DigitalOcean: Introducing Our London Region (digitalocean.com)
93 points by CarlHoerberg on July 15, 2014 | 63 comments



"We will need you to send us a high quality scan of a government ID or passport in order to verify your account. Please send the picture, or a link of the picture, to:"

No thanks.


Unfortunately we deal with a large amount of abusive and fraudulent signups which leads to a bunch of abuse on the network such as mining, port scanning, and flooding. We do everything we can to filter out abuse automatically and then determine whether or not a customer is legitimate outside of that but unfortunately that information isn't always available or conclusive.

We'd love to hear suggestions on how we can improve that without resorting to requesting an ID because obviously that isn't something that's ideal.


I am a current DigitalOcean client and I was recommending DO to my friends and professional contacts.

New policy of requiring scanned documents is unacceptable in the environment of pervasive nation-state level monitoring and destruction of privacy. If this is a permanent change, I won't recommend DO any longer.

The solution is extremely simple: accept bitcoins for payments and/or fair use verification for free tiers. Also there is a market for forged document scans, just read krebsonsecurity.


Same here. DigitalOcean can't verify if a document is real (vs photoshopped) so the requirement might as well be sending a letterhead. I'm glad I got access to all levels of VMs early by asking nice (for legitimate ad hoc large data processing that required lots of RAM).


I don't understand why a scan of a passport or ID of someone signing up is required when it cannot be verified.

The reasons are this:

Banks are legally required to conduct some kind of Know Your Customer where an individual has to physically present themselves so their provided ID is matched against their physical person. So KYC is done by a bank. And I'm paying with a bank / credit card.

In the case of someone opening an account by using a fraudulent card, it is trivial to attach what looks like a mediocre scan of a passport or driver's licence.

Notarised IDs are not requested, so there is no way to verify with a lawyer. And Notarisation is expensive, so it will turn almost all customers away.

Closing circle: If the name on the card matches the ID provided and it is not a case of a fraudulent transaction, the individual can be pursued via their bank. This is probably not worth it at a time vs reward level, unless the abuse of the network is such law enforcement should be involved, but is not something for you to do, but for your bank, as correspondent bank, to do.

While obviously a liability in terms of information security and the risk of a breach, requiring such personal information is a precedent: If all companies did so for low value transactions, then this information would end up in thousands of online repositories (and therefore of large scale, opposed to, say, a hostel seeing a handful of customers per day keeping paper records) which would surely have leaks. The risk becomes systematic. Which increases fraud.

Let the banks do KYC. Let the hosting company ensure the network is monitored in the way they desire.

Edit: Having worked in a couple of banks at a middle management level, and covering regulatory, compliance and information security roles, what really helps when regulators or general law enforcement audit or inspect a function, what really matters is showing both internal policies showing banking regulations are drilled into employees, and anticipative policies where regulations are not yet set in stone are also followed. If you don't have internal policy documents on how your network is monitored and a kind of minimum standards dashboard, make one and keep records, as it can be invaluable as defense against accusations of nonfeasance, misfeasance or even malfeasance.


I've requested scan of ID in the past for suspicious sign-ups, the reasoning is that almost all malicious people would just move on at that point to another target.


SMS verification of a phone number?

Barring that, detect mining and terminate it with system monitoring tools, and prevent port scanning/flooding at your network border (your netops team is active on NANOG and seem to know what they're doing).


How does SMS verification help? You can just buy a prepaid phone.


How does using ID verification help? I can just use a borrowed/stolen/pilfered ID?

At some point, you're hitting diminishing returns in your verification requirements.


I assume they look for name on ID that matches name on payment method. That's what I used to do when I worked in a hosting company ~10 years ago.

This way, if someone has a stolen credit card, there's a very good chance, they won't have a matching government ID with same name. Hence obvious fraud.


Does a prepaid card name verification occur during an auth? Also, does Digital Ocean disallow prepaid cards from being used to pay for service?

Their pricing/billing page indicates they'll accept these cards if the payment is made through Paypal, which will shield them from payment fraud, but not if the card is prepaid but the user's actions on the instance are malicious.

https://www.digitalocean.com/help/pricing-and-billing/


Here you see the complexity of the process in that anything that is added or used can be circumvented, including IDs and so forth.

In regards to pre-paid and debit cards we saw a very high incidence of abuse related to those cards specifically so we've had to put certain restrictions on them as well.

We're going to look for other layered approaches that can be created programmatically to increase the authenticity of a user and need to get that implemented asap because I'm in agreement that this ID request is a horrible workflow and also it still isn't foolproof so it's just doubly bad.

Running the product prioritization meeting today so we'll bring up a couple of solutions and begin to prioritize and implement.


I've founded a startup that might be able to provide some help in this space. It's basically a mix of being an OpenID Connect provider that does authenticity checks on any information that users provide and makes the results of those verifications available to third-party-sites, all while protecting the actual information itself.

The first market we were planning on targeting was for Bitcoin related services that require KYC verification, but we also are planning on targeting any other services that need to know that their users are not bots and that if they ban a user they stay banned.

