by shan199105 4590 days ago
I want to say that I hate Digital Ocean as well. I am a University of Waterloo Computer Science student. I have CS 458 (computer security) this term. We had an assignment last month asking us to get all the users' permissions without knowing their passwords for a web app. Then I wrote a script. The script uses curl once per second (maybe longer, due to connection issues) to guess all the different combinations of the password. Of course I was using that script on Digital Ocean!

After running it for two days, I received an email saying their router found out that I was doing a DDOS and asking me to stop it. I stopped the script immediately and replied to them with my reason, telling them that I was doing it for a university assignment and I didn't know that I was not allowed to do this. However, my account got suspended anyway. No matter how many emails I sent begging them to give back my files on the server (I use the server for emacs and tmux to write code for school projects), they just told me that sorry, but my account is suspended. No matter how I begged them, all I received back by email was at most two lines saying that my account is suspended. They did tell me that it is suspended forever. After several days they deleted my account with all my files in it. Now I have no way to get any of my files back! I feel ... so angry and hate Digital Ocean so much.

Is this how a normal American company behaves? Will a normal American company suspend a customer's account because that customer used it to do university work? I can understand it suspending me if I violated any laws, but I was just doing an assignment and did not violate anything. It also ignored the apology from the customer. Any evidence the customer provides is ignored as well. Even then, after a couple of days, Digital Ocean deleted that customer's account with all his files permanently!

This is my story. This is the reason why I hate Digital Ocean!!!!!!

5 comments

As another Digital Ocean user - I'll just say I'm happy to hear that other people running DDOS and/or dictionary attacks from the same IP pool I'm relying on get slapped down _hard_, and that excuses like "but I'm doing this for a Uni assignment!" don't give you a free run to be a bad actor in their (and "my") netblock.

Do you _really_ think you have a "right" to run a dictionary attack from someone else's network? _Seriously?_

Personally - from looking at my fail2ban logs, I wish Amazon - and even more usefully, large residential cable/adsl providers - would implement this sort of pro-active monitoring of user/customer behavior.

I think you misunderstood. The target for that dictionary attack is the UW virtual hosted machine!

Sorry that I didn't read your post carefully. I did not know that I cannot run a dictionary attack from their network. I admit that I made the mistake. I did tell them that I was wrong and stopped the script immediately after I received the notice. It's just that I do not think I deserve a penalty that destroys my account and all my files.

So what penalty do you think you deserve?

What penalty do the people attacking my clients' WordPress sites or SSH ports deserve? Would that penalty change if they mailed Digital Ocean saying "No, it's OK - me attacking that website is part of my Uni assignment!"? Who'd be responsible for checking that claim, and how much time would it take? And remind me again how much you'd spent with Digital Ocean?

You fucked up big time - deal with it and learn from it. There's clearly a whole bunch of things you didn't even think about before doing this (and that you're still whining about and failing to accept responsibility for). Be glad it bit you on the ass for something as unimportant as a uni assignment - imagine how much worse this could be if instead of a few assignment files, you'd lost 6 months of your startup's code - because you hadn't bothered reading the TOS you agreed to and didn't bother keeping off-site copies of important files.

Sorry this is harsh - but seriously, think about this from anybody else but your perspective. You behaved like a jerk, then tried the "But I didn't know! Sorry, I'll stop now." justification. And you're _still_ whining that you're being treated unfairly.

So, you violated their ToS, specifically that you're not allowed to do things that are abusive. Attempting to bruteforce a login is abusive. You admitted that you were in fact doing something against their ToS to them in a ticket. They don't know it's for a university assignment and chasing down your professor to confirm it is an assignment isn't something that's reasonable for you to expect them to do.

You violated their Terms, plain and simple. They don't owe you a second chance or your data.

As a side note, surely a CS major knows they should keep backups of everything. Better yet, shove your text/code files into git and have backups AND versioning.

I did tell them several times and apologized 5 times. Also, I provided my student ID and assignment page.

They told me that my files were safe at first. However, they still deleted my account with all my files in it.

I do have version control but backups. I am just angry with their attitude on how they talk to a customer.

Who ran the webapp and its server? Did that person know that there was a class assignment to brute force passwords?

If so, who complained to digitalocean?

If not, your professor should be fired, because the assignment encouraged students to break the law. Forget DigitalOcean's TOS. Attacking a server without permission is a crime.

The University of Waterloo hosted the virtual server for assignment use. The webapp was made for the assignment and hosted on that virtual uml server. That server is the server I brute-forced.

No one complained to Digital Ocean. Digital Ocean told me that they detected the attack by their router.

I did not attack any other servers. What I attacked was the specific virtual server hosted by the University of Waterloo itself.

This is absolute rubbish. Let's have a look at the Waterloo CS 458 assignments: <http://www.math.uwaterloo.ca/~dstinson/CS_458/F13/F13-slides.... Every one of those assignments that has you do practical work has you do it against a Waterloo-hosted virtual machine (as obviously anything else would be potentially illegal).

I think there is some kind of misunderstanding here. What I attacked is the Waterloo-hosted virtual machine! I was brute-forcing the passwords of users of a web app hosted on that machine. I asked the professor before doing that and the professor said I was allowed to do that.

Wow, now I wonder what would happen if I use their droplet as a crawl server for my vertical search engine.. hmm

You're right, I did misunderstand. Sorry.

Well, this should be another case showing that Digital Ocean sucks. Bad customer service, plus not returning important files after suspension.

I'd like to see DO put a process in place to resolve this kind of issue by requiring the user to have a recorded Skype/Google Hangout session to verify ID, credit card, etc. Once the ID is verified, the face recorded, and the user understands and agrees to fix the DDoS-type errors, the account should be restored.

Good point, I think this user deserves a second chance in this situation.

Another thing is they should not say that the files are safe in the first place, and then destroy them afterward. Maybe this user trusted them and waited for the files to submit his assignment.

Exactly. When I received the ticket, it said all my files were safe. Since I stopped the script immediately after I received the notice, and apologized to them in the first place, I was pretty sure that they would recover my account. However, I didn't know they would eventually destroy my account.