
I'm going to play devil's advocate and completely disagree with you here :)

Customers, especially non-technical ones, don't give a crap. What they want to know is when the service will be back up, and what steps you're taking to prevent it happening in the future, although I'm sure a certain percentage would be interested in why this is happening in the first place (not as in the technical breakdown, but why you didn't have a contingency plan).

If I'm a customer of Basecamp it looks to me like 37Signals is couching this as if they are the victims here, when really I am the victim. Their business isn't being disrupted... mine is! I pay them to abstract me away from the gory details... if I wanted to deal with that stuff I'd pay people to build it in house. My job as a customer isn't to sympathize with an outage, it's to move to a service that won't have one.

After turning in a term paper a day late a wise professor once told me "It doesn't matter if your excuse is true, it's still an excuse." The basic facts are the job didn't get done, and the person to blame is the person who didn't get the job done. Any modern web service that doesn't take the simple effort to sign up for Cloudflare or their ilk to reduce attack surface doesn't deserve my money. (Admittedly a harsh perspective to take, but one many do take)




Reasonable people realize that unforeseen things happen, and might empathize with someone being targeted by a criminal enterprise a bit more than someone who just forgot to pay the electricity bill.

There is an entire movement in Sicily dedicated to highlighting and frequenting businesses that refuse to pay protection money, because in the past, paying was the norm.

http://www.addiopizzo.org/

Since that's not the kind of society I want to live in, I'd rather stand firm behind a company that refuses to deal with criminals. If companies give in as a matter of convenience to retain customers who turn a blind eye, that will only make the criminals stronger.

Now, certainly, there are measures they can take to mitigate the problem, but with all the things to do in a business, I suppose it's the kind of thing that might not be on the front burner until it happens. There are all kinds of bad, destructive things that could happen in the world, but if you spend all your time worrying about what could happen, you won't have a viable business. It's a tricky balancing act, and I'm willing to cut some slack to someone being targeted by criminals.


I more or less agree with you, but that's kind of a false dichotomy, isn't it? Signing up for Cloudflare or using a CDN isn't giving in, it's taking measures to protect yourself (and that's ignoring the other benefits you get). The unfortunate fact is DDOS attacks are becoming a daily occurrence, and if you have something to lose you should probably take measures to counteract any possible threats.

If 37Signals was a bitcoin exchange, aka a known target of DDOS attacks, the mood here would be drastically different... yet we've hit a tipping point where it seems everyone is equally at risk. DDOS attacks have become a sad cost of doing business on the internet, and just because you acknowledge that fact and try to prevent yourself from being a target doesn't mean you're capitulating to the criminal enterprise.

In fact, I don't see a better way of sticking it to the thugs than responding with "Hahaha, do your worst. We'd love to see if the money we're paying X COMPANY is worth it." And then you get to write a totally different blog post, one where you get to brag about your excellent foresight and how you have proven to your customers that the money they pay you buys a top-notch service.


That's a bit naive though. People can always find ways to hurt you - it's a very asymmetric fight. With a complex application such as Basecamp, you can't really put everything behind a CDN.


That's why I actually think that their thrust on pursuing the legal/FBI route is a good one, especially if they achieve any success there. This extortion/racket is indeed criminal and not tolerable. It would be good to catch the racketeers and make an example of them.


Disagree. Understanding the root cause helps even non-technical customers make the right decision. For example - "If I move to a different service (competitor of Basecamp), is there a chance that I will run into this issue there too? Answer is yes, based on how DHH explained the problem." Customers understand that shit happens. Particularly because many Basecamp users are business owners and can relate to shit happening in their business too. Explaining the root cause in plain language, and emphasizing that the user data is safe is a great way to deal with this situation.


> "It doesn't matter if your excuse is true, it's still an excuse."

you're seriously comparing handing in a term paper late to being targeted for extortion by an international crime syndicate?

of course handing in a term paper late is unexcusable - it's just a fucking essay and there's no reason why it should be late because you probably had weeks to do it.

waking up to find your entire network infrastructure under siege (and anything ELSE you put up as a contingency, because it's on the internet, remember?) is not some shit you can be "no excuses" hardcore about because this is in the real world which is complex, unlike slacking on a paper, which is very simple.

reasonable people know this, which is if you read their TOS and other SLA agreements, this is all spelled out for you. nobody wants to hear "NO EXCUSES!" from some guy paying $50/month while gigabits worth of malicious traffic is pounding at your door.

the truth is it's YOUR business, just like basecamp is THEIR business which they are QUITE obviously in the middle of running. if you're concerned your $50 saas product is not delivering the goods, it's on YOU to find an alternative.


> It doesn't matter if your excuse is true, it's still an excuse.

That's not wise, it's just being an asshole. Reasonable people understand that things happen sometimes despite our best efforts. You can spend your life railing at people getting hit by metaphorical meteors, until you're hit by one yourself, or you can take a minute to work with people, be a little flexible, and win your time "investment" back many times over in return.

And Cloudflare is hardly a panacea for DDOS attacks.


It's not as if this service failure is due to incompetence. And we don't know what counter-measures they used to mitigate this attack. It's impossible to be unaffected by a DDoS unless you're Google or Facebook (with warehouse-sized server facilities).

I think most Basecamp users are savvy enough to understand that there's nobody to blame except for the extortionists responsible for this attack.


So if a pizza delivery guy gets shot on the way do you still demand better service? Just trying to see if you believe in the principle or just the practical aspect. :)


Better analogy would be if the "criminals" flooded the streets with bicycles or cars preventing the pizza delivery guy from delivering your order.

Straight up murder doesn't quite fit the situation here.


Yes, that would be a better analogy. However, I was not trying to make an analogy. I was testing if the person held a principled (absolute) or practical (relative) view.


I'm guessing relative.


> Customers, especially non-technical ones, don't give a crap.

The fact that this is on a GitHub Gist, as opposed to a static page (like on S3), suggests an audience that would understand those subtleties.


> If I'm a customer of Basecamp it looks to me like 37Signals is couching this

Basecamp is actually the name of the company now, they aren't 37Signals anymore.


Not sure why you got voted down (hopefully my vote will put it back at 1). I think it's a legitimate point of view. I can certainly imagine some company out there mad at 37signals because they can't get work done because of the attack, wasting thousands of dollars of labor.


I always liked how the Japanese apologised. There is no excuse as it's irrelevant, all you get is an apology, compensation and how/why it won't occur again. Not sure if that was an industry specific thing but it sure was effective.


Some customers don't care. Many do. I personally do. When a business can explain what happened it makes me not only like them more, but become a little more loyal.



