying the data over from the old.

The information here covers rescuing a FreeBSD system but the basic steps should apply to any OS. It’s not meant to be a step-by-step howto but rather a general overview of the process with some details omitted. If you’re attempting to save a drive, you should already have some detailed knowledge of the process involved so take your steps carefully to avoid data loss. When the machine is still running (and it’s a UNIX-like OS) you may want to try a dump of the file systems over the network to a machine with sufficient capacity for the job. For speed however, copying locally seems to be much faster.

I tend to use dd for saving damaged drives by copying the contents of the old drive to a new one. If you have had a serious amount of errors (and lots of time) you can also try the spinrite program to recover data but if you have hard errors you should simply try to get data off the drive as fast as possible using dd to do a sector by sector copy.

We use the dd switch ‘conv=noerror’ to prevent it from dying on errors and ‘sync’ to pad each input block to the input buffer size. Don’t specify a block size (bs) with no conversion values other than ‘noerror’, ‘sync’, and ‘notrunc’ and you should have no aggregation of short (empty) blocks which might be safer for copying partitions.

  1. Do a base install of target OS so you have the partitions ready first or manually create partitions.
  2. Boot in single user mode (boot -s on FreeBSD).
  3. Use dd if=/src of=/dest conv=noerror,sync where src is for example /dev/ad0s1g

Mounting and fscking a bad FS seems to only make the drive worse. Move off data ASAP and then tend to the bad/missing files.

Data transfer from IDE to IDE proceeded for me at about 1.9 MB per second with the bad drive in place so copying 60G of data may take a full workday to copy this way.

Other things to try (Linux):

http://www.garloff.de/kurt/linux/ddrescue/

http://www.kalysto.org/utilities/dd_rhelp/index.en.html A front end for dd_rescue

http://www.simplicidade.org/notes/archives/2005/02/recover_day.html a dd_rescue story

Also you can try this:

Install the new drive in the computer either with the existing drive as the master or do a fresh base install of the new OS same version as you are replacing.

Boot single user at: ok boot -s

Hit enter for /bin/sh shell, fsck -yp, mount -u / , mount -a , swapon -a

Run sysinstall from /stand/sysinstall or /usr/sbin/

Go to Configure-> Fdisk and add the new drive device. (eg ad2 for secondary master)

In fdisk choose A for auto defaults for entire disk, enter Q to quit

Install standard boot manager when prompted

Returning to sysinstall choose Label for disklabel

Copy the label as closely as possible from the original fstab in /etc/fstab

Create your new partitions on the new drive and use M to re-label / (eg /dev/ad2s1a) only mount point to /mnt and all others as regular /var, swap, and /usr. Type Q to quit and exit sysinstall

Now mount the new file systems eg:

mount /dev/ad2s1a /mnt

mount /dev/ad2s1f /tmp

mount /dev/ad2s1g /usr

mount /dev/ad2s1e /var

copy the existing filesystem using tar

# tar -ckf - --one-file-system --ignore-failed-read -C / --exclude='mnt/*' . | tar -xpvf - -C /mnt

# tar -ckf - --one-file-system --ignore-failed-read -C /usr . | tar -xpvf - -C /mnt/usr

# tar -ckf - --one-file-system --ignore-failed-read -C /var --exclude='mnt/*' . | tar -xpvf - -C /mnt/var

Shut down and remove the old drive. Boot the new one single user, fsck it (fsck -p) and mount it. Reboot and all should be well again.

Generating Directions from Google maps on a website

Filed under: SEO — Bill Laakkonen at 9:18 pm on Tuesday, April 17, 2007

I was asked by a customer today to add driving directions to live classes listed on their website.

It seemed a job tailor made for the Google Maps API so I went ahead and got an API key to start developing a test page. While the API offers many features, the one I needed- routing and driving directions- is not part of the actual API (correct me if I’m wrong).
It turns out to be dead simple to implement driving directions by simply creating a form which does a GET to maps.google.com/maps and having the form open a new window using target="_blank" (yes, I know this is deprecated but on a production site you sometimes must “engineer” a solution which works even if not 100% standards compliant).

For my client’s site, all the class locations are already in a database and the pages are generated from there so all I needed to do was write a few lines of code.

Of course if you only need one destination address such as your office you can simply hard code the value into the destination address (named daddr) field.

Here is an example of how to get to the Saint Lucie County Fairgrounds.

Show me directions to the Saint Lucie County Fairgrounds in Fort Pierce, FL (Opens a new window).

Here is the live site where I implemented Google Maps driving directions:

http://www.educationprograms.com/safefood/store/index.php

The code is not the prettiest around but it does work. You should be able to view the source to quickly see how the form works.

Ciphertext does not begin with a valid header for 'salt' header mode at ./verify_install.cgi line 621

Filed under: Servers — Bill Laakkonen at 7:20 am on Friday, April 13, 2007

Installing OpenSRS RCL Version 2.95 gives the following error:

Ciphertext does not begin with a valid header for 'salt' header mode at ./verify_install.cgi line 621

This occurs because Crypt::CBC 2.17 and higher use the salt header by default. The OpenSRS scripts need to use randomiv headers.

Solution: edit your CBC.pm file to use randomiv as the default header.

In the CBC version 2.2 CBC.pm change line 55 to use randomiv instead of salt as the default.

50 # header mode
51 my %valid_modes = map {$_=>1} qw(none salt randomiv);
52 my $header_mode = $options->{header};
53 $header_mode ||= 'none' if exists $options->{prepend_iv} && !$options->{prepend_iv};
54 $header_mode ||= 'none' if exists $options->{add_header} && !$options->{add_header};
55 $header_mode ||= 'salt'; # default

new line 55 should read:

55 $header_mode ||= 'randomiv'; # default

and of course you should now find this error resolved. Hopefully you don’t have others as well. :-)

Limiting Brute force SSH attempts with denyhosts

Filed under: Servers — Bill Laakkonen at 7:12 am on Friday, April 13, 2007

I sometimes tire of the constant amateur brute force attempts to break into my machines. One of the ways to limit these attempts in FreeBSD 6.X and PC-BSD as well as other UNIX-like OS machines is by using denyhosts from within tcpwrappers in inetd. denyhosts can be configured to automatically deny SSH or ALL services to a particular host which is busily banging away at an attempt to break into your machine. Naturally, good strong passwords are the best way to limit the possibility of brute force break-ins. But denyhosts also has the benefit of simply cutting them off and I like that.

On PCBSD you have denyhosts already set up for use except for changing the name of the default config file. On standard FreeBSD you’ll need to add denyhosts from ports or packages (see further down). Depending on your Linux distro you may already have it. You’ll have to research that on your own and remember the file locations here are for FreeBSD.

cp /usr/local/share/denyhosts/denyhosts.cfg-dist /usr/local/share/denyhosts/denyhosts.cfg

then

vi /usr/local/share/denyhosts/denyhosts.cfg

to check the defaults. I allowed mine to fetch data from the sync server

# To enable synchronization, you must uncomment the following line:
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

then /usr/local/etc/rc.d/denyhosts.sh start

[root@PCBSD /usr/ports/lang/php5]# tail -f /var/log/auth.log
Apr 13 08:30:54 PCBSD sshd[84345]: Failed password for root from 69.15.145.108 port 55955 ssh2
Apr 13 08:30:55 PCBSD sshd[84347]: Failed password for root from 69.15.145.108 port 55986 ssh2
Apr 13 08:30:56 PCBSD sshd[84353]: Failed password for root from 69.15.145.108 port 56017 ssh2
Apr 13 08:30:57 PCBSD sshd[84355]: Failed password for root from 69.15.145.108 port 56048 ssh2
Apr 13 08:30:57 PCBSD sshd[84357]: Failed password for root from 69.15.145.108 port 56079 ssh2
Apr 13 08:30:58 PCBSD sshd[84359]: Failed password for root from 69.15.145.108 port 56110 ssh2
Apr 13 08:30:59 PCBSD sshd[84361]: Failed password for root from 69.15.145.108 port 56140 ssh2
Apr 13 08:31:00 PCBSD sshd[84367]: Failed password for root from 69.15.145.108 port 56173 ssh2
Apr 13 08:31:01 PCBSD sshd[84369]: Failed password for root from 69.15.145.108 port 56203 ssh2
Apr 13 08:31:01 PCBSD sshd[84371]: twist 69.15.145.108 to /bin/echo "Server sshd denied from 69.15.145.108"

As you can see from the logs, it stopped an attempt within seconds.

/var/log/denyhosts contains the daemon log entries.

[root@PCBSD /usr/ports/lang/php5]# tail /var/log/denyhosts
2007-04-13 10:36:38,269 - denyhosts : INFO send daemon process a TERM signal to terminate cleanly
2007-04-13 10:36:38,269 - denyhosts : INFO eg. kill -TERM 92229
2007-04-13 10:36:38,272 - denyhosts : INFO monitoring log: /var/log/auth.log
2007-04-13 10:36:38,273 - denyhosts : INFO sync_time: 3600
2007-04-13 10:36:38,274 - denyhosts : INFO daemon_purge: 600
2007-04-13 10:36:38,275 - denyhosts : INFO daemon_sleep: 30
2007-04-13 10:36:38,276 - denyhosts : INFO purge_sleep_ratio: 20
2007-04-13 10:36:38,276 - denyhosts : INFO denyhosts synchronization disabled
2007-04-13 10:46:38,310 - denyfileutil: INFO purging entries older than: Fri Apr 13 10:26:38 2007
2007-04-13 10:46:38,313 - denyfileutil: INFO num entries purged: 0

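This is configured by /etc/hosts.allow - make sure you have these entries:

# denyhosts
# twist must be the last option in a rule; it replaces the requested
# service with the echo command, so the connection is refused.
sshd : /etc/hosts.deniedssh \
     : severity auth.info \
     : twist /bin/echo "Server %d denied from %h"
sshd : ALL : allow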

If you’re not familiar with twist, it is part of tcpwrappers. The twist directive replaces the requested
service with some other actions. You can also expand with this directive to include the daemon process (%d) and host name (%h)

See the docs at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/tcpwrappers.html
for more details.

On standard FreeBSD 6.x you should find denyhosts in /usr/ports/security/denyhosts or you may add it as a package with
pkg_add -r - you’ll still need to rename the dist config file as above.

Good luck and may your log files now be shorter.
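
As an added illustration (not part of the original post and not DenyHosts' own code), the sketch below shows the kind of log analysis described above: it counts sshd "Failed password" lines per source address in auth.log format and lists the addresses that cross a threshold, one per line, in the form assumed here for /etc/hosts.deniedssh. The sample log lines, the threshold, the never_deny allowlist and all function names are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Anchored at both ends: the user name is remote-controlled text, so the
# source address is taken only from the final "from <addr> port <n> ssh2".
FAILED_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<host>\S+) port \d+ ssh2$"
)


def parse_failure(line):
    """Return (user, host) for a failed-password line, or None."""
    match = FAILED_RE.match(line.rstrip("\n"))
    if match is None:
        return None
    try:
        host = str(ipaddress.ip_address(match.group("host")))
    except ValueError:
        return None  # not an IP address: ignore rather than guess
    return match.group("user"), host


def count_failures(lines):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is not None:
            counts[parsed[1]] += 1
    return counts


def hosts_to_deny(lines, threshold=5, never_deny=()):
    """Addresses with at least `threshold` failures, minus the allowlist."""
    counts = count_failures(lines)
    return sorted(
        host for host, n in counts.items()
        if n >= threshold and host not in never_deny
    )


def render_deny_file(hosts):
    """One address per line (assumed layout of the file named in hosts.allow)."""
    return "".join(f"{host}\n" for host in hosts)


def _entry(second, message):
    # Builds a constructed log line in the same layout as the excerpt above.
    return f"Apr 13 08:30:{second:02d} PCBSD sshd[{84345 + second}]: {message}"


# Constructed sample data using documentation-only addresses.
SAMPLE_LOG = (
    # Six root guesses from one host: over the threshold.
    [_entry(s, f"Failed password for root from 203.0.113.50 port {55955 + s} ssh2")
     for s in range(6)]
    # Two guesses from another host: under the threshold.
    + [_entry(10 + s, "Failed password for invalid user test "
                      f"from 198.51.100.23 port {40000 + s} ssh2")
       for s in range(2)]
    # The admin mistyping a password five times from a trusted address.
    + [_entry(20 + s, f"Failed password for bill from 192.0.2.10 port {50000 + s} ssh2")
       for s in range(5)]
    + [
        # Successful logins are not failures and must not be counted.
        _entry(30, "Accepted password for bill from 192.0.2.10 port 50005 ssh2"),
        # User name that itself looks like a "from ..." clause: the failure
        # must be charged to the real source, not the embedded address.
        _entry(31, "Failed password for invalid user x from 198.51.100.99 "
                   "port 22 ssh2 from 203.0.113.50 port 55990 ssh2"),
    ]
)

if __name__ == "__main__":
    denied = hosts_to_deny(SAMPLE_LOG, threshold=5, never_deny={"192.0.2.10"})
    print(render_deny_file(denied), end="")
```

The allowlist matters in practice: without it, an administrator who mistypes a password often enough is locked out by the same rule that stops the guessing.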

Open Source Hosting Control Panels

Filed under: Hosting — Bill Laakkonen at 7:59 am on Tuesday, July 25, 2006

I frequently am asked about what open source web hosting control panels are available for different platforms and purposes.

Here is a list of some I have found in my travels (in no particular order).

ISPConfig for Linux under BSD License

AlternC for Linux under GPL

GNU Hosting Helper for Linux under GPL

VHCS Virtual Hosting Control System

Web-CP is one of only a few CPs which support FreeBSD as well as Linux. While not a fast moving project, it seems directed by individuals who are seasoned professionals.

RavenCore is a relative newcomer but looks like a promising control panel for Linux based hosting.

ZPanel seems to support Microsoft® Windows® as well as Linux. Some of the features listed seem a bit odd such as “track where your clients while they’re logged in” - I am not sure why I need to know this as an owner of the control panel. Anyway, so far this is the only free (open) Windows CP I’ve found - though I don’t see the license terms on the site.

I saved the most frequently mentioned control panel for last. Webmin is the oldest project and most mature control panel for a Linux or FreeBSD server. While it is mature and configurable, it is designed more as a sysadmin helper tool than as a monolithic web hosting control panel. There is a commercially available CP based on webmin named CP+, it is offered by Comodo and is tightly integrated with their Trustix Linux distribution. CP Plus also supports FreeBSD with slightly less automated installation of programs.

For those times when you need backups of backups…

Filed under: Jesus Factor — Bill Laakkonen at 1:26 pm on Tuesday, July 18, 2006

Admittedly it would be hard to keep synchronized backups of 700G of email, but the story below should turn some heads (perhaps side-to-side), regarding the human nature of being a sysadmin.

According to theRegister, PlusNet has deleted hundreds of gigabytes of its customers’ email during a storage update. The blunder also left about half its 140,000 customers unable to send and receive new email until this morning.

In case you’re wondering; the Jesus Factor is reserved for those times when something breaks and you say “Jesus…” which is a good reason not to put every service on one server (or storage medium).
It could be worse; they could be trying to explain why the server crashed after someone knocked over their Slurpee into it while visiting the Data Center.
