RE: Steemit.com is experiencing a DDoS attack.
What is the worst case scenario if we NEVER do that?
Seriously, though - this is a rare occurrence. If we do none of that, then what is the delta between doing all of that? There are some major security considerations involved in doing that that Twitter and GitHub don’t have to contend with.
We are different than other companies, and will likely do a lot of things differently than people are used to. Some will be better, some will be worse. In this case, though, I ask you to consider the alternative. It’s confusing for the subset of active users for the subset of time we are down. What is the harm done?
That Twitter thing was a straight fuck up, though.
Worst case? The company and the site will not be taken seriously by professional investors and brands who might otherwise integrate and risk their brand reputation by being associated with this project. I know that's an extreme case, but please hear me out.
This, I think, gets at the core of concern I've been hearing from the community over the past year+ I've been here. 10 hours of downtime for a brand is serious harm done. Any and all downtime that isn't well-communicated and explained is harm done. Most professional companies fully and completely understand this. If Steemit, Inc. does not, that's really concerning. People that may have been supporters of the platform may never come back because of that failed first impression. It seems more shady if the site returns a default browser error than if the site has a status page and explains that a professional team of developers knows about the issue and is working on it. If people can't review a history of previous downtime on a status page, they can't evaluate if the site is legit or a scam during those outages. Too many people already think anything cryptocurrency-related is a scam and impressions like this don't help improve that perception.
I have to respectfully disagree. Being out this long due to a DDoS attack, yes, that's very rare. Seeing a 5XX response on steemit.com? Unfortunately not very rare. Over the past year, it has happened many, many times to me and others. IMO, it's well past time to have a status page and a professional 5XX response page. For each hard-fork that I can remember, the site experienced some issues. IMO, it would be much better to display a status page instead of a broken site.
GitHub deals with PCI and HIPPA compliant source code for companies processing billions and billions of dollars worth of transactions. They have very serious security considerations. Same for Twitter. Can you imagine the brand fallout (or even global fallout) if the Twitter account of the president was hacked into?
I think I understand your perspective, but I hope you're open to hearing an outside perspective as well. What you're saying sounds elitist to me. Arguing Steemit has more advanced security concerns than other sites and therefore can't have a global CDN or a professional status page doesn't make sense to me. You have vendors for your web servers, your DNS, your image hosting, etc, etc. As I said before, if you don't trust your vendors then you need new vendors. If you do trust them but a status page, professional 5xx landing page, and clear communication are not priorities, then just state that instead of bringing up security concerns that, to me, don't make much sense.
I'm open to being completely wrong here and not fully understanding the unique challenges you face with this site, but so far, what I'm arguing for here seems pretty obvious to me.
I know I'm being tough, but I really am on your side. I've always been a big supporter, and I regularly get flak about it in the chat rooms. I really want Steemit, Inc to succeed. Unfortunately, too many people use the term "STINK" instead. IMO, being humble about weaknesses and open to criticism and improvement suggestions (and implementing them) will go a long way towards improving community relations.
Thanks for responding. I love that I can openly (and hopefully respectfully) voice my concerns and be heard directly by you and your team. I look forward to hanging out at Steemfest2 and meeting you all in person so we can tell war stories of major site outages I've experienced as well.
Tossing around PCI and HIPAA (not HIPPA lol) without understanding the specific security requirements of steemit.com in this instance just tells me “I don’t know what I’m talking about”.
That’s not elitist, it’s just you not understanding the specific risks to this site.
I’m happy to take some time at steemfest to explain in depth to you why what you’re proposing is a bad idea.
I think that’s vastly overblown, and I think you’re making it up to win an argument. Any downtime, splash page or no, harms the brand. I asked for the delta.
Sorry for misspelling HIPAA, thanks for pointing that out. I have some slight dyslexia, so it's unfortunately common for me to mix letters up like that.
I think the community would benefit from understanding more about the specific security concerns of this website. If I, a ten year veteran of my own software as a service company which deals directly with security, am ignorant of it then most others are as well. If our frustration is based on ignorance, please help remove that frustration through education. I'd really appreciate reading a post by you or the steemitdev account so I can better understand what makes Steemit so different.
Is this something you or your team will put together? Communication is key, and I keep hearing from the community how people want more of it.
I don't understand what you mean about a delta. You asked for the worst case scenario. I tried to come up with one like you asked. Then in a separate paragraph mentioned a delta. What do you mean by delta? Do you mean what's the difference in harm between going down without a status page, site down page, or clear communication about the outage, what caused it, and how it was resolved compared to having none of that like we do now? IMO, it's quite large. People are left with the impression this site is not professional and not ready for mainstream adoption or integration.
It seems the site is down right now again. I'm glad to see a Tweet about it, but without a status page or a static site down page, how is anyone supposed to know your team is working on this and taking steps to ensure it won't happen again?