by swanson 4473 days ago
Some great language there: framing it as an attack by criminals (gains sympathy from users), explains in plain terms what a DDOS is (front door analogy), emphasizes (twice!) that user data is safe, apologizes for the likely downtime, informs people where to get updates.

Probably worth bookmarking this for when you [hopefully never] have to deal with this same situation.

7 comments

I'm going to play devil's advocate and completely disagree with you here :)

Customers, especially non-technical ones, don't give a crap. What they want to know is when the service will be back up, and what steps you're taking to prevent it happening in the future, although I'm sure a certain percentage would be interested in why this is happening in the first place (not as in the technical breakdown, but why you didn't have a contingency plan).

If I'm a customer of Basecamp it looks to me like 37Signals is couching this as if they are the victims here, when really I am the victim. Their business isn't being disrupted... mine is! I pay them to abstract me away from the gory details... if I wanted to deal with that stuff I'd pay people to build it in house. My job as a customer isn't to sympathize with an outage, it's to move to a service that won't have one.

After turning in a term paper a day late a wise professor once told me "It doesn't matter if your excuse is true, it's still an excuse." The basic facts are the job didn't get done, and the person to blame is the person who didn't get the job done. Any modern web service that doesn't take the simple effort to sign up for cloudflare or their ilk to reduce attack surface doesn't deserve my money. (Admittedly a harsh perspective to take, but one many do take)

Reasonable people realize that unforeseen things happen, and might empathize with someone being targeted by a criminal enterprise a bit more than someone who just forgot to pay the electricity bill.

There is an entire movement in Sicily dedicated to highlighting and frequenting businesses that refuse to pay protection money, because in the past, paying was the norm.

http://www.addiopizzo.org/

Since that's not the kind of society I want to live in, I'd rather stand firm behind a company that refuses to deal with criminals. If companies give in as a matter of convenience to retain customers who turn a blind eye, that will only make the criminals stronger.

Now, certainly, there are measures they can take to mitigate the problem, but with all the things to do in a business, I suppose it's the kind of thing that might not be on the front burner until it happens. There are all kinds of bad, destructive things that could happen in the world, but if you spend all your time worrying about what could happen, you won't have a viable business. It's a tricky balancing act, and I'm willing to cut some slack to someone being targeted by criminals.

I more or less agree with you, but that's kind of a false dichotomy, isn't it? Signing up for cloudflare or using a CDN isn't giving in, it's taking measures to protect yourself (and that's ignoring the other benefits you get). The unfortunate fact is DDOS attacks are becoming a daily occurrence, and if you have something to lose you should probably take measures to counteract any possible threats.

If 37Signals was a bitcoin exchange, aka a known target of DDOS attacks, the mood here would be drastically different... yet we've hit a tipping point where it seems everyone is equally at risk. DDOS attacks have become a sad cost of doing business on the internet, and just because you acknowledge that fact and try to prevent yourself from being a target doesn't mean you're capitulating to the criminal enterprise.

In fact, I don't see a better way of sticking it to the thugs than responding with "Hahaha, do your worst. We'd love to see if the money we're paying X COMPANY is worth it." And then you get to write a totally different blog post, one where you get to brag about your excellent foresight and how you have proven to your customers that the money they pay you buys a top-notch service.

That's a bit naive though. People can always find ways to hurt you - it's a very asymmetric fight. With a complex application such as Basecamp, you can't really put everything behind a CDN.
That's why I actually think that their thrust on pursuing the legal/FBI route is a good one, especially if they achieve any success there. This extortion/racket is indeed criminal and not tolerable. It would be good to catch the racketeers and make an example of them.
Disagree. Understanding the root cause helps even non-technical customers make the right decision. For example - "If I move to a different service (competitor of Basecamp), is there a chance that I will run into this issue there too? Answer is yes, based on how DHH explained the problem." Customers understand that shit happens. Particularly because many Basecamp users are business owners and can relate to shit happening in their business too. Explaining the root cause in plain language, and emphasizing that the user data is safe is a great way to deal with this situation.
> "It doesn't matter if your excuse is true, it's still an excuse."

you're seriously comparing handing in a term paper late to being targeted for extortion by an international crime syndicate?

of course handing in a term paper late is inexcusable - it's just a fucking essay and there's no reason why it should be late because you probably had weeks to do it.

waking up to find your entire network infrastructure under siege (and anything ELSE you put up as a contingency, because it's on the internet, remember?) is not some shit you can be "no excuses" hardcore about because this is in the real world which is complex, unlike slacking on a paper, which is very simple.

reasonable people know this, which is why, if you read their TOS and other SLA agreements, this is all spelled out for you. nobody wants to hear "NO EXCUSES!" from some guy paying $50/month while gigabits worth of malicious traffic is pounding at your door.

the truth is it's YOUR business, just like basecamp is THEIR business which they are QUITE obviously in the middle of running. if you're concerned your $50 saas product is not delivering the goods, it's on YOU to find an alternative.

