
I think you could get a reasonable response to an ongoing crisis out in less than a day. They should have discussed this last night, as soon as it broke, with CEO, HR, legal, her, etc.

Being deliberate is fine, but when you make something a priority, you can get to the bottom of it faster and still get the right response.

Until they got DDoSed to hell, this apparently wasn't a serious priority for them.




I guess this depends on your definition of responsible. Something like this however is bad enough that users should be informed right away so that they can take steps necessary to secure themselves. Assuming they were responsive I'd have given them the 10 days to confirm it was an actual issue, but I'd have expected them to notify the public and their users of the issue and mitigation steps within a week.

This seems a reasonable timeframe to me given the scale of the impact.

Security issues are obviously very important, but equally I would be worried if they started acting impulsively immediately after discovering the issue, because there would not have been time to understand the problem and consider the options. If you jump on a solution without giving it a bit of thought first it's too easy to exacerbate the situation.


This is pretty much exactly what they should be doing. The fact that it took them several weeks to do it is what constitutes a poor response to the crisis.

Regardless, it looks like they're doing what they should be doing, and I hope it works out both for them and their customers.


I think it's more like "let's release the notice and reboot the servers as quickly as possible to urgently fix this urgent security problem".

Although I do agree that more notice would have been helpful.


They have also answered me on Twitter and email. All within several hours or less. But anyway, even if such a terrible situation really happened, two weeks? I would have changed provider the next day. Not counting the fact that I always duplicate critical production deployments and replication on two providers.

Yeah, it's totally reasonable that they won't have a timeline the day they got the report. And if they fix it the next day, who cares that they didn't give an ETA? Clearly they had better things to do than reporting back.

7 hours, on a Friday night in the headquarters time zone. This issue is resolved and is clearly not widespread, so does getting a response on Monday or Tuesday vs right now make any difference?

Companies are made of people. Let the people have a life. Their night is shitty enough as is after this, I guarantee you.


The post you're replying to is pointing out that multiple days without reporting out a preliminary root cause analysis is so absurdly below the expected level of service here that it would prompt them to reconsider using the service at all.

2 days is outrageous here, I have to imagine whoever thinks that is acceptable is approaching this from the perspective of a company whose downtime doesn't affect profits.


Because people have work to do, rather than sitting around checking Twitter, HN, and TC all day long? It's not like something's going to happen if they don't respond ASAP. As long as they'd gotten something out by the end of the day, they'd have been fine.

And yet maybe they could have personally responded to the impacted customers with informative, timely updates instead of waiting several days and then sending automated replies from templates.

Really, it's worth pointing out that this issue wasn't resolved within 5 hours?

> even sent out a tweet (which should have been an email) a week before

This problem seems like it could easily have been fixed in under a week.


This story broke less than 2 weeks ago. So 10 business days (minus holidays) to put together a corporate response that affects hundreds of millions of devices seems pretty damn quick.

I would start by assuming it will naturally take them more than one week to completely fix this problem, and ask if the fault is so severe that it would be better to take the service down until it's fixed, both from the company's viewpoint, and that of an external entity able to force it being taken down even if it kills the company.

If the answer is no to both, it's not that dire and they can be given 3 more weeks, precipitate action would not seem to be required.

As for deadlines, experience shows they are so frequently required that you will need to set one; there's a lot that's been written about this so I'd look for that.


Good point, although the way it's described it sounds like the problem cropped up right after deploy. So they would have been watching it actively. But as said above, 17 minutes to notice, figure out what's going on, decide what to do, and propagate the resolution seems reasonable.

I didn't expect any "3 minute solution", but realistically they didn't even have to get the problem fixed. They could have pledged to assist youtube-dl by now, helped them file a counter-notice sometime this week (surely they can get 1 lawyer's time for pressing PR matters), and figured out how to deal with the human resource situation over the coming months.

Instead they found a million dollars (!!!), wrote a blog post with explicit commitments, but then waited on somebody else to step up. It just doesn't add up.


Well, if they responded within a day, the answer would be something like "we'll look that up".

Because they waited for almost a month, they can confidently say something like "we thought about your issues thoroughly and we are ready to take some actions to resolve them".


So 3 days is not really that long for, honestly, a pretty small team. They got the fix out and most servers updated right away. I fail to see the problem, but the author acts as if they should have gotten an immediate response. Gotta chill there, my dude.

Agreed - the timeline is over the most popular holiday period of the year, when most 'back office' people (i.e. IT teams, management, and others not involved in direct customer service) are away. The least the OP could have done is wait until mid-January to release to the public, to allow them time to get some resources onto the problem IMO.
