Why we're leaving Heroku (youbetrayedus.org)
379 points by rubbingalcohol on Sept 22, 2015 | 74 comments

So far as we know†, CISA has virtually nothing to do with PRISM.

CISA enables information sharing only in the context of "cyber attacks" (a term defined reasonably precisely in the bill). Essentially, what CISA says is that companies can run intrusion detection systems (like they already do) and then share the alerts with DHS.

PRISM is, as far as we can tell from the leaks, a tasking system for FISA 702 warrants. FISA 702 warrants can pertain to any foreign intelligence target. They have virtually unlimited scope (as does foreign signals intelligence as a whole).

I think this is a distinction with a big difference, but leaving that difference aside: the mention of PRISM is clearly an emotional appeal, and sets the tone for the rest of the open letter.

CISA is also at pains to avoid the sharing of PII (again: since CISPA, and the Rockefeller bill before that, these bills have been intended essentially for IDS alert sharing). It also does not shield companies from liability for sharing information via FISA 702 requests: the only liability protection CISA sharers get is for information shared to prevent cyberattacks.

Given the little we know about PRISM, that is.

If the shared information is only for IDS alert sharing, where any information irrelevant to cyber security is removed, then why do they need immunity from privacy and antitrust laws?

Surely companies in the US can today report to the police if someone gains illegal access to servers, does a DDoS, or sends phishing/malware to them. If the police then involve the FBI with the case while requesting relevant customer information, what laws would the company break by complying?

Surely the company can just go to the FBI/DHS/etc directly if they wish? IANAL, but if a company has information which it reasonably believes to be evidence of a crime, what court would find it illegal for them to volunteer it to the federal government?

No, in the general case they cannot.

What law would they be breaking? Criminal law? Contract law? Even if it were technically a crime to tell something to the federal government, I can't imagine the government would actually prosecute you for doing it (why would they act against their own interests?) And, if a term of a contract prevents you from providing the government with evidence of a crime, surely that contract term is void as contrary to public policy. And any state or local law which purports to prohibit revealing information to the federal government is surely to that extent unconstitutional.

Unfortunately, most people upset about this issue right now will still obediently walk into the voting booth next November and vote to re-elect public officials (or at least the next candidate from the same party) who supported this. Unless you're willing to put your vote where your mouth is and thus make it clear that actions have consequences, nothing will change.

What election outcome do you imagine is going to make this better?

The one where a candidate like Sanders, who has stood up against government surveillance, takes steps to put a stop to it.

What primary outcome are you expecting that results in Sanders being a candidate you can vote for in the election?

In any case, this issue is so far down the list of things the average American is concerned about that it's impossible to imagine meaningful change happening because of it.

Any election outcome where politicians who fail to oppose this, whether Democratic or Republican, are out of office and replaced with those of a different party, is the path to making this better.

If you keep throwing the bums out -- and don't tell me that's impossible, no matter how many ads they buy they can't directly control what vote gets cast -- eventually you'll have bums in office who have a better sense of self-preservation. There's a very smart epigram along the lines of, the way to get good policy is not to elect good politicians, because such beasts hardly exist or get corrupted fast: it's to give bad politicians an incentive to act good. Let's give our bad politicians a nice strong incentive to oppose the surveillance state, hey?

You seem to imagine that the public overwhelmingly opposes surveillance but politicians are simply ignoring its wishes.

The public is clearly capable of voicing moral outrage: see gay marriage, abortion, and the Black Lives Matter movement. Where are the protests about surveillance? Why haven't the data-driven, opportunistic people who run campaigns identified this opportunity and seized it? Where are the people who care outside of HN and the rest of the internet libertarian community?

If you could find the votes to enact such a strategy in a way that politicians would understand they were being punished for surveillance and not just subject to the irrationality of the American people like they always are, wouldn't it be much simpler to rally those people around support for a candidate that will actually dismantle the national security apparatus?

> You seem to imagine that the public overwhelmingly opposes surveillance but politicians are simply ignoring its wishes.

Not so! I think that the number of people who care about surveillance is small, and the number willing to change their vote because of it is microscopic. But, you know what? Nobody said lobbying for political change is easy.

