> Keep in mind that Sandstorm is meant to host internal-facing services.
This is not really obvious from any of your marketing copy or documentation, nor would it be a realistic expectation if it were. I think you need to secure like your users don't know or understand your intentions.
Unfortunately, we've had trouble expressing what Sandstorm is in web page format, because it's so different from anything else out there. People tend to try to pattern-match it to something else and get the wrong idea. This has been a constant struggle. But once you actually try it, I think it becomes a lot clearer.
There are literally two Sandstorm servers in the world that allow self-service creation of full user accounts (one of which is run by us). The rest are by invite only, which means that to launch an attack, you'd first have to trick the server admin into giving you an invite. That's certainly not impossible, but it is a significant barrier.
That said, again, I do agree this was a real problem -- we do think it's bad if invited users can compromise the server or its network. I'm not trying to claim otherwise, I'm just trying to put everything into full perspective and avoid hyperbole.