
Stop using Digital Ocean Now For the greater good - sdogruyol
http://serdardogruyol.com/?p=122
======
raiyu
Our privacy policy prevents us from disclosing any account or personal
information so we cannot speak to this customer's situation publicly.

If the customer would authorize this disclosure then we can discuss it
publicly.

Otherwise, as much as it pains us to get negative feedback, whether or not it
is deserved, it is beyond our control as the privacy of our customers is the
most important issue at stake in a public discussion.

~~~
sdogruyol
Could you please give the specific details to me and to all the people waiting
for the answers. Thank you.

~~~
josh2600
Just in case this isn't clear, this is OP.

Now, can a lawyer come in and discuss whether or not this can serve as
authorization such that DO can't be sued?

~~~
theoj
The OP has deleted two posts so far in this thread, both saying that DO found
him to be engaging in a DDOS. This "authorization" could disappear soon as
well.

------
dkuntz2
This doesn't actually tell me to not use Digital Ocean. All it tells me is
that the author is trying to make an emotional appeal to other people, without
giving any information other than Digital Ocean locked his account, citing
violation of their TOS.

While I can't say that their TOS violation claim is bogus, I also can't say
it's not bogus, because the author didn't publish (or, apparently, ask) for
that information.

Great, you've got a large number of users, and you used Digital Ocean to host
your backend. Why are they saying you're in violation of the TOS?

Ask the follow up, figure out why they're not pleased with you, and don't try
to appeal to emotion when you have no substantiating information.

As a side note, I have no horse in this race. I don't use Digital Ocean, and I
have no affiliation with them. I just don't see the author's claim as being
100% put together and honest.

~~~
scott_karana
As far as I'm concerned, it is _never_ acceptable to simply shut off service
with no explanation.

What if a site was compromised? What if an employee typoed the IP of an
abuser? What if, what if?

Their "fullstop" replies are not professional.

~~~
ZoFreX
Really? So if a customer was paying you $5 a month to run a VPS, you wouldn't
shut it down if say... it was hosting child porn? Or if it was sending so many
spam emails you were at risk of having all your other customers' servers
impacted?

And if you did have some automated system and various criteria for detecting
likely abuses, if someone got shut down under those terms, would you tell them
exactly where the line was? Or would you keep your detection methods to
yourself?

~~~
scott_karana
I would shut it off _with explanation_.

"Your site has been turned off due to hosting child porn, in contravention of
local/international law XXXXXX, per complaint YYYYYY".

Then they can at least dialogue.

Worst case scenario: the VPS is shut off automatically, I get a semi-urgent
notice, and I reply to the customer with further details as soon as possible.
And they would get a message letting them know as much.

~~~
jasonlotito
Keep in mind that apparently the OP does know why he was shut off. From
another comment here:

[http://i.imgur.com/1pxIxiN.png](http://i.imgur.com/1pxIxiN.png)

Just because the blog post doesn't say why doesn't mean he doesn't know why.
Only that he's selectively sharing the information.

~~~
scott_karana
Yeah, I know there's more going on.

I still think it's important to reiterate as much as possible why a service
was shut off, both for a customer understanding viewpoint, AND from a "cover
your ass" viewpoint.

It can't hurt to say "As stated in the past email, your server was shut off
due to YYYYY", rather than just "Game over, man. Stop emailing us."
equivalents.

------
j_baker
Notice that the author doesn't address the issue of whether they actually were
violating the TOS and/or AUP, or what the alleged violations actually were. My
interpretation is that the author likely was legitimately violating the TOS,
because otherwise he would have mentioned how dumb the allegations are.

If the author was breaking the AUP, I don't feel very sorry for him. If
someone's doing something that legitimately violates acceptable use, they
probably should be shut down without prior notification.

~~~
sdogruyol
Hey thanks for the comment. To let you know the account has 2 droplets which
serve 2 mobile apps and do crawling of 20-30 sites hourly. That's it actually
and also the Dropbox script that I mention.

