
Why we're leaving Heroku - rubbingalcohol
https://www.youbetrayedus.org/heroku/
======
tptacek
So far as we know†, CISA has virtually nothing to do with PRISM.

CISA enables information sharing only in the context of "cyber attacks" (a
term defined reasonably precisely in the bill). Essentially, what CISA says is
that companies can run intrusion detection systems (like they already do) and
then share the alerts with DHS.

PRISM is, as far as we can tell from the leaks, a tasking system for FISA 702
warrants. FISA 702 warrants can pertain to any foreign intelligence target.
They have virtually unlimited scope (as does foreign signals intelligence as a
whole).

I think this is a distinction with a big difference, but leaving that
difference aside: the mention of PRISM is clearly an emotional appeal, and
sets the tone for the rest of the open letter.

CISA is also at pains to avoid the sharing of PII (again: since CISPA, and the
Rockefeller bill before that, these bills have been intended essentially for
IDS alert sharing). It also does not shield companies from liability for
sharing information via FISA 702 requests: the only liability protection CISA
sharers get is for information shared _to prevent cyberattacks_.

† _Given the little we know about PRISM, that is._

~~~
belorn
If the shared information is only for IDS alert sharing where any irrelevant
information to cyber security is removed, then why do they need immunity from
privacy and antitrust laws?

Surely companies in the US can today report to the police if someone gains
illegal access to servers, does a DDoS, or sends phishing/malware to them. If the
police then involve the FBI with the case while requesting relevant customer
information, what laws would the company break from complying?

~~~
skissane
Surely the company can just go to the FBI/DHS/etc directly if they wish?
IANAL, but if a company has information which it reasonably believes to be
evidence of a crime, what court would find it illegal for them to volunteer it
to the federal government?

~~~
tptacek
No, they in the general case cannot.

~~~
skissane
What law would they be breaking? Criminal law? Contract law? Even if it were
technically a crime to tell something to the federal government, I can't
imagine the government would actually prosecute you for doing it (why would
they act against their own interests?) And, if a term of a contract prevents
you from providing the government with evidence of a crime, surely that
contract term is void as contrary to public policy. And any state or local law
which purports to prohibit revealing information to the federal government is
surely to that extent unconstitutional.

------
13thLetter
Unfortunately, most people upset about this issue right now will still
obediently walk into the voting booth next November and vote to re-elect
public officials (or at least the next candidate from the same party) who
supported this. Unless you're willing to put your vote where your mouth is and
thus make it clear that actions have consequences, nothing will change.

~~~
superuser2
What election outcome do you imagine is going to make this better?

~~~
aagha
The one where a candidate like Sanders, who has stood up against government
surveillance, takes steps to put a stop to it.

~~~
untog
What primary outcome are you expecting that results in Sanders being a
candidate you can vote for in the election?

In any case, this issue is so far down the list of things the average American
is concerned about that it's impossible to imagine meaningful change happening
because of it.

------
rdegges
I've got quite a lot invested in Heroku, it's honestly really disappointing to
see Salesforce do something like this. It's the responsibility of EVERYONE in
the industry (especially larger tech companies) to take a stand against
government, and help push for individual privacy.

~~~
erikpukinskis
I disagree. I think it's great that you want to push for individual privacy,
but I don't think everyone in the industry has a responsibility to push for
what you want. Everyone gets to choose what they want to advocate for.

~~~
PhasmaFelis
Working for a corporation does not relieve you of the basic human
responsibility to stand against evil. The fact that many, even most, humans
ignore this responsibility only makes it more important.

~~~
erikpukinskis
Every minute you're fighting for privacy is a minute you're not fighting the
evil I choose to focus on, which trust me is a far greater evil than yours.

You see how it sounds?

~~~
PhasmaFelis
Personally, I'm not saying everyone must spend every minute resisting evil.
I'm saying everyone is responsible for not _actively encouraging_ evil, which
is what Salesforce et al. are doing. There's a difference between failing to
volunteer at a rape crisis center vs. actually raping someone.*

*Obligatory internet disclaimer: This is an analogy.

------
jsnathan
If you're in the U.S., please do what you can to help stop this beast 'CISA'.
Here is a starting point:

[https://act.eff.org/action/stop-the-cybersecurity-information-sharing-act](https://act.eff.org/action/stop-the-cybersecurity-information-sharing-act)

------
Finster
I need a browser plugin or something to let me know when I'm visiting the
website of a company that has thrown in with gov't surveillance.

