Gandi loses data, customers told to use their own backups (gandi.net)
447 points by webrobots on Jan 9, 2020 | 372 comments

Whoops, so long with the "no bullshit" policy.

I stopped using them a while ago but for a different reason. I used to use their website to check availability/whois for domains that I was interested in buying. If it was available I didn't buy it at the time but until I finished the website/app whatever I was going to put there, this took me a few months obviously. It happened to me that when I was finally ready the domain had already been sold to someone else. This repeated five times during six or so years. Now, I know, "someone else could have thought the same thing" but I find it very hard to believe that it happens so often. These domains were a bit of niche words that were not hot topics at the time, some of them using fairly uncommon TLDs (like .one). Another weird thing is that they were always registered to someone living or doing business in India, and it was a fairly simple landing page with a "contact me" link. I'm a bit superstitious so I don't think it was a coincidence.

Now, I don't think this is a GANDI problem per se, but my theory is that they share this information (who is looking for which domains) with marketers or something like that, or maybe it was a rogue employee trying to make some money squatting domains. I would have expected this from BigDaddy or similar sharks, but from a company whose motto is "no bullshit" I had much better hope. Anyway, I decided to move (to namecheap if you're wondering) and surprisingly the problem went away.

Domain registrars giving away domains to squatters when people search for them is a time honored practice. The advice I've seen is to not search for the domain first, just register it outright from the start. The domain registration business is run with all of the integrity and customer focus of TicketMaster.

Really? I may have just found myself a new hobby. Search for incredibly unique (and worthless to me) domains to see if I can get people to squat on them. Heck, it could be a game ... I could get all my friends to make bingo boards ... or maybe see if I can think of some scrabble like rules.

The squatters do a thing called "Domain tasting".

They buy domain X and then they put generic advertising, maybe keyword based, on a cheap bulk hosted site. They measure for a few days - is this bringing in lots of revenue? If not, they cancel the purchase, using a "grace period" available to users of the registry in case of mistakes - the purchase is unwound and they are refunded the fees. Domain X is now available again.

In principle this is forbidden for major TLDs but it's still possible and unscrupulous vendors help them do it, albeit it may now attract a fee if you do it enough that the TLD registry detects you tasting.

https://en.wikipedia.org/wiki/Domain_tasting explains about this and related practices.

There are slight transaction costs of $0.18 - $0.20 that are not refundable. Minuscule, but it prevents some domain tasting at scale.

I suspect a human gets a dump of them and decides which to pay the $10 for.

For example, asdasdahbdajsdbajdbhsbdahsdd.com... not worth the $10

ireallylikechicken.com... maybe worth the $10?

(ireallylikechicken.com is available, go squat it and get rich)

Someone did buy it!

> Creation Date: 2020-01-09T19:37:01Z

Registered with Gandi, ironically enough...

And the domain is meta! Response from HTTP GET

> Location: https://news.ycombinator.com/item?id=22001822

er.... was it you?

It was not


ireallylikechicken.com owner.

I'll give you 20 for it?

I’ll give $1 for a 0.01% share.

I'll buy an option to take a 0.01% share in 12 months for $0.50

Only a 100% markup? I am sure it will be worth more than that in the future ;)

That’s what they said about Bitcoin last year

>That’s what they said about Bitcoin last year

Bitcoin price in USD on January 8 2019: $4004.12

Bitcoin price in USD on January 8 2020: $8045.51

But Bitcoin has increased by 100% over the past year.

I am sure, in the past, one of the domain registrars took the liberty of actually registering your searched domain, deliberately, so that you had to go through them to get the domain later on? - I can't remember who it was, but it was an automated process.

I know it was very shortly stopped once people complained, but it goes to show that it has been done before.

Getting rich off domains - sounds like a solid business plan!

I've got no evidence except anecdotes, but I've heard claims that GoDaddy used to do this a lot. For this reason I've only searched a domain I was going to immediately buy, otherwise I'll do a whois lookup to see if it's registered.

Just looked about and found these:

"Does GoDaddy register domains you search?" (2011) https://news.ycombinator.com/item?id=2326790

Within this, was the comment that reminded me which company it was I was talking about (https://news.ycombinator.com/item?id=2327152) - Network Solutions used to do this - and there is a Wiki link in there which gives the process a name! TIL! :)


I remember something about registrars doing this so the domain you wanted wouldn't get snatched by someone else while you were in the process of buying it. Made more sense back in the time when far more basic names were available and such collisions were probably common for high-value domain names. Now it's two people finding the same needle in a haystack.

I knew a guy named pachell that did this from 1997-2001 until registrars changed the rule. pachell wherever you are, I miss you

hahahaha, the webpage redirects to this discussion!! WELL PLAYED!!! (sorry for the caps.. but wow!)

YW ;)

>The advice I've seen is to not search for the domain first, just register it outright from the start. The domain registration business is run with all of the integrity and customer focus of TicketMaster.

What if you don't want to cough up $10-$20 on a whim? Would doing a whois (using the NIC's whois site) suffice?

Doing an OOB whois search is almost certainly fine. It's when you search on godaddy.com or whatnot that you get burned.

What is an "OOB whois search"?

Out of Band. Registrars cannot intercept whois searches?

I've had this same scenario happen before, and since then I just issue a `whois` from the command line to bypass any potential frontend interception. Not sure if that is 100% foolproof either though.

I have used whois cli since the early 2000s because I did not trust the registrars as domains I just searched ended up being registered. Never had that issue again since then.

Isn't the WHOIS query sent unencrypted? Can't it be intercepted in that case?

I use the whois command line tool when searching and have yet to get squatted. My experience is only about 500 domains over 20 years.

I use `host -t NS cooldomain.example` as a pre-filter. If a domain has NS records, it's definitely registered, although there are some registered domains without NS records (makes them pretty much nonfunctional, but if that's what the registrant wants, it's their business).

This is a neat trick, thanks. Adding to my toolbox

If I understand the domain name infrastructure correctly, that would imply that it's the registrar who is collaborating with the squatters. A command-line whois query would still have to query the servers of the registry for a particular domain (others on this thread speculate that it may be the domain registry that shares data with the squatters).

Curious about this as well. When you query the servers of the registry [gandi, namecheap, godaddy] for a particular domain example.com, doesn't it update one of the datetime fields for last queried?

Then again, the squatter would have to know what to search. Isn't it against rules for domain registrars to publish their recent query history [private or public]?

Any more light on this subject would be greatly appreciated!

On Namecheap they have a "save for later" button per domain in your cart, so you can just pile them up for later.

Never had even 1 of my "saved for later" being squatted, for several years now, so I really have to trust and commend namecheap in that regard.

They never had a real "no bullshit" policy. When I had my domains with them, I had been asked to verify my identity 34 times in 12 months. 34 separate fucking times. Because "ICANN says so" or some stupid shit (their words, not mine). It stopped the moment I moved to Google Domains, where they asked once and never again.

EDIT: And, to make things worse, each time I was threatened with the "confiscation" of my domain, and the round trip on the tickets was so high that each instance took 2-3 days to resolve. Frustrating as hell.

Since you're giving an anecdote, let me do the same. I have about 30-40 domains with Gandi, and have been using it for about ten years. I don't remember ever verifying my identity, but guess I must have done it at least once. I have not been asked to verify anything for at least the last five years of using it.

Disclaimer: I don't work there or have any relationship, except I'm a happy customer

It was a matter of them refusing to keep my identity on file, and the threatening tone of each ticket. It grew tiresome quickly.

Sounds more like a bug than anything. Why would they want to not make it easier for you if they can?

Seems you missed my point though. Both of our anecdotes don't really say anything, in terms of if Gandi is good or bad.

His anecdote does say something though. It suggests that Gandi has a "if we have a bug, it's your problem not ours, sucks to be you" policy, which is exactly what has happened with this data loss issue as well.

Actions speak louder than words. Google famously has a "we don't have bugs, you just don't know how to use it, talk to the hand" policy for example. It is better to learn about the policies due to minor issues rather than major. OP learned of it early on and moved away with little trouble. Others did not learn until now and stayed, and now they are SOL.

I’m a gal, but exactly. I really wanted to support a company at the time who was supporting the community (they were a freenode sponsor), but I just hated dealing with the stress and potential that my domains could just disappear over night.

Same, I've been using Gandi for DNS and email for 9 years, without any issue or request on their side.

On the other hand, I've started using them more for DNS because the one time I forgot my password (typo in password manager I think) they made it very difficult for me to reset it, asked for pieces of ID, phone number registered in my name etc...

This is at the time of the stories of other registrars giving customer second and third chances to guess their PIN, or credit card or whatever mechanism they had, and resulting in domain hijacking.

> asked for pieces of ID

This is annoying for everyone but the adversary who can just spend $50 to buy a set of fake ids with your info.

Especially since Gandi doesn’t store your old IDs, they aren’t even going to check if the info on the fakes matches the ones you provided previously.

> phone number registered in my name

I can’t imagine this working very well, just give them a number from a country where they can’t verify who owns the number.

>They never had a real "no bullshit" policy. When I had my domains with them, I had been asked to verify my identity 34 times in 12 months. 34 separate fucking times. Because "ICANN says so" or some stupid shit (their words, not mine).

Can you elaborate what the "verification" entails? There is an ICANN requirement[1] to validate whois information, although I've only been asked to validate email (at another registrar, not Gandi).

[1] https://www.icann.org/resources/pages/approved-with-specs-20...

Wanted photos of passports, but they would always reject the first one for an unknown reason. The second one would always go through, but I do not understand why they wouldn’t just keep it on file. It was more than twice a month usually, and that was absurd.

Jeez. Like most experiences I suppose, it's hit and miss. They've promptly resolved every problem I've had and I've bought plenty of domains through them.

They're still my go-to provider.

Gandi was deploying the ID verification as a bullying tactic long before anything like that was mandated by ICANN. (Not that ID verification is even mandated now)

I've heard that this isn't actually the registrar's fault, it's the registry's fault. So your TLD is sharing the "is registered" query with other parties. That said, everything about the domain registration industry seems designed to appear sketchy as all hell, so who knows.

If you want an alternative to searching with a registrar you can always type:

  whois mysupergreatcoolappidea.com
into a terminal window and see if you get back a result

WHOIS and DNS requests are made to nameservers run by the registry (not registrars), it's possible for the registry to front-run domains if they intend to.

This happened to me with GoDaddy and Namecheap before, which is why I switched to using Gandi for all my domain searches... Now I'm regretting it!

But as @Jasper_ said, this could be a problem with the domain name registry selling/leaking that info (AKA all their 'is_available' queries), and not the registrar.

At one point, I believe a GoDaddy VP was doing this as a personal side business. For many reasons, GoDaddy is the shadiest of them all.

You shouldn't regret it. GoDaddy was and still is way worse than this, there is no comparison.

I was always told that Namecheap does not engage in this practice.

It's a single data point, but I instructed a client to search for domains on Namecheap last year since they were undecided. I just didn't want them to use GoDaddy, and I warned them why. They settled on a domain but registered it months afterwards. It was still available.

I have the same story with Gandi. Searching for a domain (several times even, on a .com) and was still available months later.

It could be your local DNS resolution that is leaking to bad actors. It would be kind of stupid and self defeating for registrars to undercut their own customers. I would expect that some have done this in the past, but would be very surprised if it is done at Gandi with their knowledge... and undoubtedly French law would not smile kindly on such behavior.

Although the current issue with the irrecoverable data loss is terrible, I thought (in this case, at least) that they were surprisingly honest. They straight up said the data is gone (a VERY hard thing to publicly admit), and informed people they need to restore from their own backups. That seems pretty No Bullshit to me, no?

I have had a similar experience with other registrars.

Edit: Sad to hear of the data loss and for anyone affected. Trusting cloud providers doesn't always work out either.

Nice to know I'm not the only one! :D

Reports of reputable registrars front-running are persistent, but unfounded. Anytime I’ve looked into it, I’ve never seen any evidence for it.

If proven it would be a major blow to their business, so why would they try to snatch pennies from in front of a steam roller?

So I call b.s. on any reports of “the registrar noticed me searching for a domain and registered it”.

Um, NetSol settled a $1MM class action suit over exactly this about a decade ago.

It absolutely has happened and quite possibly still does.

Would `whois` be any better to prevent leakage of domains you intend to register?

Oof, this Twitter thread looks particularly bad, especially the response from the official Gandi account.


While I appreciate that there are real people behind these companies that are probably having a really rough time right now, the criticism that Gandi are getting as a company is justified - and if Gandi are truly a "no bullshit" company they need to put something out to their customers asap.

Screenshotted in case (when) they delete it https://i.imgur.com/s3R1VVc.png

Using memes after permanently losing customer data is extremely disrespectful.

"Julie Pelloille @juliepelloille Replying to @gandi_net @andreaganduglia and 4 others

This post was disrespectful. It's not an excuse, but this is a stressful situation and the thread was getting heated. Either way, I truly regret posting it and it was my decision alone to do so. Please don't take this as representative of the high standard Gandi sets"

"That said, for the sake of transparency, we won't be deleting the tweet -- Julie"

I like that. Honest mistake. Simple, truthful apology. Transparency for the record. Julie's one of the good guys.

Whatever the context / stakes (doesn't change anything in this case), this is how people should behave in life (not just online).

So what. Just because you send a retraction doesn't justify it or make the apology any better. That sounds like they allow some people too much freedom as if they ran this business in their parents garage.

Why are they going out of their way to be disrespectful to their customers during a crisis? This is bizarre.

Probably because “they” == some individual social media rep

There's at least two of them going out of their way to be snide and snarky there - Julie and Stephan.

Stephan is the damn CEO of Gandi! Unbelievable.

This is what happens when a CEO thinks everyone else is just under him/her, including their own clients.

They start thinking they are beyond the normal people and that everything is a joke.

That's a wild assumption to make from a few tweets. It's just a stressful situation for both sides that leads to rough comments.

Eh, he sounds more frustrated and snippy to me. Still rude and unprofessional behaviour, of course.

...not losing data is the ONE thing I expect companies to get right. I could handle downtime, circular customer support, high prices, horrible UX, and all that. But losing or corrupting data? Heck no.

A company that loses customer data in production is the exact type I would expect to mock their customers using memes.

I don't blame the communications rep. From her perspective, she's probably been told what the CEO believes - Gandi lost data, but they never promised backups so it's not a big deal. They responded to someone that is being extremely critical. The rep (Julie) did the right thing and apologised after others criticised her tweet, and also kept the response up to illustrate the mistake. While a meme is bad taste, I can somewhat understand the reaction.

IMO, the blame lies solely with the CEO, because he is still to retract his statement regarding snapshots not being backups (despite their site selling them as backups to the end-user), and for not accepting the fact that for someone controlling business data that creating backups AND regularly testing them via restores is 100% essential. Culture trickles down, and if the CEO only accepts blame and not the reason for the blame then it's a sign that they won't learn from the problem - and that's the biggest red flag you will ever see in ANY business.

I can only see one way back for them that won't taint their reputation completely. They need to:

* Post a full post-mortem of what happened, how it happened, how they fixed it, and what they're going to do to ensure it never happens again.

* Issue a full apology for the problem. Accept full blame, and accept (including the CEO on Twitter) that Gandi failed to follow accepted industry standards.

* Sit down with the engineers that work at Gandi and hear their grievances. While I doubt that their engineers knew this would happen, I'd be willing to bet that there is at least one person there that had raised the lack of off-site backups and no recovery mechanism. That person needs a promotion, and whatever resources needed to fix Gandi.

* Issue a full refund to those that lost data - not a small discount, as already reported. A discount is a kick in the teeth, whereas a full refund is the start of a real apology for failing the customer. If you go for a meal at a restaurant and find broken glass in your food, the first thing the server will do is give you a full refund, no questions asked, regardless of how expensive your party's order was. Gandi need to take the hit, and live to fight another day.

Yeah, that's not a great way to win back the trust of your customers.

I'm going to look at moving my domain registrations away from them.

I am moving my business away from them. Even if I didn't care about the backup situation, the PR response is stupidly immature and not worthy of reward.

Your mouse pointer.. it looks familiar! https://i.imgur.com/XGK3tFT.png

KDE users unite (:

omg wow! when will people start being held accountable for the BS they put on twitter?!!

Meh. It's Twitter. They lost data but arguing on Twitter circularly forever with these people solves nothing.

It has long been the platform of choice for those seeking a response or to resolve issues. The tone of those ill mannered tweets reveals incredibly bad optics and serves as a reminder for those, who haven't encountered any issues thus far, that we could be treated in a similarly shoddy manner.

Yeah, but then he should shut up.

Ironic considering her twitter profile's description says "Responsable #communication #socialmedia #digital #innovation ⌨️#webmarketing #inboundmarketing #qvt #GOT et #TWD fan"[1]

[1]: https://twitter.com/juliepelloille

Why are they @&$ing around on Twitter when they should be fixing the damn problem. Unbelievable.

It's almost as if the person managing the official media accounts is different than the person working on fixing the problem. Almost.

Well, that is explainable, unlike not making backups; they have what's called a PR or media team that gets updates and details from developers while they work on this.

Additionally, data recovery is a lot of waiting in most cases, there isn't much to do as your business burns down around you

This is god damn unbelievable

"Andrea, sorry about that and the incident. If we led you to believe that you had nothing to do on your side when warned multiple times to make your back ups, then we'll have to make it clearer, and stop assuming that it's an industry wide knowledge."

Big words for a company that's in trouble for not backing up data themselves.

Most web hosts have some courtesy backups, but it does sound like the Twitter user they're responding to fundamentally doesn't understand that snapshots aren't backups, and the screenshotted page explicitly states that the snapshots are for you to back up. Which he presumably did not do.

The idea that someone would entrust their sole copy(s) of critical business data to a service provider is insane to me. Always keep your own backups.

> The idea that someone would entrust their sole copy(s) of critical business data to a service provider is insane to me. Always keep your own backups.

You can consider it insane, they still sold snapshot as being backup. Insane or not, it doesn't change that's what they sold wrongfully.

Can you point me where that screenshot shows what you say it does? The user goes further to specify that you CAN'T download these snapshots.

Companies should be called out when they lie about what they sell, I hope you understand why it's important.

1. He says he has made regular backups, but now needs to restore all VPSs

2. The website says "Snapshots allow you to create a backup copy."

3. He says "No they do not allow snapshots download."

It sounds like snapshots are directly reachable from within FTP in a directory. Snapshots are a clean copy of the file system you can back up, but they are not backups.

He also states he has his backups, so he's mostly just whining because he's annoyed he has to reupload stuff. Which I get, but again, he should understand what snapshots are and aren't.

You do the same mistake as the other guy in the twitter thread, you mix Simple Hosting snapshots and the Cloud hosting volume snapshot.

Here's the right one, which states that they are backup: https://docs.gandi.net/en/cloud/volume_management/volume_sna...

Here's the one that you quote (which isn't the same service): https://docs.gandi.net/en/simple_hosting/common_operations/s...

Be careful next time judging with that little knowledge of the issue.

Interestingly, this page has been edited to add a warning: "A snapshot is a frozen version of your volume that allows you to restore it to a previous state. It should not be regarded as a backup of your volume. If your volume is deleted, all related snapshots will be deleted too."

Here's the page as of earlier today. https://web.archive.org/web/20200109194005/https://docs.gand...

As @dwild stated, that's the other type of snapshots used for web hosting (which I assume are copy-based backups due to how little storage sites usually use). These snapshots are never reachable directly to the customer; at best, they can restore a volume back to the snapshot's state or create a new volume at that state and attach it to a VM.

> He also states he has his backups, so he's mostly just whining because he's annoyed he has to reupload stuff.

Or they're annoyed that they paid for a service, at the very least billed as backup, only to be told "welp, it's gone".

That's such an obnoxiously passive-aggressive response from the CEO. Bit of a red flag for the company culture.

After another support person made a joke in response to his very serious post.

This is one of the worst responses I’ve ever seen from a company, and I’m not being hyperbolic.

Seeing the thread I couldn't believe they are being serious. Feels like they are playing a tasteless prank. Such crass and careless attitude is downright repelling.

Sorry, not sorry.

The number of people who have control of social media accounts for companies who do not understand how to relate to people / basic customer service / can predict how their post will be received is shocking.

I worked at a company of 5K+ people and one of the folks in control of the twitter account(s) would come to me with questions.

Now I applauded them for coming to me for technical questions before posting, that was great, but they absolutely did not have the self awareness / understand what to say / when to say it and etc.

But hey they were tied to a high ranking person (who also had no clue) so they had access to the account.

In my early days I worked PC customer support... I feel like that comes in handy all the time.

> can predict how their post will be received

That's an AI-hard problem and remains unsolved.

if positiveReception < 100 postMemes = 0

Wow. I've never used Gandi but I have seen it recommended before as a low-cost option. I will actively encourage people to avoid it from now on. That's scary.

Gandi has never been a low cost option, they've always been on the high to extreme higher end of things for individual cost...

Especially for random ccTLDs, they're often significantly more expensive than the alternatives.

Random selections for domains: .ru is $1-3 most anywhere else, Gandi is $18.

High to extreme higher end would be something like MarkMonitor.

Gandi might be better than some of the other low touch, self service domain providers but it's definitely still in the same ballpark. $18/year still means they're losing money if they ever need to pick up the phone for you. It's not a price point that works with "higher end".

> High to extreme higher end would be something like MarkMonitor.

Being a registrar is only a side effect of their business though, not really comparable.

They used to be very good if you wanted a non-scammy registrar with a huge selection of TLDs and ccTLDs. However, in recent years, success seems to have gone to their head and the service is nothing like it used to be (plus their latest control panel UX is an abomination).

Feels like the CEO has made his money, forgotten the company's roots in the process and is happy for Gandi to be just another generic, overpriced registrar running on auto-pilot.

Guess they cut cost by not doing backups

I don't get the criticism.

If they lost all the data, then obviously the only option for customers is to either use their own backups if they have them or accept that the data is permanently lost.

One can criticize their lack of additional redundancy, but don't see what's wrong with the response.

Sure, if the data is lost there isn't much that can be done to go back and fix it. However, the company response appears very dismissive/flippant which sends a bad message.

The tone any company hosting customer data should take in the event of data loss is along the lines of 'regretfully... we screwed up... unfortunately... steps we are taking to ensure this doesn't happen again...' i.e. the company should either be humble and apologetic or they should expect to lose a large chunk of their customers after something like this. This isn't merely to say the right thing, it is to demonstrate that they acknowledge this was their issue and something they need to fix going forward rather than a 'sucks to be you' customer issue. This is basic customer relations / crisis management stuff.

So you're saying you want the bullshit? Look Gandi doesn't have it. What more do you want from them? They lost it, they're not gonna bullshit about it.

The customers are being stupid and rude: assigning blame, asking redundant questions, making threats. Nothing in any of the twitter threads I've seen has any potential to solve any problems, they're yelling thinly veiled abuse at support.

The industry standard is sucking up to them and groveling, and it's led to customers being very badly behaved.

The trouble is no one has a good working alternative to the industry standard.

Gandi certainly doesn't, they're not responding in a well thought out manner, they're losing their cool and getting angry with their customers. That's a quick way to go out of business.

The alternative is simple: always behave professionally, and if they are abusive, point at the ToS that forbids that and fire them as customers.

Here I'd just avoid engaging one-on-one at all, just broadcast the situation status.

i mean, this is customer support 101. always be respectful even when your customer is angry -- they are probably angry for a reason.

answering with memes is the absolute opposite of this, specially when your customer has all the reasons to be angry.

It's justified in being called simple if companies are actually doing this.

I did find HubSpot[1]:

> We may limit or deny your access to support if we determine, in our reasonable discretion, that you are acting, or have acted, in a way that results or has resulted in misuse of support or abuse of HubSpot representatives.

I'm still skeptical because actually enforcing that clause seems like it could lead to an expensive lawsuit. The angriest customers are naturally the most litigious ones, too.

[1]: https://legal.hubspot.com/terms-of-service

I’m pretty repelled by their tone in that thread. Sweeping it under the rug (could’ve happened to anyone / shit happens) instead of just owning up to it. Throwing in that completely inappropriate meme. Contradicting their marketing material when it’s convenient (are snapshots backups?) and general passive aggressiveness.

Julie Pelloille, responsible for comms, appears to be going a bit too far with this.

Wrong or not let’s be careful about using full names as it’s how these things get whipped up into pile-ons.

The Cersi thing is wrong on so many levels.

Just to play devil's advocate: This is in no way different to how Azure, AWS, and GCP operate. They don't have backups either. They too rely on n-way replication, a bit like a distributed RAID.

All cloud providers make it absolutely clear, in black & white, that protection of your data is your responsibility, not theirs.

What I find hilarious is that most cloud providers only provide built-in backup functionality for a tiny subset of their services.

Ask Microsoft if they have a "backup" button for Azure DNS Zones. Or Azure load balancers. Or anything else that isn't a VM disk, App Service, SQL Database, or a Secrets Vault.

I mean, look at this insanity: https://docs.microsoft.com/en-us/azure/backup/backup-azure-f...

"Backup for Azure file shares is in Preview."

After 10 years of operation, this trillion-dollar company has only a use-at-your-own-risk beta for data protection!

Don't be too hasty to point fingers at Gandi and laugh about how they're unprofessional. Whatever you're using is essentially the same.

Ask yourself this: Could your organisation recover if some malicious admin simply deleted all Azure Resource Manager resources in one go using PowerShell?

Everything you say here is true, but at the same time it's just a fact that Gandi lost a lot of customers' data, and AWS, GCP, and Azure have never (as far as I know) lost a significant amount of it at once. You can talk about theoretical responsibility for data, and it's true, you are responsible for having backups of your data, no matter how many "9s" the service has, but the basic fact is that some services have been consistently good at not losing customer data, and others haven't. Even though I'm going to back up my data no matter where it is, I'd still rather use the service that's got a better track record with it.

I haven't ever even lost a file on Google Drive, which as far as I know provides no reliability guarantees at all.

Back in the early days GMail lost customer data due to storage corruption. It has happened.

The rarity is immaterial, the responsibility for data protection lies with you, not them.

> The rarity is immaterial

Of course it's material. If a provider has a 0.001% chance of losing some of my data in a year, I'm an idiot for not having backups. If a provider has a 10% chance of losing some of my data in a year, I'm an idiot for not having backups and for using that provider.

GMail is (usually) not an enterprise product and not a paid service, and provides no reliability guarantees. And yet it seems to be pretty damn good in practice.

Well to be fair Gmail was still in Beta ;)

I believe since then they had similar events but were always able to restore from tape. So GMail definitely has proper backups, even for free accounts (maybe not tape anymore, not sure).

That's kind of like saying there's no difference in safety between an airliner and the winged contraption that my idiot brother built in his garage.

After all, they both have wings and will both kill you if they fall out of the sky, and I don't see Airbus or Boeing guaranteeing that their planes will never crash, so they must be essentially the same.


That just confirms the parent comment

> Ask yourself this: Could your organisation recover if some malicious admin simply deleted all Azure Resource Manager resources in one go using PowerShell?

We have streaming replicas for hot data AND regular snapshots shipped to offsite cold storage, because RAID is not a backup. If we experienced an equivalent event, we'd be fine.

The equivalent scenario to recovering from a bulk erasure of all Azure RM resources is this:

How long will it take you to recover if someone deleted your switch configs, reset the SAN to factory defaults, wiped your firewall rules, deleted your Active Directory accounts (or equivalent), and then ran a secure erase on every physical server just to raze everything to the ground and salt the earth?

I mean in wall-clock time, how long would it take your team to even figure out what is going on? Where would you start?

Would you recover the switch first, or the server that you use to authenticate to it using RADIUS or LDAP?

How will you securely connect to servers if your CRL and OCSP servers are down?

How will you get access to your passwords if your file server where the key blob is stored is saying "Insert boot disk"?

People think that disaster recovery is for "I deleted a folder".

Disaster recovery is for disasters.

Removing all Azure resources wipes everything. Your vNets... Poof! Your public IPs... Poof! Your internet-facing DNS zone... Poof! Your authentication credentials... Poof! Gone, gone, gone.

How do you plan to restore dynamic IP addresses to their original values?

How do you plan to restore DNS Zones that get assigned to 1 of 10 randomly selected server pools and hence have a 90% chance of requiring a change to the NS server glue records on restore?

Do you even know which order things would have to be restored in to prevent failures during a restore?

Could you possibly work out what is missing if you log on to your cloud portal and see the "Welcome to Azure, to get started click here" splash page?

Get it?

> The equivalent scenario to recovering from a bulk erasure of all Azure RM resources is this

It just occurred to me how much easier it is to wipe everything in the cloud age than the on-prem age. Doing all the things you said for on-prem takes some serious effort. Some, like factory resets, may be impossible without individual physical access. You would probably be discovered and stopped before you can inflict much damage. In the cloud age however, it takes orders of magnitude less time and effort to inflict the same damage.

It is kinda like how much easier it is to steal data now. Before the digital age, stealing as much data as the Equifax hack would have required moving truckloads of paper without being discovered. It was simply impossible to pull it off in reality. In the digital age, however, we have accepted massive data leaks as not only possible, but unavoidable.

> It just occurred to me how much easier it is to wipe everything in the cloud age than the on-prem age.

It's easier for physical facility damage to a single facility (whether hostile action or natural disaster) to wipe everything out in an on-prem setup than in the cloud, where multi-DC redundancy is a click away. But, sure, it's easier to wipe out data without physically destroying equipment in the cloud.

I think you're moving the goalposts. Gandi didn't lose all their servers and all the networking hardware and all the storage. They lost what sounds like a single replicated volume. If, y'know, all of their datacenters burned down at once, or an attacker got access and deleted their PaaS account, I think we'd all be a lot more sympathetic

My point is simply that the larger commercial cloud vendors aren't magically immune to bulk data loss, particularly in the face of internal threats.

Consider the current tensions between Iran and the US. If Iran decides to retaliate with cyberattacks, major cloud vendors could suddenly have multiple regions go up in smoke concurrently.

They'll just shrug their shoulders and say that it's the customers' responsibility to protect their own data, and that they're just offering platforms for rent.

"We have 'Data gone? Sucks to be you!' as translated by our VC's lawyer buried in our T&Cs" -- most "disruptive startups", probably...

If you have a proper disaster recovery plan then yes. All of the configuration of the entire system should be documented at least, if not generated by version controlled code. Then the only thing that needs to be backed up is actually data storage on volumes with snapshots or block storage services.

Maybe not even malicious, maybe they just put in the wrong subscription ID :(


This thought occurred to me when I was testing a bulk resource creation script.

My workflow in my lab tenant was:

1) Bulk create hundreds of resources

2) Bulk wipe everything

3) Go to step #1

Turned out, I had some objects with globally unique names that were now conflicting in the production tenant, so I had to wipe my lab.

I had already logged on to the production tenant, and I was so "trigger happy" that I very nearly ran my bulk-erase script against the wrong subscription.

It was a terrifying moment of clarity.
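A guard against the near miss described above, as an added example that is not part of the original comment: it asks the CLI which subscription is active, refuses anything not on a lab allowlist, and requires the operator to type the last four characters of the subscription ID. It assumes the Azure CLI (`az account show`) driven from a POSIX shell rather than PowerShell; the function names and subscription IDs are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example: wrap destructive bulk commands so they only run against an
# allowlisted lab subscription. Function names and IDs are hypothetical.

# Constructed placeholder IDs; list only subscriptions that are safe to wipe.
LAB_SUBSCRIPTIONS="00000000-0000-0000-0000-00000000aaaa
00000000-0000-0000-0000-00000000bbbb"

# Succeeds only if the given subscription ID is on the lab allowlist.
# Comparison is case-insensitive because GUIDs are printed in either case.
is_lab_subscription() {
    local id allowed
    id=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for allowed in $LAB_SUBSCRIPTIONS; do
        if [ "$id" = "$allowed" ]; then
            return 0
        fi
    done
    return 1
}

# guarded_run CONFIRM COMMAND [ARGS...]
# Runs COMMAND only when (1) the subscription that is active right now is on
# the allowlist and (2) CONFIRM equals the last four characters of its ID.
# Exit codes: 2 = usage error or subscription unknown, 3 = not a lab
# subscription, 4 = confirmation mismatch, otherwise COMMAND's own status.
guarded_run() {
    local typed sub expected
    if [ "$#" -lt 2 ]; then
        echo "usage: guarded_run CONFIRM COMMAND [ARGS...]" >&2
        return 2
    fi
    typed=$1
    shift

    # Ask the CLI what is active now instead of trusting what we remember.
    sub=$(az account show --query id --output tsv) || return 2
    sub=$(printf '%s' "$sub" | tr '[:upper:]' '[:lower:]')
    [ -n "$sub" ] || return 2

    if ! is_lab_subscription "$sub"; then
        echo "REFUSED: active subscription $sub is not an allowlisted lab" >&2
        return 3
    fi

    # Forces the operator to look at the ID before anything is deleted.
    expected=$(printf '%s' "$sub" | tail -c 4)
    if [ "$typed" != "$expected" ]; then
        echo "REFUSED: confirmation does not match ID ending in $expected" >&2
        return 4
    fi

    "$@"
}
```

An allowlist fails closed: a production subscription that nobody thought to list is refused by default, which a denylist of known production IDs would not do.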

Dear customer,

This mail is a follow-up to the previous email we sent (on January 8th, 2020) on this topic. As a reminder, yesterday, we experienced an incident on a storage unit at our LU-BI1 datacenter, located in Luxembourg.

Despite the replication systems in place, and the combined efforts of our technical teams throughout the night, we were unable to recover the data that was lost on the impacted storage unit.

We sincerely apologize for the inconvenience that this situation has caused. This type of incident is extremely rare in the web hosting industry.

In the event that you have a backup of your data, we suggest that you use it to recreate your server at a different datacenter.

To help you in this, we have provided you with a promo code that will give you one free month for an instance, so that you can create a new Simple Hosting instance in a different datacenter:


Wow, for a company that boasts "no bullshit", only offering a month after destroying data and backups seems a little tone deaf

Edit: in fairness, I'm not sure how exactly you would quantify such a loss anyway...

It sounds like they didn’t have any backups at all but rather relied on an active-active replication link to a secondary storage.

Edit: who knows it may be related to the HPE issue.


In other words, RAID is not backup.

What baffles me is that there seems to be no way for either the customer or a data-recovery company to flash a new firmware onto the drive after it has failed. Someone there wanted to spare the few millicents of copper trace for a JTAG port?!

Probably to prevent supply chain firmware changes for hacking, espionage, etc.

Hmm... I wonder what the "incident" was. If it involved something akin to an "rm -rf," then of course their replication link didn't protect them.

Perhaps they were depending on snapshotting and were not prepared for some kind of hardware failure taking out the entire storage system.

Reputable hosting providers typically don't try to quantify such a loss, but rather outright offer a credit/compensation that is very obviously generous (say, a year or even two of free service).

Especially when a small set of your customer base is affected, it won't cost you that much, and "overcompensating" like that means that virtually no one is going to criticize you for quantifying it wrong; instead, the public narrative will be centered around "well, shit happens, they did their best and generously compensated".

I could understand the incident (I would _at least_ start questioning myself about the quality of the service I'm paying), but IMHO this is not something that can be addressed with a casual e-mail that contains few lines of excuses and a "promo code" like it's everyday business. That's astonishing.

Worse than a bad incident there is only bad management of the following situation.

> This type of incident is extremely rare in the web hosting industry.

Why would they include that sentence? Are they trying to imply it is rare for them because it is rare for the industry? Are they saying they are not as good as the industry, so customers should move to other providers? Or are they trying to show they apply the same inattention to their customer communication as they apply to their data backup/recovery practices?

This kind of data loss should simply never happen. It’s one thing to say “it will take us up to 30 days to restore your data because our fast recovery options aren’t working and we have to bring up cold archives”, it’s entirely another to say “your data is gone, tough”.

I'm not sure why you've been downvoted for this. I thought the same.

I read it as: "This type of incident is extremely rare in the web hosting industry, because apparently the overwhelming majority of our competitors aren't capable of fucking up as badly as we just did."

Doesn't inspire confidence at all, IMO.

> Why would they include that sentence?

They're a French company; it may be a non-native speaker not catching the implication.

It's also possibly an editing error, e.g. they started writing something like, "these types of incidents are extremely rare and when they happen etc" and most of it was dropped without considering how that changed the implication.

I think they're referring to the "incident" that they experienced (on the storage unit in the datacenter), not the situation as a whole. The implication is meant to be that they prepared for many things, but not something as unlikely as this.

I think it was meant to say "nobody is infallible", these events are extremely rare, but they /will/ occur, even if you're a customer of the best and biggest players.

If you're not paying for backups... what archive?

They say you can backup by using their snapshotting tool, but they lost those snapshots too.

The bright side is that now if anyone asks me why we would ever need the 3-2-1 backup protocol, I have a beautifully worked example.

oh damn

A promo code in exchange of your data loss. What a bargain!

“Please keep trusting us to host your data”

You really shouldn't trust anyone hosting your data. Always have backups!

Often times the backup provider is the hosting provider, whom you have to trust. (This extends all the way from big clouds like AWS and GCE to small providers like Linode and DO). Having an external backup can be unreasonably expensive due to ridiculous egress costs.

If your business can't afford external backups then you don't have a viable business in the first place. And of course egress costs have to be considered when choosing a hosting provider.

Not everything that’s hosted in the cloud is a business. In fact, the Internet wasn’t even created for the purpose of profit-generating business.

The Internet was created by the military, so yes it was.

You can still back up to the same providers' different data center. Two data centers failing simultaneously is very unlikely.

Not always an option. For instance, I use Linode’s backup service and it can only back up to the same data center (although it is said to live on a separate system).

You can, and should, back up your irreplaceable data elsewhere using a custom solution. Unless it's some service that doesn't allow you to export the data at all, it may be inconvenient, but it is an option.

Coming from a Linode employee, I can confirm this is true. Linode's backups live in the same data center as the server, but the systems are separated so that they don't directly affect one another.

Do they have separate power supplies? Have steps been taken to ensure that fire can’t spread from one room to the next? What would happen if there was an explosion?

In all seriousness, these are good points. I'm not a data center expert by any means, but here's what I know: The data center hardware has failsafes present by design, but they aren't disaster-proof being that they're in the same building.

To answer your questions: Yes, the backup storage box is in a separate chassis than the host machine that the Linode lives on; they have separate power supplies. The DCs themselves also have some sort of fire suppression. I don't know what would happen if there was an explosion.

Same data center is a single failure zone, if only because of:

1. Power delivery systems that bring power to the buildings - see issues at 111 8th Ave failures during Sandy.

2. Power systems inside the data center. Blast radius there is rather nasty. See the infamous Internap blow up around 2015(?).

3. Fire suppression/firefighting protocols.

They could mean using regular data transfer (i.e. using something like rsync instead of the provider's backup service). Maybe egress costs among servers from the same provider are reduced or nullified.


> Traffic over the private network does not count against your monthly quota.

I wonder how private addresses are set up by Linode.

[1] https://www.linode.com/docs/platform/billing-and-support/net...

Each data center has an internal private network with a pool of private IPs available for assignment. If a private IP is assigned to a server, it then has access to the private network.


This becomes very difficult as your data grows. If you live in AWS world, imagine periodic snapshotting from EBS, S3, RDS (and other data stores), EFS etc. For most people a different DC of the same cloud provider should be enough. If you have to put this into a different cloud provider it is a big cost drain and difficult to manage let alone if you want to have your own physical backups.

AWS has tools around this (lifecycle manager) that you can easily leverage for simple site backups. Or you can roll your own, honestly it is not that hard to take rolling snapshots.

Obviously hosting providers do not make it easy to extract your data because that's their vendor lock.

Also, always make sure you're testing your backups by restoring to a non-production space, and ensuring that customer services are still available.

Gandi has never explicitly said they never had their own backups, just that they don't offer backups as a service. It's entirely possible that they did have backups, but couldn't recover/restore them.

"...marginally more than rolling your own or another cloud provider."

And to "trust marginally more" simply means:

    gandi_cost_per_month + P(gandi_fails_per_month) * cost_recovery
    alt_cost_per_month + P(alt_fails_per_month) * cost_recovery

> This type of incident is extremely rare in the web hosting industry.

I read this as "so maybe you should consider one of the other web hosting companies that doesn't have problems like this."

Interesting. The public status page says they’re still waiting for the recovery process to complete.

Is this a response from the company or are you putting it forth as an example response for how to handle this incident better? It’s unclear from your post.

Looks like their backups only consisted of in-region backups on systems that were homogeneous. Common pitfall. While technically a 3-node distributed system may provide disaster recovery from one node failing, in practice, an accidental rm -rf from an ansible script targeting all three machines, or a bug in the software that's doing the replication, will leave you without a backup plan.

If you're in such a situation, the easiest is to do filesystem level backups with something like zfs and ship the backups to a third-party system that only has write/append-only semantics (better yet, use a write-once-read-many (WORM) disk to really guarantee it). While there will still be _some_ data loss, it'll let you recover since the last snapshot.

If you don't have zfs, a database backup that runs the db dump script and scp/sftps it to a server running as a cronjob can also be an immediate remedy while you get your shit together (and by that I mean buy yourself a product with an immaculate reputation like aurora or cockroachdb to manage the db for you)

Harder but better would be to tee the log of the changestream (all distributed systems have such a log) to a third-party system. This is ideal because if it's done synchronously it'll let you recover since the last committed transaction.

And of course, test your backups, because backups are subject to code rot as well.
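The dump, ship and restore-test loop from the comment above, as an added example that is not part of the original post. It assumes a directory of dump files stands in for the output of your database dump tool and a local directory stands in for the remote store; the function names are hypothetical, and real append-only guarantees have to be enforced on the receiving system, not by this script.

```shell
#!/usr/bin/env bash
# Added example: archive a dump, record its checksum, never overwrite an
# existing backup, and prove the archive can actually be restored.

# Print the SHA-256 hex digest of a file (GNU coreutils or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_backup SRC_DIR STORE_DIR NAME
# Writes STORE_DIR/NAME.tar.gz plus NAME.tar.gz.sha256.
# Returns 1 if a backup with that name already exists, 2 on write failure.
make_backup() {
    local src store name archive tmp
    src=$1; store=$2; name=$3
    archive="$store/$name.tar.gz"

    # Write-once behaviour: an existing backup is never replaced, so a
    # broken or malicious later run cannot destroy earlier restore points.
    if [ -e "$archive" ] || [ -e "$archive.sha256" ]; then
        echo "refusing to overwrite existing backup $archive" >&2
        return 1
    fi

    # Build under a temporary name so a crash never leaves a file that
    # looks like a finished backup.
    tmp="$archive.partial.$$"
    tar -czf "$tmp" -C "$src" . || { rm -f "$tmp"; return 2; }
    sha256_of "$tmp" > "$archive.sha256" || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$archive" || return 2
    chmod a-w "$archive" "$archive.sha256"
}

# verify_backup STORE_DIR NAME SENTINEL
# SENTINEL is the relative path of a file that must exist and be non-empty
# after a trial restore (for example the SQL dump itself).
# Returns 1 = backup missing, 2 = checksum mismatch, 3 = archive does not
# extract, 4 = restore succeeded but SENTINEL is missing or empty.
verify_backup() {
    local archive want got scratch rc
    archive="$1/$2.tar.gz"
    if [ ! -f "$archive" ] || [ ! -f "$archive.sha256" ]; then
        return 1
    fi

    want=$(cat "$archive.sha256")
    got=$(sha256_of "$archive")
    if [ "$want" != "$got" ]; then
        echo "checksum mismatch for $archive" >&2
        return 2
    fi

    # Trial restore into a scratch directory, never over live data.
    scratch=$(mktemp -d) || return 3
    rc=0
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        rc=3
    elif [ ! -s "$scratch/$3" ]; then
        rc=4
    fi
    rm -rf "$scratch"
    return $rc
}
```

Run `verify_backup` on a schedule against the stored copy, not only right after `make_backup`, so that silent corruption and tooling rot are caught before the restore is needed.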

What backup strategy are you implying for the case of cockroachdb? Streaming the changefeed (including timestamps) to an external append-only system while slowly and incrementally iterating through all tables using as of system time to reduce impact on active transactions and know how late this shard of a "full backup" can be inserted into the "augmented" changefeed you'd generate by interleaving these shards into the changefeed. For replay you'd use the stream from the oldest shard up to the select min(a) from (select max(timestamp_resolved) as a from changefeeds group by table) newest timestamp you know you have the transactions complete changesets for (the resolved timestamp can be periodically emitted to confirm that no further records in the same feed(/table) could have a transaction timestamp earlier than it, inducing a partial ordering).

You could replay the (combined,sorted,augmented) changefeed in-order, or shard it on the table's primary key to ensure per-key monotonicity when applying the streams in parallel threads/transactions/nodes.

Gandi have something of a cult following, but in my only experience with them they literally lost my domain name during an inbound transfer.

Their response was awful and rude and completely unprofessional. I never got my domain back.

Based on that experience, this incident doesn’t surprise me at all.

I’ve always been a little confused about their cult following given their unfriendly terms — arbitrary domain cancellation based on adult material for example — which are fair terms to have if that’s their ethics but it seems at odds with the typical pro freedom expectations many people in technology hold.

They put a rude word on their homepage, that makes them edgy and cool and anti-corporation!

"No bullshit" is up there on my corpro-speak charts right along with "synergy" and "innovation".

Everyone's website says they're "no bullshit". It's all bullshit.

When my daughter was in high school she was doing an IT subject, for fun I told her to try using "synergy" in one of her assignments. She got an A, it's a magic word.

"No bullshit" works when it's an SME talking, but once a company reaches a certain size then all bets are off

It was founded by pioneers of the Internet in France who were involved in non-profit/hacker/open source circles, which is where it got its cult following from.

But at the end of the day it's a cheap provider with, ahem, French-style support so I'm not sure what people were expecting out of them.

Any details on this? All I found while searching for this was Gandi explicitly advertising gTLDs designed for adult content...

Do they have that in their terms? Independently of that, do they have a history of doing that?

Why do they have a cult following? I never heard about them and reading all this here, I cannot say I understand why anyone uses them at all.

Edit; I use (and have been for a very long time) namecheap for registration and (recently) Cloudflare for DNS. I used to host all DNS myself, but that became a bit of a pain with many domains as that's definitely not my core business.

They were a freenode sponsor.

I very recently transferred a few domains to Gandi, and they also managed to lose one. I had to contact their customer support and they were able to restore it - it was all very strange. Combined with this incident and their responses on social media I'm getting the feeling that I should move them elsewhere again...

what can you recommend as an alternative?

For domain registrations I use a mix of Namecheap, Cloudflare, GoDaddy and Name.com, and haven’t had issues with any of them.

Gandi is the only domain registrar I’ve had an issue with.

I've been burned by both Namecheap and GoDaddy, along with losing a few domains in the infamous registerfly scam in the early or mid 00s. Namecheap may have been simple cock up, rather than systemic pattern of intentionally fucking over every customer. Avoid GoDaddy at all costs.

I consider GoDaddy to be one of the worst companies in existence, as bad as anyone else you can think of, as free of corruption as current ICANN and as fraudulent as registerfly. Clients looking at available domains have found them immediately registered and squatted at {hundreds}% markup. Their incompetence lost me a few domains, and several freelance clients reported similar -- all of whom were paying vastly over the odds for what they were getting. GoDaddy make Gandi look an exemplar of ideal behaviour for behaving as people are reporting in this HN post.

Their previous CEO had domain squatting and a complete lack of personal ethics as sidelines. That's quite apart from their horrific upsells making a simple renewal a 22 page nightmare of deeply dark patterned "no" clicks against atrocious value "offers".

> Namecheap, Cloudflare, GoDaddy and Name.com

Avoid GoDaddy at all costs!

GoDaddy at least is very customer support focused AFAIK.


Been using iwantmyname for the past few years. Smooth sailing all the way.

easyDNS for domains

Keeping registrar and hosting separated seems like a good idea.

In the year 2020, it's becoming increasingly impossible to trust anyone to do nearly anything (in my opinion of course).

The courts are too expensive. The culture of taking pride in one's work maybe is disappearing.

For the most crucial parts of doing business/living life, we are required to trust someone else. For example, I can't just go and make my own cell phone tower or ICANN.

And yet I can't even trust those entities to get it right.

Decreasing trust increases transaction costs.

There's got to be a measurable (negative) economic impact.

I don't have hosting with Gandi, but I do use them for domains and DNS. I'll be considering migrating my domains from them after this.

Their response to this is exceptionally poor. To say essentially "this could happen to any other web host" is nonsense. I've never had this happen with any of the providers I've used for hosting and I'd be very angry if I had just lost an entire VPS. The fact that they've lost all snapshots as well (which are advertised as backups of the underlying volume) is unforgivable.

I had an incident similar to this with linode, which is why I use and recommend Digital Ocean nowadays.

My machine going away because you had hardware issues isn't my problem, and I'll spend my money on a more competent company.

I had the exact same experience on Digital Ocean. Attempted to resize a VPS, the process got stuck for eternity, and support tells me all data is lost.

Always have your own offsite backups.

To be clear, disk corruption can happen anywhere due to many reasons, in particular when VM disks map to local disks on a hypervisor, which gives you fast SSDs without network latency. Probably that the resize command had an issue and corrupted the image on disk. Then there's not much that can be done aside from restoring from a backup. Having had backups enabled on the droplets, they would in all likelihood not have been corrupted since backups with DigitalOcean are stored offsite. In such case they could have been used to restore the droplet.

In some extreme cases, a concert of bad luck may coincide to ruin things despite multiple levels of redundancies. But that's extremely rare, especially nowadays. However DO is much larger now than it used to be, so the odds of hearing about extreme accidents increase.

disclaimer: I used to work there.

When I worked at the WordPress hosting division of Copyblogger, we always had issues like these with Digital Ocean. They would email us saying that the node had a problem, and we had to recreate the server on our own.

Good thing we only kept caching servers in Digital Ocean, so those were easily recreated, but that always kept me away from DO, personally.

In fairness to them, though, DO do not claim to keep backup of the servers, as far as I know.

DO has a service to automate backups. You can't download them or snapshots though, so if you want an off-server copy you have to do it yourself.

I use Gandi for domains & DNS too. I've never had any problems so far but I don't want any surprises... Where do you want to migrate? What is a better alternative?

I like Cloudflare and find them to be a very good value proposition. They have a domain registrar now as well, though I haven't tried that yet. https://www.cloudflare.com/products/registrar/

Cloudflare DNS is free, and they support DNSSEC (unlike Digital Ocean). The web UI is good, and there's an API, and Terraform provider.

Most providers (notably: AWS) don't support DNSSEC, because DNSSEC doesn't matter.

I moved a couple Namecheap domains to Cloudflare's registrar when they launched, no complaints here. One domain took a bit longer to transfer, but the first took only a few minutes so I didn't mind it at all. I already used them for DNS so it felt like a no-brainer.

I use Hover for DNS and domain registration, never had a problem and their interface and support is top-notch.

Same here. Wondering what alternative there is. Heard good things about https://porkbun.com/

I'm using Porkbun and like it. I've used Namecheap, Cloudflare, Alibaba Cloud, and Gandi. I prefer Porkbun to all of them, but I'm a fan of simple, no-frills stuff.

I've used support twice when transferring domains into Porkbun and they were good. I transferred a domain out and had no issues. Their 2FA options are really good. They frequently have the best prices around (tld-list.com).

I wish porkbun allowed easier DNS record management. It's very cute, but I can't edit a bind style file, which means a lot of extra clicks.

I used to use Gandi for all my domains. I've switched to OVH though. Their DNS also propagates in like a minute.

Same boat. As much as I hate to give Jeff Bezos another penny I can't look further than AWS for everything at this stage.

Don't worry, if you purchase a domain with a .biz (or 300 other junk-tier tLDs) extension from Amazon Route 53, Gandi still gets paid[1].

[1] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/re...

Huh. I wonder how they will react to this. Thanks for highlighting that.

FWIW, I've found GCP a pleasure to work with in comparison to AWS.

Same here, of the big three (AWS, Azure, GCP) I found GCP's panel to be the most comfortable. The recent news of unjustified Google account closures and billing mishaps are putting me off moving there, though.

I found their dashboard pretty sluggish in some parts.

I had one weird incidence with trying to host wireguard on it, I couldn't get it to work reliably even after changing MCU to suit them or trying other fixes.

I've used it and it's not near as good as AWS. Plus Google have a habit of shutting stuff down so I have basically given up on them for critical stuff.

I've been burnt several times now by smaller players claiming a higher degree of privacy that suddenly charge high fees, sell to a competitor, or sell my data. As of last month, I've moved my domains to Google. Better the devil you know than the devil you don't.

TIL that gandi was bought by a private equity firm around a year ago.[0] This may explain some things...

[0] https://news.gandi.net/en/2019/02/futureofgandi-the-adventur...

Where does it say it was bought? It talks about a new investor:

> we have found a new investor in Montefiore Investment, who have replaced our former shareholder!

Am I missing something?


That's a very strange blogpost.

Interesting reaction. Is the highly negative reaction correlated with US culture maybe?

I've used them for many years and had several complex support interactions with them.

Their customer service policy is very "API-like" in that you get exactly the t&c you paid for and nothing more. Hand-holding and soothing noises are not included in the t&c. They fuck up you get a refund, you fuck up they'll tell you exactly that. Outside that they're very casual relaxed humans to communicate with.

I find that far more trustworthy (in the mathematical sense) than a "slick" twitter feed.

Politeness does not imply trustworthiness.

Gandi is the absolute worst.

The last time I tried buying a domain through them, they took my money and then demanded "identification" via government ID (citing some bullshit in their ToS). I refused, so they closed my account and took the domain with them.

Based on that, I'm not surprised at all by their CEO's response to this incident[0]:

>If we led you to believe that you had nothing to do on your side when warned multiple times to make your back ups, then we'll have to make it clearer, and stop assuming that it's an industry wide knowledge.

[0]: https://twitter.com/StephanGandi/status/1215287619938062342?...

I had exactly this problem too but with NameCheap. Told them to put their id request and my money somewhere and left for Gandi.

After more than 8 years with Gandi, not had a single issue with them.

I understand people might be upset because they lost data, but as a sysadmin, my reaction is "ooh shit, poor guys, that must be a horrible week"...

And honestly, if you don't keep data of stuff you host on a server provider like this, you kind of get what you deserve...

No you don't. While I agree everyone should have their own backups, you should expect your hosting company to properly replicate and back up their datacenters.

I don't, actually, expect them to do so. But even if I would, and Gandi, here, were doing backups and replications, no one is immune from errors and catastrophes.

Pretending that the cloud is permanent and infallible is extremely dangerous. I would seriously question the competence of any sysadmin relying on this as a base principle.

Sure, they screwed up, but this stuff happens. We should actually be happy it happens "only" on a "small-ish" provider like Gandi and not an entire AZ at Amazon.

Can't wait for that shoe to drop, I'll bring the popcorn, if there's anything left of civilization then...

> Gandi, here, were doing backups and replications

As far as I understand correctly they only made snapshots on the same machine, which is why there's trouble to begin with.

Considering they're currently "reminding" customers that backups are an industry standard right after losing data due to missing backups I wouldn't just shrug it off.

That's probably because they bought into the sales pitches of the likes of EMC. It's a nice pitch and in most of the cases it works exactly like EMC promises. Snapshots work great, data is always recovered, etc, etc, etc.

The fun, of course, starts that one time when it does not work and you realize that no one looked at the corner case that bit you.

Where does this come from?

That is not the industry standard for web hosting. Never has been, never will be.

Backups aren't free. Replication isn't free. DR isn't free. If a customer isn't paying a premium for them, they aren't getting them. Read the terms of service.

In this case, the customer did pay for it: https://twitter.com/andreaganduglia/status/12152083871699804...

See full thread. Snapshots are marketed as backups.


Intelligent people can argue all day about whether a snapshot should be considered a backup or not, but it won't change the fact that a snapshot doesn't provide any protection from a failure in the underlying storage and it's ridiculously foolish for the owner of data to solely rely on snapshots as their backup strategy.

They literally use the word "backup." I wouldn't _normally_ expect snapshots to function as backups, but once they market them as such, I do. Yeah, sure, it's probably yet another case of a sales team getting over eager and taking over the company, but that's why if you value your ethics _at all_ you keep tabs on WTF the sales are doing.

So you're saying, against your admission of knowing better, that you can be literally swayed that a snapshot is a proper backup in the independent-of-the-original-storage sense, because their documentation equated the two?

The difference between a snapshot being a backup and not being a backup is literally the guarantees made by the provider. If the snapshot feature is documented as a backup, it is DOCUMENTED AS A BACKUP. Unless, of course, I suspect the provider of using the words as a way of confusing me, BUT THAT'S BAD. Like go read yourself a few times, you're literally defending them by claiming it's reasonable to treat them like scammers.

They can document it as anything. A backup has to be isolated; different physical location, different medium, different provider. What if the technical infrastructure works as advertised, but the company goes into receivership for whatever reason?

Having cloud provider X say they moved the bits from one place to another should not be considered a backup by anyone, regardless of what they advertise.

> snapshot doesn't provide any protection from a failure in the underlying storage

That depends on how snapshot storage is implemented by the hosting provider. They can use different storage for it, or tapes or whatever. On AWS I can easily have my snapshots on Glacier or copy them to a different data center.

How do you move your EBS snapshots to Glacier?

Use an Amazon S3 lifecycle.

Can you link any docs for that? I believe a lifecycle is attached to an S3 bucket, and there's no bucket for EBS snapshots as they're tied to EC2.

IIRC you can do this by using AWS Backup. There's a setting in the... Plan? Policy? Sorry, it's been a while and there was a weird mismatch between the terraform documentation and the official Amazon documentation... anyways, there's a setting somewhere that says to move the backup to cold storage after a certain amount of time.

I'd be interested in more on this claim.

- Was this mostly a power loss or a data loss?

- If data loss, did this affect EBS (which has had a claimed annual failure rate of 0.2% - 0.5% or so if I remember) or S3 (much lower failure rate). Remember, EBS WILL have volumes go bad - that's in the docs, they recommend snapshots, aws backup manager etc if you need higher durability.

The sysadmins over there probably have a whole list of stuff that should actually have been done, but management never gave them time to do. Then this happened and they were proven right. Their reward? Working a lot of overtime probably.

> And honestly, if you don't keep data of stuff you host on a server provider like this, you kind of get what you deserve...

While I agree that everyone should have their own off-site backups, this does come across as incredibly crass victim blaming.

At least then now we know what kind of service we may expect from Gandi... Shit happens to everyone, it is in the cleaning up you learn who you're dealing with, is my personal view on that.

> You get what you deserve

Sure, let's blame the victims here; that's effective and helpful.

culpability isn't zero-sum, everyone can have some. some entities deserve a lot, others deserve just a teeny tiny little bit.

for purposes of keeping your data safe, your cloud provider is just one, single, copy of your data. all of their redundancies and backups and whatnot are for _their_ convenience, not yours, regardless of the marketing copy.

(they can decide to intentionally delete your data because they think you didn't pay. no amount of RAID and georedundant backups on their part will help you then.)

Oh god, the victims, really? You host your data on someone else's computer to save on costs and get rid of the burden of dealing with metal and stabbing yourself with screwdrivers, and you're the victim when they fuckup?

Give me a break... It's not like anyone died here. There's a reason I host my own shit. Problems happen, errors are made, and data is lost. It's also your responsibility to deal with data permanence, even if your provider has all the promises in the world.

Well yea that’s why you pay them, to do a job. That payment comes with certain expectations and when they aren’t met you incur cost. In this case downtime and effort and time to restore from your own backup. Victim may be a bit strong but of course it’s Gandi’s fault and not their customers’.

> You host your data on someone else's computer to save on costs and get rid of the burden of dealing with metal and stabbing yourself with screwdrivers, and you're the victim when they fuckup?

A company violates their agreement with you in a way that costs you time, money, and potentially business, and you're not the victim?

Exactly, it's like you somehow give your original private keys to a cloud hosting provider or a service like Gandi, they have a problem and lose your mission critical data and you later blame them for their responsibility.

They are fools on their side for failing to preserve user data, but you end up being the bigger fool for trusting them to do this for you without preserving a backup plan yourself.

Shit does happen, but pretending like it's not a big deal and not providing a solid RCA seems to be what's really annoying about their reaction.

Even if it is a bad practice not to have your own backups, no one is at fault here but Gandi.
