by kelukelugames 3725 days ago
I love namecheap but 5 sounds like victim blaming. Come on.

EDIT: My use of the term is a bit strong. I feel frustrated that company execs cannot explicitly admit a mistake or apologize. I should have worded it differently.

EDIT2: just for Tamar. By explicit I mean literally using the words "sorry", "apologize", or "mistake". What we have is the standard corporate nonapology.

EDIT3: congrats to Tamar for being promoted to a Namecheap executive!

5 comments

Low end hosting doesn't generally have backups, because it's, well, cheap. Extra overheads make the price increase, then you're not cheap and can't compete at that end.

Usually there are backup options included in the plan for upsell possibilities with these kinds of providers. Really, you should not expect a service that has 'cheap' in the name to offer any kind of backup.

Furthermore, is Namecheap authorized to copy their clients' data by their terms of service? If not, automatic backups may bypass totally-reasonable expectations that other users have. Backups can potentially be a threat vector, for example. There might be many reasons why one of Namecheap's clients might say "you copied this data?! and now I have no control of the environment the backup lives in?!"...

An example would be if some service stored credit card information temporarily while waiting for transactions etc. to process but then purged each record two weeks later. A compromise of the backups containing, say, weekly snapshots could then contain 90% of a client's ever-stored financial information whereas a compromise of the main site might only reveal a couple percent of them.

That's true, although we should be fairly concerned about a company using very cheap hosting on VPS with no form of encryption storing anything sensitive. You may also be breaching PCI DSS (fwiw) doing that.

In reality though, more companies do this than should be allowed. I worked for an ISP in a previous life and even on the super cheap shared hosting there were companies that were making a decent turnover and then using the cheapest possible hosting for their email/site. The quantity of these companies was a significant number too.

Especially when they were kicking off on the phone due to inevitable maintenance/downtime. Trying to appease customers that turn over 10 million a year and pay £5 a month for hosting is a bit wtf. You pay for what you get... that's no different in hosting.

> Really, you should not expect a service that has 'cheap' in the name to offer any kind of backup.

They never spell this out for you though, usually they imply that their service is just as good as their pricier rivals. As a result, many people get burnt before they get savvy. Some never get savvy, they just get turned off to the industry.

Not sure what the alternative is. I suspect a company that did clearly spell out their pros and cons would risk having stunted growth or go out of business entirely.

There are a couple of adages that may be valid.

"If it's too good to be true, it probably is"

and

"Cheap, Good, Fast - pick two"

Everyone should practice a good backup routine and take responsibility for backups.

This is not good damage control/PR. You are letting ego get in the way.

I respectfully disagree. I'm here, along with Tamar, reviewing and considering each point posted. There's some good suggestions and we're listening.

The opposite of what I'm suggesting is that people - individuals/companies - do not look after their own backups. That's a dangerous precedent.

Imagine you just lost two servers you can't replace, or you're a potential customer reading this thread, and are afraid of the same.

This is what they read as the company's response to this loss:

"Anyone with any self-managed server with ANY provider should always keep their own multiple backups. Dumbass."

Note the change I made at the end to reflect how some people [who are empathizing with someone who was attacked and lost their property] will interpret that statement. Did any of that statement help the situation at all? Did it help customers feel better? Or did it have the opposite effect? Would this be considered a good way to engender goodwill for your brand?

Now consider this reinterpretation of the statement:

"With self-managed servers, it is good best practice to keep multiple backups for yourself, no matter who your service provider is."

I am not sure why you would respond to an accusation about victim blaming by reiterating the exact thing that caused the accusation. You might want to reconsider continuing this particular aspect of discussion for PR reasons. It's not an argument you're going to win.

> It's not an argument you're going to win.

Unless you sign up for a managed service that claims to include backups or whatever, you are responsible for your own backups. What's controversial about that?

The issue is that Namecheap was the one that fucked up here, and now is not the time to emphasize "you should really be prepared for us fucking up in this manner". It's victim blaming. It looks shitty. The argument I refer to isn't "you should have offsite backups". The argument is that Namecheap is implicitly victim blaming, and they're not going to convince many people that they aren't.

Eh.. I don't really agree that this is victim blaming. But then again, I find that I disagree with most uses of the phrase "victim blaming". Pointing out that somebody did something sub-optimal, while still acknowledging the mis-deeds, mistakes, etc. of other parties, is not "victim blaming" in my book. It's just pointing out the truth.

I mean, if you go for a stroll through the roughest neighborhood in town, unarmed, by yourself, at night, and you get mugged, is it wrong to point out that going for that walk was stupid? Saying so doesn't mean the mugger isn't guilty or that what happened is right in any sense. It's just acknowledging reality.

I don't know where any of you live, but saying recklessness is "victim blaming" sounds like a first world privilege. Yes, generally in the first world, screaming for your rights can actually work.

In other worlds however, the problem is usually too widespread. You might get a lot of attention, commiseration, etc. but in the end, being reckless goes against survival. People who point this out should not be shushed for pointing out what you need to do to survive.