~~~
jbraithwaite
If you supply me with a list, I'll build it

~~~
zobzu
that would be cool actually, but where would one find such a list?

~~~
forgotmysn
I'm sure if you guys emailed the EFF with your idea, they would be happy to
help put one together.

------
redbergy
Why are the larger tech firms like Microsoft and Apple supporting CISA when
they opposed previous incarnations of the bill like SOPA and PIPA?

~~~
tzs
SOPA and PIPA are not previous incarnations of CISA. CISA has nothing to do
with SOPA and PIPA.

------
hapless
Why are we back here every year, like clockwork?

This is what, the 4th incarnation of this bill?

~~~
MCRed
Because government wants control, and while we have to raise a lot of
awareness in a short period of time to bring pressure to the politicians on
this issue... those who propose this legislation just go back when "Defeated"
and rewrite it, put it forward under another name etc.

I believe a lot of the stuff that was "defeated" in the past, got inserted
into the recent "net neutrality" ruling that had the internets cheering! (800
pages if I recall, so I didn't read it to find out for sure.)

They will not stop-- law enforcement types have permanent jobs and they're
there each year claiming they need more and more control/surveillance.

~~~
protomyth
Yes, but the other thing is the short period of awareness does not end with
the political destruction of the sponsors of the bill. We defeat the bill but
the sponsor walks away unhurt. Why are they not vilified for their anti-
constitutional behavior?

~~~
ionforce
All of this stuff takes effort. That people aren't willing to expend.

~~~
protomyth
Add #JohnDoeHatesTheConstitution to your tweets for minimum effort; at least
mention the bad players.

A company or institution cannot introduce or vote on a law; a Representative
or Senator can.

------
lucisferre
> Salesforce joined Apple, Microsoft, and other tech giants last week in
> endorsing the Cybersecurity Information Sharing Act of 2015 (CISA).

Is there a complete list of who endorsed this? Google is turning up very
little.

~~~
jsnathan
I cannot find a complete list, but it has been endorsed by the BSA trade
group. You can see a list of its members on WP [1]. Besides Microsoft and
Apple, it also includes Adobe, Intel, IBM, Oracle, AVG, McAfee and Symantec
(and others).

[1]: [https://en.wikipedia.org/wiki/BSA_%28The_Software_Alliance%29#Members](https://en.wikipedia.org/wiki/BSA_%28The_Software_Alliance%29#Members)

~~~
jgrowl
I don't think I've heard the BSA mentioned since I was in college arguing with
a teacher about how the BSA's piracy numbers were completely overinflated and
made up.

The teacher used those numbers in her argument that piracy was _literally_ the
same as stealing a car, while admitting that even she did it.

It makes me depressed that major companies still support such an idiotic
organization.

------
protomyth
Look, this "get in touch with your representative / senator" is not going to
do it. Can we start mentioning the sponsors and bad amenders of these bills?
Nowhere in this letter does it mention the sponsors of the bill. Yeah, the
business may lose a little business, but some other damn corp or group will
sponsor this bill.

I know in some districts electing a member of the opposite party (and this
being a cross-party issue that can be a crap shoot) is not going to happen,
but we can work to primary-out the damn fool. The only way politicians are
going to listen is if you take their seat away. If you make them fear you if
they even think about introducing legislation then you win.

~~~
JustSomeNobody
Too many citizens think their favorite party is better for the country than
the other party. They'll never actually be objective in who they vote for.

~~~
protomyth
Given that, this is a non-party issue. Plenty of blue and red on the good and
bad sides. You primary-out the offenders and don't worry about party. The
issue matters.

------
dmichulke
From a company point of view, supporting CISA might well make sense in order
to avoid the legal problems they are bound to have due to being coerced to
cooperate with the government.

From a consumer point of view, it also makes sense to avoid "officially
tapped" (read "US") services.

In the long run, it looks to me that gov't is laying the foundation of the
demise of its own surveillance program because no one in his right mind would
want his data in the US anymore, even less so if you're _not_ an American
company. Except for the German government, of course.

~~~
greatthanks
> Except for the German government, of course.