~~~
j_baker
$20 says you're ignoring someone's robots.txt.

~~~
Ellipsis753
As far as I'm aware you're never actually required to follow it? It's just
good manners.

------
arxanas
I've just skimmed over the TOS. It seems a bit atypical:

> DigitalOcean reserves the right to modify the Terms of Service without
> notice.

Well... that more or less invalidates the sanctity of the terms.

> DigitalOcean also reserves the right to terminate a customers account if
> they are targeted by malicious activity from other parties.

What is the justification for that? Simply being the target of malicious
activity means that your account can be terminated? It's not as though one is
responsible for malicious activity directed against them.

> DIGITALOCEAN DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY,
> REGARDING THE SERVICES PROVIDED HEREUNDER, INCLUDING ANY WARRANTIES OF
> MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE ...

I see this a lot with software, but doesn't this mean that DigitalOcean has no
actual obligation to provide the cloud or VPS services they advertise? I
didn't see any such clause in the EC2 TOS, but I did not look very hard.

Is this the usual sort of agreement for such a service?

~~~
aroch
> Well... that more or less invalidates the sanctity of the terms.

You'll find the plurality (if not majority) of ToS's out there include such a
statement.

> What is the justification for that? Simply being the target of malicious
> activity means that your account can be terminated? It's not as though one is
> responsible for malicious activity directed against them.

They don't want to deal with the networking implications of a large scale
DDoS. They're providing low priced VPS services, not high bandwidth, high load
custom racks. Also, they "reserve the right" not the "always exercise the
right". DO likely won't kick you for a small DoS/DDoS but sustained attacks
take much more manpower to deal with than you're paying them for.

> I see this a lot with software, but doesn't this mean that DigitalOcean has
> no actual obligation to provide the cloud or VPS services they advertise?

No, it means you can't sue DO because your VPS went down and you lost 10K in
sales because customers couldn't access your storefront. It's an indemnity
clause.

> Is this the usual sort of agreement for such a service?

Yes, unless you're paying a good deal of money for something like a Colo with
a 1-hour SLA or an AWS instance with a high SLA.

------
retlehs
This happened to a friend who runs a DO server on July 22nd. The server had
been running for several weeks when it was suddenly taken down out of nowhere
for over 4 hours to "verify" the account. There wasn't any warning and my
friend immediately provided what they had requested.

Their response? They shut down the server because of "unusual traffic" coming
from the server which wasn't even being used yet.. but there was "outbound
traffic about 977.38 Mbps at its peak at around 2013-07-22 14:50:00UTC"

They need to fully verify accounts before letting anyone create a server. You
shouldn't just take down a server out of nowhere, for several hours, after
it's been running for weeks.

~~~
reycharles
> "unusual traffic" coming from the server which wasn't even being used yet..

Does this not sound suspicious to you? Maybe the server was compromised.
"Unused" servers usually don't generate 970 Mbps traffic randomly.

------
lucidrains
I've been unfortunate enough to be DDOS-ed on both Linode and Digital Ocean
for some of my sites. Suffice to say, Linode handles the DDOS much more
gracefully than Digital Ocean. Digital Ocean promptly bans you for TOS
violation and locks your account after 3 DDOS attempts. I know most people
don't have sites that are DDOS-ed often, but if you do run that risk, just
know that Digital Ocean will most likely have you moving pretty quickly.

~~~
manojlds
That is troubling to know. I have my pretty important website running on DO,
and though this is only for the short term, I might have to accelerate my
plans to move off DO.

------
cobrabyte
I sure wouldn't mind hearing the other side of the story. I use DO for a few
servers and recommend their services to people all the time.

~~~
sdogruyol
I also want to hear their story. But they are really not letting me know
anything.

~~~
cobrabyte
Sorry to hear that. Surely they'd at least let you know which part of their
TOS/AUP you violated.

I had to go through their 'verification procedure,' as well. I thought it was
odd but if it keeps prices low due to fraud, I really don't mind.

------
pfortuny
Using a smiling icon like the fish and then issuing a copypaste/boilerplate
message is insulting. If you are going to deliver non-informing messages, do
not SMILE in your icon.

This is nitpicking but in the end, you (DO) have a smiling icon because you
expect your support group smiles. If your support group is a machine, well
then... use this one.

    
    
              ##      ## 
            ##############
          ####  ######  ####
        ######################
        ##  ##############  ##  
        ##  ##          ##  ##
              ####  ####

------
dmak
"Please Provide us with the following: ... 1. Your public Twitter handle 2.
Your blog 3. Your company or personal website 4. Your public Facebook
profile"

What? Is this a common procedure now?

~~~
evandena
I guess I'm a spambot. I have no twitter handle, no personal blog, my company
website is a large corporate site with no mention of me, and my facebook
profile is completely barren.

