SSH security by ID checking is not a good idea

From SusoSight

Some hosting providers have implemented a policy where, in order to enable SSH access for your account, you have to email or fax a copy of your driver's license or other photo ID. I'm going to talk about why this is a bad idea and why it sets up a false sense of security for these companies.

Their goal is to keep out the large number of hackers who sign up for accounts with stolen credit card numbers. My guess is that these companies believe that by requiring a photo ID they will accomplish one of two things:

  • Have some additional official information on the person so that they can take action through the government against abusers.
  • Provide a "stumbling block" for people who just want to casually request SSH access. This might keep some hackers out, and it will probably keep a lot of legitimate people out who don't want to bother or don't want to give out copies of their ID. It also makes it harder for people from countries other than the U.S., whose IDs the support staff have no way to recognize.

I'd speculate that nowadays a lot of the people who would request shell access are very conscious of the problems with compromised personal information and would feel a bit nervous about giving such information to any company, especially if it's sent through email.

It is trivial, however, to scan in a driver's license, make several modifications to it, and keep the appearance intact. The support person receiving a scanned image by email or fax has no way to verify it against the issuing authority; all they can check is that it looks plausible, and a convincing fake is enough to pass that check. Many hackers view such requirements as challenges to overcome rather than stopping points. In a matter of minutes, anyone with basic image-editing skills could produce a fake ID that passes.

I wrote to one of the companies listed below and talked with their support person about this, and his justification to me was "if we can prevent one DDoS attack, or one hack attempt, in requiring a valid government issued ID, then it's been worth it". That may be a valid philosophy for stopping spam, but when it comes to server compromise, one is enough. They should not be thinking about stopping one; they should be thinking about stopping them all.

Hosting companies that have this requirement

  • Hostgator.com
  • Hostmonster.com

There are many providers out there that simply choose not to offer SSH. I am not criticizing those companies that make that choice. I think that's an understandable solution to the security problems involved.


Some other crazy things I discovered during my research

  • hostexcellence.com and ixwebhosting.com are either the same company, use the same website template, or copied each other's FAQ pages. Compare this and this. And both get rated in the top 10 hosting companies. Give me a break.