> It doesn't matter if your excuse is true, it's still an excuse.

That's not wise, it's just being an asshole. Reasonable people understand that things happen sometimes despite our best efforts. You can spend your life railing at people getting hit by metaphorical meteors, until you're hit by one yourself, or you can take a minute to work with people, be a little flexible, and win your time "investment" back many times over in return.

And Cloudflare is hardly a panacea for DDOS attacks.

It's not as if this service failure is due to incompetence. And we don't know what counter-measures they used to mitigate this attack. It's impossible to be unaffected by a DDoS unless you're Google or Facebook (with warehouse-sized server facilities).

I think most Basecamp users are savvy enough to understand that there's nobody to blame except for the extortionists responsible for this attack.

So if a pizza delivery guy gets shot on the way do you still demand better service? Just trying to see if you believe in the principle or just the practical aspect. :)
Better analogy would be if the "criminals" flooded the streets with bicycles or cars preventing the pizza delivery guy from delivering your order.

Straight up murder doesn't quite fit the situation here.

Yes, that would be a better analogy. However, I was not trying to make an analogy. I was testing if the person held a principled (absolute) or practical (relative) view.
I'm guessing relative.
Customers, especially non-technical ones, don't give a crap.

The fact that this is on a Github Gist, as opposed to a static page (like on s3), suggests an audience that would understand those subtleties.

> If I'm a customer of Basecamp it looks to me like 37Signals is couching this

Basecamp is actually the name of the company now, they aren't 37Signals anymore.

Not sure why you got voted down (hopefully my vote will put it back at 1). I think it's a legitimate point of view. I can certainly imagine some company out there mad at 37signals because they can't get work done because of the attack, wasting thousands of dollars of labor.
I always liked how the Japanese apologised. There is no excuse as it's irrelevant, all you get is an apology, compensation and how/why it won't occur again. Not sure if that was an industry specific thing but it sure was effective.
Some customers don't care. Many do. I personally do. When a business can explain what happened it makes me not only like them more, but become a little more loyal.
I agree, though blackmail seems inaccurate. I've always understood blackmail to be a demand backed by a threat to reveal secret information[1]; this sounds more like an extortion racket[2].

[1] http://en.wikipedia.org/wiki/Blackmail#United_States

[2] http://en.wikipedia.org/wiki/Extortion_racket

Yea, extortion seems more apt here. It's like a square and rectangle. All blackmail involves extortion, but not all extortion is blackmail.
It is extortion, not blackmail. While blackmail is a form of extortion, it's as you say - threats to reveal potentially damaging information.
They use "criminals" 5 times in that short statement. IMO the overuse of emotive language is unnecessary and belies the emotional state of the author. Stay professional and detached—it's a DDoS, I've no doubt it's frustrating but they happen.

I prefer Github's recent response [0], clear and helpful but without the rhetoric.

[0] https://github.com/blog/1796-denial-of-service-attacks

Rhetoric? You've got people who just attempted to blackmail you and then take your service offline when you refuse. The descriptive term "criminal", i.e. one who breaks laws, is perfectly valid IMO.
Of course it's valid, rhetoric != lies.
While I agree, the term blackmailer or extortionist would have been better.
Which are just specific types of criminals. I don't see the problem.
Criminals are just specific types of people, and people are just specific types of mammals. Being more specific sometimes aids understanding.
I think I get what you're saying here; it's an example of the non-central fallacy[1]. Calling someone "a criminal" calls to mind a set of stereotypes, to which blackmail/extortion don't quite fit (most crimes for which one gets called "a criminal" as a generic term are violent, for just one thing.) Calling them "a blackmailer" or "an extortionist" calls to mind a more accurate set of stereotypes, clustered more closely with how you'd react to kidnappers, con-artists, etc. than how you'd react to, say, a mugger.

[1] http://lesswrong.com/lw/e95/the_noncentral_fallacy_the_worst...

Not all blackmail is a crime.

I blackmail my kids all the time... ("Wash your hands after using the bathroom or you will put 25 cents in this jar")

That's not blackmail ... "wash your hands or I'll tell your sister that you killed her pet fish" ... is blackmail. What you're describing is more like extortion.
It's just framing the scenario in good guys vs bad guys terms, it's childish regardless of how accurately the term describes the actors involved.
Why is it childish to point out when someone is acting criminally — in a literal sense being a bad guy? Is it somehow more adult to act as though you are morally equivalent to an extortionist?
I think people might be being offended-by-proxy by a sort of status-shift 37s is trying to work into its language. Calling someone "an extortionist" still implies a sort of high-status white-collar cunning-and-intelligence, of the kind you'd expect of a person in the tech industry. An evil person, surely, but the respectable, movie-villain-you-love-to-hate kind of evil.

