Can really spot someone who has never had to deal with OFAC with a comment like this. Even if I don't necessarily agree with the concept, or who is actually being blocked, my business is dead in the water if I'm a) sent to prison or b) fined out of existence.
Geographic IP information is one of our best tools to defend against those outcomes, and if anything it should be better.
On the other hand, GeoIP is arguably the reason you are in this situation in the first place, i.e., having to use it since it's there and everybody else is doing so as well.
Intentionally ambiguous regulations (in terms of how companies and individuals are expected to comply) backed by the existential threat of huge fines often lead to a race to the bottom in terms of false positives and collateral damage to non-sanctioned users.
If you were serious about limiting who uses your services you'd use an allowlist of ASNs. Even then, what about users using US-based residential proxies?
ASNs can obviously span multiple countries, and aren't a great way to gate this at all. We block ASNs we KNOW are owned/operated by companies in limited countries, but I couldn't imagine a worse way to approach it at scale. Hate doing it, it's heavy-handed and wrong.
> Even if I don't necessarily agree with the concept, or who is actually being blocked, my business is dead in the water if I'm a) sent to prison or b) fined out of existence.
Is there some specific way we can get the laws like this to be gone? They're obviously useless (witness this very thread of people describing ways for anyone to get around them) and threatening people with destruction for not doing something asinine isn't the sort of thing any decent government should be doing.
The backlinks derived from PH are generally considered harmful, and rightfully so. It's gamed beyond belief. There is not much to gain from being at the top of PH other than talking about it to legacy VCs.
I couldn't imagine a better way to describe the current concept of grassroots marketing. Spam, and frankly heavy-handed and bad ways to resolve it (no links get traction, etc) have effectively closed the door here.
Anti-spam teams for a lot of social companies are under the umbrella of customer experience, and considered a cost center. The goal quickly becomes: be a hammer.
The impact to user experience, specifically around casual discovery, has been profound.
We're working on the successor to Weebly, with https://www.articulationsites.com. My partner and I were founding engineers at Weebly. It's clear that the brand is in decline at the hands of Square, and it drives us every day to make a great alternative that Weebly users can rely on.
The sad truth is that for the most part, the web hosting industry has normalized a fairly lax approach to security, and sees settlements like this, and even breaches, as a cost of doing business. Look at WordPress maintenance, for example.
It's a tough business hosting arbitrary UGC, and doing it well costs a lot of time, effort and money (ask me how I know). But I fully agree: treating this as just another line-item cost is absurd.
Yeah, this is what it comes down to. WordPress has an incredible following for a great reason: it works well for the people that know how to use it.
Designers and agencies are more than happy to continue to use it, and frankly they should -- it is their bread and butter. The WP drama is news for us web-devs but will affect their market in no way whatsoever.
The language is intentionally vague, and leaves the determination on the person who has to check the box.
I have a competing product and shouldn't get too far in the weeds on what I truly think here, but the predominant feeling across people that have to interact with this is that it's done on purpose.
It's not so much that people don't understand what the word "affiliation" means, it's that you'd have to be completely certain that a lawyer, hired from what is clearly a litigious org, would have the same understanding.
This isn't a legal document from the federal government. There's no perjury risk. Just click the box and get what you need. What, is Matt paying for deep background checks on everyone that does check that box? It's one of the most ridiculous checkboxes on the interwebs.
You’re thinking about this from the perspective of good faith. I think the people who are worried are looking at it from the perspective of no longer being comfortable saying something is too absurd to happen.
For example, say your company ends up on Matt’s legal radar and he trawls the logs looking for accesses from your IPs and says you violated CFAA – even if you’re totally comfortable that you’d prevail in court, that could be an expensive process and discovery might turn up things you’d prefer not to be public. In situations like that it’s easier simply not to risk dealing with him since people who are focused on vengeance will often waste resources on pointless activity just to prove a point.
Maybe it's just me that always has that "under penalty of perjury" sarcastically running in my inner voice whenever I see these types of ridiculous EULA type of things.
Somebody should really force the issue to "have standing" to fight the ridiculousness. I'm shocked WP Engine hasn't already.
Companies are absolutely allowed to arbitrarily ban certain people or groups of people from using their services, and if you sign a contract attesting to you being allowed to use the service, you can absolutely be found guilty and/or liable of breach of contract.
Some courts have interpreted the definition of "unauthorized access" in the CFAA pretty broadly. That checkbox about WP Engine is arguably an "access control mechanism" since you can't access the site without checking it. Maybe it's a stretch but it's not that much of a stretch.
IANAL either but I was under the impression that changed with the Van Buren v United States Supreme Court case [1]. If you register and accept a EULA, it’s no longer “unauthorized” access, regardless of whether you exceed EULA limits, as long as you’re using the authorized interface (as opposed to trying to get access to the servers via SSH or some other side channel). It’s not the criminal courts’ job to enforce access limits.
IANAL, not from the US either. But if you register, you are signing a legally-binding licence agreement. Doesn't lying or giving false information nullify this contract?
For example, if you register on wordpress.org while claiming you have no affiliation with WPE, but you did have any sort of affiliation, they could consider the contract null/void, and claim the access was unauthorised because the contract wasn't valid.