We just got some Series A funding and we're doing a crowdfunding from people who want to operate their own Identity Registrar. We should be launching our basic services in a month, and the franchise partners that are planning to participate will be able to do so in about two months.

If your problem can wait until summer is over, we'll be able to have a solution that would be free so anyone with a BlockAuth account can log in with a standards-compliant OpenID login form and you can be assured that they've been verified as being a real and unique person and all of the details they've submitted have been put under a microscope.


An idea to automate part of the verification process is to have a "fill as much as you can or want" form asking for public accounts (facebook, G+, twitter, github, personal web site, non-free email accounts etc) and then generating a confidence score used for a pass/no pass/id required. A service (API) for this is one of the multiple ideas I haven't acted on.


If capturing an ID is important, I'd suggest a solution like jumio.com which when integrated, is pretty seamless.


Why is mining in particular disallowed? Aren't you allocating a set amount of CPU to a paying customer?


Just a guess: mining produces less than $5 per month of bitcoins, so it's fairly strong evidence of a fraudulent credit card or hacked account.


Ah, if it's indeed related to fraud that's a fine reason generally.

I'm worried about a company restricting usage to resources which you have been allocated, as I thought we were well past the problems of shared hosts with the rise of virtual machines / linux containers.


> Aren't you allocating a set amount of CPU to a paying customer?

I doubt they are. While DO boxes aren't bad, in terms of the "bad neighbor effect", I think they very much are oversold. Also, the virtualization tech is a continuum between complete and proper isolation of resources and time slicing of the CPU cycles on the one end, and Linux container style resource sharing on the other. Basically, the more isolated your VM is, the slower it will run. I don't believe DO is using any type of really strong isolation. Because of this, if you start mining BTC on your droplet, you will suck the CPU cycles from all the neighbors.


Softlayer also introduced a London region a few hours ago. http://blog.softlayer.com/2014/london-just-got-cloudier%E2%8...


And cheaper if you use a lot of bandwidth. They throw in 5 TB of outbound with their cheapest VPS. ~$28/mo compared to $70 with DO.


But if you don't, it is pretty expensive:

80$/mo DO: 8GB RAM, 4 Core, 80GB disk, 5TB

163$/mo Softlayer: 8GB RAM, 4 Core, 100GB storage, 5TB


The biggest thing that should be celebrated about this announcement is the availability of IPv6 addresses. Hopefully the rest of the regions will be enabled soon too!


We are in the process of opening up in datacenters in NYC and AMS which will also feature IPv6 and then we'll be retrofitting the remaining datacenters for that.

Thanks!


At least one other region has had them for a while (Singapore I think).


If by "a while" you mean less than a month: https://www.digitalocean.com/company/blog/announcing-ipv6-su....

I am a customer of DO's but I am not a happy one since I have to muck around with 6in4 tunnels just to get this basic stuff working.


Long time customers have had access to it since early May.. https://assets.digitalocean.com/email/ipv6-grandfathered.htm...


So a small number of customers had IPv6 access in one of seven data centers for just over two months. Sorry, but I don't see this as a big redeeming correction (though it is factual).


Just did a quick test from London, comparing lon1 to ams2. Pleasant increase in speeds (25 MB/s up, 20 MB/s down vs. 15 MB/s each way for ams2, though these fluctuate) and a nice decrease in ping (3.5 ms vs 8 ms). Nice to see.

Not sure what the legal/regulatory differences are for hosting in London compared to elsewhere?


One thing I wish were available with many of these US-based services is billing in GBP.


On the other hand, one of the nice things with using US services that bill in USD (apart from the current exchange rate benefit) is there's no VAT to pay. So, UK retail customers at least, get a 20% discount compared to using home grown offerings.

Personally, I love being able to spin up Linode (and now DO) vms in London but pay USD prices.


Whether or not VAT is payable is independent of what currency is used to bill in. If you're using a VPS in the UK then there's almost certainly VAT payable by the vendor. If they are in another EU country, and you're VAT registered, and they have your VAT number they can zero-rate the transaction.


Yeah, I'm talking for retail customers who don't have a VAT number and can't benefit from the reverse charge scheme.


They can do that if you're in the same country too.


There is VAT to pay and these companies are required to register for VAT and charge it I believe. Eg see http://webarchive.nationalarchives.gov.uk/20110202144320/htt...


That doc is dated 2003 so I guess the regs have changed (and there have been some pretty major changes recently like CA2006 and FA2011). I certainly don't get VAT invoices from the US suppliers I use (linode and digital ocean for example).

Edit: The 4th paragraph here seems to settle it: http://www.hmrc.gov.uk/manuals/vatpossmanual/vatposs14300.ht...

The reverse charge mechanism places the burden for accounting for VAT on the recipient if the supplier is outside the UK.


I have a more up-to-date reference

http://www.hmrc.gov.uk/vat/start/register/when-to-register.h...

