Tailscale has reached general availability (tailscale.com)
221 points by kenrose on April 2, 2020 | 124 comments



I've said this before - I really love the concept but I can't get past the pricing. I don't think I'm cheap, but I work in a startup and have to justify what I spend, and USD$10/user/month is very steep for the hard-to-explain benefit of doing away with jump servers. I already use Wireguard, I have a script to add users, update configs and bounce the servers... it's not as cool and automatic and "zero trust" but it also doesn't cost hundreds of dollars per month to access my own servers I'm already paying for!

GSuite is easy to justify for me. Github is. JIRA is. Tailscale is more expensive than all of them and it's hard for me to make the case, even to myself, that it's worth it.

I'd like to ask Tailscale to think about alternative pricing models of maybe $20/month per admin account, which comes with 10 bundled "member" accounts or similar. That would get me to $40 or $60 a month, which I can stomach. But I won't pay $300+/month to save myself a little bit of inconvenience every few weeks so my devs can securely log into our servers.


(Tailscale co-founder here). I certainly appreciate the feedback and suggestions. We've had pricing inquiries from individuals all the way to enterprise. Finding the right set of features at the right price is something we're going to spend a lot of time exploring (for instance, some larger companies don't care too much about ACLs, but some smaller ones really, really do). Right now, all I can say for certain is that our pricing page will change and that we're open to discussion.

I'd love to hear more of your thoughts on where you think we can add value and what it might be worth to you. If you're up for it, please email me at dfcarney@tailscale.com Regardless, thanks again for the input.


Yes, at $10/mo as the GP says, it's more than Slack or G-Suite or Microsoft 365(?).

It sounds like a great product, but it would definitely have less value to us than the above products.

That seems to set a price ceiling, but of course, you're free to find the price elasticity curve by exploration...


I signed up for it, I got 4320 hours left ... What's to complain about it?

Honestly, the customer in mind is not the startup with bootstrapped money. $10 a month is what people pay for a Netflix subscription, but this stuff is quite valuable. I think they may offer special plans for the poor, ailing startups but I don't see ANY reason to complain about their service.


I don't know if it's really ready without what they're calling "magic DNS": https://tailscale.com/kb/1054/dns

Something that bugs me about ZeroTier is also present here, which is that there's no name management whatsoever, so I have to either keep a hosts file around with all the names of the network or find a script on GitHub that does it for me (or put a DNS server on the Tailscale network, and make sure all the hosts have records on there manually since there isn't a way to automatically integrate it with the hostnames that Tailscale already logs). Or, of course, use public records and pray you don't have more than a couple services because who wants to log in to the domain host every time you bring up a new container?

Half the magic of BeyondCorp (which I'm a big believer in) is that it's invisible from an end user perspective. I open a browser, go to git.corp.planeteaston.com, and it works, not "let's go to gitlab... it didn't resolve. what was the IP address again? 192.168.10-oh, wait, I'm offsite, the address is different, let's go see what it is in the Tailscale console", and a tech person could figure that out, maybe, never mind a computer-illiterate person in another department that was just told "go home, coronavirus, take your laptop".

This isn't a knock, since the main competitor, ZeroTier, doesn't have a great solution for DNS either besides run a DNS server, but whoever cracks it will probably win this race. And it's almost worse for ZeroTier, which by default (at least when I started using it 2-ish years ago), wanted you to use IPv6 addresses by default that there was no chance of you memorizing. I'll be a customer when this works!


ZeroTier has punted on this problem for ages because it's extremely hairy with a very long tail of edge cases and a lot of weird configurations in enterprises that we do not want to break. We really hate breaking stuff on user machines, and we also want to avoid pulling a Zoom and being more invasive on install than users expect. Then you have captive portal logins, people running stuff like Cloudflare's local DNS daemon or local dnsmasq, and more. It's the shaggiest yak ever so we have to make sure we have a really heavy duty shaver ready.

We are working on it as soon as we ship 2.0, which is a huge undertaking that's taking longer than we hoped. 2.0 has a ton of important improvements including but not limited to professionally audited design and code (not revealing the security firm yet but they are extremely well known). Just finished our first round with them. (Bonus: our existing design is not bad and it won't take much to harden it a lot more.)


(Tailscale co-founder) Everyone at tailscale agrees 100% with all your comments here. We're eager to someday have a chance to stop optimizing NAT traversal so that we can make magic DNS work. But we also know we have to get the core routing near-perfect before we start adding more features. I'm guessing ZeroTier feels the same.


> But we also know we have to get the core routing near-perfect

As someone who's been following tailscale's development, I'm curious as to what you mean by core routing? Isn't routing P2P? Or, do you mean routing via DERP tunnels or TURN relays when P2P is a no-go? If so, what really are some key challenges here?


Not saying you're wrong - and I'm just a (happy) hobby user of ZeroTier. But for my use case, mDNS/Bonjour works fine (ZeroTier "vouches" for server/nodes - if you're able to broadcast your name, you're "inside" - and marginally trusted).

I suppose ms windows servers are still lagging on mDNS, though?


Indeed, my only problem with ZeroTier is that I cannot setup custom DNS routing on it. Currently I use nextdns.io on my phone to rewrite `www.mycompany.test` to the WiFi address of my laptop (I use https in local dev). I want to do this over mobile too, which would work with ZeroTier, except for the fact that I can't run two VPNs at once (nextdns + zerotier) on the phone.


Been using it for the last few months and it's great. I use it for SSH, NAS etc...

Also, being able to ping my iOS phone that's on 4G from my computer feels like magic.


> Also, being able to ping my iOS phone that's on 4G from my computer feels like magic.

So, like every other VPN?


TailScale is to other VPNs what Docker was to LXC. Well, except Hamachi.


"Well, except Hamachi."

As well as the one from the author of ntop.

A few characteristics most projects consistently fail to meet are (a) keeping the source code available, small, relatively simple and easy to compile, (b) allowing peers the option to connect directly after discovery without routing traffic through a third party and (c) recognising that not all peers want to form massive infinitely scalable networks, most will prefer small ones.

Most P2P projects choose a design that forces the majority of users to compromise in order to accommodate a few unpredictable/hypothetical edge cases. "Perfect" gets in the way of progress. History shows there is no "perfect" when it comes to P2P.


Seems like it requires a Google or Microsoft account (or corporate SAML). No thanks!


(I'm a Tailscale co-founder) The idea is to avoid building yet another commercial service that holds onto your username and password. People have enough identities already. More details here: https://tailscale.com/blog/how-tailscale-works/

We know we keep getting feedback that people want a different way to authorize their accounts (especially for personal use), so we're looking at other options. We just really want to stay out of the username+password business; it's simply bad security practice.


I'd actually rather you have my username and password, since I use a password manager and every password is long and unique. I don't want to tie my Google/Apple/<X-Mega-Corp> account to my Tailscale account. This way I can also more easily keep track of which accounts I have since my password manager stores them all. So I will wait for email signup (which currently just subscribes me to a mailing list...)!


It's easy to make a basic password login system, and very technical people use password managers, long passwords, etc. But there's a long "tail" (ha ha) of people who don't use long passwords, who will reuse their password on multiple web sites, who will forget their password and need to recover it using their mother's maiden name, etc. This opens up unlimited opportunity for phishing attacks.

And you don't get any key rotation unless you force people to change their passwords occasionally, which is itself now deprecated as a bad practice because people then start writing their passwords down on paper or storing them in a spreadsheet, which is even worse than no rotation. (Tailscale rotates your VPN keys automatically, but it's all for naught if the root key is just a password.)

We know that something better is needed for personal accounts, but please, not username+password. Your private network security is important. The world needs something much closer to foolproof.


> few very technical people use password managers, long passwords, etc

I'd be very surprised if this was true. Most all technical (competent) people I know use a pw manager of some sort


It originally said "a few", not "few", which was intended to have a slightly different meaning, but I've edited it to remove that because you're right and it's not important :)

Unfortunately non-technical people mostly don't use a password manager and we can't assume they do. Tailscale is about making the Internet secure by default, and passwords will never be secure by default.


I know only myself and one other person using a password manager, even though I know a lot of technical folks.


Why not ditch passwords altogether and only do magic-link logins via email a la slack?


(also Tailscale)

FWIW, we'll probably also be supporting GitHub (and maybe Twitter?) auth, as well as perhaps letting you run your own auth server if you set up the right DNS records. Lot of things yet to do.


Super excited to see that you'll be supporting GitHub! That being said, do you have plans to implement any sort of account merging? For example, the ability to login with one of multiple authorized accounts (so my Google Account, my Twitter account, or my GitHub account).


(Tailscale co-founder) This question goes through my mind a lot. I personally want it for myself. However there's a "weakest link" problem in identity management: if you have N identity managers merged together, then your account is only as secure as the weakest one of them. So connecting multiple identity providers to one account might be risky.

On the other hand, I really like Keybase's way of federating multiple identities together, where each additional identity provider increases rather than decreases confidence.


There's more than just security concerns, when you allow a bunch of third-party accounts to access one of your first-party accounts.

If your highest concept of identity is the account and identity managers allow you to authenticate to that account, let's say you have a tailscale account with id 123, and any human who has access to john@personal.org or john.smith@job.com can access that account.

What do you do when John leaves job.com? Can John (accessing the account through john@personal.org) still admin the job.com bits?

I think the right abstraction is having first-party (in this case tailscale) accounts belonging to one or more "teams" and authenticating with a @job.com address allows you to switch to the job.com team in the UI / allows you to generate API creds that modify job.com's team.


Maybe you can look at Sign In with Apple, it works native and for websites too. https://developer.apple.com/sign-in-with-apple/


I really love the privacy- and security-centric design of Sign In with Apple, but so far it only works if you have Apple hardware, right? Tailscale's selling point is you can use it on all your devices (modulo Android support which isn't released yet).


Quoting from the page linked above:

Sign in with Apple works natively on iOS, macOS, tvOS, and watchOS. And it works in any browser, which means you can deploy it on your website and in versions of your apps running on other platforms.

So it at least sounds like it can be used anywhere with a web login flow. Although the docs say this must be accomplished using their JS library, as opposed to a standard OAuth2 flow of some kind: https://developer.apple.com/documentation/sign_in_with_apple


Cool! Maybe it's more doable than we thought.


FWIW I set up tailscale a few days ago with an iPad mini, iPhone, and Mac mini server. I don't know how many networks would be "Apple Only", but I would certainly prefer a quick Apple Sign in button vs. using Google.


This, please! I'd personally prefer username/password auth, otherwise I believe that this is the most privacy-focused option.

https://support.apple.com/en-us/HT210699


Have you considered integrating with Keybase? I think the identity system of Keybase coupled with the secure mesh networking of Tailscale would be a really powerful combination.


I just started talking to Max at Keybase about this today, actually. It'll require work on both our sides, but we both want to do it.


I quite like Keybase. Do they offer an oauth2 or SAML login feature nowadays that somehow integrates with your strong device authentication?


Since it's mostly tech-savvy people here that want something else and I'm assuming it's an oauth process, perhaps github and/or gitlab?


Github's on the list to support, yeah. We can speak most "identity provider" protocols these days (OAuth, OIDC, SAML, etc.), but it's this weird little universe: the protocols are meant to let you implement once to support everyone, but in practice every IdP has its own little idiosyncrasies that mean you need a little bit of dedicated code for each new IdP. So, we end up with a backlog of "support IdP X, which is ostensibly OAuth but does something strange we've never seen yet" :)


Thank you for your response. Having battle scars from handling authentication in an enterprise SaaS, you'll notice I chose my words carefully and didn't say "just do/use" :)

I really want to give you guys money for my personal use but $10/user/month is steep when I know the other users will only use it once in a blue moon (but of course, when they need it they'll REALLY need it).

If there was something like a "supporter plan" that was similar if not identical to the free plan but charged a flat fee, I'd be all over that.


"supporter tier" is an interesting idea! We're still figuring out what kind of pricing makes sense for personal use vs. company use. Hopefully we'll have something soon!

In the meantime, it's fine to be on the solo plan for personal use, it's there and free to be used :)


So why not Webauthn?


We (ZeroTier) dragged our feet on this stuff for a long time because we are personally of your mindset, but we get asked for it a lot so more of it will be coming. The ability to use your own auth and your own other things will never go away though, and with ZT you can run a fully independent network controller if you want.

Personally I want ZT to integrate support for integrated (e.g. Apple security chip) and discrete (YubiKey etc.) secure tokens and enclaves. That is where the real security is at.


I expect their target audience (for revenue) are companies who need corporate SSO support.


Sorry for off-topic, but does anyone know which css library Tailscale used for their blog?

Looks very nice and clean.


(Designer behind the Tailscale blog here)

Glad you like it! The text styles are custom, and the layout is built using an in-house CSS framework not unlike Tailwind [1].

But if you'd like to build something similar, you could get pretty close by using something like Tailwind and building with Rasmus Andersson's lovely (and open-source!) Inter type family [2], which we use throughout the site.

[1] https://tailwindcss.com/ [2] https://rsms.me/inter/


Hi,

thanks for your reply and great work:). The site looks just amazing and very clean (especially typography). I noticed it uses utility classes like tailwindcss so thought maybe there is a similar library.


truly a lost opportunity that it wasn't tailwind


Very nice! Congratulations on launching, and looking forward to seeing your success in the coming years!


If a site within a Tailscale net is compromised, does that make all of the other sites instantly compromised on that net?


Looks really interesting! For my use case I'd really want that Android app, but other than that this looks solid.


Can someone comment on the tradeoffs between Tailscale and ZeroTier?


Nice service, was just testing it out. I had one question/issue. Will the pings heal automatically if a device changes internet connections or wifi providers? I noticed I had to disable and re-enable the active toggle on an ipad after changing wifi networks (local wifi to phone/LTE). I didn't have to if simply disconnecting/reconnecting to the same wifi network.


According to the blog[1], Tailscale currently have a relay network for relaying traffic when NAT traversal does not work.

I wish one day Tailscale allows private relay server, for privacy and speed / latency reasons.

[1]: https://tailscale.com/blog/how-tailscale-works/


It's planned. Although note that DERP only relays the encrypted wireguard packets. All we see is "please send this ciphertext blob to pubkey X", i.e. exactly what any router on the internet sees.

Still, for latency and compliance reasons, it makes sense to allow companies to operate their own DERP relays, if they want to.


Why should my team pay Tailscale 10 dollars/user/month? We can get the same features with Wireguard/OpenVPN.


If you can, do so. This reminds me of claiming to be able to build Dropbox in a weekend with existing tools. You can, but it most likely won't work as well, won't be as integrated and well, you'll have to build it yourself which won't be as easy as you think it is, then add monitoring and paging and, depending on your requirements, high availability.

I'd certainly be interested in a blog post about this, if it's as easy. But considering that Tailscale took this long to launch, I have doubts that this is as easy to build.


(Co-founder of Tailscale here) To that end, we started publishing a "blueprint" for people who want to DIY. There's more to explain (and questions encouraged). Please check it out: https://tailscale.com/blog/how-tailscale-works/


Thanks for this. From the link:

My teammate Dave Anderson is writing a post about all the insanity that is NAT traversal. That alone will probably be as long as this entire article. Stay tuned!

I've watched countless p2p projects fail due to NAT difficulties, and spent months/years banging my head against it only to fail too. I've heard that NAT is tragically still a thing with IPv6 as well.

Please, if you all make it big, start a cross-platform open source, drop-in library that completely solves the NAT problem. The unit test for it would be that an app using it can accept inbound connections with zero configuration. That might require a central server though. I think the crux of the problem is how to share IP addresses with each other through that central server securely for STUN/ICE so that nobody can eavesdrop. Would you consider making your DERP servers free and open for that purpose? Apologies if I'm glossing over this or missed something, this is just something that has vexed me for almost 20 years. Thanks!


IPv6 by and large solves the NAT problem per se, but doesn't solve the stateful firewall traversal problem. Fortunately that one is _much_ simpler, especially now that we have QUIC as a robust stream protocol over UDP. IPv6 also introduces complexity while IPv4 is still around, because you have to detect and handle NAT64 in order to get a v6-only node (with NAT64) and a v4-only node talking to each other.

Completely solving NAT... I've tried a couple of times over the last 10 years, bunch of false starts. You can see one of the older attempts at https://github.com/danderson/nat (don't use it, it's very basic and fails at a lot of NATs). One of the tricky parts is that to make it work right, you really need control of the wire protocol you're using, because you have to inject frames and do all kinds of weird things to help with the NAT part, while ignoring all that noise at the "upper protocol" layer. You can make it generic with some careful layering, but it turns a simple API into a complicated one.

You absolutely need a coordination server for NAT traversal to work. That's unfortunately one of the great unsolved problems for fully decentralized p2p. But it can be _any_ low-bandwidth channel you have available (one of my first implementations piggybacked over XMPP messages), and it doesn't have to be a trusted part of the system (although making it trusted simplifies a ton of stuff). And you also need some kind of data plane relay (like DERP) for when NAT traversal fails, which still happens a fair bit. Without that extra layer of relaying, you'll only ever hit 95-99% connectivity, not 100%.

I'm (slowly) writing an article on NAT traversal that covers all this. It's a thorny problem, and I'd love to solve it once and for all (which is sort-of why I work at Tailscale - I think I have a shot of solving it once and for all at the IP layer, so that all the other layers can just stop caring)


(Tailscale co-founder) I'm with you on this! The NAT problem drives me nuts. That's one of the core concepts behind tailscale. Unfortunately I don't think the "open source NAT traversal as a library" idea will work; it's been tried before, but NAT is just so fiddly that the library invariably "doesn't quite work" in some weird condition and the app developer is left trying to debug NATs, which they don't know how to do.

With Tailscale we want to take full responsibility for connectivity, so that app developers can work on apps that just assume the connectivity+security is there, and users can complain to us instead of them when their computers won't connect. At least, that's the dream. How best to package that up, I'm not quite sure.

Regarding DERP, the server code is open source: https://github.com/tailscale/tailscale/tree/master/cmd/derpe... and if you look closely, you can see that DERP servers are fully anonymous (pseudonymous?) and will route traffic between any two DERP connections based on their public keys. We rate limit traffic to keep costs under control, and we'll let paying customers boost their speeds, but we intend to always let our DERP network be usable at "reasonable throughput" for free. And since the code is open source, you can write your own tools that do it.

Lots of things to work on. Hope this helps!
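The DERP behaviour described above (a relay that accepts "send this ciphertext blob to pubkey X" and forwards it without being able to read it) as an added Go sketch; this is not Tailscale's DERP code. X25519 with AES-GCM stands in for WireGuard's handshake and transport, and the relay is a constructed in-memory queue rather than a network server.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Key is a 32-byte X25519 public key: the only identity the relay ever sees.
type Key [32]byte

// Frame is a relay message: "deliver this opaque blob to Dst". A real relay
// learns Src from the authenticated connection and never inspects Payload.
type Frame struct {
	Src, Dst Key
	Payload  []byte
}

// Relay is an in-memory stand-in for a DERP-style server: one queue per
// public key, with no notion of the user or account behind a key.
type Relay map[Key][]Frame

// Send queues f for f.Dst; a real relay would also require Dst to be connected.
func (r Relay) Send(f Frame) { r[f.Dst] = append(r[f.Dst], f) }

// Recv drains everything queued for k.
func (r Relay) Recv(k Key) []Frame { fs := r[k]; r[k] = nil; return fs }

// Peer is a client. X25519 + AES-GCM stands in for WireGuard's crypto; the
// relay holds no private key, so every Payload is ciphertext to it.
type Peer struct {
	priv *ecdh.PrivateKey
	Pub  Key
}

// NewPeer generates a fresh X25519 key pair; Pub is what the relay routes on.
func NewPeer() *Peer {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	p := &Peer{priv: priv}
	copy(p.Pub[:], priv.PublicKey().Bytes())
	return p
}

// aead derives the pairwise AES-256-GCM cipher from the X25519 shared secret.
func (p *Peer) aead(other Key) (cipher.AEAD, error) {
	pub, _ := ecdh.X25519().NewPublicKey(other[:]) // only fails on bad length; Key is fixed
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err // e.g. a low-order point yielding an all-zero secret
	}
	k := sha256.Sum256(shared)
	block, _ := aes.NewCipher(k[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for dst, prepending the random nonce to the ciphertext.
func (p *Peer) Seal(dst Key, plaintext []byte) (Frame, error) {
	a, err := p.aead(dst)
	if err != nil {
		return Frame{}, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	return Frame{Src: p.Pub, Dst: dst, Payload: a.Seal(nonce, nonce, plaintext, nil)}, nil
}

// Open decrypts a frame sealed to this peer by f.Src.
func (p *Peer) Open(f Frame) ([]byte, error) {
	a, err := p.aead(f.Src)
	if err != nil || len(f.Payload) < a.NonceSize() {
		return nil, fmt.Errorf("undecryptable frame from %x", f.Src[:4])
	}
	return a.Open(nil, f.Payload[:a.NonceSize()], f.Payload[a.NonceSize():], nil)
}

// RelayRoundTrip sends msg from Alice to Bob via a relay and returns Bob's
// plaintext plus whether the relay's copy of the frame exposed that plaintext.
func RelayRoundTrip(msg string) (got string, leaked bool, err error) {
	alice, bob, relay := NewPeer(), NewPeer(), Relay{}
	f, err := alice.Seal(bob.Pub, []byte(msg))
	if err != nil {
		return "", false, err
	}
	relay.Send(f)
	leaked = bytes.Contains(f.Payload, []byte(msg)) // the relay's entire view of msg
	pt, err := bob.Open(relay.Recv(bob.Pub)[0])     // exactly one frame is queued
	return string(pt), leaked, err
}

func main() {
	got, leaked, err := RelayRoundTrip("ping over the relay")
	fmt.Printf("bob got %q; relay saw plaintext: %v; err: %v\n", got, leaked, err)
}
```

Because the relay keys its queues purely on public keys, anyone holding a key pair can use it, which is the pseudonymity the comment above describes; rate limiting is the only lever left to the operator and is not modelled here.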


Does tailscale work in China? Does DERP penetrate the great firewall? How does tailscale protect / work against nation state actors? Are you incorporated in the US? How does Tailscale help against wide-reaching legislation like EARN IT?


Congratulations on launch! The solo tier looks very nice and useful (except for missing Android client for now). Love the sign-up flow, very easy.

This looks very similar to ZeroTier - apart from building on wireguard - how do the solutions differ? Is tailscale also a true mesh (ie packets go direct between two tailscale nodes on a lan)?


In "The asymmetry of internet identity" you're describing a problem and currently Tailscale doesn't solve it -- it relies on google/ms/etc for identity.

I'm curious if it'd be possible to avoid using brands by just authorizing device ids like Syncthing does, without any login at all.


How about we add another pricing plan. It's for people who like me are happy with the free plan, but still want to somehow give you money without upgrading to the $10/user plan.

Bonus points if you call the plan, the wireguard plan; and 90% of the payments go to Jason Donenfeld.


Can you use tailscale with friends or does it only work with the same email address?


(Tailscale employee here) For personal use, we're planning a "sharing" feature, so that you can share machines (or individual services) with friends, and they just show up on their network (after mutual approval, of course). It's a feature I very much want for my personal use of tailscale, so it's going to happen :)


That sounds awesome. Thanks!


(Co-founder here). If you're referring to the free tier, it only supports a single email address at the moment. What some people have been doing is to create a fake Gmail address and sharing that with their family/friends to use as a common login.

We've been exploring the idea for a free (or significantly discounted) "family" plan (or even something like that for small teams). Please stay tuned over the coming weeks for some updates to our pricing and tiers.


thanks!


In the dashboard, there is no link to support. There should also be a way to create a support ticket or even better live chat.

I am getting intermittent errors in the dashboard as well.


I've filed an issue for me to add a support email link. Will do another dashboard release in a couple days, thanks.

As for alternatives, we tried chat but no-one used it, and it added a ton of heavy awful javascript to our website. You can file issues on https://github.com/tailscale/tailscale, though for the dashboard I'll move them elsewhere. Also we have been looking at various pieces of "forum" software too but haven't settled on anything we really like.

Could you elaborate on the errors you saw? If you want to send support@ an email with your account email address and rough time, I can look in the server error logs and try to hunt it down. Thanks.

(I work on Tailscale.)


Thanks so much for the reply. I am sending an e-mail to @support now.


From the website

> We’re announcing our public launch today, with a $3M seed round →

Seed rounds are now 3M, wow!

I wonder how they seamlessly authenticate with Okta, Google, Active Directory etc.?


Do you plan to release a Terraform provider for configuring Tailscale?


(Tailscale employee here) Automatic provisioning is definitely on the list. It's an enabler for immutable infra deployment, getting connectivity into containers, and building things like automatic enrollment based on external sources of trust (e.g. "automatically enroll any VM that can prove via its vTPM that it's in this GCP account").


Is there a pfsense integration?


Is Tailscale really that popular? Who are upvoting these articles?


I can only speak for myself:

I was interested in WireGuard for a while, but setting it up properly seemed rather a daunting task to me. With Tailscale, this was literally a matter of minutes. I'm not sure I would pay $10/month for this, but the free solo plan is sufficient for my purposes and works great.


Legitimate, longstanding HN users are upvoting these articles, so as far as I can tell the answer to your question is a simple yes.

More here: https://news.ycombinator.com/item?id=22762894


I will get banned for this in a matter of minutes but I will say the truth to whoever thinks HN is fair. For the past 3 months, every, again EVERY post that was linked to Tailscale (not just the company domain but also the blog posts of the founders' websites), has gotten to the frontpage within minutes, with a full 100% hit rate. This cannot happen for any company, any project or anything else to be honest since there is a thread that gets posted every minute on average, and almost every thread, no matter how great it is, goes forgotten forever without a single upvote. This doesn't happen to even trillion dollar companies that are known by almost everybody so certainly this can't happen for a company of 5 people that was started only last year and hardly known by anybody. Nothing can get to HN's frontpage at a hit rate of 100% especially when you know this has been happening on almost a weekly basis since last December not to mention the daily promotion in comments on literally everything that has anything to do with WireGuard or even VPNs.

HN simply favors some founders who have a good network over the rest of us. I know that organized upvoting and astroturfing isn't uncommon here, but there has never been anything anywhere near what's being done by this company and its founders here. This is simply free advertising worth hundreds of thousands of dollars, for free, simply because the founders "know people".

EDIT: Thank you HN for proving me right! This comment has 42 points as of now and it's buried in the bottom below almost every other comment. Still not a response from the founders who very coincidentally happen to exist literally during every time a post about their company gets submitted!


> Thank you HN for proving me right

You've been proven nothing of the sort. I buried your post and the submission itself while investigating this claim, even though you've been trolling HN threads with these rants for weeks now, using multiple accounts to do it, ignoring our requests to stop breaking the site guidelines, and barraging us with ranty emails to boot.

I've looked closely at the data and found no evidence for any of this. Every sentence in your comment is either demonstrably false or completely unsupported.

I know that sometimes a bee gets into one's bonnet, but as I've explained to you a dozen times or so, all we can do is look at the data, and if reality conflicts with what you're saying, we have to go with reality. Actually, I appreciate your underlying concern for the integrity of this site. (Not so much the smears and accusations of corruption.)

Your real sin, though, is wasting our time. That sucks precious resources away from doing what we ought to be doing to make HN better. I haven't had a chance to attend to the front page for the last several hours because I've been busy looking into this, writing about it, and dealing with your posts and emails. Meanwhile other emails pointing out quality concerns in other threads have been piling up in the inbox.

Even though it's tedious, I've assembled a sample of what you've been posting so that readers can evaluate your claims for themselves, and also see how much damage a single disgruntled user can do to this place. In the future, we can refer concerns back here and hopefully not lose so much time.

https://news.ycombinator.com/item?id=22465402

https://news.ycombinator.com/item?id=22645796

https://news.ycombinator.com/item?id=22587268

https://news.ycombinator.com/item?id=22646808

https://news.ycombinator.com/item?id=22223423

This was a pleasant one: https://news.ycombinator.com/item?id=22652042

In the past, you've had similar campaigns against other sites and topics, including Go, Kubernetes, IndieHackers, Keybase, DuckDuckGo, Mailchimp, and (yes) the Qataris:

https://news.ycombinator.com/item?id=22361860

https://news.ycombinator.com/item?id=22329624

https://news.ycombinator.com/item?id=22190633

https://news.ycombinator.com/item?id=22211243

https://news.ycombinator.com/item?id=22109987

https://news.ycombinator.com/item?id=22048852

https://news.ycombinator.com/item?id=22112625


I want to add something for fair-minded users who may still be wondering, after all that, whether the interest in the OP really is organic or whether there might be shenanigans. It's natural to worry about this, especially because other users tend to make loud and grand claims about abuse, whether they have knowledge or not.

You can check a lot of this for yourself using publicly available information.

Look at a sample of users who've been expressing interest about Tailscale, in threads about that topic and/or Wireguard or other topics. Check out the histories of these users—you can do that by clicking on a username to go to their profile, and then clicking on 'comments' or 'submissions'. You'll see that most are longstanding, serious community members. If your random samples look anything like the ones I've examined, you'll find many excellent HN contributors among them, with a lot of technical expertise. This is evidence that the interest in this topic is both organic and serious. I'd supply links, but it wouldn't feel right to haul in specific usernames that way. It's easy enough to check.

To that public information, I can add some non-public facts. First, the profiles of users upvoting these threads look much the same as the commenters. Of course in many cases they are the same, since it's natural to both upvote and comment on something that you find interesting. In addition, the voting patterns on these threads look like what we see on popular topics of organic interest, and nothing like what we tend to see with voting rings and organized promotion.

Conclusion: although we can never say for sure, because we aren't inside users' heads while they upvote, the evidence points to organic interest. I'll go further: I'm the person who has spent by far the most time on this problem in the history of HN and I find it hard to imagine the evidence being any clearer. Also, no one at HN (and no one at YC that I know of) has any connection with any of the people involved in this project. I've spent so much time writing about this because (a) I don't like to see people smeared, (b) we take concerns about abuse of HN extremely seriously, and (c) I want a record to link back to in the future so I don't have to spend any more sad hours on this.


Good analysis and I can only agree.

I'm a HN user who regularly looks for patterns like connected accounts, weird upvote or comment behaviour in /newest, fake news, bots and reports those to the moderators.

Until today I haven't known about Tailscale, or not consciously remembered the brand name. Every past article listed I would've probably upvoted. It fits with the HN audience, just like Docker, ElasticSearch, Cloudflare, gitlab or most polished SaaS companies targeting developers when they release a new major feature. There will always be a commercial/marketing component when companies release something, even more when a founder or employee answers questions in comments. Doesn't mean there's some kind of secret community who upvote each other. Or rather, if there was, the moderators, once notified, would've found and acted on that.


My guess? The people involved at Tailscale. Two of the founders (Avery Pennarun and David Crawshaw) are former Googlers who had a lot of respect within the company (I loved both of their G+ posts internally). Brad Fitzpatrick also recently joined them.

They are then building the security model that Google uses[0], but trying to get it to other companies. I think the concept of BeyondCorp is pretty amazing and a great way to think about trust on a network.

Those 2 points together probably gets them lots of upvotes.

[0] https://research.google/pubs/pub43231/


Again, my argument is simple: how can EVERY post about any certain thing (not just for a _for-profit_ company like Tailscale but in general) go to the frontpage within the first minutes every time, for more than 10 times in a row over the short course of the past 3 months, on a website that has the reputation of near impossibility of having your post on the frontpage even once, except maybe for SHOW HN threads, and where a flood of new threads gets posted every 10 minutes and almost every post gets buried immediately without getting a single upvote even if it was very well written?


Is there documentation for "EVERY"?

I looked via a simple algolia search for "tailscale" and found relatively minimal posts but also a number with very few upvotes: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...


The "every" claim is false. This is a single user's personal war which has for whatever reason gotten trained on this company for the time being, and will no doubt move to some other target, since it's had other targets in the past.


The "every" claim is correct if you subtract this one exception https://news.ycombinator.com/item?id=22618517 which happens to be the least interesting post that really won't do much help for the company. Otherwise I stated all links above and you won't reply to it. And the real question that you still won't answer, how many very young/unknown companies have their posts on the HN's frontpage more than 4 times in less than a month with a 100% hit rate? give me other examples so that we know this is really so natural.


So like not every then?


My reply is here: https://news.ycombinator.com/item?id=22762174 Not every post about their company contains the word Tailscale in the title.


I haven't been offended by it, and I'm the founder of a company that's been around longer and is probably the closest competitor: https://www.zerotier.com/

I don't hate on people for doing similar things. If anything I am absolutely shocked it took someone this long, since to me the idea of a full mesh virtual network is how things should work, everything else is stupid and clunky, the fact that we have to bounce off servers to transfer things is dumb, and NAT is pure concentrated evil and must be destroyed.

I absolutely loved David Crawshaw's Remembering the LAN post:

https://crawshaw.io/blog/remembering-the-lan

It echoes exactly the sentiments that motivated me to start working on ZeroTier, so I wish them well.

As far as the upvotes go I just figured they have a lot of friends from their time at Google and their posts get upvoted a lot.

I notice the same thing when any company that has a lot of HN users among its employee base does anything. When AWS, Apple, and Google do a bunch of product releases the front page gets bombed for days. The site practically turns into a news feed of new AWS Elastic Beanie Cap products when the ironically titled AWS ReInvent happens. If anything the FAANG companies get more free advertising here than anyone.


> I am absolutely shocked it took someone this long

Because it's really hard to monetize it. Speaking from the experience.

Edit - This particular bicycle gets reinvented on regular basis and in a nearly identical form. While technical details are difficult, the overall idea is rather simple. Rendezvous servers to coordinate the setup and NAT traversal + relays to handle the edge cases. The tricky part is the UX... but it's still nothing compared to monetization. Very few end users will pay for this, because if it "just works", it doesn't look like something worth paying for. Smaller companies will pay, but they don't realize they need it. Larger companies realize the need, but they won't touch 3rd party managed VPNs with a long pole. It's really quite a pickle. But the tech is beautiful :)
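The coordination pattern sketched in the comment above (rendezvous server, simultaneous hole punching, relay only for the edge cases) as an added, runnable illustration. This is not Tailscale's or ZeroTier's code: the two NAT behaviours, the addresses and the port numbers are assumptions chosen to make the three outcomes visible, and real NATs are considerably messier.

```python
"""Simplified rendezvous + NAT hole-punch + relay fallback.

Added illustration, not Tailscale or ZeroTier code. NATs are reduced to two
assumed behaviours ('cone', 'symmetric'); addresses are constructed TEST-NET values.
"""
from __future__ import annotations
from dataclasses import dataclass, field

SERVER = ("203.0.113.1", 3478)  # constructed: coordination server that also relays


@dataclass
class NAT:
    """Toy NAT model (assumption, not a real implementation).
    cone: one public port per internal port, address-restricted filtering.
    symmetric: new public port per destination, address+port-restricted filtering."""
    public_ip: str
    kind: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # mapping key -> public port
    sent: dict = field(default_factory=dict)      # public port -> set of dsts used

    def outbound(self, src_port: int, dst: tuple) -> tuple:
        key = src_port if self.kind == "cone" else (src_port, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.sent.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, src: tuple, dst_port: int) -> bool:
        """Does a packet from src to our public dst_port pass the filter?"""
        seen = self.sent.get(dst_port, set())
        if self.kind == "cone":
            return any(d[0] == src[0] for d in seen)
        return src in seen


@dataclass
class Peer:
    name: str
    nat: NAT
    port: int = 41641                  # WireGuard's usual UDP port, just a constant here
    advertised: tuple | None = None    # endpoint the rendezvous server observed
    learned: tuple | None = None       # endpoint observed on a received packet
    got_packet: bool = False

    def send(self, other: Peer, dst: tuple) -> None:
        src = self.nat.outbound(self.port, dst)
        if dst[0] == other.nat.public_ip and other.nat.inbound(src, dst[1]):
            other.got_packet = True
            other.learned = src        # may differ from what the server advertised


def connect(a: Peer, b: Peer, rounds: int = 2) -> str:
    """Return the path that ends up carrying traffic: 'direct', 'relay' or 'failed'."""
    # 1. Both peers register; the server records the NAT-mapped endpoint it saw.
    for p in (a, b):
        p.advertised = p.nat.outbound(p.port, SERVER)
    # 2. The server exchanges endpoints; both sides punch simultaneously,
    #    switching to the endpoint actually observed once a packet gets through.
    for _ in range(rounds):
        a.send(b, a.learned or b.advertised)
        b.send(a, b.learned or a.advertised)
    if a.got_packet and b.got_packet:
        return "direct"
    # 3. Edge case: no direct path, so both keep talking to the server, which
    #    relays. Its replies come from the address each NAT already allowed.
    relay_ok = all(p.nat.inbound(SERVER, p.nat.outbound(p.port, SERVER)[1]) for p in (a, b))
    return "relay" if relay_ok else "failed"


def simulate(kind_a: str, kind_b: str) -> str:
    a = Peer("a", NAT("198.51.100.10", kind_a))  # constructed public addresses
    b = Peer("b", NAT("198.51.100.20", kind_b))
    return connect(a, b)


if __name__ == "__main__":
    for pair in [("cone", "cone"), ("cone", "symmetric"), ("symmetric", "symmetric")]:
        print(pair, "->", simulate(*pair))
```

Two cone NATs and a cone/symmetric pair end up direct (the cone side learns the symmetric side's real port from the first packet that gets through); two symmetric NATs never see each other's packets and fall back to the relay. The security point is in step 3: the relay path always works because both NATs already trust the coordination server's address, which is exactly why that server is the component worth scrutinising.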


I disagree. It is challenging to monetize, but so are many other things.

I'll give what I think are my reasons:

- It's "easy" to do a proof of concept here, but it's brutally hard to make it really work well and at scale. There are a lot of buggy NATs, highly restrictive firewalls, etc. Network virtualization, which is what you need for it to be general purpose rather than app specific, is another layer of difficulty.

- It's hard to do it securely. Anything that gets popular will get attacked a lot and has to stand up against that. It's easier to secure centralized systems against most attacks for multiple reasons.

- The dominant paradigmatic fads from 2004-2019(ish) were cloud and mobile. Cloud obviates the need for this (in exchange for all privacy and freedom), while early mobile devices and mobile data options were too wimpy to do P2P. The latter is still a problem but less so today than 5-10 years ago.

- Most P2P software has had poor usability, slowing its adoption.

- The cryptocurrency bubble sucked all the air out of the decentralization room, causing the entire notion of P2P and decentralization to get conflated with CoInZ. That seems to be ending.


I disagree that it's "brutally" hard, but to each his own.

The main issue is that the need is not well-defined and there are competing solutions that aren't as technically elegant, but as robust and as easily deployed. Competing with them on _P2P_ basis only is really hard. The only real technical benefit is lower latency... and even that may not hold true in aggressively shaped consumer networks. It used to be possible to get a bit of an edge from having near-zero hosting costs, but that's been far less relevant for a while now.


Things often seem easy to those who have done them already, but it's definitely hard for the vast majority of developers. It's also very hard when you try to do it at scale in a way that's enterprise-friendly and reliable.


(Tailscale co-founder here). I also loved Crawshaw's post. It really took me back, though I certainly wasn't doing the kind of hacking he was.

I, for one, really appreciate the nod. I agree our motivations align and I look forward to hearing more about what you and team come up with. All the best on things at ZeroTier.


Eh, as a datapoint in the other column, I'm genuinely interested in whatever bradfitz and apenwarr are working on. It could just be general fame.


I upvote everything about Tailscale because I love it and any information that comes up about it. If it wasn't for my long and boring history on HN, I'd probably look like an astroturfer to an algorithm.


Should the list of who upvotes an article be public?

When I make a comment, my username is displayed. If upvotes and their timestamps were public, it would make it a lot easier for the community to get to the bottom of any funny business like OP is describing.


This is a great idea, but will never happen because all the YC founders would be against it for obvious reasons.

EDIT: Slightly altering it a bit. What if only the first 50 upvotes were public?


It will never happen, but that's not the reason. The reason is that voting data is an extremely intimate reflection of users' feelings and beliefs. None of us would want that picture of ourselves to become public, and I shudder to think of what people would do to each other with the information.


I agree with this. But do you think only showing the first X votes could help resolve it? If you want to keep your upvote private, don't upvote if there are < X votes.


That would discourage people from upvoting new stories, and sites like HN already struggle to get enough attention on the /newest page.


Everyone knows the site is partial to YC companies. It's an open secret. I consider it part of the "trade" in exchange for running a decent board without any ads or surveillance monetization. They're doing this for a reason, and it's to pump their brand.

Hell they could just tag articles related to YC companies with a special color and pin them for a bit. I'd be fine with that.


I'm not sure why you're feeling like this is secret when we make a point of explicitly disclosing it, and always have. In fact, haven't you and I had exchanges about this years ago?

There are three formal things that HN gives back to YC in exchange for funding it: (1) job ads, which appear on the front page and later on https://news.ycombinator.com/jobs; (2) Launch HNs for YC startups, which appear on the front page and later on https://news.ycombinator.com/launches; (3) YC alumni usernames display in orange to other YC alumni (though not to themselves, which has led to a stream of emails over the years).

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

We explicitly don't do anything beyond that to favor YC or YC companies on HN, though we don't draw lines to exclude anything either, because YC-related people and content are an inseparable part of the community here.

I really need to add this to the FAQ though.


IIRC it's also true that YC founders see each other's names in a special color.


What alterations could HN make to the front page weighting algorithm that tries to spot and penalise voting rings?

e.g. if you're someone who routinely upvotes posts within minutes, maybe your vote could count for less than an account that only dips in to the new page occasionally?

Or maybe your vote gets penalised if it's your only upvote in a 24 hour period?

Or maybe HN keeps track of who you upvote with, and your vote gets penalised the more you upvote with the same people?

idk, it sounds like a fun project for someone if HN wanted a more organic front page.
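The heuristics floated in the comment above (timing of votes, repeated co-voting with the same people), as an added toy detector run over a constructed vote log. This is not HN's software and says nothing about how HN actually scores votes; the log, the users, the five-minute window and the thresholds are all assumptions.

```python
"""Toy voting-ring heuristic: flag users who repeatedly co-vote AND vote early.

Added example, not HN's detection code. All data below is constructed.
"""
from collections import Counter, defaultdict
from itertools import combinations

# item -> minute it was submitted (constructed)
SUBMISSIONS = {"item1": 0, "item2": 100, "item3": 200, "item4": 300, "item5": 400}

# "minute user item" per line (constructed). r1..r3 hit items within minutes of
# submission; o1 and o2 also share three items but vote much later.
VOTE_LOG = """
1 r1 item1
2 r2 item1
3 r3 item1
30 o1 item1
45 o2 item1
101 r1 item2
103 r2 item2
140 o3 item2
201 r2 item3
202 r1 item3
204 r3 item3
240 o1 item3
260 o2 item3
301 r1 item4
302 r3 item4
330 o4 item4
402 o1 item5
403 o2 item5
450 o5 item5
"""


def parse_votes(text: str) -> list:
    votes = []
    for line in text.strip().splitlines():
        ts, user, item = line.split()
        votes.append((int(ts), user, item))
    return votes


def early_vote_ratio(votes: list, submissions: dict, window: int = 5) -> dict:
    """Fraction of each user's votes cast within `window` minutes of submission."""
    early, total = Counter(), Counter()
    for ts, user, item in votes:
        total[user] += 1
        if ts - submissions[item] <= window:
            early[user] += 1
    return {u: early[u] / total[u] for u in total}


def covote_counts(votes: list) -> Counter:
    """Number of items each pair of users both voted on."""
    voters = defaultdict(set)
    for _, user, item in votes:
        voters[item].add(user)
    pairs = Counter()
    for users in voters.values():
        for a, b in combinations(sorted(users), 2):
            pairs[(a, b)] += 1
    return pairs


def flag_ring(votes: list, submissions: dict, window: int = 5,
              min_shared: int = 3, min_ratio: float = 0.75) -> set:
    """Users in a pair that shares >= min_shared items and where both vote early."""
    ratio = early_vote_ratio(votes, submissions, window)
    flagged = set()
    for (a, b), shared in covote_counts(votes).items():
        if shared >= min_shared and ratio[a] >= min_ratio and ratio[b] >= min_ratio:
            flagged.update((a, b))
    return flagged


if __name__ == "__main__":
    print(sorted(flag_ring(parse_votes(VOTE_LOG), SUBMISSIONS)))
```

Co-voting alone is a weak signal: o1 and o2 share as many items as the ring accounts but are not flagged, because their votes land long after submission. Combining the two features is what separates a shared interest from a coordinated push, and it is also the obvious thing a ring adapts to, which is why a real system needs more than two features.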


Voting ring detection has been one of HN's priorities for over 12 years:

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

I've personally spent hundreds of hours working on this, as well as tracking down voting rings of every imaginable sort. I'd never claim that our software catches everything, but I can tell you that it catches so much that I often go through the lists to find examples of good projects that people were trying ineptly to promote, and invite them to do it again in a way that is more likely to gain community interest.


Thanks, I didn't know at all.

I can see you didn't want to talk about this, esp with the tedious conspiracists. But I'm glad you did, and appreciate your work in keeping HN interesting & fair.

It surprised me because 1) I achieved a moderate position on the front page a few years back "asking a few friends" to upvote something about my former company, but mainly 2) there's no warning to new post submitters as to the values, integrity etc. of the site, to warn people off trying to game it, which I'd expect when you'd put that much work in.

I know there's a minimalist / in-the-know aesthetic to HN but I've been here 10 years, started & sold a tech business, and still didn't know the rules, the moderation patterns etc, other than "by example" (but then who'd want a whole meta.hn forum, gulp).


https://news.ycombinator.com/newsguidelines.html and https://news.ycombinator.com/newsfaq.html are linked in the footer of every page, and both contain information about this.

Out of curiosity, would you be willing to share a link to the post you mentioned that got on the front page? I'd like to see whether our software missed it, and why. You can provide it here or send it to hn@ycombinator.com if you'd prefer a private conversation.

Sometimes the software catches voting rings and we turn the penalty off because the article seems likely to interest the community. It's not perfect, though, and knowing about cases that it missed can be very helpful, since independent verification is usually not available!


"Guidelines" is the first link in the footer.


Well, and whenever Google sunsets a product.


This is definitely true and not just about Tailscale.


Noticed the same here.

The question is, how do we get other interesting posts and products to the HN front page?


If I google for "buy hacker news upvotes" I see someone selling them for $2. You don't need a network for it. If you spend time on your content marketing and you buy upvotes you'll get bumped to the front page and stay there. Tinfoil hat not necessary.

When the HN plays favoritism in the vein of shilling for Y Combinator portfolio companies they make it fairly obvious to anybody paying attention. The portfolio company hiring posts are an example. Post to job descriptions and commenting disabled.


Those spammers are ripping off their own customers. What actually happens when people use that service is that they get their sites and accounts banned. I can't claim this in all cases, because I don't have a list of all their customers, but we've done it dozens of times and we have much independent verification in the form of user confessions and mea culpas. (We're softies when it comes to forgiving people, by the way, as long as they tell the truth.)

As I said recently, it's a cat and mouse game and we eat a lot of mice. https://news.ycombinator.com/item?id=21916935

You guys should realize how much work we put into defending this site against manipulation. Especially if you ever find yourself wondering why there isn't much new feature development on HN.


Two things:

Please stick to this, new features aren't necessary! (You've heard this 10,000x before, but, reinforcing for posterity.)

...could you un-shadowban me/whatever the state of my account is right now?


We banned you as I explained here: https://news.ycombinator.com/item?id=22602849.

Happy to unban you if you give us reason to believe that you'll use HN as intended in the future. It's best to email hn@ycombinator.com about that.


Having your friends upvote your posts on HN doesn't mean HN "favors" you.


> Can I ask people to upvote my submission? [1]

> No. Users should vote for a story because they personally find it intellectually interesting, not because someone has content to promote. HN's software penalizes submissions, accounts, and sites that break this rule, so please don't.

"A "voting ring" is when people get friends to upvote their stuff. This is against the rules. We want stories to be on HN because they're good, not because they were promoted." [2]

[1] https://news.ycombinator.com/newsfaq.html

[2] https://news.ycombinator.com/item?id=7543910


Yep, too bad not everyone follows the rules. It's the same with everything that can be gamed from search results to taxes.


Even if it is only as innocent as having your friends mass-upvoting every thread of yours, this is an outright exploitation of HN rules. Again, it has never happened that a company, especially a company that was started a few months ago and is hardly known by anybody, gets to the frontpage with a 100% hit rate more than 10 times in less than 3 months.


Sure, that's very much against HN's rules. Also against HN's rules is posting accusations about these things without evidence. I've looked extensively into these cases, mainly because you've drummed up such a fuss about them with your various accounts. I found zero evidence of abuse. All the data indicates that these threads have been upvoted by serious, longstanding HN community members who are just genuinely interested in the topic—probably because of the lineage of the founders, who are well known to this community and whose work many people like to follow.

You've now crossed way beyond the point of trolling, including barraging us with hostile emails, and it's time to drop it and move on.


There is no accusation, you're just playing with words to deflect the situation and make it about me instead of about the real issue here, which is a company that had more frontpage posts of free positive publicity than most FAANG companies in the last month, with a staggering 100% hit rate.


As someone who has spent years upon years fighting with and against corrupt subreddit mods+astroturfing users on reddit:

HN can't do much about upvotes coming from friends if they're sufficiently distributed/no patterns to find.

Also, please consider: their posts are just good/stimulate great discussion across multiple sectors of tech (networking meshing applies to ALMOST EVERYONE!).