> If you could find the votes to enact such a strategy in a way that politicians would understand they were being punished for surveillance and not just subject to the irrationality of the American people like they always are, wouldn't it be much simpler to rally those people around support for a candidate that will actually dismantle the national security apparatus?

It would be simpler, but it would be less likely to succeed. Even if you find such a candidate, and even if they were sincere in their promises, they're still likely to end up steamrollered by all the other politicians who don't meet those standards. If you change the incentives, though, you've changed the entire system and now all the insincere politicians -- which is 95% of them -- are on your side. Victory will inevitably follow.

I've got quite a lot invested in Heroku, it's honestly really disappointing to see Salesforce do something like this. It's the responsibility of EVERYONE in the industry (especially larger tech companies) to take a stand against government, and help push for individual privacy.

I disagree. I think it's great that you want to push for individual privacy, but I don't think everyone in the industry has a responsibility to push for what you want. Everyone gets to choose what they want to advocate for.

Working for a corporation does not relieve you of the basic human responsibility to stand against evil. The fact that many, even most, humans ignore this responsibility only makes it more important.

Every minute you're fighting for privacy is a minute you're not fighting the evil I choose to focus on, which trust me is a far greater evil than yours.

You see how it sounds?

Personally, I'm not saying everyone must spend every minute resisting evil. I'm saying everyone is responsible for not actively encouraging evil, which is what Salesforce et al. are doing. There's a difference between failing to volunteer at a rape crisis center vs. actually raping someone.*

*Obligatory internet disclaimer: This is an analogy.

If you're in the U.S., please do what you can to help stop this beast 'CISA'. Here is a starting point:


I need a browser plugin or something to let me know when I'm visiting the website of a company that has thrown in with gov't surveillance.

If you supply me with a list, I'll build it

that would be cool actually, but where would one find such a list?

I'm sure if you guys emailed the EFF with your idea, they would be happy to help put one together.

Is there an updated list somewhere?

I think the list of the ones not complicit or acquiescent with some government somewhere would be shorter.

On a sidenote, I think this kind of thinking has the potential to stray into a purist and idealist kind of dead-end exercise in frustration.

Why are the larger tech firms like Microsoft and Apple supporting CISA when they opposed previous incarnations of the bill like SOPA and PIPA?

SOPA and PIPA are not previous incarnations of CISA. CISA has nothing to do with SOPA and PIPA.


This still is totally unrelated to SOPA.

Also, the blog you linked to is from the same organization that wrote the article we are looking at.

Here is the bill's actual text: https://www.congress.gov/bill/114th-congress/house-bill/234/...

Corporate double speak.

Why are we back here every year, like clockwork?

This is what, the 4th incarnation of this bill?

Close; it's (I think) the third incarnation.

Fun fact: the third incarnation is much worse than the second, which EFF/FFTF vigorously (and, I think, dishonestly) campaigned against.

Virtually nobody who campaigns against these bills ever takes the time to read them, despite how remarkably easy it is now to read not only the bills but the amendments it collects as it goes through the legislative process.

And still, as you can see on this very thread, most of what we get in the way of commentary is stuff about how this is being "snuck past the American people" --- as if 85%+ of Americans wouldn't automatically favor anything with the word "cybersecurity" in it.

(I was ambivalent about CISPA, and am not ambivalent about CISA; CISA is a bad bill. I think CISPA's opponents bear some small responsibility for that badness.)

> despite how remarkably easy it is now to read

You must have more free time than I do. I'm satisfied to let the EFF read it and base my conclusions off of theirs.


Because government wants control, and while we have to raise a lot of awareness in a short period of time to bring pressure to the politicians on this issue... those who propose this legislation just go back when "Defeated" and rewrite it, put it forward under another name etc.

I believe a lot of the stuff that was "defeated" in the past, got inserted into the recent "net neutrality" ruling that had the internets cheering! (800 pages if I recall, so I didn't read it to find out for sure.)

They will not stop-- law enforcement types have permanent jobs and they're there each year claiming they need more and more control/surveillance.

