Comments by "" (@grokitall) on "Cloudflare: Pay Me 120k Or We Shut You Down" video.

  1. cloudflare have data centers in the us, and others here have said that trying to force a contract is clearly illegal in all 50 states. not being allowed to talk to anyone except sales, and 24 hours notice from saying it is mandatory to cutting you off while refusing to provide any information as to any issues and why and how the upgrade will mitigate those issues leaves them on shaky legal grounds. retaliating early for saying you are also looking for alternatives in case a solution cannot be found removes any realistic hope of a defense that cloudflare were operating in good faith. as has been pointed out elsewhere here, you can put whatever you like in the contract, but it does not make it legal until it has been successfully defended in court, as trump found out in his new york fraud case.
    7
  2. ​ @ChrisWijtmans they don't take it away from you that way, they deactivate your hosting then demand large fees to get control of the dns entries away from them. there is a similar problem of such disreputable practices with limited company formations in the uk.
    3
  3. as an aside, it is easy to spot which companies are good and which companies are bad. bad companies go for policies like adopt, extend, extinguish, and part of the extend includes making it slow and costly to migrate. good companies look to industry standards and best practice, and their unique selling point is around making using those things easy to attract customers, and making migrating away as close to trivial as possible to keep customers. if you have made it easy to leave you have a vested interest in making sure your service is so good nobody wants to.
    2
  4. yes, you moved, but only because you had already built your infrastructure to cope with not being on aws. not doing that was the casinos mistake, so they could not move at first lies, and had significant downtime after they were shut down reimplimenting everything.
    2
  5. ​ @ChrisWijtmans i think this should be viewed by the courts with scepticism, as the story clearly states that there was only one potential tos violation, explained by needing to do it due to differing regulatory environments and the blocking policies of differing countries around the stuff not targeted at those countries, thereby providing a valid reason for the behaviour bad actors also engage in. other than that, they refused to clarify what other potential breach was involved while trying to illegally force a contract. all their other bad acts were in furtherance of that illegal act. they also refused to provide any clarification of anything provided by the new contract which would make them not be in breach of the tos under the new contract. all the casino asked for was clarification of what the problem was, which was denied, and longer than 24 hours to move away after being informed that the new contract was mandatory, which after being informed of them also looking at other options resulted in what look like a clearly retaliatory early takedown of the sites. when they are clearly acting in bad faith, trying to say trust us does not come across as very credible.
    1
  6. it is not business ethics which require the shift your company policy, but the resiliency lessons learned after 9/11 which dictate it. many businesses with what were thought to be good enough plans had them fail dramatically when faced with the loss of the data centers duplicated between the twin towers, the loss of the main telephone exchange covering a large part of the city, and being locked out of their buildings until the area was safe while their backup diesel generators had their air intake filters clog and thus the generator fail due to the dust. the recovery times for these businesses for those it did not kill were often on the order of weeks to get access to their equipment, and months to get back to the levels they were at previously, directly leading to the rise of chaos engineering to identify and test systems for single points of failure and graceful degradation and recovery, as seen with the simian army of tools at netflix. load balancing against multiple suppliers across multiple areas is just a mitigation strategy against single points of failure, and in this case the bad actors at cloudflare were clearly a single point of failure. with a good domain name registrar, you can not only add new nameservers, which i would have done as part of looking for new providers, but you can shorten the time that other people looking up your domain cache the name server entries to under an hour, which i would have also done as soon as potential new hosting was being explored and trialed. as long as your domain registrar is trustworthy, and you practice resiliency, the mitigation could have been really fast. changing the name server ordering could have been done as soon as they received the 24 hour ransom demand, giving time for the caches to move and making the move invisible for most people. not only did they not do that, or have any obvious resiliency policy, but they also built critical infrastructure around products from external suppliers without any plan for what to do if there was a problem. clearly cloudflare's behaviour was dodgy, but the casino shares some of the blame for being an online business with insufficient plans for how to stay online.