What do you mean?

~~~
dmichulke
They don't care whether Germans' phone calls are tapped, the chancellor's
phone is tapped or German companies are subject to industrial espionage.

Each of the above provably happened and the responses were (in descending
order of their "strength"):

- the chancellor cancelling the phone contract with Verizon

- asking the US for an apology (didn't happen)

- asking the US to sign a no-spy treaty (which would be purely trust-based:
no control possible, and still the US refuses to sign it)

-- end of list --

Note the absence of lawsuits, demissions / resignations and "diplomatic
tensions".

~~~
glitchdout
Don't forget

- Not caring that its intelligence agencies are selling their own citizens'
metadata (and content*)

[http://www.zeit.de/digital/datenschutz/2015-08/xkeyscore-nsa-domestic-intelligence-agency](http://www.zeit.de/digital/datenschutz/2015-08/xkeyscore-nsa-domestic-intelligence-agency)

[http://arstechnica.com/tech-policy/2015/08/germany-hands-over-citizens-metadata-in-return-for-nsas-top-spy-software/](http://arstechnica.com/tech-policy/2015/08/germany-hands-over-citizens-metadata-in-return-for-nsas-top-spy-software/)

*This has not been proven (yet).

------
snug
Why would a company want to endorse this? What is the upside for them?

~~~
alexfoo
Not being blackballed for any Government contracts?

~~~
tptacek
Or a variety of other reasons that we can, like that reason, simply make up.

The funny thing about your made-up reason? It's actually forbidden _by
statute_ in the very bill we're discussing.

~~~
pkinsky
Gee, I'm glad the US government takes so much care to follow not just the
letter but the spirit of the law.

~~~
Retra
You're absolutely right. Why don't we just throw every law in the trash
because someone might not follow it.

~~~
pkinsky
Ok, so let's say you don't agree to participate and suddenly stop getting
government contracts for some notionally unrelated reason. What do you do?

------
irq-1
If the NSA can't steal the data, then companies will provide the data. Same
thing they did with phone "meta" data; shift responsibility to the companies.

This is the new peace. The NSA won't attack your business, and your business
will become a part of the national security apparatus.

------
MCRed
I followed the link and clicked on the letter from the BSA. I did not see any
reference to the CISA in the letter. It seems to be endorsing more
restrictions on government surveillance, not less. (At least, that's what the
letter claims.)

~~~
bgentry
In the section where they are requesting immediate congressional action, they
list "Cyber Threat Information Sharing Legislation". This is CISA.

------
jacques_chester
The Paasify link seems to compare Heroku and Pivotal Web Services by default.
Note that the last update to that page was 2 years ago, according to the link.

Disclaimer: I work for Pivotal Labs, PWS is run by another division of the
same company.

------
SteveLAnderson
[http://www.salesforce.com/company/news-press/press-releases/2015/09/150925.jsp](http://www.salesforce.com/company/news-press/press-releases/2015/09/150925.jsp)

“At Salesforce, trust is our number one value and nothing is more important to
our company than the privacy of our customers' data,” said Burke Norton, chief
legal officer, Salesforce. “Contrary to reports, Salesforce does not support
CISA and has never supported CISA.”

------
kkamperschroer
CenturyLink Cloud AppFog is a good alternative. I know, I know, it's
CenturyLink and that's concerning to you. Cloud is like a different company
entirely.

Disclaimer: I helped build AppFog as a contractor.

------
Zaheer
Anyone have experience with Heroku alternatives like Openshift Origin?

~~~
bdcravens
Cloud66 is a pretty close match to Heroku.

~~~
kasia66
Cloud 66 provides full stack container management as a service in production,
that offers Heroku-like functionality on any cloud provider or on your own
server, [http://www.cloud66.com/](http://www.cloud66.com/) (Disclaimer: I work
at Cloud 66)

~~~
rip747
Is it standard nowadays to charge customers for support? Checking out the
pricing (and correct me if I'm wrong), does it really cost $5000/month to have
24/7 support? That seems crazy to me.

Now granted I pay about $300/month for the VM I have with my hosting provider,
but I can pick up a phone at any hour and talk to a tech when things go south.

I really don't care how good a service is, I want to talk with a breathing
human being when my business is down.

~~~
joshmn
> $300/month for the VM

High-availability, automatic failover, managed, with diamond-cut SSDs I hope?
Who are you with? For that money you should just pick up a box.

~~~
bdcravens
When a typical developer or admin cost is $50 or so an hour, $300 isn't a
material amount, and there are use cases where it's not just about whether a
single VM costs less or more than a single physical server.