Yes, but the other thing is the short period of awareness does not end with the political destruction of the sponsors of the bill. We defeat the bill but the sponsor walks away unhurt. Why are they not vilified for their anti-constitutional behavior?

All of this stuff takes effort. That people aren't willing to expend.

add #JohnDoeHatesTheConstitution to your tweets for minimum effort - at least mention the bad players

A company or institution cannot introduce or vote on a law; a Representative or Senator can.

It isn't "government," it's a handful of politicians who've been bribed (legally, by way of campaign contributions).

Want to stop this from happening, and make our elected officials more responsive to the people who elect them? Fight for campaign finance reform. That one fight will do more to "fix government" at all levels (i.e. make it responsive to the people) than just about anything else.

Because there actually is a problem here that needs solving, but all the drama mongering keeps getting in the way?

Because there's effectively no barrier to keep pushing this stuff over and over until it finally takes hold, whether out of outrage fatigue or dumb luck.

Because that's the way democratic legislatures work. If your law does not get approved, it means there's something in it that a majority does not like. Therefore there is an iterative process, actually in two parts, the first being amendments added as the bill is read, the second being re-submission of a modified version that it is hoped will be more appealing. The fact that something is submitted again and again with various modifications each time is not unusual; it is just government working as intended, making sure the things that become laws are, in fact, things we want to become laws.

My understanding of American politics is that often the amendments have very little to do with the law being enacted beyond their being the pay representatives get for voting the law in. I may be completely wrong on that, but if it is the case then I can't help feeling American politics is utterly corrupt.

"Why are we back here every year, like clockwork?"

Because the people who want this as law are assuming that at some point they'll be able to sneak it past the American public.

> Salesforce joined Apple, Microsoft, and other tech giants last week in endorsing the Cybersecurity Information Sharing Act of 2015 (CISA).

Is there a complete list of who endorsed this? Google is turning up very little.

I cannot find a complete list, but it has been endorsed by the BSA trade group. You can see a list of its members on WP [1]. Besides Microsoft and Apple, it also includes Adobe, Intel, IBM, Oracle, AVG, McAfee and Symantec (and others).

[1]: https://en.wikipedia.org/wiki/BSA_%28The_Software_Alliance%2...

I don't think I've heard the BSA mentioned since I was in college arguing with a teacher about how the BSA's piracy numbers were completely overinflated and made up.

The teacher used those numbers in her argument that piracy was literally the same as stealing a car, while admitting that even she did it.

It makes me depressed that major companies still support such an idiotic organization.

Look, this "get in touch with your representative / senator" is not going to do it. Can we start mentioning the sponsors and bad amenders of these bills? Nowhere in this letter does it mention the sponsors of the bill. Yeah, the business may lose a little business, but some other damn corp or group will sponsor this bill.

I know in some districts electing a member of the opposite party (and this being a cross-party issue that can be a crap shoot) is not going to happen, but we can work to primary-out the damn fool. The only way politicians are going to listen is if you take their seat away. If you make them fear you if they even think about introducing legislation then you win.

Too many citizens think their favorite party is better for the country than the other party. They'll never actually be objective in who they vote for.

Given that, this is a non-party issue. Plenty of blue and red on the good and bad sides. You primary-out the offenders and don't worry about party. The issue matters.

From a company point of view, supporting CISA might well make sense in order to avoid the legal problems they are bound to have due to being coerced to cooperate with the government.

From a consumer point of view, it also makes sense to avoid "officially tapped" (read "US") services.

In the long run, it looks to me that gov't is laying the foundation of the demise of its own surveillance program because no one in his right mind would want his data in the US anymore, even less so if you're not an American company. Except for the German government, of course.

> Except for the German government, of course.

What do you mean?

They don't care whether Germans' phone calls are tapped, the chancellor's phone is tapped or German companies are subject to industrial espionage.

Each of the above provably happened and the responses were (in descending order of their "strength"):

- the chancellor cancelling the phone contract with Verizon

- asking the US for an apology (didn't happen)

- asking the US to sign a no-spy treaty (which would be purely trust-based - no control possible and still the US refuses to sign it)

-- end of list --

Note the absence of lawsuits, demissions / resignations and "diplomatic tensions".