The contract can be null and void but if you can still login, it’s not unauthorized access. The burden is on the company to pursue breach of contract. That’s my reading of the decision but again, IANAL.
It is not illegal to breach a contract. You can be held liable for damages but there is no criminal penalty and some judges think breaching contracts can be good (so called efficient breach).
As both an interviewer and interviewee at Weebly, I'm pretty confident in saying I prefer our approach of the trial week. It really gives a great opportunity for the candidate to show off their skills without the on-the-spot pressure of a coding interview. A great side-effect is the candidate gets to determine if they like the team, and vice versa. I honestly wouldn't work somewhere else where I couldn't come in for at least a few days to meet and work with the team.
Instead of repetitively saying that you went through this same gauntlet yourself, how about an argument for how you think this is possibly a valid strategy for attracting good already-employed developers?
As I see it, there are 2 huge barriers to me ever doing a trial week while currently employed:
1. If it doesn't work out, I've just burned 1/4 of my vacation time for the year. That's a pretty massive ask for a company to make. I could do a bunch of math with expected values, but I'm sure it would work out to Weebly having to have insanely great compensation (>$300k) for me to do it.
2. Even if it does work out with Weebly, it makes it impossible for me to concurrently solicit and evaluate multiple offers, which I absolutely do when looking for a new position.
How do you overcome those problems which make it very unlikely that 99% of employed developers will do your process?
Of course, it could also be that this is a brilliantly designed strategy for weeding out expensive employees by focusing on the unemployed and unsavvy.
> Of course, it could also be that this is a brilliantly designed strategy for weeding out expensive employees by focusing on the unemployed and unsavvy.
This is the result, intended or not.
The problem is, the good people usually don't need a job. So the more of a gauntlet you make your hiring process, the less likely it is you'll get one of those already-employed, perfectly happy and great employees. You're selecting the people who couldn't get jobs at your competitors (modulo the false-negative rejects).
I did something similar with another company where I did remote part time work for 2 months to see if they would like me and vice versa.
Didn't end up working out so I was glad it was only part time and I didn't make the jump. If I made the jump directly, I likely would have been laid off and unemployed.
> I'm pretty confident in saying I prefer our approach of the trial week.
A full week is pretty close to insane. It means that application is effectively limited to the currently unemployed (or those who are willing to burn what might be all the vacation they can take for months).
That said, it does make pretty clear that Weebly doesn't give a single shit about employees' lives; so it's kind of Weebly to make clear, right out of the gate that they expect to be the only thing that matters in your life.
As a pretty happily employed Weebly for a few years now, I'm frustrated that you think that, but I'm glad that you went out of your way to register an account to reveal your thoughts. In this case, I guess we'll just agree to disagree.
How would you handle the currently-employed with such a setup? Having to either give notice or use up a week's worth of vacation days just for an extended interview at a single company sounds like a real horror show from the interviewee end.
Contract-to-hire at least gives you a couple months of fairly sure income.
I was employed when I did my trial week at Weebly, and I had to use a week's vacation to do it. Weebly paid for my time, not to mention the trip to SF. Obviously it was worth it to me, but I can see where you're coming from.
I took a week off at my previous job to trial at Weebly. My previous job had a very strict vacation policy, but I knew the importance of what I was doing.
Weebly has an unlimited vacation policy, so, it worked out pretty well.
You've mentioned this twice. Yet, it means nothing for the vast majority of people in the workplace. The majority have to be at work programming instead of interviewing for programming positions. They neither have unlimited vacation time nor a 100% guarantee using a vacation for some interviews will go anywhere. If anything, the OP's post shows quite the opposite for them in the common case.
So, how does a trial week work for candidates committed to another job? If anything, it seems to self-select for part-time or remote workers that are already in a position with time on their hands. The best I know don't fit into that category: you'd miss them.
EVERY job switch has inherent risks. It's unreasonable to expect otherwise. No one can help that and OP's situation wasn't crazy. He/She took a risk and it paid off. The downside is just a lost week of PTO? Not too crazy and anyone with a full-time job and some PTO could do this. I'd even get 'really sick' if I had to.
It's true that every job has risks. Where do you see me (or OP) say otherwise? The question is should every candidate give up a whole week of his or her time knowing it will get most people nowhere. That method's benefit is almost entirely rigged for the hiring party with huge potential for waste for the other party in any environment with multiple, decent candidates. A few anecdotes that worked out don't change that.
So, the question is: "Should employers put this kind of burden on every candidate or try a method which demonstrates skill with less time?" I push for the latter.
What a disaster though, if you didn't get the job.
1) Lose a week of PTO, and
2) Feel really bad that the people you spent a week with didn't think you were good enough.
Also, from the Weebly end of things, what if you know a couple days in that the candidate isn't going to work out? Cut them off right then or finish out the week?
How many interviews can you afford to have like this?
Likely, the decision was already made by you being willing to risk the week of vacation and put in the effort to get hired, while they showed a similar regard.
You might be able to get away with 1 or 2 of these things a year... but it's a REALLY good way to burn bridges.