I'm a big fan and critic of apologies. This one is pretty good.<p>They admit the mistake was theirs and they take responsibility for it. They say sorry. They explain what they're going to do to fix the situation. They say they're going to learn from this and not have similar mistakes in the future. Pretty solid.<p>The only thing that is missing, in my view, is personalization. Tell me who you are, speaking for the organization. This humanizes the apology, and also gives a face to who it is saying they're going to improve. Ideally the CEO.<p>Still, I give it 8/10.
This is yet another good reason to prefer decentralized networks. When Slack or Facebook or whoever agrees to block someone there is no resolution other than appealing to a company with a closed decision-making process, something I don't think any of us really want.
> We will soon begin blocking access to our service from IP addresses associated with an embargoed country. Users who travel to a sanctioned country may not be able to access Slack while they remain in that country.<p>Is Slack legally required to do this? As long as they aren't knowingly accepting payment from these countries, shouldn't they be in the clear?<p>How are other tech companies dealing with this? Does Google block access from embargoed countries? Does Windows refuse to work?
It’s still profoundly disturbing to my eyes.<p>Technically their underlying problem is relying on IP ranges, which is flawed and raises false positives all the time.<p>They seem to recognize they shouldn’t be doing irreversible and critical actions with only that info, yet will still use it to drop traffic.<p>To me their message is “sorry we screwed with your accounts, going forward we’ll only screw with your messages”. Am I supposed to be that reassured?
What changed recently that hadn't been the case for past years that made them add these new measures? A true, earnest apology would at least touch on the justifications for the changes more than just "become legal". But I understand that, sadly, that kind of transparency is a bit much to ask of any company these days. Still curious though if it was just an internal decision or spurred via government/legal threat/request.
My theory: Slack did this rough shot to get a deal signed with a major new client and to support the due dil.<p>Also note that all the major cloud providers in the US do not do business with embargoed countries. They all block IP from Iran, et al. to compute within the US, but allow it to compute within other geos, this extends to tech support, sales, etc.<p>I'm honestly surprised that Slack users within Iran could access the service running in US to begin with. In all likelihood they could only access edge servers located in other geos in APAC or the EU.<p>Look closely at everything Slack says in this message and others. "Enterprise Software" is tossed around a lot. They want to be the communications platform for the enterprise and have to meet these standards to compete with other offerings that exist today.
> Users who travel to a sanctioned country may not be able to access Slack while they remain in that country. However, we will not deactivate their account and they will be able to access Slack when they return to countries or regions for which no blocking is required.<p>So why ban <i>any</i> account? Why not just drop connections from IP addresses in embargoed countries?
While "banning by IP" will work for discouraging most users, a VPN service or a proxy service (SOCKS, SSH, etc.) would make it irrelevant if someone wants to use a service like Slack, Facebook or Google... It just inconveniences those who do want to use it bad enough. To me, it's a "band-aid of compliance" to whatever agency has requested them to do a ban on certain countries' IPs.
This disturbs me.<p>So Slack is a communications platform.<p>If we have an embargo against a country, we have to shut off any services we offer to that country? Including communications platforms.<p>Doesn't seem like that will help improve things in that country, or help the people in that country communicate.<p>I'm all for not sending a dictatorship steel or guns, but why would we cut off communications platforms? That seems batshit.
I wonder why Slack cares so much about blocking poor Crimeans from its service and at the same time Visa and MasterCard are accepted freely in any town of Crimea. Why are these payment schemes allowed to work there despite the embargo?
Sanctions and embargos are getting out of hand. Blanket, rather than targeted individual sanctions/actions, truly only harm the people of a country that have little to no say in what their government or country does.<p>As seen here, sanctions turn companies that provide services into poor customer service scenarios through forced compliance for what reason ultimately? All that does is make it harder to track since we now live in a surveillance society. What a waste of time and energy. We are living in an age of the abuse of economic sanctions, that ultimately harm the wrong people and make companies/products look bad.
What does Slack propose to do about access through a VPN so your real IP is hidden?<p>Of course in the long term this is just incentive for countries to support balkanisation of the Internet.
I understand the necessity of embargoes, but I’m a little torn on this one, given the ubiquity of Slack, IP crackdown mistakes aside.<p>Hypothetical: If you build a product meant for use in other countries than (also as well as) the one it’s been built in, should you be allowed to embargo its use based on the (possibly arbitrary) politics of a single one of those countries?<p>I suppose the makers can do as they please/are required to in their home country.<p>However, it opens another costly-to-startups hypothetical: If the politics of our home country swing to the (insert x-axis direction) and we decide (insert country Y) are baddies, do we have the resources to comply with an enforced embargo?
Reports from the affected are a bit imprecise and often heated. Do we know whether Slack here banned based on IPs from the past and if so, do we know how long they keep that data?
I'm curious whether IP blocking is actually enough to comply with the <i>spirit</i> of a trade embargo.<p>Surely, the point of "not trading with Iran" is to avoid, through one's economic activity, enriching the <i>citizens</i> or <i>corporations</i> of Iran; and has nothing to do with preventing access to people who just happen to currently be within the geographic boundaries of Iran. (So: email blocking by detection of Iranian-ISP mail host = sensible; Iranian IP blocking = not-so-much.)<p>Unless, I suppose, you expect that a tourist accessing your service through an Iranian ISP, will be enriching the Iranian ISP to exactly the degree that you are serving them, and therefore, you are legally required to not serve the tourist, lest <i>they</i> enrich the ISP thereby. (<i>That</i> would be a hard point to prove.)<p>But actually, even if it was just the letter of the sanctions that you had to obey, I would expect that "not trading with Iran" would be a lot <i>harder</i> than it sounds—it would require, for example, that you do not trade with an Iranian citizen who is currently geographically located in, say, Mexico. How would you know? Your random IM webapp would need a KYC process (submission of ID documents, etc.) to be "sanction-compliant", wouldn't it?
"Mistakes were made" is a good apology, but with no personalization, no reparations for the people impacted, and no reflection on the process and context that allowed those mistakes to happen, it still leaves Slack in a lower place in my mind compared to where it was before this incident.<p>It may sound like there's no way to win for them, but well, mistakes have consequences. Time will heal the wounds.
Does an IPv6 world prevent IP-based location sniffing?<p>It seems odd to me that IPs can still be used to (semi-)reliably determine a client's geographical location.<p>With the immensely larger address space that comes with IPv6, does that give the Internet a chance to completely sever the link between geography and IP address? Or do we still have issues with aggregating routes in a space-efficient way?
As apologies go, this is a decent one.<p>But they still say:<p>> We would also like to notify our users that as we continue to update our systems over the next several weeks, we will soon begin blocking access to our service from IP addresses associated with an embargoed country.<p>I'm no expert, but I did spend a couple months checking alleged locations of VPN servers. I compared: 1) location alleged by the VPN provider; 2) location from various geolocation databases; and 3) ping results from several hundred servers (from various providers).<p>Bottom line, locations alleged by VPN providers and locations from geolocation databases were generally in agreement. But for some VPN providers, such as HideMyAss, ping results demonstrated that those locations were very often implausible. Because they implied signal transmission faster than the speed of light.<p>So anyway, basing life-altering decisions on IP-based geolocation is an <i>extremely</i> stupid (or at least, unjust) thing to do.
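The ping check described in the comment above, as an added example that is not part of the original thread: a round-trip time below 2 × distance / c from any probe means the server cannot be at the claimed location. Probe names, coordinates and RTT values are constructed for illustration.

```python
import math

C_KM_PER_MS = 299.792458   # speed of light in vacuum, km per millisecond
EARTH_RADIUS_KM = 6371.0

def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def min_rtt_ms(probe, claimed, speed_fraction=1.0):
    """Lowest physically possible RTT between probe and claimed location.

    speed_fraction=1.0 is the hard bound (light in vacuum); about 2/3
    approximates light in optical fibre and gives a stricter check.
    """
    return 2 * great_circle_km(probe, claimed) / (C_KM_PER_MS * speed_fraction)

def implausible_probes(claimed, probes, rtts_ms, speed_fraction=1.0):
    """Names of probes whose measured RTT is below the physical floor.

    A single such probe is enough to rule the claimed location out; a high
    RTT proves nothing, since congestion and detours only add delay.
    """
    return [name for name, rtt in rtts_ms.items()
            if rtt < min_rtt_ms(probes[name], claimed, speed_fraction)]

# Constructed sample data: three probe hosts and the best (minimum) RTT
# each measured to one server address.
PROBES = {
    "frankfurt": (50.11, 8.68),
    "new_york": (40.71, -74.01),
    "singapore": (1.35, 103.82),
}
BEST_RTT_MS = {"frankfurt": 12.0, "new_york": 85.0, "singapore": 170.0}

CLAIMED_SINGAPORE = (1.35, 103.82)   # location a database reports
CLAIMED_AMSTERDAM = (52.37, 4.90)    # alternative location to test

if __name__ == "__main__":
    for label, loc in (("Singapore", CLAIMED_SINGAPORE),
                       ("Amsterdam", CLAIMED_AMSTERDAM)):
        bad = implausible_probes(loc, PROBES, BEST_RTT_MS)
        print(label, "ruled out by" if bad else "not ruled out", bad)
```

The check can only disprove a claimed location, never confirm one, which is why it is a poor basis for blocking but a useful sanity test on geolocation data.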
Iran is a terrorist state and anyone providing aid to them can be tried under the PATRIOT act: https://en.wikipedia.org/wiki/Providing_material_support_for_terrorism
I want to see a post-incident analysis, like GitHub published: https://blog.github.com/2018-10-30-oct21-post-incident-analysis/
Bad apologies make things worse, but good apologies don’t make things better.<p>Actions speak louder than words. Blocking people's accounts was a management level decision that they are only regretting due to this coming to the public’s attention.
What countries are embargoed for chat?<p>I work in banking, and when we discuss certain kinds of remote access, it's notable that there is no "OFAC" list. There are shit tons of lists for different things. I wonder which list Slack uses.
Slack missed an excellent opportunity here: to be the first US company to suspend services momentarily due to egregious and broken* sanctions imposed by the US on other countries.<p>* Broken in that they are levied against random individual citizens of sanctioned countries instead of groups trading with or state entities otherwise interacting with the US.
> In fact, we also apologize to the people whose accounts we intended to disable in order to comply with these regulations<p>Misguided politics of the Trump 'administration'. This stuff is highly unpopular outside the US.<p>For me a reason to avoid US services which actually enforce these politics. Slack can do whatever they want, but these actions make sure that I never want to be a customer of theirs and I would never recommend to use their services.