~~~
borplk
Same here I don't have any of the mentioned items.

It's so weird to see things like 'Twitter account' and 'Facebook account'
being 'assumed'.

They are just two private companies why should we (directly/indirectly) force
everyone to have one?

Email I'm fine with, it's an open technology.

It's only a matter of time until we turn Twitter and Facebook into more open
technologies like email. I sure hope to see that happen.

------
aroch
Yes, let's refuse to support a company that is held in fairly high regard
because of one data point, displayed in a highly one-sided way

------
gexla
I think their service being so cheap is more reason for a plan B in case one
of your accounts goes down. There are so many options for making this happen.
And again, all pretty cheap. With a good back-up / fail-over plan, this
shouldn't even be much of a blip. Personally, I never contact support. If I
have a problem with one provider, I'm a button push / command line command
away from moving everything over to another provider.

~~~
gexla
> First of all, the support which was really helpful and kind at the beginning
> has became much worse and somewhat hard to understand.

How many times do you contact support? For me to contact support, there has to
be a problem with the actual service itself. That is, it's an obvious problem
that is outside of my control. I have been running VM's with quite a few
providers, certainly all the big names. I almost never have to contact support
(I would have to think pretty hard about a time that I have done this.) These
services are usually quite solid and if there is a problem, usually there is
some sort of status which lets you know there is a problem so that you don't
have to ask.

For me, having to contact support even once would be a big problem. Having to
contact support often enough that I have noticed that support was once good
but then turned bad would have been enough for me to have long since moved on.

------
gamegoblin
I run my website on a DO VPS. I have been supremely satisfied with the
service.

Did you find out what the breach of terms of service they spoke about was?
Unless I missed it in the article...

~~~
mark212
I think that was the core of the OP's complaint: he was shut down without any
explanation. Would be interesting to hear DO's side of things.

~~~
gamegoblin
I feel like there is more to this story than we are being led to believe. I'll
definitely keep an eye on this as it develops. So far I've found DO support to
be heavenly.

------
csomar
There are many illegal things you can do with a web server, and this puts the
hosting company at risk

1- Host/distribute copyrighted material

2- Run a torrent client and distribute copyrighted material

3- DOS attacks (especially when you can create several droplets for a limited
period of time)

The hosting provider is like a bank, and has the right to ask you where you
got that information from; and for what you are using it (though a bank
doesn't ask you what you use your money for)

I think it's acceptable that the hosting provider ask for your activity and
you provide a response for that (which you didn't).

~~~
AsymetricCom
So what am I paying for if the hosting providers are just passing off their
own problems to me?

~~~
ceejayoz
If you're breaking their TOS, having your account suspended is your problem,
not theirs.

------
TechMafia992
Either way, this is NOT how you deal with a customer who supposedly violated
terms and conditions. That email response was atrocious. Arrogant and
bullying. No sensitivity to whatever plight he may have, or reprieve offered.
No 'we'll call you directly'. Nothing! I am about to make a BIG decision for
my company and DO was in the discussion. It is not, not! Companies like this
irritate the heck out of me and have no place doing business on a large scale.
Keep up the attitude boys! ;)

------
donniezazen
Situations like this will keep getting worse and worse with our current
attitude towards personal data on cloud. My personal thought on situations
like this has always been that locking somebody's data is both unethical and
should be considered a crime by law. Service providers have full rights to
refuse providing servicing to somebody but they don't have a right to seize
somebody's personal data.

------
tarituor
Still waiting for an answer from raiyu. From my point of view, the problem
here is that DO did not notify the DO user before blocking their account. It's
an unexpected situation for business owners. As sdogruyol mentioned, he has 25K
users he is responsible for. At least he deserves a meaningful explanation and
a notification before blocking his account.

~~~
evv
I am also eagerly waiting for an answer.. I hope DO makes an official
statement on this matter.

Personally, I have had a great experience using digital ocean. Now I am
terrified of moving forward with them if they proceed with this "shut down
first, ask questions later" pattern.

------
jlgaddis
It's irrelevant, I suppose, but I'm sorta curious how big this database was
(or, more specifically, how much traffic he was generating to Dropbox).