I do get them from pingdom, and AWS. I do not get them from Mailchimp or hostgator.


It may also matter that the service being provided by Digital Ocean is in the UK as well, although I haven't had a chance to read all this yet.


Could be because Pingdom is a Swedish company and AWS is Amazon, which has a presence in Europe?


How is there a benefit at the 'current' exchange rate? If the price isn't set in GBP, what have you got to compare against, regardless of the rate right now?


You compare against previous payments...

If you were never in that situation, my experience is in paying less over time as both GBP/EUR have been getting stronger than USD.

Plus, pricing in the home currency is usually larger than the exchange rate (i.e. $10 = £5.83, so pricing would probably be something like $10, £6. Or even more - if not $10/£10 - you know who does that!...)


I'm working on the assumption that if they suddenly started offering services in GBP, they'd price at £5 rather than $5 (like virtually all companies do). Meaning the same service would end up costing £2/month more than it does atm with the current exchange rate.


At the moment all of our billing across all of our geographies is done in US dollars, which given the exchange rate of the UK and EU is usually within your favor.

Is there a conversion charge that your credit card company levies on you for paying in US$?


I'm not sure how the dollar price would be in my favour, if you've not specified what the GBP price would be? Sure, once you've set the price it could go either way.

Anyway, as others have said, there are charges and spreads on foreign currency banking. It also adds complications to my otherwise very simple accounting needs.


AFAIK, every bank (including for instance Paypal) charges a fee for conversion.

At least, it's the case with my French and my Dutch bank.

That's one of the great benefits of the Euro when shopping in the EU (well, except for our British friends :) )

Edit: corrected a typo


I'm not speaking for Marco, but another issue with dollars is tax accounts (and especially VAT accounts) for British companies have to be in pounds, so there's overhead in doing the conversions, tracking the exchange losses/gains, etc. We also have to reverse charge the VAT on those transactions as well (though I'd be surprised if the majority of business owners know they have to do that).

About 90% of my company's expenses are in dollars, so I've had to become proficient at dealing with it, but I imagine it's more annoying for companies who only make the occasional USD transaction, especially as they may have smalltime accountants unfamiliar with or unwilling to deal with the exchange rate stuff properly.


Can't you just use the monthly tables published by HMRC for the exchange rate (IIRC, packages like Xero do this automatically for you?). For the reverse charge, wouldn't that always just balance out i.e. input and output tax are always the same?


It's not in our favour unless our exchange rate appreciates every month more than our fees. And yes we get charged just like you would if I charged euros to your card.


Most good US cards don't charge an extra fee for non-USD transactions.


They do, they just hide it in the applied exchange rate.


This is not true. All Mastercard and Visa cards charge a rate that is specified by Mastercard and Visa on a daily basis. I've been tracking this rate for a few months now, and it's consistently been awfully close to the rate I find on xe.com.

The CARD Act of 2009 mandated that credit card issuing companies clearly describe the fees associated with foreign transactions.

Visa/Mastercard charge a cross border origination fee of 0.80%. However many credit cards (all cards by Capital One for example) waive this fee, and do not charge any fee of their own on top of this.


Regardless of the company, there is always a conversion charge around 2% and the rate applied is never the actual rate, banks usually calculate a rate using some kind of moving average.


My bank will charge £1.50 plus a variable commission for paying in anything but GBP.


Who's that? Halifax? They're great for everything else but non-GBP debit card transactions, and why I moved to HSBC and Co-Operative Bank.

CaxtonFX are also really good for foreign currency cards (2% markup, which is lower than I get with any of my British banks) and have really good customer service too.


Ouch. Seems credit cards out of the US are nowhere near as good, common there to have no foreign transaction fees (apart from probably some margin on the exchange rate).


If you shop around in the UK for a credit card, you will get one with zero fees and an excellent exchange rate on foreign currency transactions.

I use the Halifax Clarity card and I believe The Nationwide and the Post Office do a good card too.

I'd never use a Debit Card for foreign currency transactions though, they always seem to have fees involved.


> I'd never use a Debit Card for foreign currency transactions though, they always seem to have fees involved.

Nationwide used to have commission-free cash withdrawals on their debit cards abroad, but I think it was abused by people who had second homes in other countries so withdrawn a year or two ago. I believe they still offer a commission-free credit card though.


My impression was that the banks made a lot more money from the spread than they did from the commission, so I kind of find that surprising. In Canada it's easy to find commission-free cards. The spread is a hidden fee though, so the banks have hiked that up several times.


The commission-free withdrawals abroad were offered at the wholesale VISA rate. Nationwide didn't take any vig.

Their "Select credit card" still offers EUR and USD purchases with no surcharge and no vig.


I'm pretty sure the Halifax card I mentioned gives the Visa wholesale rate too. I generally get same rate as quoted on FX sites anytime I've checked it.


Digital Ocean is the promoter of low-priced VPS, many thanks!


Your IPs are resolving to Netherlands :(


Usually takes a bit of time for the registrars to update the Geo information.