Calling someone "a criminal", meanwhile, degrades their status to that of a common mugger; someone in the lower class who needs to commit crime to survive, and who doesn't have the intelligence required to come up with a clever crime.

Hackers are generally aesthetes--we tend to value our intelligence, curiosity, etc. more than we value our moral fibre. We can appreciate stories like "A hacked into B to see if it was possible, and reported the vulnerability all responsible-like, but then they threw him in jail! How horrible!" because we think the positive-status from the display of intelligence makes it less likely, rather than more, that they were genuinely seeking to harm the people they hacked.

Because of this, I think we here are scared of being potentially associated with dumb, low-status, lower-class criminals more than we are of just being considered evil. People hire "evil, black-hat" hackers. Nobody hires a dumb hacker.

Calling someone a criminal degrades their status from someone who doesn't commit crime to someone who does. It degrades them from someone who adds value to someone who takes value.

There is moral judgement involved with calling someone a criminal, and rightfully so. Taking what other people have created by force or extortion degrades society.

I agree with your general sentiment wrt good and bad, but saying these people are criminals is just plainly accurate, and specifically not attributing "badness" at all. It's extortion, which is forbidden for very good reasons and as far as I know, uncontroversially so.

I was actually marveling at how precise the wording is in this piece. Curious how different these things can come across.

That is the scenario, it's not just framing it that way, it actually is that way. There's nothing childish about it.
It is criminal behaviour. It reinforces to clients that the attack is not legal, and that they are not to be tolerated.

(and as a message to the DDOSer - they're likely to be reading this too and reminding them it is criminal and law enforcement is involved might make them reconsider the attack)

Yes, but you don't have to repeat it five times; it seems that you are pushing the thing
>Stay professional and detached—it's a DDoS, I've no doubt it's frustrating but they happen.

Burglary and murder happen too. No reason to hold your language back. Not even lawyers and prosecutors do, and they deal with those everyday.

For the company losing millions or the Basecamp client who's unable to enter his account, that "those things happen" is not much of a response.

I like the "criminals" language. It's unfortunate they need to use it, because it points out that many people think this sort of thing is more like youthful hijinks--a type of vandalism, say--as it was when the Internet was younger. Repeating the word criminals is an excellent way to change the tenor of discussion on this topic in the public mind. I hope all companies that are ddos'd will do it, until it becomes redundant.
Actually, it’s not ‘a DDoS’ but a blackmail attempt, using a DDoS. That’s like confusing someone open-carrying a gun and an armed robbery.

> This attack was launched together with a blackmail attempt that sought to have us pay to avoid this assault.

While I know this is a little pedantic, I'm pretty sure the analogy falls down a bit -- denial of service attacks are often illegal (for instance, in the US it's possible for them to be prosecuted under the Computer Fraud and Abuse Act or even under trespassing or contract laws). Even without the blackmail attempt this could still be considered a criminal act.
So is open carry in most countries. You don’t come off as pedantic, just US-centric.
The US is far from the only country to make DDoS a crime or tort in various situations.
Of course not, and that was not my point.

The original comment said that because DDoS could be illegal, it was different from openly carrying a fire-arm; that assumes that openly carrying a firearm isn’t illegal. It often is, outside of the US -- hence my response.

I would have appreciated you didn’t downvote me before you understood that.

Personally I would rather them show some emotion, as it shares their frustration and anger at these idiots. Also, "criminals" reiterates to the attackers and potential copy-cats, this really is a criminal act and you can be punished.
Github's response would be a whole lot of technical, unhelpful nonsense for most basecamp users.

There's certainly a bit of knowing your audience here.

Yes, "criminals" is much too harsh. Let's replace it with "unfortunately misguided souls xoxo".
Except GitHub's audience is very different from Basecamp's. The first rule of any communication is - know your audience. Well played by DHH.
Yup, they're doing a great job in couching it in language that their customers can understand regardless of technical background. It's easy to forget that services like Basecamp service a huge swath of people who wouldn't necessarily understand what's going on without that sort of copy massage.
Actually, I see the word 'attack' as an emotional trigger and maybe not ideal. I much preferred their analogy that assures non-technical users (on github???) and makes sense:

> This is like a bunch of people blocking the front door and not letting you into your house. The contents of your house are safe -- you just can’t get in until they get out of the way.

Some great language there

It is. Only 4 words into the DDoS announcement and I rolled my eyes. I think that's a record for DHH.

Sounds like your issue is with DHH and not necessarily the copy.
Totes true. His selection of words is in one of the bombastic veins that rubs me the wrong way. It goes beyond just one piece of writing, that does make my issue with the writer.
>"His selection of words is in one of the bombastic veins"

I am not completely sure what this even means, but I am sure there is irony in there!

I agree that DHH is such a great writer. He used the metaphor of people blocking your house so that non-technical users can easily understand what he's saying.