Don't forget

- Not caring that its intelligence agencies are selling their own citizens' metadata (and content)


This has not been proven (yet).

Why would a company want to endorse this? What is the upside for them?

Qwest CEO stood up to the NSA a few years ago. Got blackballed with all kinds of shit and ended up going to jail.


Also agree with the other answer that government contracts will be dropped.

Well, according to the EFF's summary:

> granting companies blanket civil and criminal immunity from any existing privacy law in the process.

Immunity from civil and criminal liability is something companies might unsurprisingly be interested in.

One doesn't need to suppose dramas where they are worried about being blackballed from government contracts unless they support it, as other commenters do. Their self interest in the provisions of the law itself which lessen their vulnerability to civil lawsuits or criminal prosecution seems sufficient. It's more of a bribe than a threat.

Not being blackballed for any Government contracts?

Or a variety of other reasons that we can, like that reason, simply make up.

The funny thing about your made-up reason? It's actually forbidden by statute in the very bill we're discussing.

Gee, I'm glad the US government takes so much care to follow not just the letter but the spirit of the law.

You're absolutely right. Why don't we just throw every law in the trash because someone might not follow it.

Ok, so let's say you don't agree to participate and suddenly stop getting government contracts for some notionally unrelated reason. What do you do?

If the NSA can't steal the data, then companies will provide the data. Same thing they did with phone "meta" data; shift responsibility to the companies.

This is the new peace. The NSA won't attack your business, and your business will become a part of the national security apparatus.

I followed the link and clicked on the letter from the BSA. I did not see any reference to CISA in the letter. It seems to be endorsing more restrictions on government surveillance, not less. (At least, that's what the letter claims.)

In the section where they are requesting immediate congressional action, they list "Cyber Threat Information Sharing Legislation". This is CISA.

The Paasify link seems to compare Heroku and Pivotal Web Services by default. Note that the last update to that page was 2 years ago, according to the link.

Disclaimer: I work for Pivotal Labs, PWS is run by another division of the same company.


“At Salesforce, trust is our number one value and nothing is more important to our company than the privacy of our customers' data,” said Burke Norton, chief legal officer, Salesforce. “Contrary to reports, Salesforce does not support CISA and has never supported CISA.”

CenturyLink Cloud AppFog is a good alternative. I know, I know, it's CenturyLink and that's concerning to you. Cloud is like a different company entirely.

Disclaimer: I helped build AppFog as a contractor.

Anyone have experience with Heroku alternatives like OpenShift Origin?

I've worked on Cloud Foundry. It has the fastest growing sales of any open source product in history.

Mostly, I trust the way it's built. Apart from components integrated from upstream, every line is TDD'd and 100% pair programmed.

You can use public installations on Pivotal Web Services (by the company I work for) or BlueMix (by some plucky startup from Armonk). Or you can install your own on OpenStack, vSphere or AWS.

Cloud66 is a pretty close match to Heroku.

Cloud 66 provides full stack container management as a service in production, that offers Heroku-like functionality on any cloud provider or on your own server, http://www.cloud66.com/ (Disclaimer: I work at Cloud 66)

Is it standard nowadays to charge customers for support? Checking out the pricing (and correct me if I'm wrong), does it really cost $5000/month to have 24/7 support? That seems crazy to me.

Now granted I pay about $300/month for the VM I have with my hosting provider, but I can pick up a phone at any hour and talk to a tech when things go south.

I really don't care how good a service is, I want to talk with a breathing human being when my business is down.

(We've been customers for well over a year, close to 18 months I think)

You do get support for no additional fee, but you can pay for additional access to support staff. That said, they've always been quite responsive to our requests, with a fairly short turnover time by email.

It is however customary in the industry to pay for additional levels of support:

https://aws.amazon.com/premiumsupport/ https://www.heroku.com/critical

> $300/month for the VM

High-availability, automatic failover, managed, with diamond-cut SSDs I hope? Who are you with? For that money you should just pick up a box.

When a typical developer or admin cost is $50 or so an hour, $300 isn't a material amount, and there are use cases where it's not just about whether a single VM costs less or more than a single physical server.