It's amazing to see that this "victim blaming" mentality is growing in Brazil. Violence here is out of control. You might get mugged/shot/kidnapped for no reason, or not displaying any wealth. Having been kidnapped myself, and chatted with the kidnappers, they do look for signs of wealth before pouncing. Therefore, yes, the victim does have an ounce of control over their risk and it's not wrong to point that out.

It does not solve violence, and attackers will just look for other victims regardless of their reward estimate. However, would you tell your children not to not show affluence/vulnerability in shady places just because you don't want to "victim blame"?

>I mean, if you go for a stroll through the roughest neighborhood in town, unarmed, by yourself, at night, and you get mugged, is it wrong to point out that going for that walk was stupid?

Yes, this is the textbook example of victim blaming. Placing any amount of blame on the person who is the victim in this situation is saying that they don't have the right to walk down a street and not be mugged. I am admittedly not the best at describing this because up until recently I had the same thought process as you. I would encourage you to find better explanations than what I can offer and be willing to have your beliefs challenged.

It's not victim blaming. It's simply a reiteration that it helps to have this in place if you are specifically opting to rent/lease a server that does not offer it.

Also, it's stated in the knowledgebase that it is advisable to set up server backups of your own if you do not have a managed server: https://www.namecheap.com/support/knowledgebase/article.aspx...

I don't believe you properly understand what victim blaming is or the argument I am making here, hence the reason I recommended you and your CIO don't bother continuing trying to discuss this. You're giving people reason to dislike Namecheap for no gain to yourself and your brand.

Agreed. However, is this messaged anywhere in your documentation or setup instructions? Do you provide instructions on how to set this up with a 3rd party or list of 3rd parties?

Although backups are #1 item on any list of best practices, making an easy, and tested, implementation method would be a good practice on your part.

When the product is an unmanaged VPS, I think certain assumptions can (hopefully) be made about the capabilities of the customer.

I don't think it was personal, simply a reminder that it always helps to have good backup procedures in place.

Even my managed services have offsite backups. Better be safe than sorry, I always say.

"Better be safe than sorry" - namecheap for when you lose your stuff on their services.

I don't think the best way to respond to a public vent is "Here's what you should have done instead". Responses might be technically correct but they lack empathy for the customer.

That comment I made refers to data integrity across platforms. You should be smart about data, no matter where it arises, if it is important to you.

For example, let me give you a look at what my Windows hard drive looks like.

My important files are stored locally, on Dropbox, and on CrashPlan. Some is also on Google Drive. I also run an offsite backup of my own to another local Linux box.

Don't make this specific to Namecheap, @kelukelugames. It's always smart to have good recovery systems in place. If you care that much about your data, you will protect it at whatever cost.

So yeah, I repeat, better to be safe than sorry. Your mileage may vary.

"Hard drives never fail" - kelukelugames

We've banned this account for repeatedly violating the HN guidelines. If you don't want it to be banned, you're welcome to email hn@ycombinator.com.

Doh.

Re: Your edit - just a note, it is very clear here that in points 1-4, Namecheap has acknowledged a mistake. That's exactly why there was a lot of training (and retraining) internally to ensure this mistake does not recur. But we do acknowledge it is an isolated incident. That doesn't mean it's not less important - we're fully aware of what happened here and it will not recur.

Thanks for edit2 :) I see us having used the word "mistake" many times here! But yes, we apologize that this happened as well.

The namecheap CIO never uses the word mistake. The execs rarely show any remorse. Best case they delegate to underlings like the social media guru.

Let's not throw personal attacks at me (and the tongue-in-cheek "congrats for being promoted to executive!" comment). There's plenty of remorse and there's plenty of acknowledgment of mistakes here. That said, as we acknowledged elsewhere, we're responding to the matter across several different platforms and specifically say we're rushed in trying to get out some basic insights behind what happened and transpired. A more well crafted blog response for all to see (this time from the CEO) has been published to https://blog.namecheap.com/social-engineering-issue/

It's a common practice. I don't see how it is personally offensive to you. My description was for the CIO and execs in general, yet you insisted they were for you. So maybe you should stop making tongue-in-cheek comments. In fact, I am moving my domains off of Namecheap because I don't think Namecheap is very good at handling customer relations, particularly on social media.

(the reply link didn't show up before, so I don't know if you saw my response posted right after this)

To be fair, your third edit was only for me. And that was the only comment I was replying to.

As I said, we are working to respond to hundreds of comments across dozens of platforms. I certainly respect your distaste in the more rushed responses in order to address all of the deluge, and that is why we were also simultaneously working on a longer and more thoughtful response that speaks for all of us at the company via that blog post (in a far more emotional tone).

It certainly is difficult to envision the challenges of responding to dozens of responses if you're not in our shoes. But I genuinely thank you for the feedback - and we're noting this (as well as the feedback all have been sent to date; a lot of that was factored into policy adjustment and our blog response) for handling it differently next time.