Automated enforcement is evil and must be banned (except in situations where the violations themselves are mostly automated and come in unbearably huge quantities).
Cuba exports terrorism and misery across the region. The dictatorships in Cuba, Venezuela, and Nicaragua fly under the radar these days, but are no less noxious to humanity than the regimes in Russia, Iran, NK, etc.
I think if we're going to root-cause this, what really got the ire of the Americans was good old-fashioned land reform after the revolution. They hate land reform; it happened in Guatemala too.
Okta just asked me to add a third authentication factor to my account. Now in addition to entering a password and authenticating via push notification I am also required to enter a code sent via SMS to the same phone that just answered a push notification. Sheer madness.
I think you're missing the point of okta. It's not for access control to your specific application. It's for companies to deal with many groups of users and on/off boarding easily.
E.g. the United States has withdrawn its signature from the International Criminal Court and will refuse (and actively oppose) being bound by ICC sanctions.
I am generally pro-regulation in my politics (police for the rich and powerful) but I agree that the power can be and is often abused. Just like regular police, firewalls should be built to prevent politicians from abusing regulations for political purposes.
My view on this from the United Kingdom: I have no vested interest in any of the territories listed nor do I support them in any way, but my business should not be subject to the whims of overseas powers and foreign policy.
But isn't Auth0 a US-based company? In that case, they are obliged to implement US sanctions, regardless where their customers are located.
One thing I've always been curious about is why the opportunity created by this sort of thing doesn't seem to be taken advantage of.
In Iran there are alternatives to many services. There are domestic cloud providers, a domestic android marketplace, there was a domestic Apple marketplace (and will show up again when Apple opens the platform to alternative stores), alternative video sharing platform, etc.
You don't even need to jump through this many hoops - somebody from Iran can just do it. And maybe they do, but overall I don't think the market is that big. All of these companies operate globally because it's otherwise difficult to make a profit.
Most of the time these sanctions are global in nature, and various treaties that the US has with different countries prevent companies in those countries from also doing business with sanctioned nations.
I'll take SSO over manually logging into the 8-10 company apps I use. If the team implementing an on-prem SSO/IdP solution has deep domain knowledge and sysadmin skills, go for it. I've had issues before, and cloud-based providers like Okta were much better, IMHO.
This is very different from Facebook. This isn't a company that also happens to provide auth to get more tracking for its main product. Auth is the main service for Okta, and it's used by people making decisions about whether they want to build this in-house or outsource it.
Wow, and here I thought Okta had split up their service into US and non-US, like many other big companies, but seems they have not, so now just because the US has some arbitrary list of who can be a user, everyone using Okta needs to follow that... Seems like the laws are a bit outdated and haven't really been updated for a global internet, hope we see some changes in that direction.
I don't get it. If we're insisting that Crimea, Lugansk and Donetsk are Ukraine and the people are Ukrainian, then why block/sanction people there who have no control over the situation?
They had plenty of time to move to whatever they prefer - unoccupied territories of Ukraine or legitimate territories of Russia. As far as I know they traveled both ways routinely but returned voluntarily every time.
I don't understand the reason for that. Somehow it is OK to do business with Cuba, which is not threatening anyone, but not with Russia, which is killing people en masse?
They probably don’t draw much revenue from those countries anyways. The dollar is pretty expensive there. Well, let’s send a gesture to the relevant customers then (including governments).
"In support of our customers’ and Okta’s existing contractual obligations with respect to U.S. export control laws, Okta customers are not permitted to access the Okta Service (including the Auth0 Platform) from Cuba, Iran, North Korea, Syria, the regions of Crimea, Luhansk or Donetsk without prior approval from the U.S. Government. This restriction applies even if a User is temporarily visiting any of the aforementioned regions."
nickfromseattle | 3 years ago
0. Production servers deleted
1. No logs, notifications or any indications of the issues
2. Can't get ahold of support on the free plan
3. Spend 1-2 weeks frantically trying to restore access to our customers
4. Find a random Auth0 support thread of someone who had the same issues
5. Auth0's response was to submit an affidavit to their legal team indicating I'm not sanctionable
6. Access restored after ~3ish weeks of downtime
Why was my SaaS caught up in sanctions?
I had a Russian developer deploy Auth0 two years ago (and hadn't logged in for 18+ months)
That was enough to get my production servers deleted with no warning.
ClumsyPilot | 3 years ago
Is Cuba still being punished for daring to host Soviet missiles?
I think the way we've treated them is really terrible.
lovellcw | 3 years ago
You can argue whether or not sanctions are an effective way to promote regime change, or if they just hurt the regular citizens of rogue governments. I think they are often quite ineffective.
But there's no defending the Cuban regime.
benjaminjosephw | 3 years ago
Isn't access control a set of patterns rather than a service? When did it stop being a core competency of web applications?
viraptor | 3 years ago
It transforms "Andy is andy@foo on service A, AndyA on service B, aaaandy on service C, maybe has two factor enabled on some of them and hopefully hasn't joined other groups to give them access" into "Andy is andy@company in Okta and we can turn services on/off and set policies as needed".
mschuster91 | 3 years ago
Turns out, login is surprisingly hard. It will be the first and most important focus point for attackers - SQL injections, DDoS attacks, captchas, griefers intentionally using wrong passwords to lock someone else out... with Okta and other products of its kind, all an application developer needs to do is to check some token.
Another huge part is that in the "old" world there was only one player for any kind of centralized authentication: LDAP. While there were and are multiple LDAP server implementations (OpenLDAP, MS AD, Samba and a bunch of smaller ones), only Microsoft's AD has a somewhat comfortable and usable management application - but even that is using old-school Windows UI and you need a MS desktop to manage it. Everyone else? Either use Apache Directory Studio, some barely working web management UI (phpldapadmin, GOsa) or heaven forbid plain LDIF files.
In contrast, working with anything of the "modern authentication" solutions is a breeze.
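mschuster91's "all an application developer needs to do is to check some token" hides most of the work in that check. The following is an added example (not Okta's, Auth0's or any commenter's code) of what a relying party has to verify on an ID token before trusting it: a pinned algorithm, the signature, the issuer, the audience and the lifetime. It uses HS256 with a shared secret so it runs offline; Okta and Auth0 sign with RS256 and publish keys through a JWKS endpoint, so in production the signature step is an RSA check against the key named by the token's `kid` and the allowlist is `{"RS256"}`. The issuer URL, audience, secret and claims below are made up for the example.

```python
"""Verify an OIDC-style ID token the way a relying party behind an IdP must.

Added example, not Okta's, Auth0's or any commenter's code. HS256 with a shared
secret is used so it runs offline; with an RS256-signing IdP the signature step
becomes an RSA check against the JWKS key named by the token's `kid`.
"""
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}  # pinned by the relying party, never read from the token


class TokenError(Exception):
    """Any token that must not be trusted."""


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore padding


def mint_token(claims, secret, alg="HS256"):
    """Build a token as the IdP would. `alg` is a parameter only so the tests can
    mint deliberately bad tokens ("none", or a different declared algorithm)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = "" if alg == "none" else b64url_encode(
        hmac.new(secret, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_token(token, secret, issuer, audience, now=None, leeway=60):
    """Return the claims if, and only if, every check passes. Nothing from the
    payload is trusted before the signature has been verified."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise TokenError("malformed token")
    if not isinstance(header, dict):
        raise TokenError("malformed token")

    # 1. Pin the algorithm. "none" and key-confusion attacks both rely on the
    #    verifier honouring whatever `alg` the token declares.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError(f"algorithm not allowed: {header.get('alg')!r}")

    # 2. Signature, compared in constant time, before any claim is read.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")

    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed token")
    if not isinstance(claims, dict):
        raise TokenError("malformed token")

    # 3. Issuer: it must be *our* tenant, not just some valid IdP.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    # 4. Audience: a genuine token minted for another app is still not for us.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    # 5. Lifetime, with a small clock-skew allowance.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("expired")
    if now < claims.get("nbf", 0) - leeway:
        raise TokenError("not yet valid")
    return claims


def classify(token, secret, issuer, audience, now):
    """(accepted, reason) for one token; convenient for logging and tests."""
    try:
        verify_token(token, secret, issuer, audience, now=now)
        return (True, "ok")
    except TokenError as err:
        return (False, str(err))
```

The order matters: the algorithm allowlist and the signature check run before any claim is parsed, so a forged payload never influences the decision, and `hmac.compare_digest` keeps the signature comparison constant-time. Issuer and audience are both checked because a token that is genuinely signed by the IdP for a different application in the same tenant is still not a valid login for this one.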
perihelions | 3 years ago
> "The Office of Foreign Assets Control ("OFAC") of the U.S. Department of the Treasury administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States."
That last clause has also encompassed things like Hague prosecutors [0]. If your interpretation of these regulations depends on your assessment of the trustworthiness of the regulator, this is a very relevant datapoint.
Imagine major tech companies geoblocking United Nations offices. Is that far-fetched fantasy?
[0] https://www.hrw.org/news/2020/12/14/us-sanctions-internation... ("US Sanctions on the International Criminal Court")
antonyh | 3 years ago
In response to this announcement I've closed down my Auth0 experiments. I refuse to be held to US enforcement when I operate outside US jurisdiction. I know other SaaS will follow suit, but we have to oppose this somehow.
As far as I'm aware, the UK does not have any sanctions imposed against Cuba for example, so Auth0's active stance on this is inappropriate for those outside US border.
tut-urut-utut | 3 years ago
That applies of course to any US-based company, so in that case you would need to avoid touching anything that is based in the US. That may be possible in some cases, but if you rely on the third parties, it's almost inevitable to completely avoid US.
deltarholamda | 3 years ago
I'm in the US, and I'm not so sure I want to be held to US enforcement. Our government has always been a little wacky, but it's really stepped up the jiggery-pokery during the past, well, 20 years.
At this point it feels an awful lot like a past-their-prime pop star getting screechy and demanding about the brown M&Ms in the dressing room.
jhugo | 3 years ago
To take Iran as an example: when US sanctions prevent Boeing or Airbus from selling to them, I can understand why Embraer doesn't step in and offer to supply planes, because they are afraid of secondary sanctions affecting their business with the rest of the world.
But tech isn't like aircraft production — building a GitHub, Okta or Auth0 clone is a chunk of work but hardly infeasible — hell, most companies routinely built a partial Auth0 clone in-house until not that long ago. Many still do.
So why don't we see alternatives pop up that don't block Iran? It's a niche, but you get the whole niche to yourself, and Iran is not a small market.
From a legal perspective you would set up somewhere like UAE where they have a good climate for business but regularly do business with Iran, so that part shouldn't be an issue.
Network effects are a factor, but when you're blocked from the popular platform, you have a bigger incentive than usual to consider the less-popular one.
aljgz | 3 years ago
Working in/with Iran has other difficulties in addition to sanctions. The Iranian government has total control over what services from outside Iran are accessible to Iranians. They also use this control elaborately, in some fields whitelisting services rather than blacklisting them. So if you want to work with Iran from outside, you are always at the mercy of the government to block you.
If working from inside, you are under pressure to share people's private information with the government en masse. You have no way to resist that. The courts are puppets; the price of resistance can be anywhere from takeover of your business, to prison, to death.
Oh, and from outside, you have the problem of the exchange rate: due to 40+ years of 40+% inflation, what you earn from there cannot even cover your costs outside the country, unless you do the entire business from another country with a similar economy.
locallost | 3 years ago
In other news, setting up businesses that go around US sanctions is not something the US will just wave off. Bullies don't accept their authority questioned.
zeroth32 | 3 years ago
Because it is not necessary. Setting up something like GitHub on-site takes an hour. The network effect really is overrated.
Where it hurts is payment systems, credit cards, etc. And there are alternatives.
jbverschoor | 3 years ago
People didn’t learn their lesson from Facebook etc etc.
wil421 | 3 years ago
I would think they have a lot more to worry about than okta authentication.
chinathrow | 3 years ago
- Have a copy of all your users' e-mail addresses within your own infrastructure (DB)
- Have proper backups in place
- Verify regularly that your backups function correctly (backup AND restore)
In case your account gets deleted, you can rebuild from these.
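chinathrow's three bullets, and the three weeks of downtime nickfromseattle describes above, amount to one control: export the user directory on a schedule, fingerprint it, and compare successive exports so that a tenant emptied under you is noticed by your own monitoring rather than by your customers. Below is an added example (not Auth0's or Okta's tooling, and not code from either commenter) that parses two constructed newline-delimited JSON exports in roughly the shape of an Auth0 user export (`user_id`, `email`, `identities[].connection`), diffs them, raises an alarm when the shrinkage exceeds normal off-boarding churn, and lists the records you would re-import into a fresh tenant. The sample users, thresholds and file contents are constructed for the example.

```python
"""Detect a silently shrunken or emptied IdP tenant from successive user exports.

Added example; not Auth0's or Okta's tooling. The records are constructed
sample data in roughly the shape of an Auth0 bulk user export.
"""
import hashlib
import json

# Constructed sample exports (newline-delimited JSON). YESTERDAY is the last
# known-good backup, TODAY shows normal churn, WIPED is what you get back once
# the tenant has been deleted under you.
YESTERDAY = """\
{"user_id": "auth0|u1", "email": "andy@company.example", "identities": [{"connection": "Username-Password-Authentication"}]}
{"user_id": "auth0|u2", "email": "bea@company.example", "identities": [{"connection": "Username-Password-Authentication"}]}
{"user_id": "google-oauth2|u3", "email": "cy@company.example", "identities": [{"connection": "google-oauth2"}]}
{"user_id": "auth0|u4", "email": "dee@company.example", "identities": [{"connection": "Username-Password-Authentication"}]}
"""
TODAY = """\
{"user_id": "auth0|u1", "email": "andy@company.example", "identities": [{"connection": "Username-Password-Authentication"}]}
{"user_id": "auth0|u2", "email": "bea.new@company.example", "identities": [{"connection": "Username-Password-Authentication"}]}
{"user_id": "google-oauth2|u3", "email": "cy@company.example", "identities": [{"connection": "google-oauth2"}]}
{"user_id": "auth0|u5", "email": "eve@company.example", "identities": [{"connection": "Username-Password-Authentication"}]}
"""
WIPED = ""


def parse_export(text):
    """Parse an NDJSON export into {user_id: record}. A duplicate id means the
    export itself is corrupt, which a restore must not silently paper over."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        record = json.loads(line)
        uid = record["user_id"]
        if uid in users:
            raise ValueError(f"line {lineno}: duplicate user_id {uid!r}")
        users[uid] = record
    return users


def fingerprint(users):
    """Digest of a snapshot in canonical JSON. Store it next to the backup and
    recompute it after a restore: equal digests mean the restore is complete."""
    canonical = json.dumps(users, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def diff_exports(previous, current):
    """Which user_ids appeared, disappeared, or had their record changed."""
    prev_ids, cur_ids = set(previous), set(current)
    return {
        "added": sorted(cur_ids - prev_ids),
        "removed": sorted(prev_ids - cur_ids),
        "changed": sorted(u for u in prev_ids & cur_ids if previous[u] != current[u]),
    }


def should_alarm(previous, current, min_removed=3, max_removed_fraction=0.05):
    """True when more users vanished than off-boarding explains, or when the
    tenant is empty. Both an absolute floor and a fraction are used so that a
    four-user tenant losing one account is not a page, but losing all of them is."""
    if not previous:
        return False
    if not current:
        return True
    removed = len(diff_exports(previous, current)["removed"])
    return removed > max(min_removed, max_removed_fraction * len(previous))


def records_to_restore(previous, current):
    """Full records present in the last good snapshot but missing now: the
    input for a fresh tenant's bulk import."""
    return [previous[u] for u in diff_exports(previous, current)["removed"]]


if __name__ == "__main__":
    prev, cur = parse_export(YESTERDAY), parse_export(TODAY)
    print("diff vs yesterday:", diff_exports(prev, cur))
    print("alarm (normal churn):", should_alarm(prev, cur))
    print("alarm (wiped tenant):", should_alarm(prev, parse_export(WIPED)))
    print("restore:", [r["user_id"] for r in records_to_restore(prev, parse_export(WIPED))])
```

To use it against real exports, replace the three string constants with file contents from the scheduled export job. The fingerprint is what makes the "backup AND restore" bullet testable: import the snapshot into a scratch tenant, export it again, and the digests must match; the diff is what turns "no logs, notifications or any indications" into an alert you own.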
buzzwords | 3 years ago
Do these sanctions even slow them down?
(Real question, please don't start a flame war, I don't want this account to be disabled)