    1
  7. ​ @MrSnivvel yes there will be rework, but you are talking the difference between preventative maintainence and emergency rework. the first is always cheaper a d performed better. its like the arguments about test first development, where you trade regression tests against bug hunting after the fact. same applies in many other fields of endeavor. there are often tradeoffs, which you then need to make a deliberate proactive choice about, rather than waiting until you are about to go over the cliff and only then thinking about what happens next.
    1
  8.  @MrSnivvel  what you are talking about is called resiliency planning, which a lot of people regard as making sure nothing can go wrong. unfortunately for them, it actually means planning for everything that can go wrong and putting preferably automated plans in place for gradual degradation and rapid recovery when it does. the way this is achieved is using something called chaos engineering, the most well known example of which is the simian army of tools at netflix. it has been rendered much more important due to the realisation of just how expensive not having it was in the aftermath of 9/11.
    1
  9.  @MrSnivvel  it did not seem to me like it was taking the import of the issue seriously enough. nothing you said was exactly wrong, but to me it came across more as "yeah its a good idea, but whenever is fine" and to me it is more like making sure that you have enough insurance on you billion dollar factory, or having a will when you have major assets. the but whenever approach is far to prevalent and tends to push my buttons.
    1
  10.  @ChrisWijtmans  i think it should not be legal, but know of multiple cases where having become your authorised agent they charge very large fees to hand control back to you. with limited company formations, it is by delaying your ability to file your tax returns and company accounts, with domain management it is done by blocking you from updating the dns info. in both cases it is trying to use the nuisance value to extract wildly overinflated fees. most people either pay, or aband9n it and get a new one from a reputable company.
    1
  11. it clearly stated that the first email was saying there was a problem affecting the network, and when they turned up it was a meeting with a completely d8fferent department, sales, and that there was no problem. also no mention as to the enterprise offering being mandatory. at that point i would return to my company and start putting resiliency measures in place with the intent to min8mise exposure to cloudflare with the intent to migrate, but the option to stay if they were not complete dicks. the second contact was about was about potential issues with multiple national domains, with a clear response that it is due to differing national regulations requiring that. the only other issue mentioned was a potential tos violation which they refused to name, and an immedia5e attempt to force a contract with a 120k price tag with only 24 hours notice and a threat to kill your websites if you did not comply. at this point i would then have immediately triggered the move. on the legal view, they are obviously trying to force a contract, which others have said is illegal in the us where cloudflare has its hardware based. it is thus subject to those laws. by only giving 24 hours from the time that they were informed it was mandatory, they are clearly guilty of trying to force the contract, and thus likely to win. if they can win on that, then their threat to pull the plug on their business on short notice in pursuit of an illegal act also probably makes them guilty of tortuous interference, for which they would definitely get actual damages, which would cover loss of business earnings, probably get reputational damages, probably get to include all the costs for having to migrate to new providers, and legal costs. when i sued them, i would also go after not only cloudflare, but the entire board individually, seeking to make them jointly and severally liable, so that when they tried to delay payment, you could go after them personally. the lesson is clear, for resiliency, always have a second supplier in the wings which you can move to on short notice, and have that move be a simple yes or no decision that can be acted upon immediately. by virtue of this, don't get overly relient on external tools to allow the business to continue to be able to work to mitigate the disaster if it happens. also keep onsite backups of any business critical information. m9st importantly, make sure you test the backups. at least one major business i know of did everything right including testing the backup rec9very process, but kept the only copy of the recovery key file on the desktop of one machine in one office, with the only backup of this key being inside the encrypted backups. th8s killed the business.
    1
  12.  @NicoJuicy  while that might be plausible, the point is that cloudflare did not make that arguament until after shutdown, only offering it as one of the undeeded selling points of the upgraded offering. remember the whole flow was around trying to upsell while refusing to state that there was a specific problem with their existing service, which is why the potentially illegal forced contract come up.
    1
  13.  @NicoJuicy  yes they did, but not until the final day, and not as a requirement, only as an advantage to the upgrade.
    1