There was also no mention in this article (except in one of the screenshots)
about whatever -- "[a] UDP flood or so" "at the beginning of this month".

It would certainly suck to have your account locked out when you're serving
production sites but it sounds like we haven't heard all of the story (we
obviously haven't heard DO's, of course).

~~~
sdogruyol
The DB is pretty small actually, just 10 MBish. Is this really a traffic flood
for DO?

~~~
rb2e
10MB once no, but let's say hypothetically, if the Dropbox API returned an
error or wasn't available which denied your request but your script didn't
account for it and it constantly kept making the request over and over and
over. The 10MB would soon add up.

Also, are you sure it wasn't something else, not the dropbox db script which
could have caused problems?

~~~
sdogruyol
I'm pretty sure that it's nothing else and I've never used the Dropbox script
after I got the first ticket.

------
polymathist
Anyone still lingering here will probably want to see the new post from OP:
[http://serdardogruyol.com/?p=137](http://serdardogruyol.com/?p=137) and the
corresponding discussion:
[https://news.ycombinator.com/item?id=6447152](https://news.ycombinator.com/item?id=6447152).
DO has responded directly.

------
rapid_snail
I run a site on DO for about 2 months - last week I got a similar mail to
"verify" my account. Luckily they had not taken down my droplet. I am willing
to give them the benefit of doubt here - but I am preparing my Plan B right
now in case they decide to "verify" me again and take my server down.

We really need to hear from DO to hear the other side of the story though.

------
kidh0
Probably they "think" (never thought that I would use it in the IT world) that
you are running some torrent client or anything like that. It's very common in
EU to use this kind of hosts to download torrents and avoid problems with the
law

------
poxrud
My (a couple weeks old) Ubuntu 10.04 server locked up, no ssh or VPN access
but could ping it. I contacted support and was told to destroy the droplet and
create a new one. Still have no idea why it happened or how to avoid it on my
production server.

~~~
yardie
I had the same problem. I was messing with my iptables and messed something up
to the point where there was no network. I contacted support and they
installed an Ubuntu Live image. (Something that has to be requested)

I used the Live image of my droplet to mount the disk, copy the databases, and
websites. Once I was satisfied I got everything I destroyed the droplet.

Before you destroy your droplet, request this!

~~~
_JamesA_
DO doesn't have a console access utility like Linode's [Lish]?

[Lish]: https://library.linode.com/using-lish-the-linode-shell

~~~
poxrud
Yes they do, but it wasn't working and would time out.

~~~
yardie
Try a different browser. I've used Chrome Mac, Firefox Win, Firefox Mac,
Safari. I just logged in using Safari (mac) 6.0.5 and found it working while
6.0.4 did not.

------
Executor
For $5 Digital Ocean gives me 20 GB of storage. But Dreamhost shared hosting
gives me UNLIMITED disk storage for the same price. Does this mean that I
should write off VPS/dedicated servers since they give such poor disk space?

------
gopher1
By this standard nobody should use Google, Paypal and many other services.

~~~
nilved
...which is true.

~~~
gopher1
Agreed, just pointing out that the lack of support for free services is not
specific to DO.

------
haroldp
On a side note, I looked through that database dumper script and isn't it just
a giant hassle to script non-interactive authentications with OAuth? Hope I
never have to do that again.

------
wil421
Dumping your DB daily to Dropbox doesn't sound like a production solution. It
looks like you violated their TOC somehow but don't state what you did.

This honestly sounds like growing pains, now that we are "taking off" we need
to make sure users aren't abusing our service. Let's do a user verification
process for certain instances that are flagged for whatever reason.

I have experienced similar verify account problems with Pay Pal/eBay. While
it's a burden on people who are doing legitimate business, if it keeps
spammers/scammers off of a service then it is worth it.

------
sgustard
If I stop using any hosting provider that someone has complained about online,
what exactly are my options now?

------
brubaker
So OP went public, then claimed he didn't want to go public (deleted message)
but still encourages people to drop DO based on his unhappiness..

OP seems very childish and not very forthcoming.

------
cliveowen
Good to know, I'll migrate and spread the word, this is not acceptable.

~~~
lucisferre
Or you could wait for some sufficiently concrete details as to what really
happened and make an informed decision instead of a knee-jerk response.

