Although transparently self-serving, this seems like a perfect time to say, "Hey, this couldn't happen to you at Mattermost because we A) have a free tier, and B) allow you to export your data."
We've had administrative error in our compliance automation. If you received an email from compliance@mattermost.com on June 23, 2022 titled "Our limitations due to new United States sanctions" please disregard it.
I think the most interesting part about OP’s story is the question about how did self-hosted solution notify Mattermost server about potential Russian/Belarus connection? Even if the compliance automation was faulty, it’s still interesting how Mattermost found out of a Russian connection at all. (I am assuming this compliance email wasn’t sent out to everyone/larger group of people by mistake, and the OP happened to have a Russian user)
Mattermost CEO here,
Thanks for the question. Like many companies we use a 3rd party service to check if someone we’re doing business with a company that has been flagged on export compliance.
HN has a lot of people building SaaS and open core companies, so hopefully this thread is a good way to learn about export compliance, which is something we've been doing for many years, though it's gotten extra important in 2022 due to so many new sanctions showing up.
Think of it this way (in a simplified, high level view that doesn't capture all the detail, but intended to share the aesthetic):
1. When you're an early stage company based in the U.S. starting to sell open core licenses or SaaS you typically hire a lawyer to do the legal agreements and help negotiate contracts.
2. If it's a good lawyer, they might talk about "export compliance" and how your company might need to think about doing an assessment on how your product is classified in the context of U.S. export compliance restrictions.
3. If they're a really good lawyer, they may even recommend an export compliance consultant for you to use.
4. After you get your export compliance classification, you're going to need a way to implement the right checks to ensure you're not violating U.S. export compliance laws based on your classification and your customers.
5. You quickly realize you need to buy a tool to do this--not only to check at the time of transaction, but also to alert you if the status of a customer changes (for example, if a customer is added to a list of organizations flagged by public sector organizations).
6. You look at different options, and end up purchasing one and integrating it with your other systems, including Salesforce (sales automation) and Marketo (email automation). In this case, we purchased a subscription to Descartes.
Hopefully that helps share context. Please feel free to ask other questions here.
Ian, you might want to clarify that the only thing submitted to the 3rd party service is the company name of the customer and there was no submission of any customer logs.
Some other commenters in this thread think that you log their ip and submit their ip.
It's a pretty reasonable conclusion when the vendor claims to know where you're using the software, and the evidence is that the vendor claims to know where you're using the software.
My impression from the OP is that the company does not claim to operate out of Russia or Belarus. Presumably, neither would the website. Clearly there's some other method by which that third party makes that determination, and clearly that method produces false positives.
This is the thing that keeps me from recommending Mattermost in education. We had no end of trouble with MS Teams for the same reason. Students logged into our instance couldn't access their work systems. MS has made some progress to fixing this, though it has a way to go before it's as easy as Slack/Discord etc.
In my mind the gold standard is Discord. One login/password/mfa and I have access to hundreds of "servers". I have over 30 slack passwords and MFA tokens in my password manager and I know people with many more. Though I suspect the ability to self host Mattermost will make it more like Slack than Discord there.
I would also like to say thank you. Mattermost is one of the few products I've seen that doesn't lock MFA behind an enterprise subscription. I can't stress enough how happy I was to see that.
Discord still has basic usability issues there if you want to, for example, keep your work and personal accounts separate. Slack is really the gold standard because it understands the need for that separation.
It's a pain, in my opinion to switch between accounts in Slack. I've only been able to keep up with one a time, especially on mobile. I realize that is a feature, but I haven't wanted to introduce Slack outside work setting since I didn't think I could keep up.
Mattermost CEO here, sorry to hear you had a negative experience with the admin adviser. Thank you for the feedback.
Mattermost Team Edition is designed for teams (I.e. groups of people that work together and trust each other) and there were issues when Team Edition was deployed to unintended use cases—-like hosting hundreds of users, saving millions of posts, or other scenarios outside of what a team was meant to do.
Admin adviser was meant to help admins who hit those scenarios, and some of the advisory in scenarios Team Edition wasn’t intended to handle was for the Enterprise Edition. It sounds like that came across the wrong way and we should revisit.
Note: I think a fair chunk of admin advisor was paused a while ago. Not sure how much is running these days. Regardless we should take a look.
I run a fairly big instance with hundreds of users. We wanted to support/promote a more free/libre alternative to Slack, but you are basically saying we should not use Mattermost?
(I think that channel deletion was a concern at some point, but archiving mitigates it, we are happy users in general)
We offer a non-profit license for open-source projects [0] with special nonprofit pricing. We also plan to move the System Permissions Scheme into the open source Team Edition with the 6.0 release on September 15 [1].
Thanks for being a user, feedback is always welcome!
reply