0. Production servers deleted
1. No logs, notifications or any indications of the issues
2. Can't get ahold of support on the free plan
3. Spend 1-2 weeks frantically trying to restore access to our customers
4. Find a random Auth0 support thread of someone who had the same issues
5. Auth0's response was to submit an affidavit to their legal team indicating I'm not sanctionable
6. Access restored after ~3ish weeks of downtime
Why was my SaaS caught up in sanctions?
I had a Russian developer deploy Auth0 two years ago (and hadn't logged in for 18+ months)
That was enough to get my production servers deleted with no warning.
Aren't the only people able to enforce the banning of automated enforcement politicians, the very people who want the blocking done in the first place?
Is Cuba still being punished for daring to host Soviet missiles?
I think the way we've treated them is really terrible.
You can argue whether or not sanctions are an effective way to promote regime change, or if they just hurt the regular citizens of rogue governments. I think they are often quite ineffective.
But there's no defending the Cuban regime.
r/ShitAmericansSay
::walks away whistling hoping you don’t notice Iraq and Afghanistan’s blown up weddings::
https://en.wikipedia.org/wiki/Colonial_history_of_the_United... looks like it could get... expensive.
Isn't access control a set of patterns rather than a service? When did it stop being a core competency of web applications?
It transforms "Andy is andy@foo on service A, AndyA on service B, aaaandy on service C, maybe has two factor enabled on some of them and hopefully hasn't joined other groups to give them access" into "Andy is andy@company in Okta and we can turn services on/off and set policies as needed".
Turns out, login is surprisingly hard. It will be the first and most important focus point for attackers - SQL injections, DDoS attacks, captchas, griefers intentionally using wrong passwords to lock someone else out... with Okta and other products of its kind, all an application developer needs to do is to check some token.
Another huge part is that in the "old" world there was only one player for any kind of centralized authentication: LDAP. While there were and are multiple LDAP server implementations (OpenLDAP, MS AD, Samba and a bunch of smaller ones), only Microsoft's AD has a somewhat comfortable and usable management application - but even that is using old-school Windows UI and you need a MS desktop to manage it. Everyone else? Either use Apache Directory Studio, some barely working web management UI (phpldapadmin, GOsa) or heaven forbid plain LDIF files.
In contrast, working with anything of the "modern authentication" solutions is a breeze.
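As an added illustration of the "all an application developer needs to do is to check some token" point above (example code, not from the original thread or from Okta/Auth0): the checks below are the ones that actually matter when an app trusts a token from an external identity provider. It uses HS256 with a shared secret so it runs stand-alone; Okta and Auth0 normally sign with RS256 and publish public keys at a JWKS URL, and only the signature primitive would change. The issuer, audience and secret are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HS256 secret. Real IdPs usually sign
# with RS256 and publish public keys via JWKS; the claim checks are the same.
DEMO_SECRET = b"demo-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.com/"   # assumed issuer value
EXPECTED_AUDIENCE = "my-api"                    # assumed audience value
ALLOWED_ALGS = {"HS256"}                        # pin the algorithm, never trust the header alone
CLOCK_SKEW = 60                                 # seconds of tolerance for exp/nbf


class TokenError(ValueError):
    pass


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode((text + "=" * (-len(text) % 4)).encode("ascii"))


def mint_token(claims, secret=DEMO_SECRET, alg="HS256"):
    """Build a JWT. Only used to produce test input here; an application never
    mints tokens with the IdP's key. alg='none' produces an unsigned token."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, secret=DEMO_SECRET, now=None):
    """Return the claims if the token is acceptable, else raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        provided_sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("undecodable token") from None

    # 1. Algorithm pinning: rejects alg=none and any algorithm we did not expect.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError("algorithm not allowed: %r" % header.get("alg"))

    # 2. Signature over header.payload, compared in constant time.
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        raise TokenError("bad signature")

    # 3. Claims: who issued it, who it is for, and whether it is in its validity window.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW:
        raise TokenError("token expired or has no exp")
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    return claims


def is_valid(token, now=None):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_token(token, now=now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "andy", "exp": t0 + 300})
    print(verify_token(good, now=t0))
    print(is_valid(mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "andy", "exp": t0 + 300}, alg="none"), now=t0))
```

The order of the checks is deliberate: the algorithm is pinned before the signature is looked at, so an attacker-supplied header cannot downgrade the verification, and claim checks run only on a token whose signature already passed.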
That last clause has also encompassed things like Hague prosecutors [0]. If your interpretation of these regulations depends on your assessment of the trustworthiness of the regulator, this is a very relevant datapoint.
Imagine major tech companies geoblocking United Nations offices. Is that far-fetched fantasy?
[0] https://www.hrw.org/news/2020/12/14/us-sanctions-internation... ("US Sanctions on the International Criminal Court")
In response to this announcement I've closed down my Auth0 experiments. I refuse to be held to US enforcement when I operate outside US jurisdiction. I know other SaaS will follow suit, but we have to oppose this somehow.
As far as I'm aware, the UK does not have any sanctions imposed against Cuba for example, so Auth0's active stance on this is inappropriate for those outside US borders.
To take Iran as an example: when US sanctions prevent Boeing or Airbus from selling to them, I can understand why Embraer doesn't step in and offer to supply planes, because they are afraid of secondary sanctions affecting their business with the rest of the world.
But tech isn't like aircraft production — building a GitHub, Okta or Auth0 clone is a chunk of work but hardly infeasible — hell, most companies routinely built a partial Auth0 clone in-house until not that long ago. Many still do.
So why don't we see alternatives pop up that don't block Iran? It's a niche, but you get the whole niche to yourself, and Iran is not a small market.
From a legal perspective you would set up somewhere like UAE where they have a good climate for business but regularly do business with Iran, so that part shouldn't be an issue.
Network effects are a factor, but when you're blocked from the popular platform, you have a bigger incentive than usual to consider the less-popular one.
People didn’t learn their lesson from Facebook etc etc.
Which is problematic in a bunch of scenarios:
- US foreign policy (note: I don't really want to stick up for a bunch of the countries/regions on that list).
- Chinese (and other countries) with censored internet.
- GDPR reaching far further than the EU borders.
- Badly written cryptography laws[0]
I don't really see a solution to this problem though. It's more of a problem when there is no transparency or ability to provide feedback and move democratic mechanisms toward "correct" solutions. In the case of Okta/Auth0, however they've segmented their business (I use their EU region) they're still at the end of the day a US company with US board and directors. They can make a "service region" that respects EU laws because they don't contradict US laws (mostly), but there is nothing in EU laws mandating offering services to these regions. ¯\_(ツ)_/¯
[0]: https://www.eff.org/deeplinks/2018/09/australian-government-...
If you have a US-Okta and a non-US Okta and both ultimately are "Okta", then if the non-US Okta does not follow US regulations, the US-Okta will take the whip.
- To inconvenience the institutions of the occupier just in that area (Why just there? To avoid removing their incentives to change and to avoid crippling your own companies who provide a service there. If you sanction the occupier fully, they'll double down, perceive it as an escalation, and your own companies will be significantly hurt. They'll find an alternative, and once they do, they won't need your service any longer, so you lose leverage.)
- To frustrate the local populace so that even the milder ones have additional incentives to oppose the occupying regime.
I would think they have a lot more to worry about than okta authentication.
That's of course pre-24-Feb open Russian invasion of those regions. There have been some people, such as those visiting their elder relatives during winter holidays, who are now stuck there.
I wouldn't say to remove occupied regions of Ukraine from the list but instead to add the aggressor to it.
Inb4 cries of whatboutism, no I'm just pointing out the hypocrisy.
see Roblox, Valve (Steam), Cloudflare, Patreon and many more who didn't leave Russia: https://som.yale.edu/story/2022/over-1000-companies-have-cur...
^ Not on the same level as IBM working with Nazis, but still morally questionable
- Have a copy of all your users e-mail within your own infrastructure (DB)
- Have proper backups in place
- Verify regularly that your backups function correctly (backup AND restore)
In case your account gets deleted, you can rebuild from these.
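An added example for the three points above (not from the original thread, and not Auth0's own tooling): it keeps a local snapshot of the user records you would need to rebuild accounts, stores it with an integrity digest, and runs the "backup AND restore" drill the comment asks for by reading the file back and diffing it against the live data. The sample records are constructed; their field names follow the shape of a typical IdP user export but the values are invented, and the hypothetical live source would be whatever export your provider offers.

```python
import hashlib
import json
import os
import tempfile

# Constructed sample export (invented values; field names mirror a typical IdP
# user record). In practice this list comes from your provider's user export.
SAMPLE_USERS = [
    {"user_id": "auth0|0002", "email": "bea@foo.example", "email_verified": False,
     "identities": [{"provider": "auth0", "connection": "Username-Password-Authentication"}]},
    {"user_id": "google-oauth2|0003", "email": "cat@foo.example", "email_verified": True,
     "identities": [{"provider": "google-oauth2", "connection": "google-oauth2"}]},
    {"user_id": "auth0|0001", "email": "andy@foo.example", "email_verified": True,
     "identities": [{"provider": "auth0", "connection": "Username-Password-Authentication"}]},
]

# Only what is needed to rebuild an account elsewhere; password hashes are not
# exported by most providers, so a rebuild implies a reset flow for those users.
KEEP_FIELDS = ("user_id", "email", "email_verified", "identities")


def normalise(records):
    """Project to KEEP_FIELDS and sort by user_id so equal data gives equal bytes."""
    rows = [{k: r[k] for k in KEEP_FIELDS if k in r} for r in records]
    rows.sort(key=lambda r: r["user_id"])
    return rows


def canonical_bytes(rows):
    return json.dumps(rows, sort_keys=True, separators=(",", ":")).encode("utf-8")


def write_backup(records, path):
    """Write an envelope {sha256, count, users} atomically; return the digest."""
    rows = normalise(records)
    digest = hashlib.sha256(canonical_bytes(rows)).hexdigest()
    envelope = {"sha256": digest, "count": len(rows), "users": rows}
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(envelope, fh)
    os.replace(tmp, path)   # never leave a half-written backup under the real name
    return digest


def load_backup(path):
    """Read a backup and refuse it if the digest or count no longer matches."""
    with open(path, encoding="utf-8") as fh:
        envelope = json.load(fh)
    rows = envelope["users"]
    digest = hashlib.sha256(canonical_bytes(rows)).hexdigest()
    if digest != envelope.get("sha256") or len(rows) != envelope.get("count"):
        raise ValueError("backup integrity check failed")
    return rows


def restore_drill(records, path):
    """Back up, restore, and return discrepancies against the live data.
    An empty list means the backup restores cleanly."""
    write_backup(records, path)
    restored = {r["user_id"]: r for r in load_backup(path)}
    live = {r["user_id"]: r for r in normalise(records)}
    problems = []
    for uid, row in live.items():
        if uid not in restored:
            problems.append("missing after restore: " + uid)
        elif restored[uid] != row:
            problems.append("mismatch after restore: " + uid)
    for uid in restored:
        if uid not in live:
            problems.append("unexpected in restore: " + uid)
    return problems


def run_drill(records=SAMPLE_USERS):
    with tempfile.TemporaryDirectory() as d:
        return restore_drill(records, os.path.join(d, "users.json"))


def tamper_detected(records=SAMPLE_USERS):
    """Edit one e-mail inside the stored file and check that load_backup refuses it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "users.json")
        write_backup(records, path)
        with open(path, encoding="utf-8") as fh:
            env = json.load(fh)
        env["users"][0]["email"] = "attacker@evil.example"
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(env, fh)
        try:
            load_backup(path)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print("drill problems:", run_drill())
    print("tamper detected:", tamper_detected())
```

Run the drill on a schedule, not just once: a backup that has never been restored is an assumption, and the diff it returns is the evidence you would want before an account disappears rather than after.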
Do these sanctions even slow them down?
(Real question, please don't start a flame wars, I don't want this account to be disabled)
our new Tutmoses is AUKUS + EU.
But the story repeats itself.
I am a EU citizen. I only have EU bank accounts. The app I used was of a EU bank. There are no EU sanctions against Cuba at this time or at the time I was there. I also have no relation to the USA, I was never there or have business there.
A few days after opening my bank app ( again, read only, no transaction ) I received a threatening email from my EU bank saying I might be in violation of sanctions and it is prohibited to use the bank in a list of jurisdictions ( basically the ones mentioned in the post minus the last three ) and the bank reserves the right to terminate my account.
As you can imagine, this was very concerning. Fortunately nothing came of it.
But still, I find it ridiculous the bank threatened to close my account just for being in a country that, at least for the jurisdictions that concern me, is a normal country.
I have no doubt this was an automated message. The only thing that prevented my bank account from being terminated was the suspicious activity flag triggered the email handler and not the delete account handler.
I find this to be utterly dystopian.
That applies of course to any US-based company, so in that case you would need to avoid touching anything that is based in the US. That may be possible in some cases, but if you rely on the third parties, it's almost inevitable to completely avoid US.
This damages US businesses more than it does overseas businesses. Sure, UK banks lose some US customers. But actually they didn't have to lose those customers; all they were required to do was exercise enhanced diligence over the sources of funds transferred to USA. The UK banks chose to eject those US customers, because it was cheaper.
I don't know what to do about this. I think US legislators like extraterritorial legislation because it looks strong, and because it has a certain flavour of "fixing the world". Most USAians don't have overseas financial interests, so aren't impacted. But, for example, my US half-sister declined her share of my late father's legacy, because importing it to the USA would have been too costly as well as too much hassle.
This does not change much: a, say, French company is bound to follow US regulations anywhere (including in France, not to mention abroad) because the US would punish any interests of this company in the US.
This was the case with Iran, and with others.
If you are mid-to-small compared to the US/China, you are bullied.
If you are very small (like a blog or local newspaper) you may not give a fuck.
There's some choices in the market, and beyond the behemoths it is still possible to avoid the US. The challenge is finding one that isn't owned by a US company and will end up with the same restrictions (like Gigya is now owned by SAP) - but any company serious about security will do the due diligence and know who own who.
I'm in the US, and I'm not so sure I want to be held to US enforcement. Our government has always been a little wacky, but it's really stepped up the jiggery-pokery during the past, well, 20 years.
At this point it feels an awful lot like a past-their-prime pop star getting screechy and demanding about the brown M&Ms in the dressing room.
Working in/with Iran has other difficulties in addition to sanctions. Iranian government has total control over what services from outside Iran are accessible to Iranians. They also use this control elaborately, in some fields whitelisting services rather than blacklisting them. So if you want to work with Iran from outside, you are always at the mercy of the government to block you.
If working from inside, you are under pressure to share people's private information with the government en masse. You have no way to resist that. The courts are puppets, price of resistance can be anywhere from takeover of your business, to prison, to death.
Oh and from outside, you have the problem of exchange rate: due to 40+ years of 40+% inflation, what you earn from there cannot even cover your costs outside the country, unless you do the entire business from another country with a similar economy.
In other news, setting up businesses that go around US sanctions is not something the US will just wave off. Bullies don't accept their authority questioned.
Before Trump nixed the JCPoA, Iran had a firm order with Boeing for $16.6 billion worth of aircraft, and a firm order with Airbus for $25 billion worth of aircraft. Taken together, that's one of the largest aircraft orders of all time. Iran is not a small market.
> In other news, setting up businesses that go around US sanctions is not something the US will just wave off. Bullies don't accept their authority questioned.
Businesses in the UAE regularly trade with Iran (and Russia, for that matter) in the normal course of business.
Because it is not necessary. Setting up something like Github onsite takes 1 hour. Network effect really is overrated.
Where it hurts are payment systems, credit cards etc.. And there are alternatives.
Problem is, that people think they are a grift.
> Why are we blocking Users from access to Okta Service?
> In support of our customers’ and Okta’s existing contractual obligations with respect to U.S. export control laws, Okta customers are not permitted to access the Okta Service (including the Auth0 Platform) from Cuba, Iran, North Korea, Syria, the regions of Crimea, Luhansk or Donetsk without prior approval from the U.S. Government. This restriction applies even if a User is temporarily visiting any of the aforementioned regions.
Total utter bs. Next they will start filtering your business, customers etc.. Then just stop all together, because there's always something not right within larger orgs.
> Can Okta handle these OFAC controls for me?
> As a Customer, you are responsible for ensuring your own compliance with applicable laws. As outlined in the Okta Master Subscription Agreement, you must use the Okta Service in compliance with applicable laws.
How can you be responsible if you don't have the power to make decisions anymore? If they think they know better, they should face the consequences when something goes wrong (some North Korean login for example)
US export controls don't apply to other countries. Why don't they have foreign entities for this? Because even if they have, they don't want to, because they became a political vehicle. A political vehicle for the CEO who thinks he's smarter than anybody who has a different opinion or who wants more power/influence, or maybe some bribes, I mean lobbyists at the door.
These days everybody seems to be a politician, pro athlete, doctor, scientist, coder, entrepreneur, etc.
1) let a third party handle authentication (Code)
2) let a third party handle authentication (SSO)
Number 1: don't do that.
Number 2: Only do that if you are in control of SSO, or if you are very certain you won't have problems contacting the provider. (so not Google in this case)
There are global trade and sanction contracts between the USA and the EU fyi, and the financial sector is even more strongly regulated.
(As a Canadian I've been to Cuba many times with no issues; however a friend's father worked for a nickel mining company and spent time there overseeing their operations in Cuba and he can no longer travel to the US among other things.)
What seems more likely to me is, a request came from my app to some bank server. The server detected the request coming from Cuba and flagged the account as having suspicious activity, that in turn triggering an automated message.
Maybe there was indeed a guy somewhere in an office who saw one request to my account coming from Cuba and decided to have some fun and said he’ll turn my account off. I don’t know. Whatever it is, it’s creepy it happened.
Companies are required to do due diligence to determine that they aren’t engaged in activities that are sanctioned. GeoIP is less than 100% accurate… but so is comparing first and last names. Unreliable data is not something inherently unique to the internet.
Anyone can say anyone else is bad and "take action" against it. What matters is whether the rest of the world agrees with you or not.
> https://twitter.com/toddmckinnon/status/1544046909307752448 Things about abortion, inclusive blabla, political stuff
> https://twitter.com/toddmckinnon/status/1539642789864312834 gov identity, political stuff
He seems to have been corrupted right after his gov talk.
W E A K
In reality: you do this if TCO of doing it internally < TCO of doing it externally + risk. There's quite a few people who estimate the risk is worth it.
I am not rich but I would agree to double and triple on my internet subscription if the Internet would be made significantly better (scarce and exclusively curated non-intrusive ads, no tracking, no DRMs, no forced/nudged "engagement", no automated enforcement, no paywalls, everything easy to download and or syndicate, etc.).
In fact I would already pay Google and Facebook if they would seriously stop treating me as a product and would consider me a client in whose best interest they would act. Yet they don't even offer; even those who actually pay them get blackholed routinely.
I understand there are poor countries where people really can't pay so I don't insist the business model has to change for everybody everywhere.
They do. But their customers are their advertisers, not their users. Their users are literally the product. Their public services are bait for eyeballs.
If you were a fish, on a hook, would you offer to pay the fisherman for better tasting bait? The fisherman isn’t concerned about the bait as long as it’s good enough to catch you and send you to market.
Crist couldn't even beat Rick Scott for the Senate, and Scott was one of the least popular governors in the country at the time of the election.
Edit: It was actually Bill Nelson who lost to Scott in 2018, my bad. Crist has been hiding out as a US Rep in Saint Pete since losing the governor's race to Scott.
Can you use AD on Chrome in Windows to login to a web app? Would it be for internal apps only?
The question is a) "why is Cuba singled out over places like China that do similar (and often worse) shitty things?" b) "why are we ignoring decades of failure of the embargo to induce any meaningful change?"
I think Obama at least sensed that the best way to get Cuba into a more functional state and better neighbour was to take the "but we're embargoed!" excuse away from the regime there. Trump undid that.
BTW the only time I came across sex tourism in Cuba, it was indeed a creepy guy with two young (probably minor) girls. In a cafe in Havana. But the guy was not Canadian, he was American. And repulsive.
Feel free to start a discussion on US aggression, if you honestly feel strongly about it.
Otherwise you're blatantly trying to whitewash decades of systematic oppression from totalitarian bloodthirsty regimes, and in the process support all the human rights violations they're continuously subjecting their population to.
How do sanctions help an average Joe stuck living under such a regime?
Now they are even poorer, have worse nutrition and medicine.
Think about it, Soviet Union was not just knowing what you did last summer; it knew what you would be doing a summer 40 years from back then.
...except they weren't criticizing. Much like in this case, their intention was to divert the attention on their cruel and inhumane practices by picking any distraction they could find out, with the goal of perpetuating their abuse without being subjected to criticism.
It's the same reason why nowadays you have Putin's regime posting bullshit about how the people of the UK and Germany are somehow suffering from hardship to deflect attention from the impact that international sanctions are having on its economy. The target and substance of their attacks is immaterial, and their goal is to divert attention.
It is supposed to mean the rhetorical trick of using other’s faults to distract from and normalize one’s own wrongdoing.
It is not a general defense against accusations of hypocrisy leveled by a third party.
The US has zero moral authority to impose sanctions based on violations of human rights while simultaneously violating human rights on a global scale.
Additionally, we have seen the effects of sanctions, the average people suffer even more, and the regime stays the same.
Arguably the people of Cuba are worse off after sanctions than before.
So far so good.
Then the US said that everyone must leave Iran, and if they do not, their presence in the US will be harmed and they will not be allowed to trade in USD.
We asked the EU for help. The EU said that this is really [bad|unfriendly|unethical|immoral|whatever] of the US to behave that way and that we are, collectively, definitely offended. But that they cannot help.
So we left Iran, together with the rest of EU companies.
---
This is just one example of the extraterritoriality that the US does, without any special concerns for international law or relations. One could say "[US|China] are big and strong so they rule", which is true. Not the kind of relationship I would like to have on a personal level.
We frown at bullies in everyday life, but accept this on a national scale.
Being gay is illegal in some parts of the world but my gay friends don't care because they don't do business with those countries, don't participate in any commerce that does business in those countries, etc. Your country will cease being bound by US law when you cease to rely on the US for whatever.
If USA starts treating other countries in a biblical "don't do to others what you don't like to be done to you" sense, the world would be a much better and safer place for everyone.
As a U.S. citizen, this resonates. I'm deeply troubled by the fact that we've been led by war criminals in my lifetime who got off scot-free.
Mind you, I'm not defending Cuba's human rights violations - I agree that things should be done to mitigate those. However, we should clean our own house first.
It's also been posted elsewhere in this thread, that sanctions haven't appeared to be effective. I think it's hard to argue otherwise, especially if you believe that the awful-dictator situation still persists, as we've had Cuba under sanctions for a while now.
You're rephrasing it to make it sound like it's something materially different, yet it's the same thing that goes against the spirit - and likely the letter - of the law.
I find it highly amusing how "exporting people" is suddenly portrayed as being an achievement, as if being exploited as an indentured servant is something praiseworthy in the 21st century.
In other contexts this is referred to as human trafficking and exploitation, but being Cuba this is suddenly something to brag about?
I lived in a country where the national health service resorted to hiring Cuban "doctors" to fill in vacancies in deserted areas. The Cuban regime ripped them off out of a big chunk of their pay, they had no right to work beyond the job program, the national certification board had to bend over backwards to allow Cuban doctors to practice as all they had was a mere 4 year degree whose scientific basis was questionable, and their role in the healthcare service was basically triaging patients to hand over cases to other doctors.
The "Cuba exports doctors" myth doesn't hold to scrutiny. I guess that even Dr Nick Riviera is a godsend in third world countries where people have to walk for hours to get basic medical care, but let's not pretend that Cuba does not coerce undereducated professionals to play a role whose value-added is highly dependent on the development status of the country that pays for this service.
It's not an achievement.
It's a sign of how hard the USA-based bullying had come so that a country cannot export goods or services so it has to export people.
It's indentured servitude. It's exploitation that treats the fellow man as nothing more than an exportable good whose role in life is to be abused to cater to the whims of despots.
You cannot deflect the blame of these subhuman practices onto foreign regimes just because you feel a specific oppressive regime that you support could use some extra cash.
Source: I was born and raised there my entire life, and just came from there last weekend.
"Desantis won by tight margins [..] and has consistently worked to gerrymander and restrict voting rights for those who'd vote against him."
When pressed for details on this bizarre claim, it was pointed out that voting rights for felons was not expanded and that the status quo remained under Desantis. Thus he only refused to expand voting rights.
Now you are trying to rephrase the original claim to make it appear to be less false than it is, when all you need to do is scroll up to see the original claim.
It's not a bad thing either, you can live your life like a saint and still die young of cancer. I think we're focused on physical instead of mental health too much sometimes.
If people like to live a certain lifestyle and know the risks, just let them.
Well, except you are. You're trying to shift the attention away from Cuba's track record on human rights abuses by arbitrarily picking distractions that frankly you care nothing about, as if pointing out these distractions justified Cuba's long history of oppression and abuse.
The irony of complaining about human right abuses in Cuba and at the same time operating Guantanamo on Cuban land...
That's trying to answer abuses with more and harsher abuses.