0. Production servers deleted
1. No logs, notifications or any indications of the issues
2. Can't get hold of support on the free plan
3. Spend 1-2 weeks frantically trying to restore access to our customers
4. Find a random Auth0 support thread of someone who had the same issues
5. Auth0's response was to submit an affidavit to their legal team indicating I'm not sanctionable
6. Access restored after ~3ish weeks of downtime
Why was my SaaS caught up in sanctions?
I had a Russian developer deploy Auth0 two years ago (and hadn't logged in for 18+ months)
That was enough to get my production servers deleted with no warning.
Aren't the only people able to enforce the banning of automated enforcement, politicians, the very people that want the blocking done in the first place?
Is Cuba still being punished for daring to host Soviet missiles?
I think the way we've treated them is really terrible.
You can argue whether or not sanctions are an effective way to promote regime change, or if they just hurt the regular citizens of rogue governments. I think they are often quite ineffective.
But there's no defending the Cuban regime.
r/ShitAmericansSay
::walks away whistling hoping you don’t notice Iraq and Afghanistan’s blown up weddings::
https://en.wikipedia.org/wiki/Colonial_history_of_the_United... looks like it could get... expensive.
Isn't access control a set of patterns rather than a service? When did it stop being a core competency of web applications?
It transforms "Andy is andy@foo on service A, AndyA on service B, aaaandy on service C, maybe has two factor enabled on some of them and hopefully hasn't joined other groups to give them access" into "Andy is andy@company in Okta and we can turn services on/off and set policies as needed".
Turns out, login is surprisingly hard. It will be the first and most important focus point for attackers - SQL injections, DDoS attacks, captchas, griefers intentionally using wrong passwords to lock someone else out... with Okta and other products of its kind, all an application developer needs to do is to check some token.
Another huge part is that in the "old" world there was only one player for any kind of centralized authentication: LDAP. While there were and are multiple LDAP server implementations (OpenLDAP, MS AD, Samba and a bunch of smaller ones), only Microsoft's AD has a somewhat comfortable and usable management application - but even that is using old-school Windows UI and you need a MS desktop to manage it. Everyone else? Either use Apache Directory Studio, some barely working web management UI (phpldapadmin, GOsa) or heaven forbid plain LDIF files.
In contrast, working with anything of the "modern authentication" solutions is a breeze.
That last clause has also encompassed things like Hague prosecutors [0]. If your interpretation of these regulations depends on your assessment of the trustworthiness of the regulator, this is a very relevant datapoint.
Imagine major tech companies geoblocking United Nations offices. Is that far-fetched fantasy?
[0] https://www.hrw.org/news/2020/12/14/us-sanctions-internation... ("US Sanctions on the International Criminal Court")
In response to this announcement I've closed down my Auth0 experiments. I refuse to be held to US enforcement when I operate outside US jurisdiction. I know other SaaS will follow suit, but we have to oppose this somehow.
As far as I'm aware, the UK does not have any sanctions imposed against Cuba for example, so Auth0's active stance on this is inappropriate for those outside US border.
That applies of course to any US-based company, so in that case you would need to avoid touching anything that is based in the US. That may be possible in some cases, but if you rely on the third parties, it's almost inevitable to completely avoid US.
This damages US businesses more than it does overseas businesses. Sure, UK banks lose some US customers. But actually they didn't have to lose those customers; all they were required to do was exercise enhanced diligence over the sources of funds transferred to USA. The UK banks chose to eject those US customers, because it was cheaper.
I don't know what to do about this. I think US legislators like extraterritorial legislation because it looks strong, and because it has a certain flavour of "fixing the world". Most USAians don't have overseas financial interests, so aren't impacted. But, for example, my US half-sister declined her share of my late father's legacy, because importing it to the USA would have been too costly as well as too much hassle.
This does not change much: a, say, French company is bound to follow US regulations anywhere (including in France, not to mention abroad) because the US would punish any interests of this company in the US.
This was the case with Iran, and with others.
If you are mid-to-small compared to the US/China, you are bullied.
If you are very small (like a blog or local newspaper) you may not give a fuck.
There are some choices in the market, and beyond the behemoths it is still possible to avoid the US. The challenge is finding one that isn't owned by a US company and will end up with the same restrictions (like Gigya is now owned by SAP) - but any company serious about security will do the due diligence and know who owns who.
I'm in the US, and I'm not so sure I want to be held to US enforcement. Our government has always been a little wacky, but it's really stepped up the jiggery-pokery during the past, well, 20 years.
At this point it feels an awful lot like a past-their-prime pop star getting screechy and demanding about the brown M&Ms in the dressing room.
To take Iran as an example: when US sanctions prevent Boeing or Airbus from selling to them, I can understand why Embraer doesn't step in and offer to supply planes, because they are afraid of secondary sanctions affecting their business with the rest of the world.
But tech isn't like aircraft production — building a GitHub, Okta or Auth0 clone is a chunk of work but hardly infeasible — hell, most companies routinely built a partial Auth0 clone in-house until not that long ago. Many still do.
So why don't we see alternatives pop up that don't block Iran? It's a niche, but you get the whole niche to yourself, and Iran is not a small market.
From a legal perspective you would set up somewhere like UAE where they have a good climate for business but regularly do business with Iran, so that part shouldn't be an issue.
Network effects are a factor, but when you're blocked from the popular platform, you have a bigger incentive than usual to consider the less-popular one.
Working in/with Iran has other difficulties in addition to sanctions. The Iranian government has total control over what services from outside Iran are accessible to Iranians. They also use this control elaborately, in some fields whitelisting services rather than blacklisting them. So if you want to work with Iran from outside, you are always at the mercy of the government to block you.
If working from inside, you are under pressure to share people's private information with the government en masse. You have no way to resist that. The courts are puppets; the price of resistance can be anywhere from takeover of your business, to prison, to death.
Oh, and from outside, you have the problem of the exchange rate: due to 40+ years of 40+% inflation, what you earn from there cannot even cover your costs outside the country, unless you do the entire business from another country with a similar economy.
In other news, setting up businesses that go around US sanctions is not something the US will just wave off. Bullies don't accept their authority questioned.
Before Trump nixed the JCPoA, Iran had a firm order with Boeing for $16.6 billion worth of aircraft, and a firm order with Airbus for $25 billion worth of aircraft. Taken together, that's one of the largest aircraft orders of all time. Iran is not a small market.
> In other news, setting up businesses that go around US sanctions is not something the US will just wave off. Bullies don't accept their authority questioned.
Businesses in the UAE regularly trade with Iran (and Russia, for that matter) in the normal course of business.
Because it is not necessary. Setting up something like GitHub onsite takes 1 hour. Network effect really is overrated.
Where it hurts are payment systems, credit cards etc.. And there are alternatives.
Problem is, that people think they are a grift.
People didn’t learn their lesson from Facebook etc etc.
> Why are we blocking Users from access to Okta Service?
> In support of our customers' and Okta's existing contractual obligations with respect to U.S. export control laws, Okta customers are not permitted to access the Okta Service (including the Auth0 Platform) from Cuba, Iran, North Korea, Syria, the regions of Crimea, Luhansk or Donetsk without prior approval from the U.S. Government. This restriction applies even if a User is temporarily visiting any of the aforementioned regions.
Total utter bs. Next they will start filtering your business, customers etc.. Then just stop all together, because there's always something not right within larger orgs.
> Can Okta handle these OFAC controls for me?
> As a Customer, you are responsible for ensuring your own compliance with applicable laws. As outlined in the Okta Master Subscription Agreement, you must use the Okta Service in compliance with applicable laws.
How can you be responsible if you don't have the power to make decisions anymore? If they think they know better, they should face the consequences when something goes wrong (some North Korean login, for example).
US export controls don't apply to other countries. Why don't they have foreign entities for this? Because even if they have, they don't want to, because they became a political vehicle. A political vehicle for the CEO who thinks he's smarter than anybody who has a different opinion or who wants more power/influence, or maybe some bribes, I mean lobbyists at the door.
These days everybody seems to be a politician, pro athlete, doctor, scientist, coder, entrepreneur, etc.
1) let a third party handle authentication (Code)
2) let a third party handle authentication (SSO)
Number 1: don't do that
Number 2: Only do that if you are in control of SSO, or if you are very certain you won't have problems contacting the provider. (so not Google in this case)
Which is problematic in a bunch of scenarios:
- US foreign policy (note: I don't really want to stick up for a bunch of the countries/regions on that list).
- Chinese (and other countries) with censored internet.
- GDPR reaching far further than the EU borders.
- Badly written cryptography laws[0]
I don't really see a solution to this problem though. It's more of a problem when there is no transparency or ability to provide feedback and move democratic mechanisms toward "correct" solutions. In the case of Okta/Auth0, however they've segmented their business (I use their EU region), they're still at the end of the day a US company with a US board and directors. They can make a "service region" that respects EU laws because they don't contradict US laws (mostly), but there is nothing in EU laws mandating offering services to these regions. ¯\_(ツ)_/¯
[0]: https://www.eff.org/deeplinks/2018/09/australian-government-...
If you have a US-Okta and a non-US Okta and both ultimately are "Okta", then if the non-US Okta does not follow US regulations, the US-Okta will take the whip.
- To inconvenience the institutions of the occupier just in that area (Why just there? To avoid removing their incentives to change and to avoid crippling your own companies who provide a service there. If you sanction the occupier fully, they'll double down, perceive it as an escalation, and your own companies will be significantly hurt. They'll find an alternative, and once they do, they won't need your service any longer, so you lose leverage.)
- To frustrate the local populace so that even the milder ones have additional incentives to oppose the occupying regime.
I would think they have a lot more to worry about than okta authentication.
That's of course pre-24-Feb, the open Russian invasion of those regions. There have been some people, such as those visiting their elder relatives during the winter holidays, who are now stuck there.
I wouldn't argue for removing occupied regions of Ukraine from the list but instead for adding the aggressor to it.
Inb4 cries of whataboutism: no, I'm just pointing out the hypocrisy.
see Roblox, Valve (Steam), Cloudflare, Patreon and many more who didn't leave Russia: https://som.yale.edu/story/2022/over-1000-companies-have-cur...
^ Not on the same level as IBM working with Nazis, but still morally questionable
- Have a copy of all your users' e-mails within your own infrastructure (DB)
- Have proper backups in place
- Verify regularly that your backups function correctly (backup AND restore)
In case your account gets deleted, you can rebuild from these.
Do these sanctions even slow them down?
(Real question, please don't start a flame wars, I don't want this account to be disabled)
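The advice in the comment above (keep your own copy of the user list, back it up, and regularly verify both the backup and the restore) is the kind of thing that is easy to say and rarely rehearsed. As an added example, not code from the thread or from any identity provider, here is a small restore drill: it writes a canonical JSON snapshot of a user list, hashes it, loads it into a fresh SQLite database, and compares the restored rows against the original record by record. The user records are constructed for the example and do not follow any particular provider's export format; in a real setup the list would come from the provider's management API or export job, and the drill would run on a schedule against the latest snapshot.

```python
import hashlib
import json
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample records (not a real Auth0/Okta export format).
SAMPLE_USERS = [
    {"user_id": "idp|001", "email": "andy@foo.example", "email_verified": True, "mfa": True},
    {"user_id": "idp|002", "email": "bea@bar.example", "email_verified": True, "mfa": False},
    {"user_id": "idp|003", "email": "cy@baz.example", "email_verified": False, "mfa": False},
]


def write_backup(users, path):
    """Write a canonical JSON snapshot and return its SHA-256 for later integrity checks."""
    canonical = json.dumps(
        sorted(users, key=lambda u: u["user_id"]), sort_keys=True, separators=(",", ":")
    ).encode()
    Path(path).write_bytes(canonical)
    return hashlib.sha256(canonical).hexdigest()


def restore_to_db(path, db_path):
    """Rebuild the user table from the snapshot in a fresh SQLite database."""
    users = json.loads(Path(path).read_bytes())
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE users (user_id TEXT PRIMARY KEY, email TEXT NOT NULL UNIQUE,"
        " email_verified INTEGER NOT NULL, mfa INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(u["user_id"], u["email"], int(u["email_verified"]), int(u["mfa"])) for u in users],
    )
    conn.commit()
    return conn


def verify_restore(conn, expected_users):
    """Compare the restored rows with the original records, not just the row count."""
    rows = conn.execute(
        "SELECT user_id, email, email_verified, mfa FROM users ORDER BY user_id"
    ).fetchall()
    restored = [
        {"user_id": r[0], "email": r[1], "email_verified": bool(r[2]), "mfa": bool(r[3])}
        for r in rows
    ]
    return restored == sorted(expected_users, key=lambda u: u["user_id"])


def backup_restore_drill(users, drop_user_id=None):
    """Full drill: snapshot, verify the file hash, restore, verify the restored content.

    drop_user_id simulates a lossy restore so the drill's own detection can be exercised.
    """
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp) / "users.json"
        digest = write_backup(users, snap)
        on_disk = hashlib.sha256(snap.read_bytes()).hexdigest()
        conn = restore_to_db(snap, ":memory:")
        if drop_user_id is not None:
            conn.execute("DELETE FROM users WHERE user_id = ?", (drop_user_id,))
        matches = verify_restore(conn, users)
        count = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
        conn.close()
    return {
        "snapshot_sha256": digest,
        "snapshot_intact": digest == on_disk,
        "restored_rows": count,
        "restore_matches": matches,
    }


if __name__ == "__main__":
    print(backup_restore_drill(SAMPLE_USERS))
    print(backup_restore_drill(SAMPLE_USERS, drop_user_id="idp|002"))
```

The point of `drop_user_id` is that a drill which can only ever succeed proves nothing; a restore check should be run against a deliberately damaged copy now and then to confirm it would actually raise the alarm.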
our new Tutmoses is AUKUS + EU.
But the story repeats itself.
I am an EU citizen. I only have EU bank accounts. The app I used was of an EU bank. There are no EU sanctions against Cuba at this time or at the time I was there. I also have no relation to the USA; I was never there and have no business there.
A few days after opening my bank app (again, read only, no transaction) I received a threatening email from my EU bank saying I might be in violation of sanctions and it is prohibited to use the bank in a list of jurisdictions (basically the ones mentioned in the post minus the last three) and the bank reserves the right to terminate my account.
As you can imagine, this was very concerning. Fortunately nothing came of it.
But still, I find it ridiculous the bank threatened to close my account just for being in a country that, at least for the jurisdictions that concern me, is a normal country.
I have no doubt this was an automated message. The only thing that prevented my bank account from being terminated was the suspicious activity flag triggered the email handler and not the delete account handler.
I find this to be utterly dystopian.
There are global trade and sanction contracts between the USA and the EU, FYI, and the financial sector is even more strongly regulated.
(As a Canadian I've been to Cuba many times with no issues; however a friend's father worked for a nickel mining company and spent time there overseeing their operations in Cuba and he can no longer travel to the US among other things.)
What seems more likely to me is, a request came from my app to some bank server. The server detected the request coming from Cuba and flagged the account as having suspicious activity, that in turn triggering an automated message.
Maybe there was indeed a guy somewhere in an office who saw one request to my account coming from Cuba and decided to have some fun and said he’ll turn my account off. I don’t know. Whatever it is, it’s creepy it happened.