GitHub blocks entire company because one employee was in Iran (twitter.com)
So many dimensions come into play here.
1. There's the obvious legal aspect i.e. how these laws are framed and interpreted.
2. Then there's the geopolitical aspect. Is it fair to impose sanctions on Iran.
3. There's another aspect around GitHub policy that asks if an entire organization should be banned for the location of one team member.
4. Finally, there's the aspect of relinquishing control. Your app development is on the cloud. IDEs are on the cloud. Deployments are on the cloud. App stores are on the cloud.
You have relinquished so much control, why be surprised if that stares you back in the face?
Ironically, Git is a decentralized version control system.
> You have relinquished so much control, why be surprised if that stares you back in the face?
We live in a market-based economy with highly specialized division of labor. The idea of "keeping control" of all our necessities and dependencies, is an archaic one. The system generally works, because we create sensible laws that foster trust, vet for partners who are trustworthy, and name-and-shame entities that violate our trust.
If you're a behemoth the size of FANG or a nation-state, maybe it is worth the effort needed to insulate yourself against these black-swan scenarios. But for a startup or small-medium-business that no one has heard of? That just sounds like bad prioritization.
All of which is to say... we should absolutely be surprised when a vendor like GitHub blocks an entire company because of an employee logging in from Iran while on travel. And this surprise, and the resulting name-and-shame, is what keeps the wheels of our economy turning.
I think it's the opposite. When you're FANG or a nation state preparedness doesn't matter. You have strings to pull to get fair treatment.
If you're a small guy you get screwed and have no practical means of recourse. The little people are the ones who need to care about this kind of stuff.
There are plenty of solutions that keep the data in-house, or allow for easy exporting/importing (github is not too bad in this regard though). None of these solutions go against the "highly specialized division of labor". This is a question about what kind of solutions we build, not how labor is divided or not.
None of those solutions are as plug-and-play as hosted GitHub/GitLab, nor without maintenance costs. Those add up to quite a bit of money too, usually making hosted the more cost effective option. Although this can happen, the truth is 99% of the time it doesn't, so most companies continue to use hosted solutions as it is far more likely they go bankrupt due to poor business rather than US embargoes.
Spinning up your own git server is not a huge effort though even for a startup.
As to what is archaic - I believe a point can be made that the division of labor thing can suit our brave new cloud software world poorly. You can't just buy things (or software) from others, and completely own them. If you are outsourcing some part of your business to others, you also lose a lot of sovereignty that is crucial to stay flexible and move fast. Apart from the fact that all these solutions are bundled with analytics that will play against you as soon as your supplier wants to become your competitor. And as I said before, staying in control is actually not that hard as soon as you know what you are doing, and can be a huge competitive advantage.
> Spinning up your own git server is not a huge effort though even for a startup.
At a previous job we self hosted Git and it worked fairly well. At my current job we use GitHub and while we could migrate away, it would hurt.
Personally, I think GitHub's value is more about the fact that it integrates so well with so many other services. Without GitHub we would lose:
- Most of our PR/ Code Review flow
- Integration with Pivotal (our ticketing/ story system)
- Integration with our Travis server for CI
- Integration with our hosting service for automated deployment.
All of this stuff can be done independent of GitHub, but most of it takes a lot of time and effort that could be spent delivering the product you are trying to ship. You also lose a lot of flexibility.
Yes, integrations are a real value. I've seen a lot of it working in self-hosted Gerrit, but there was a dedicated maintainer for the project who among other things implemented these.
A customer of mine uses GitHub, Travis and Slack.
If GitHub is offline we can still set up a git server somewhere. I could offer my own for a quick startup. Mailing patches to each other, Linux kernel style, is not a viable backup plan. The cultural gap is too wide.
If Travis is down we can run tests locally.
We build the deployment artifact on one of our servers. If that one is down probably our production server is down too.
If Slack is down, ah, I was on vacation yesterday. I guess the fastest backup for us would be WhatsApp Web.
When we ran services like this in-house, I don't really recall a time where any of them failed. Now that we have a 3rd party run those services, it's easy to recall multiple instances where one or more of them were down for some reason.
I very much agree - the likelihood that your business will die because it just isn't great at selling stuff seems much greater than the likelihood that it will die because you get really unlucky with a service provider.
THAT SAID, it seems worth it for even a really tiny company to spend a half hour thinking about "what would I do if github (or AWS or google or the app store or whatever) cut me off?"
Probably in a lot of cases the answer is "call them and beg forgiveness" (i.e. if it's AWS), but for something like github it seems like "switch to gitlab" (or "deploy git server" or anything else) is a pretty easy move.
Don't be surprised when the "name-and-shame" doesn't work anymore.
So true. It already doesn't work in politics. Only a matter of time till it's the same with big companies
> Ironically, Git is a decentralized version control system.
And Git is open source.
Github is a US-registered company under MS. The US has a history of weaponizing its economic power.
Stallman (RMS) was right once again.
This particular case was overreach by Github and not the US Lawmakers.
https://home.treasury.gov/policy-issues/financial-sanctions/...
Source: https://twitter.com/Hamed/status/1346433510786138114/photo/1
> 18. I have a client that is in Iran to visit a relative. Do I need to restrict the account? A: No. As long as you are satisfied that the client is not ordinarily resident in Iran, then the account does not need to be restricted. See FAQ 37.
It may be overreach by GitHub, but given the severity of the sanctions lawmakers have set for if they happen to get it wrong, I'd like to at least blame lawmakers for creating such a risky situation.
I work with sanctions. I think both can be easily blamed. Similarly to DMCA notices, most companies opt for the path of least resistance (it is cheaper to blanket ban than to investigate). Yes, politicians are to blame for creating the environment, but companies deserve flak for taking the path that is bad for the customer (unless they are sufficiently well-heeled).
My thoughts are my own. I do not represent anyone other than myself.
So look at (on one hand) a customer worth... well, PureLabs is "10 incredible FTEs," let's give them the $21/user/mo Enterprise plan at $210/month in revenue.
On the other hand, a sanctions violation could be a $65,000 fine (Trading with the Enemy Act) or $250,000 (International Emergency Economic Powers Act) for each offense. (I leave aside the million-dollar narcotics-kingpin act). On top of this we also see the risk of criminal prosecution.
In what world is it reasonable to expect anyone to take this chance?
It is hard to discuss hypothetical violations so I won't do that. It absolutely is a safe course of action to do a blanket ban. That said, is it reasonable to assume violation based on IP address (and that is what seems to have happened here)? Banks don't automatically (typically) block MUHAMMAD JIHAD even if they may end up questioning it.
That’s because the combined business of all Muhammads and their employers is way more than $210/month AND it would be illegal, and Bad PR™, to ban them from your business based just on their culture/name. Otherwise they would have been “derisked” out of service.
You have a point (and Mnuchin, to his credit, based on reports, does care about regulatory burden and its impact). So you are right, one is not like the other. To address your point directly, if OFAC tomorrow added MOHAMMAD JIHAD with no other information (no DOB, no address, and so on), you would be surprised how quickly the banks would respond.
Now note that we are discussing a name, a common, but somewhat reliable, if mutable, driver of our identity. Now compare it to IP address and tell me, which one is a better predictor of who you are.
Unless, we are assuming IP is a proxy for location, which is another story.
Banks typically would react overnight to OFAC list updates, through a sanctions list service.
If no DOB or similar is also provided, though, scoring should not be too high - and if a match with Mohammad is enough to trigger an alert, the overnight alert delta would be either manually processed by Compliance, or bulk closed as false positives, depending on how much time you need to unblock the clients and similar risk considerations.
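A toy version of the list-screening flow described in this comment, added here as an illustration (not OFAC data, and not any bank's or GitHub's actual logic): a hit is scored, a bare name match can never reach the auto-block threshold because the listing carries no DOB or address, and such hits go to a manual-review queue instead. The list entries, customers and thresholds are constructed assumptions.

```python
"""Toy sanctions-list screening with scoring. Constructed sample data only."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ListEntry:
    name: str
    dob: Optional[str] = None      # "YYYY-MM-DD", or None when the listing omits it
    country: Optional[str] = None  # ISO country code, or None when omitted


@dataclass(frozen=True)
class Customer:
    name: str
    dob: str
    country: str


# Constructed entries: one with full identifiers, one name-only (the
# thread's hypothetical of a listing with no DOB and no address).
SANCTIONS_LIST = [
    ListEntry("JOHN DOE", dob="1970-01-01", country="IR"),
    ListEntry("MOHAMMAD JIHAD"),
]

# Assumed thresholds; where to draw these lines is a compliance decision.
AUTO_BLOCK = 80   # only reachable when name AND secondary identifiers agree
REVIEW = 20       # any shared name token raises an alert for a human to clear


def _tokens(name: str) -> set:
    return set(name.upper().split())


def score(customer: Customer, entry: ListEntry) -> int:
    """Score 0..100. Name overlap contributes at most 60 (Jaccard on name
    tokens); a matching DOB adds 30 and a matching country adds 10. A listing
    without DOB/country therefore caps at 60 however well the name fits."""
    ct, et = _tokens(customer.name), _tokens(entry.name)
    shared = ct & et
    if not shared:
        return 0
    name_part = int(60 * len(shared) / len(ct | et))
    dob_part = 30 if entry.dob is not None and entry.dob == customer.dob else 0
    country_part = 10 if entry.country is not None and entry.country == customer.country else 0
    return name_part + dob_part + country_part


def screen(customer: Customer) -> Tuple[str, str, int]:
    """Return (disposition, best_matching_entry_name, best_score)."""
    best = max(SANCTIONS_LIST, key=lambda e: score(customer, e))
    s = score(customer, best)
    if s >= AUTO_BLOCK:
        return ("block", best.name, s)
    if s >= REVIEW:
        return ("manual_review", best.name, s)
    return ("clear", best.name, s)


if __name__ == "__main__":
    # Constructed customers: full-identifier hit, partial-name hit, exact
    # name against a name-only listing, and no hit at all.
    for c in (Customer("John Doe", "1970-01-01", "IR"),
              Customer("Mohammad Ali", "1985-05-05", "EG"),
              Customer("Mohammad Jihad", "1990-02-02", "US"),
              Customer("Jane Smith", "1991-03-03", "US")):
        print(c.name, "->", screen(c))
```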
I am not sure if you realize it, but you are proving my point. Banks found a way to address the issue without adversely affecting the customers. Github appears to have only recently started to do the same, but they opted for a blanket approach as opposed to a more targeted one.
Sure, I’m just not trying to disprove you, I argued similarly in other threads.
> It absolutely is a safe course of action to do a blanket ban.
Except when you make a mistake and ruin someone’s morning.
They do actually flag payments if you put the word Isis or something in the memo.
Do you have a story about this?
Not parent and not about terrorism directly, but Tardigrade Ltd. was sanctioned in US (because it is an arms dealer without licence in US) causing all "Tardigrade" payments blocked (even innocuous ones): https://news.ycombinator.com/item?id=24450828
Cases like this are an example of how a company trying to cover their ass leads to a customer getting kicked in the ass.
Sanctions, compliance, etc. is a messy ordeal to manage (both technically and operationally), and the ways laws are written with so many intricacies and dependencies doesn't make it easier.
Because only 1 instance of violation could lead to fines equivalent to a person's salary, often the systems are made to be overly sensitive and less investigative to figure out whether a 'hit' is actually a false-positive because that also takes time/money and still carries potential risk.
I would blame the automatic sanctioning software triggering such a situation, without checking if the new access from Iran was by a tourist or citizen. Adding an org block for minor access within two weeks is overreach.
I’m unaware of a library that checks citizenship of the user behind an IP address.
Exactly, that's why you cannot block somebody on the first access. Even prosecutors will understand this.
This kind of software is not simply installed with an apt-get one-liner, github can’t be exempted from choosing their business rules on screening matches.
Thing is, GitHub is a tool that facilitates distribution of IP. So if someone is logging into GitHub in Iran, whether they live there or not, they can use it to "export" code.
Which is kind of irrelevant---preventing the export of code is not the issue. This is an economic sanction against Iran by preventing companies from doing business there.
The law has a chilling effect on companies, that drives them to do things like this. If a company does something, that they clearly would not have done without a law, it's the fault of the law, even if that law didn't specifically require it, in fact even if that law specifically exempts it.
Since I can’t edit the comment, I want to paste this here so readers are informed about the extra mile Github travelled as well.
https://news.ycombinator.com/item?id=25648585 (Advancing developer freedom: GitHub is fully available in Iran)
The problem starts with how to even identify if someone is physically in Iran. Making that assumption based on the IP address is highly questionable.
You think a lot of people are proxying their traffic through an Iranian IP address?
If you read this literally, you could get away with leaking state secrets as long as you're visiting a relative while doing it.
Github cannot be expected to reliably differentiate between the coworker who just checked the status of a PR on a webapp versus the employee who opened a crucial piece of encryption code to leak it to the Iranian military or whatever.
This is an economic sanction against Iran; it has nothing to do with state, or corporate, secrets.
If that's the case, then the problem isn't Github, but of the organization having Iranian intelligence assets on staff. And the whole idea of the government regulating encryption and it being weaponized is overdone.
The above is not law. The law is more detailed. This is a FAQ that should be interpreted in a reasonable fashion, not with an extreme use-case.
A spy could also just clone the repo and travel to Iran, too.
Spies can send information from anywhere in the world to anywhere else, so I don’t see how they being in a specific location at all matters.
I do not see why a geoip filter does not suffice. GitHub should not be the one to interpret the whole complex picture.
I would go quite a step further than that. If this was not an unfortunate incident/mistake, then GitHub/Microsoft has become quite the active enforcer of US (legal) foreign policy.
If they do that within the US market, that might be justifiable. But in this particular case, GitHub appears to enforce US foreign policy on what appears to be a company on the EU market. Also in what to me appears to be a rather ruthless, totalitarian, maybe even draconian way.
I'm pretty certain that absent this US law within the EU market, this action is arbitrarily discriminatory, and very likely constitutes inflicting serious damage on another company without a legal basis (within the US, yes .. outside the US, no).
GitHub may find itself stuck, between adhering to US laws and laws elsewhere (in this case EU, but China is probably a good example too). Still, it ultimately is a choice for GitHub to offer their products on multiple markets. If they have issues with that, they are free to exit a particular market. It certainly is never a valid excuse to start violating law in any market outside whatever country your headquarters might be located in.
Tangentially, this rather typical popular belief that US companies can simply absolve themselves from legal liability, just by crafting clever TOS/EULA that supposedly does just that, has always confused me. It was always my understanding that you can not create contracts that violate laws. In most countries with a somewhat sane state of law, governments really do not like or tolerate when companies start essentially making their own law in parallel. But apparently you can rewrite (even basic) law in the USA, as long as you can somehow get both parties to agree on it. Be that by free will or coercion.
Maybe it's time, for other parts of the world to no longer put up with this kind of bullshit, and demand that US companies actually adhere to the laws (and legal protections) that exist within their markets, or be free to buzz off and only operate on the US market alone.
With US foreign policy becoming increasingly self-serving, legally dubious, and in some cases downright insane, having internationally operating companies enforcing those policies is becoming a seriously risky proposition for anyone outside the USA.
"I would go quite a step further than that. If this was not an unfortunate incident/mistake, then GitHub/Microsoft has become quite the active enforcer of US (legal) foreign policy."
I am not sure if most people realize this, but OFAC compliance is rather rigid with no room for error ('strict liability'). And US treasury enforces it hard. Recently, Amazon got caught in its cross-hairs (though it managed to get away with a low fine relative to its size).
I guess what I am saying, according to OFAC, everyone is responsible for enforcing US foreign policy.
edit: Everyone as in US person, person on US soil or someone using US dollar. I really should avoid exaggeration.
There is no doubt about US companies having to follow US law. But this is an internationally operating company, which means it has to also follow whatever law might apply to whatever market they operate on.
GitHub, as any other US company, has a choice/freedom to stop offering services to customers outside the US market, if the particulars of providing those services causes them to violate laws in at least one of the jurisdictions.
Of course, US companies should be rightfully pissed, if the US government puts them in a situation where they can not (legally) operate abroad. But that's something they should take up with US lawmakers.
At the end of the day, they are still (most likely) operating illegally on a foreign market, even if they are unlikely ever to be substantially punished for that. The thing is, the US has a rather questionable track record of coming to the rescue, whenever US companies get into trouble for (illegally) doing business abroad. Ironically, whenever another country does that (e.g. China) the US immediately has a long list of choice words and allegations at the ready. Long story short: pure hypocrisy.
> But in this particular case, GitHub appears to enforce US foreign policy on what appears to be a company on the EU market.
Surely enforcing your politics outside of your jurisdiction is the whole point of an embargo?
As a government, yes. As a commercial company, operating on a market outside of US jurisdiction, please explain to me the legal basis for that (if you can).
The government where the commercial company is based expects the company to do so, and will hold that company accountable if they do not.
You may not agree with this situation, but it is how it works. The US government will investigate and penalize companies that violate US sanctions, even if the parts of those companies involved did so entirely outside of the US.
Yep, the current US administration is somewhat to blame on the shift. It has always been a requirement, it's just that the government up until this admin mostly didn't care to enforce it. It's pretty obvious a number of companies got threatening letters to comply or face jail time.
When I did some googling, I found an article from 2012 about sanctions enforcement (https://www.itproportal.com/2012/10/26/ibm-questioned-over-a...). I am unaware of new behavior regarding sanctions enforcement, although I know that the current administration imposed additional sanctions. But my understanding is that with existing sanctions, this is what the US government has always done.
The legal basis is they are using a U.S. company (GitHub) that has to follow U.S. laws. And that makes certain things inconvenient for them.
Github is not outside US jurisdiction, and is required to enforce these laws even if the client is in Europe. They could be sanctioned by OFAC if they don't.
The legal basis is that the US has a big stick, and so all countries must follow us laws, or they'll nuke your capital, rape your children, destroy all your infrastructure, etc.
In this case, it's just leaving you to starve, so you're pretty well off on the whole vs other things Americans will do
Are there European laws that prohibit discriminating against people who live in Iran? Or that prohibit discriminating against companies who employ people who live in Iran? If not, the legal basis is that you can do anything you want unless it's prohibited by law, and the action in question isn't prohibited by law.
Yes, it actually is illegal to arbitrarily discriminate against people based on their ethnicity, political views or nationality (unless there is a specific law that allows that for a particular nationality, e.g. in case of a legal embargo).
They probably did not want to have their CEO nabbed by police in the Vancouver airport for extradition on sanctions violations. You might want to see what happened with Huawei, who aren’t even a US company.
If Huawei wants to do business in the US economy, they can do so but have to abide by the rules. They can also choose to do business with Iran instead, but not both.
It appears that you are pretty much the only one who gets it. At least from anyone who responded.
I find it rather shameful, that apparently everyone who responded to my question, did so by explaining that a US company has to abide by US law. You don't say!
That was never the question, but apparently even reading is even too much to ask from people these days.
Of course US companies have to follow US laws. But if that conflicts with law in wherever their services are offered, they no longer have any business operating there. They should consequently stop offering their services in that territory.
Since that's unlikely going to happen on their own initiative, maybe the EU should simply declare companies like these as illegal on their market.
Actually, that might even help to finally get rid of the stranglehold which many US companies have had for a long time on any emerging potential competition from EU companies. Something for which US companies have regularly used and abused differences in law and economy (between the US and EU), in order to obtain an (unfair) edge.
Maybe it's about time that comes to an end, so US companies can prove that they can compete on equal grounds. I personally doubt that, because for most of the last century this competition has been dominated by the US exploiting artificially created advantages.
Politics aside, it's rather sad that this aspect of legality is even a discussion topic. It should be a no-brainer that US companies should abide by whatever laws exist on a foreign market they operate on (of course on top of US law).
If they can't, the only (legal) option is to stop operating. Either that, or the company is a criminally operating organization. That is, if the violations are systemic and not just a few unintended incidents, of course.
Is that not also what I just said?
That isn’t what my comment was actually about. It was a comment about GitHub, not Huawei or the US.
"... this action is arbitrarily discriminatory, and very likely constitutes inflicting serious damage on another company without a legal basis ..."
Isn’t that what YouTube and FaceBook do day in day out when their influencers run afoul of policy?
Those other companies certainly do too, yes. Or at least that is what I am convinced of. I would say that what I wrote about GitHub should equally apply to these companies too, or any company for that matter. Not just US companies, but any company that operates internationally.
Add Apple and Blizzard to the list.
If a user runs afoul of policy, the action was not arbitrarily discriminatory.
Policy set by whom?
That of a commercial company, which does not have a legal mandate (at least not in the EU) to make rules that violate EU law (including legal protections), or the US government, which does not have legal jurisdiction over the EU market?
Pick your poison
What? Your position is that if it’s policy and you enforce policy then it’s not discriminatory?
So if a policy or a law says X is disallowed or is unlawful, ipso facto, X can only run afoul of those bodies of governance and can’t be discriminatory? That’s interesting!
"this action is arbitrarily discriminatory" - if so, this action is permitted. While there often are restrictions on specific, enumerated types of discrimination (e.g. religion, ethnicity, gender, etc - though almost universally they apply to discrimination of people, not companies), those are exceptions to the general principle of "freedom of association" where people and companies are free to arbitrarily decide with whom they want to do business and whom they want to exclude - as far as they don't violate some of the specific restrictions listed in law. If a supplier does not want to sell to your company for an arbitrary reason, it's their right to do so.
"constitutes inflicting serious damage on another company without a legal basis" - again, that does not indicate any wrongdoing. Inflicting serious damage on another company is, by default, permitted (matching the core principle of "everything which is not forbidden is allowed") and is regularly done in the course of normal competition, winning over some other company in bids, recruiting key employees by offering them lots of money, targeting their customers with specific discounts, etc, etc.
If you're inflicting serious damage on another company, then both the intent and result are by themselves legal; the only question is about the means. If you're inflicting serious damage on another company by legally prohibited means (e.g. theft or arson or illegal access to computer systems) or violating some established legal duty (e.g. "duty of care" as required by law in various service relationships), then the other company would be entitled to compensation. But in the absence of that, if there's no specific legal prohibition to your action (for example, laws on anti-competitive actions tend to impose various restrictions), if your action is legally permitted, then if some company suffers because of that, it's not your problem. There are restrictions on what actions are legally permitted (law on tortious interference might apply here, and if there's some fraud, injurious falsehood etc then it matters) but if they do have the right to arbitrarily end the contract, then that's it, they are not responsible for the damages.
Given the pressure by the EU and China on US companies to enforce local laws globally (GDPR, RTBF, Taiwan), I don't see how Github, operating in the US, as a US company, has any chance absolving itself of enforcing US laws and regulations (though in this specific case they appear to have overreacted, likely due to regulatory enforcement via algorithm and not common sense).
If you expect US companies to respect GDPR and cookie banners and the right to be forgotten, globally; you cannot be surprised that they will respect and enforce US law globally as well.
"If you expect US companies to respect GDPR and cookie banners and the right to be forgotten, globally; you cannot be surprised that they will respect and enforce US law globally as well."
I don't expect any US entity to "respect" GDPR. Unless they are expecting to trade in the EU. If you trade in the EU, and violate EU law, then you can expect to be fined - wherever you choose to locate your HQ.
Incidentally, GDPR is pretty badly flawed. The intrusive cookie popups are an egregious example of unintended consequences - those popups are actually attacking privacy.
EU is not forcing American companies to enforce their laws for third party companies operating on non-EU market. Also, American company does not have to follow GDPR for Iranian customers.
EU wants American companies to follow GDPR when acting in EU market.
I'm in the U.S. and I still have to click all those super annoying "Accept using a cookie" popups everywhere. So that EU law certainly does affect me a U.S. citizen interacting with U.S. companies.
The only ones you have to blame for that, are the companies to show you those annoying popups. They have no obligation whatsoever to show that to anyone outside the EU.
Start complaining to those companies and stop pointing your finger in the wrong direction.
That is because it is cheaper to show it to everybody. Not because EU would demand it to be shown for Americans.
Also, the law does not require it to be shown for all cookies. Only for tracking ones.
To nitpick, while for non-EU companies GDPR applies to individuals in EU (and their data) as per GDPR article 3.2, any EU companies have to apply this for all personal data as per GDPR article 3.1.
So while foreign companies can decide whether they want to apply their GDPR policies (which generally should not require "cookie banners", though it is a popular choice) only to people in EU or all their users, an EU company does not have a choice, they have the obligation to treat personal data of Americans and Iranians and everyone else in a GDPR-appropriate manner.
Keep that in mind the next time you encounter a US based newspaper that puts up a GDPR error page instead of serving the news article you requested. The EU asserts it can penalize a US based company a percentage of its worldwide revenue (not EU derived revenue) for GDPR violations.
I'm not saying it's right, I am saying that these are the logical, practical responses to the way different jurisdictions expect their laws and regulations to be honored, respected, and applied.
"The EU asserts it can penalize a US based company" ...
Well, of course it can, if the company violates EU law inside the EU. Do you think US law trumps [sic] national law globally? If a US company doesn't want to comply with GDPR, it is free to cease trading in the EU, or cough-up the fines.
Extraterritoriality is an old US habit.
I think you may have either misunderstood me, or maybe have gotten the logic backwards.
I'm not saying that US companies should not enforce US law. I think they should. That is: strictly within the US market.
When they operate outside the US market, they have to (also) adhere to whatever law exists for that market. If that creates a conflict, the company has a choice to either open up shop elsewhere, outside of US jurisdiction (if that's the only way to comply with local market rules), or stay in the US and leave the foreign market alone.
Either way, being a US company should never be a valid excuse to violate laws (and/or legal protections) somewhere abroad.
It ultimately is up to a company to choose what they do and where they do it. To me, the current status quo appears to be that many US companies have been (illegally) enforcing US laws outside of US jurisdiction. Aside from that, and maybe even on a far worse level, they have essentially been making up de facto "private laws", in their TOS/EULA "contracts".
Last time I checked, law should be left to governments. Preferably through democratic due process. Certainly not to commercial companies, who are either privately owned, or publicly by a select few rather undemocratic entities.
My shorter version: Precedent in the US is that the US views its jurisdiction over US citizens and corporations as global. If I as a US citizen step over the border to your country and bribe an official of your country in order to gain a commercial contract, I can (and probably, though not definitely, will) be prosecuted for breaking US law, regardless of whether or not bribery is perfectly legal in your country. Same for corporations: if the act is prohibited in the US, the US Government generally does not distinguish between whether the act occurred in the US or not.
This is not new. The Internet exacerbates the potential for conflicts, but it’s not a new problem with the rise of the Internet.
The US government should do whatever it sees fit for its subjects. That's not the issue.
The issue is that a US company should also be held accountable for whatever they violate abroad. Not by the US government, of course. But by the authorities of whatever foreign market they operate on (the only authority with jurisdiction anyways).
While the tide is gradually changing, so far a substantial part of the problem is that the US government has quite a few nasty ways to shield US companies from being seriously held accountable abroad. Still, the longer that reality exists, the more inevitable it will become that at some point US companies will simply be barred altogether from (some) foreign markets. You can only abuse a dominant position for so long, before the receiving end will no longer put up with it. That is, of course, when (or as soon as) they have the luxury of choice in the matter.
It’s been my personal experience that the US government does not distinguish between a US company offering products and services in the US and a US company offering those products and services outside the US. Even foreign subsidiaries are held accountable to US laws and regulations if the US parent has sufficient control of the company.
Bigger companies get a little bit more leeway to negotiate with the US Federal government on this but if the US decides that something is illegal or prohibited, the Justice Department doesn't really care what country the prohibited activity occurred in, it'll walk the executive chain to pick people to prosecute.
The only way a company could completely avoid this scenario is if it licensed its product or service to an independent entity outside the US. And even then the DOJ would likely attempt to force the termination of the license agreement if it results in a product or service being offered in a prohibited jurisdiction.
None of this is new, or due to Trump, or even partisan.
You are correct, on each and every count. However, none of that is related to what I tried to highlight.
Sure, the US is (rightfully so) subjecting every company within its jurisdiction to US law, no matter on which market they operate. Sometimes they go even further and say non-US companies can be held liable, when they somehow interact with the USA or its citizens. That can sometimes become a bit dicey with jurisdictions, but even that is not the point here.
The point is that a US-based company is operating on a market outside the US and (most likely) is operating in a way that is within the law of that market.
To put it bluntly: I don't give a #### about how the US treats companies on their territory, regardless of where those operate. I care about US-based companies abiding by the law wherever they do business. If they can not do that, they should cease to operate there. Whether it's the US government or something else that is to blame for the situation is irrelevant.
I'm not a pro dev by any means but what is stopping orgs from simply self hosting such a thing? Git is merely version control which supposedly does not take a lot of resources so you can go ahead and buy a dedicated server and host it in your office. Is the question more so about expanded services like CI/CD that may take up more computational resources to continuously build binaries and other deliverables?
The compute part is the least of your worries, even installing the software is usually not your primary concern - everything is fine as long as you're on the happy path.
Software needs to be maintained, patched, backed up, verified etc. It has bugs, security issues, hardware breaks in weird ways. This takes time and skill - ideally you'd need two or three people that are capable of fixing problems with the install (one ill, one on vacation, one available). This is something that detracts from the actual work you're doing. I'm very much an ops person and I actually like tinkering with a gitlab install - it's just so many moving parts that I prefer not to run this for my company since it would eat a substantial chunk of my time just caring for this.
The bottom line is that it is cheaper to use GitHub and live with the external risks than to maintain internal services or live without them.
I note that the Linux kernel lived with bare Git for many years.
At least for small to medium organizations without specific reasons for self-hosting. Once you have a team that manages internal infrastructure, this calculus can change.
The Linux kernel is a very specific case with a very specific development model that likely doesn’t apply to most other projects.
I would say it's less about the compute resources, and more about possibly needing a team dedicated to maintaining quite a lot of infrastructure to replace the features that GitHub has, which is far more extensive than just git hosting.
GitLab, Gitea or others provide most, if not all, and in some cases even more features than GitHub. They are fully or partially Open Source and they are easy to host.
You need to compare the cost of self-hosting to the cost of SaaS - INCLUDING the risk of getting locked out.
One downside of the SaaS model is that you are just a very small customer in the bigger scheme and they can't really justify spending money on servicing you. Let's say you are a company of 5 people, paying 50 bucks a month for a service - how many hours per year can they spend on servicing you before you become a net-negative account? How much power do you have in a negotiation if you are a net-negative account?
> Let's say you are company of 5 people, paying 50 bucks a month for a service - how many hours per year can they spend on servicing you before you become a net-negative account?
It probably isn't sustainable for a business to only consider this aspect. One thing that comes to mind with companies that thrive with a large number of small non-B2B customers, who individually don't tend to have much power, is that they understand that people love to talk about customer service when it's bad, and occasionally when it's very good as well. Word spreads, and nearly everyone places at least a little weight on this public perception of kindness or flexibility with customers especially when it isn't in the immediate financial interest of the company to do so.
WRT self hosting, GitLab could be painful, but Gitea is really easy to host and keep up to date.
I've been self-hosting gitlab for a few years now in my company and never had a problem.
You should clone your environment and then inject faults into the clone to cause yourself some simulated problems.
How much resources does that consume (both compute and human)? Have you done upgrades?
It's perfectly possible for a team of 10 devs to run on self-hosted source-code control, run an in-house CI system, and run application hosting, with just one tech (and one backup) working part-time on maintaining the system. You need a VM host for the CI; now you have a VM host, you can build git servers and so on (bring the email inhouse, perhaps?).
As far as maintaining the system is concerned: setups that are hosted by 3rd-parties also need maintenance. Someone has to understand how it all fits together, and how to fix it when it goes wrong. So you still need a team-member working part-time on SCC, CI and deployment.
If you have developers that can use git they can setup and maintain a local git or source control.
If no one in your company can do that.. hire or outsource.
Maintaining a self-hosted solution like GitLab takes less than a day of work a year, and it has more features than GitHub.
(I have been doing it for years)
Self-Hosting is a similar tradeoff to running your own hardware, imo. You can increase control and overall cost effectiveness for additional scaling, but these choices have a certain base cost you can't reduce. Thus, they only work beyond a certain initial scale, or because you have some specialized requirements.
For example, the source code as well as the tickets around a piece of software tend to be the most critical assets of a company. As such, you need one or better 2 systems to host the source code and ticketing. However, such a system needs backups, so suddenly you need to maintain a backup solution, you need to implement and monitor the backups being created, you need restore tests. You end up needing some kind of monitoring as well. As well as 2-3 dudes at least part-time maintaining all of this, capable of replacing each other during sickness and vacation.
That's a lot of stuff as well as a lot of manpower as your base cost. Of course, once you have that, you can self-host a lot of things easily and maintain excellent uptime at minimal risk, because these base services scale very well in complexity. For us it makes sense to do this, because unplanned outages at 100+ developers are seriously expensive and risky.
However, if you have 3 developers and a clock ticking to find product market fit, you don't have that budget - or spending it this way does not make sense. So you buy.
But Github is reason why git is popular ...
Github sure contributed to the popularity, but I remember distinctly when Git came out and how it took off like a rocket. Git was a "killer app" from its day of inception and everyone I knew switched their source control to it in late 2005 early 2006. It was a game changer to say the least. Github jumped on an already rolling bandwagon and left me and many people I knew wondering why the hell you would need to host your projects there. (I am still a little bit puzzled but came to accept it as useful)
Github fixes the problem that most users have with git (but are ashamed / too ignorant to admit): That it is de-centralized.
> Github fixes the problem that most users have with git (but are ashamed / too ignorant to admit): That it is de-centralized.
Git is designed for an environment where there are multiple canonical trunks. RedHat's kernel is equally a master as SuSe's. So you are maintaining various tips in a semi-synchronized manner. In most projects there is a single repository branch that is the true branch (with perhaps a few tags for LTR) that represents the project. For that reason a lot of Git's mechanisms are unneeded complexity.
The killer feature of Git is GitHub, and to a lesser degree local commits (after all, Mercurial has that too).
I doubt it.
There's definitely an argument that GitHub is one of the primary reasons that Git beat Mercurial.
Anecdotally, I started using git because of projects on Github I wanted to contribute to. A number of others I know were in a similar boat. Before that, we used subversion, bazaar or mercurial. I personally am happy with having been pushed to using git and if it was winning anyway (not clear) I'm sure I would have eventually ended there anyway, but GitHub is the reason I started using it when I did.
Yep!
"One click" fork + "one click" pull request are its killer features.
I've used Mercurial. It sucks compared to Git. And not because I can't use it on GitHub.
It's tricky to compare them now, because Git won, it's got a lot more investment. Ideally you'd need to compare them just before Git got the upper hand - but that's hard to pinpoint.
So many reasons why I prefer on-prem over cloud for software that is directly attached to the value-chain of the business. I wouldn't care if they cut me off of some backoffice app which manages the snack bar. But as a software company, my code is the heart of my company, so I would never give control of that to a 3rd party.
> Ironically, Git is a decentralized version control system.
But git and github are not the same, as the latter contains a lot more extras in terms of functionality.
There are good github alternatives, like https://gitea.io
And if you then talk decentralized version of that, ForgeFed comes into picture. See https://forgefed.peers.community
As it happens there's a recent interest to evaluate that for implementation in Gitea (and maybe funded by NGI0):
We all know that, but we both know most Git repositories out there are probably on Github.
Seems someone has responded to it.
lol someone responded a week later and possibly only because it made the front page on hacker news
That “someone” is github’s CEO.
It does not condone that it took an HN frontpage to react to a massive issue from a client blocked due to either a badly configured sanctions system, or a badly defined false positive determination workflow, that could not be expedited otherwise by the client, but... it’s something I guess.
Good luck having a 7-day response by your bank, who have the legal obligation to not share with you why they blocked you, or having Google's CEO looking into your issue aired on twitter.
Two things to consider: That guy is the corporate vice president for developer services, so he probably had to run that response by Legal before committing like that. Also unless this is a really exceptional year, there probably wasn't anyone "at work" at Microsoft last week except on-call rotations.
> Ironically, Git is a decentralized version control system.
GitHub is simultaneously not the be-all-and-end-all of Git[1] and more than Git[2].
If they have good backups of everything (if not they should consider this a beating with the ol' clue stick (I'm assuming everything on github can be backed up away from it?)) this should only be a bump in the road, though a considerably inconvenient bump as there is nothing they can just restore to and move on using without a pile of changes and/or admin work.
[1] pick a new location for the "source of truth" repo for your team, push everything to that, and you're golden again
[2] all the bits wrapped around it are available elsewhere, but not necessarily in a convenient ready-made integrated manner[3]
[3] there is GitLab of course, not a direct 1-1 feature mapping in either direction but close enough for many, I'm told performance is more of an issue but you can always self-host if controlling that is worth the extra admin to you
> pick a new location for the "source of truth" repo for your team, push everything to that, and you're golden again
It's also pretty easy to mirror your repo to other remotes. I've had projects that were in Gitlab, Github and Sourcehut at the same time. Sure, depending on how you sync them, there may be some steps (eg getting people to push their local branches to another remote) when your main one becomes inaccessible, but overall it's really easy to work across multiple remotes. It's something git was designed for, after all.
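The two recovery steps mentioned in this subthread (keeping a full backup you can push to a new "source of truth" repo, and working against several remotes at once) as an added, runnable example. This is not code from any commenter; it uses three throwaway bare repositories on local disk as stand-ins for GitHub, GitLab and Sourcehut (an assumption: any URL git can push to behaves the same way), and needs only git.

```shell
#!/bin/sh
# Added example (not from the thread): one working clone that fans every push
# out to several remotes, plus a --mirror backup that can be re-pushed to a
# fresh "source of truth" if the primary host cuts you off.
# Assumption: the three bare repos created here stand in for GitHub, GitLab
# and Sourcehut; any URL git can push to works the same way.
set -eu

# Build the scratch layout under $1: three bare "hosted" remotes and a clone
# whose "origin" fetches from primary but pushes to all three.
mirror_setup() {
  root="$1"
  rm -rf "$root"
  mkdir -p "$root"
  for r in primary mirror_a mirror_b; do
    git init --quiet --bare "$root/$r.git"
  done
  git init --quiet "$root/src"
  (
    cd "$root/src"
    git symbolic-ref HEAD refs/heads/main
    git config user.name example
    git config user.email example@example.invalid
    echo 'hello' > README
    git add README
    git commit --quiet -m 'initial commit'
    git remote add origin "$root/primary.git"
    # The first --add --push replaces the implicit push URL, so list primary
    # explicitly; afterwards a plain "git push origin main" hits all three.
    git remote set-url --add --push origin "$root/primary.git"
    git remote set-url --add --push origin "$root/mirror_a.git"
    git remote set-url --add --push origin "$root/mirror_b.git"
    git push --quiet origin main
  )
}

# Count how many of the three remotes hold commit $2 (the same check you
# would run against the real hosts after a push, before trusting the mirrors).
remotes_with_commit() {
  root="$1"
  sha="$2"
  n=0
  for r in primary mirror_a mirror_b; do
    if git -C "$root/$r.git" cat-file -e "$sha^{commit}" 2>/dev/null; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Full backup plus restore drill: a --mirror clone carries every branch and
# tag; pushing it --mirror into an empty bare repo reproduces the whole
# repository on a new host. Prints the tip of main on the restored copy.
take_backup() {
  root="$1"
  git clone --quiet --mirror "$root/primary.git" "$root/backup.git"
  git init --quiet --bare "$root/restored.git"
  git -C "$root/backup.git" push --quiet --mirror "$root/restored.git"
  git -C "$root/restored.git" rev-parse refs/heads/main
}

# Usage: sh mirror.sh /tmp/gitmirror
if [ "$#" -gt 0 ]; then
  mirror_setup "$1"
  tip="$(git -C "$1/src" rev-parse HEAD)"
  echo "remotes holding $tip: $(remotes_with_commit "$1" "$tip") of 3"
  echo "restored tip: $(take_backup "$1")"
fi
```

The backup half is the part worth automating on a schedule: a plain `git clone` drops tags, notes and branches you never checked out, while `--mirror` keeps every ref, so the restore drill ends with a repository whose `main` matches the original tip exactly. Issues, pull-request discussions and CI configuration live outside git and need their own export.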
Yes it is in the cloud but if you use Gitlab you're suddenly compatible with hosting your own Gitlab. If you use Github you're not. Unless you pay tons of money for Github Enterprise.
So there are Cloud services that make more sense to use in the long run, in this case Gitlab is one of them.
Hell no!
In this case Github is just unreliable piece of infrastructure. My phone provider bans me for receiving phone call from wrong country? Nice joke.
So called "decentralized", and only one company has a copy?
"Decentralisation" of Git has been a running joke since the beginning.
5. Github is bound to obey US law and international trade agreements.
I think github is the last one at fault for this.
>2. Then there's the geopolitical aspect. Is it fair to impose sanctions on Iran.
Yeah. Nobody else should be allowed to have nukes, or else the U.S. is gonna take his ball and go home.
Iran is a signatory to the Nuclear Nonproliferation Treaty. According to the treaty, they agreed to not pursue nuclear weapons and to allow IAEA oversight.
Making it difficult for the IAEA to provide oversight is enough of a treaty violation, and that goes double when there is credible evidence that unauthorized enrichment was occurring.
Why do non-US companies care about US foreign policy goals? EU companies can benefit from doing business with Iran, on the other hand using US based SaaS only makes them hostages of the US government and provides zero additional benefit. It would seem that using US based SaaS is simply bad risk management on the buyer's part.
The EU (and the UN) has had on-and-off sanctions against Iran for decades as well.
Are any EU countries still dependent on Iranian oil supplies?
#4 should be #1.
Entrusting your business to an american entity is the stupidest idea you could have thought about.
Especially we Europeans should not rely on American services at all. It's not worth it.
American corporations are just as much a liability as their counterparts in China.
The top 33 "software and programming" companies by revenue in the world can be found below [0]. 28 of them are American. Two are in the EU. One is in the UK. One is in Australia. The last is Russian.
One of the companies in the EU produces enterprise software almost no one on this website uses (SAP). The other is Dassault.
In the US the top five companies are Microsoft, Oracle, ADP, Adobe, and Salesforce. If you include Alphabet and Amazon, well...
When the EU or Asia (non-China, I guess) can offer mature alternatives even remotely competitive with the American companies, I guess your strategy could work. Until then, no one is going to flock to Hetzner over AWS.
And I like Hetzner.
[0]: https://en.wikipedia.org/wiki/List_of_the_largest_software_c...
I think you are conflating market share with quality of offering.
Indeed there are viable local options for many of these things. Heck, the reason why European companies have so little relative market share is because they serve smaller, domestic, markets.
A Danish webshop provider probably has a better offering for a webshop for servicing the Danish market. It probably has better support for Danish accounting, better locale support etc.
Do Danes have unique server needs compared to the rest of the world?
Yes, they speak Danish.
And Danish laws and Danish accounting systems and Danish gov agencies to maybe integrate with, etc
(Maybe more relevant for SaaS than servers though)
Don’t strawman the parent post, they have already generalized US service dependency beyond OP, and there are already examples of local needs above:
> It probably has better support for Danish accounting, better locale support
That's an issue for the webshop service provider ;)
While the US sure is dominant, there are dozens of software companies larger than those in that list, e.g. Zoho has about $5B revenue, Baidu $11B, Tencent $23B, Accenture $41B, ...
The list employs some particular filters (e.g. SaaS seems to be excluded) and heavily emphasizes market cap over revenue.
I wouldn't consider Accenture a large software company. They do a lot of software "consultancy" (ie bodyshopping), but the nature of the consulting game plus their decentralized architecture (I've worked with Accenture, and the relationship between their different offices seems to be closer to co-franchisees than colleagues) means I wouldn't consider it a "big software company" (as in lots of people working on the same system/architecture).
It doesn't matter anyway. Accenture is also an American company despite being incorporated in Ireland.
Yup they're not a big software company if you arbitrarily constrain the definition of software company.
I could argue Google is not a big software company (as in lots of people working with mismatching socks and propeller hats).
But that would be just as stupid.
What I mean is that the overwhelming majority of Accenture (or TCS, or Deloitte, or IBM Consulting, or Infosys, or any other bodyshop) employees aren’t building software for Accenture, they’re being hired out. So that’s why I don’t consider Accenture a “software” company
Would you consider Randstad to be a building company? They loan out hundreds of thousands of building contractors across the world
Baidu and Tencent are in China, hence why they were excluded from the discussion (since the poster specifically said US/China can't be trusted).
Accenture is American-Irish and listed on the NYSE. Subject to US jurisdiction from a national, not global level.
> One of the companies in the EU produces enterprise software almost no one on this website uses (SAP)
What? SAP is a huge software suite that is used in a lot of companies.
Also, you should take into account that SAP the company is not just the ERP. It has acquired several big SaaS vendors in the past years (Ariba, SuccessFactors, Concur etc) so many of us may be touching SAP without even realizing it.
Correct. I'm also willing to bet the people on Hacker News are not typically in the circle of businesses that use SAP.
I'm willing to bet that they are.
Do you think there is a huge tendency towards Oracle, Infor or MS Dynamics rather than SAP across hacker news, or are you just assuming that people who go on hacker news aren't in the 'circle of companies' which need an ERP?
Most people on HN probably go work for companies that pay them the best compensation or offer them a good position, not based on what ERP they chose.
You underestimate the reach of SAP and overestimate the "SV-ness" of HN.
SAP Developer/Customer here.
Does that mean most people on HN work for companies either too small for or too competent to outsource an ERP system?
SAP user here... not that I liked it :)
Both you and the person you replied to are right. They are not mutually exclusive points.
Famous example: MS Windows having a marketshare of 96% should not necessarily stop you from designing your business around linux.
Sure they are. Propose an EU or non-Chinese Asian alternative to AWS that is, say, 80% as efficient/effective. If that's not possible, then choosing AWS for your startup/scaling business is not the stupidest move you can make, assuming AWS fits your use case.
"MS Windows having a marketshare of 96% should not necessarily stop you from designing your business around linux"
But Windows doesn't have this kind of marketshare in most areas going forward? The #1 OS used worldwide is AndroidOS and no one is clamoring to write for it as far as I can tell.
I think you're missing the point. It's less a question of "can you find an alternative that is at least 80% as efficient", and more a question of "is this 20% bump in efficiency worth the liability risk".
Your opinion is 'yes'. OP's opinion is 'no'.
Both are valid opinions and highly depend on the nature of your business.
But, OP's somewhat un-american sentiment aside (which I believe is mostly what you're reacting to, rather than the general nature of their argument), I agree that erring on the side of caution and minimizing external liabilities should be on the top of the agenda for any company.
And this is aside from the whole "support local infrastructure and don't empower monopolies further" argument.
I am not anti-american or anything like that. I even acknowledge american dominance in Tech and better conditions for skilled workers (read much higher salaries).
That said as a european I have to consider my interests and interests of my business.
Maximizing the risk-adjusted returns on the business is the top of the agenda. Sometimes this means shedding risk, particularly at well established companies; sometimes this means embracing it, particularly at younger ones. If you don’t have revenue yet there’s little need to protect it.
At this point it is kinda an open question whether using AWS/Azure/GCP for anything involving PII is even fully legal under EU/EFTA law. I know at least my employer is working towards having more options to jump ship at a moments notice these days.
I think EU/EFTA is large enough to enable the growth of at least one 80% offering given enough time. Or otherwise large enough as an economic bloc to force America to stricter legislation so that they can use and depend on the American offerings.
Microsoft can't ban you from using Windows or developing software that runs under it.
Amazon can sure kick your company off its services.
For many startups AWS is a no-brainer, which makes life somewhat harder for anyone who wants to deal with Iran from EU (as long as EU allows it) and not be shut down on a US three-letter agency's request.
You can use many of the products from the companies in the list (i.e. SAP, Adobe or Oracle) without risking all your data in a Kafkaesque ploy of sorts.
If you keep everything your business is at Amazon you better be prepared to Amazon booting you.
>Until then, no one is going to flock to Hetzner over AWS.
You don't need the market to flock to Hetzner or OVH to use it yourself and avoid US sanctions.
There are often subsidiaries that offer the same services, except everything is done in the EU, data storage, support, etc. Of course the US still has access because of compromised infra, but at least it's illegal now.
I'm in Africa and most companies here host their systems either locally (very expensive and slow) or in America. The other day I had a pretty heated argument at work with a colleague when I mentioned it is really not good for us to host any of our stuff in America (all of it is currently in America). He basically freaked out about it. I just wanted to hear his thoughts about it, but he took personal offence (he's an aws fanboy).
There are problems with the laws, copyright laws too, US gov agencies etc that are all incompatible with our own laws. If something bad were to happen, our own courts have zero power to help us. We also don't have a direct fiber line to America so all our traffic hops through Europe and more recently through South America, so about 200ms added to most requests.
The only reasons to use American hosting companies is because of:
1) The financial cost can in some cases work out to be lower than local options.
2) It can be easier to scale your service vs self-hosting on premises.
3) American hosting platforms have really nice GUIs and tooling, while being well integrated with the billing side - everything mostly just works as expected.
But other than that, if money and skills are not a problem, then on-prem is best here.
Money and skills are ALWAYS problems. Those are "cheap" and "fast" of the "cheap, fast, good, pick two".
> Money and skills are ALWAYS problems. Those are "cheap" and "fast" of the "cheap, fast, good, pick two".
Those are not problems, those are trade-offs. OP is right, you could be in a position in which those trade-offs don't apply to you (i.e. by buying an "expensive" but great solution, this happens all the time in all the industries) or you could sacrifice one item (say speed) in your solution if this is not a problem for your workflow ("so what if an open source tool runs 2x as slow as the best proprietary option, our daily batch processing takes 2 hours and it is used in weekly buckets")
No one has an infinite supply of any of the three. They are problems. You say they "don't apply" but then you explicitly acknowledge that you lose "cheap" or "fast" in your examples.
> problem (n) 1a: a question raised for inquiry, consideration, or solution
>Especially us europeans should not rely on American services at all.It's not worth it.
Sure, please let me know how the EU plans to build Office 365, AWS, GitHub competitors of similar scale, quality and success.
We have no private investors that would pony up enough money to go against US tech titans and fat chance the EU would ever fund such initiatives and if they would, the money would evaporate over night to companies with political connections and overpriced consultants who would just produce documentation.
Let's face it, the ship of EU dominance in tech has sailed a long time ago, we might as well get comfy with the US pulling the strings on that front.
The only way the EU would ever stand a chance is if the EU would pull a Chinese style great firewall and outright ban foreign tech companies on their internal market, leaving space for local companies to spring up and fill the void but that will never happen.
I agree with you that Office 365, AWS and Github are great products. Hard, if not impossible, to catch up as a competitor, especially when you have trillion dollar companies backing them.
However, if you cannot trust those products then you cannot use them.
Remember, this thread is about Github blocking an entire company due to one employee, due to American politics. If a non-US company risks losing its project management/code management (Github), its infrastructure (AWS) or its documents (Office 365) on a whim due to American policies then they cannot use those products.
If a big enough chunk of the world can't use the American offerings, then there is a market for alternatives.
I think it's important to frame it correctly: US companies have been persistently acting illegally in Europe. Avoiding taxes (e.g. Amazon's Project Goldcrest) to undercut competitors, mishandling data for profit, and then abusing market dominant positions to prevent European competitors from rising up; forcing those potential competitors to sell to US firms.
You're right that it's probably too late to reverse all of this economic damage that the US has intentionally caused. It's a difficult problem for the world.
Ah yes, poor innocent Europe that is so distraught over the economic damage US companies did that checks notes Ireland sued the EU on behalf of Apple to prevent it from having to pay taxes.
You're right. You should frame it correctly and take ownership over the complete and utter regulatory failures of European countries to support and nurture local businesses.
> We have no private investors that would pony up enough money to go against US tech titans and fat chance the EU would ever fund such initiatives
Did you miss this a couple of weeks back?
https://www.eetimes.eu/eu-signs-e145bn-declaration-to-develo...
That's for semiconductor technology, not a full software stack, search engine, social network, or server hosting farm that could compete with Apple, Google, Facebook, or Amazon. Designing ICs is already a niche market, and designing process nodes for IC manufacturing is even more niche. Furthermore, the EU already had technical superiority here: ASML is the company that supplies TSMC with the machinery that powers their 5nm node.
Sure, I get what you're saying, but I hope you see my point here. Pursuing 2nm lithography (which is something like 1-2 nodes from bleeding edge?) with 135 billion euro surely tells you something about their commitment.
I would also point out that many of these companies you mention are immensely scattered. Take anyone and you'll find their resources spread across an ever-growing domain/portfolio. I'm not saying it's bad that Apple is developing cars and Facebook VR headsets - I'm just saying it spreads them thinner. If the EU found it valuable enough to pursue e.g search within the next five years it's not at all unfeasible or unreasonable to do so. It might even be better for the greater good of the internet frankly.
I generally agree with your post (we both made the mistake of posting during EU peak times and not US peak times, so downvotes incoming), but it's worth noting that Airbus is a success story bolstered by the now-EU to combat American aerospace dominance.
I love Airbus, but they're not a software company and since we live in the age of cloud-everything, software has eaten the world and all our mobile tech is controlled by two US walled gardens (apple and google) that is a lot more potentially impactful on our daily lives on multiple levels of our society than what Airbus could do.
The Silicon Valley wasn't built overnight. The software industry is just taking off in the EU. Mind you, nobody would have thought that the US would lose their leading role in the Middle East, look at them now. I can see the same happening in tech.
Problem is that EU is not comparable in any manner to the US. For one, where do you suggest the Silicon Valley of EU is? London would've been a decent bet except that they just bailed.
As someone else mentioned, capital is way harder to raise (meaning slower to market) - and then an underrated factor which is equally important is how easy or difficult is it to sell as a nascent startup. At least in my industry (cybersecurity) it has been very hard in the EU vs US in the earlier stages of product maturity.
Much like the parent comment, I don't see this changing anytime soon and I'm fully betting on the fact US will keep their dominance in tech.
Well, we shouldn’t just assume that Silicon Valley has to be a place. The lockdown showed that numerous companies can operate 100% remotely. And I got the impression that there’s always more money than startups.
Silicon Valley absolutely has to be a place and people will return to face-to-face social contact the minute that is possible. It is impossible to build long-term meaningful relationships on a 100% remote basis.
Wages are also strangely way, way worse in the EU. When you combine that with cost of living (and taxes) being far higher there, it's not a great recipe for growth.
It depends. For example, office software is already far into the flat region of its innovation curve. IMHO it would suffice to throw away MS and adopt e.g. LibreOffice in all educational and government institutions throughout the EU (and there are precedents already). GitHub shall be even easier to replace (complexity is far below office and open source alternatives do exist). Now with AWS, it is really a tough question. Hetzner is making very good (albeit slow) progress towards AWS functionality. Their prices are competitive and customer service is much better than what I ever got from AWS (not affiliated, just a happy customer). The level of integration in AWS however is still out of the reach of Hetzner (Cloudfront, S3, SES etc).
It would be really interesting to know your opinion on what functionality in AWS is indispensable and what you can sacrifice in case Hetzner/OVH price for the rest is the same as AWS or lower.
> Sure, please let me know how the EU plans to build Office 365, AWS, GitHub competitors of similar scale, quality and success.
There are no such plans. EU wields a lot of regulatory power. The most likely path of action would be to force MS/Amazon/etc. to spin-off their EU side of the business. And I believe that the companies have already prepared for this.
This is ridiculous.
China requires access to your company code and pretty much owns you.
The USA government is interfering as much as European governments do, by making stupid laws and demanding access when they can think of an excuse. Sure, it's bad but it's not as bad as China.
You can't trust any government, but some are better than others.
Indeed, gives me hope for decentralised technologies like gitcoin, that could perhaps give more agency to developers.
You must be kidding. There’s no way companies like Apple would ever hand out iCloud source code to China.
I gotta agree with you. I understand GitHub doing that, they fear repercussions (remember that Huawei employee being arrested?). But, these things are too serious for a company to ignore.
Chinese and USA services should be avoided...
I assume this will be your last post on HN then...
What do you suggest to use instead of GitHub?
The US sanctions on Iran have such a massive impact on Iranians that most of us don't realise.
All US companies have to comply and majority of the tech companies are unfortunately in the US.
I know you can use a VPN and configure it on a router level to make sure that you are always connected via a VPN but just the fact that 1 slip-up can result in account level blocks (which google is notoriously good at and can essentially shut down your business) means no company would want to work with someone working from Iran.
Coming from a 3rd world country, I know the problems of internet censorship which Iranians also face but being too toxic to touch for everyone outside Iran because the US leadership thinks so is just infuriating and heart breaking.
Imagine being a programmer in Iran. Not only do you have less resources to learn and grow, you have a massive handicap to find good work as most work is outside of the country.
Only bet is to leave the country but even there you have a very low probability as you basically can't have a trial period for your job as most companies don't want to risk having their accounts blocked.
Most of us here know how degrading and infuriating the tech recruiting processes can be and now add to it the horrors of working from Iran.
Wars are not supposed to have civilian casualties but this one has a generation of civilians being starved of information and experience critical for them to grow.
(Controversial comment)
I am not condoning the actions of the United States government, but arguably the Iranian Islamic theocratic regime has unleashed more horrors on the Iranian people in the last 50 years than any other foreign government.
Imagine the horror US has unleashed "invading" almost every country in the world (except 3) with formal or hidden missions.
You replied to a troll trap. It doesn't matter what the Iranian gov does or did, nor what the US gov did all these years.
The argument is that the US sanctions are wrong. It's totally against what America and the West at large stand for. Those sanctions, as always, punish innocent citizens the most. The strategy of course is to make those citizens revolt. But it ain't even working. See with Iraq and Libya, they literally ended up bombing these countries and ensured the death penalty to those leaders, and now see how worse it has become over there (interestingly the news outlets don't report much of the situation now).
I have been clearly and firmly reminded by my employer about sanctions on Iran and to not engage in any business with Iranians as clients. The US government, as said in another comment, is using its country's private economic powers for the service of its (absurd) geopolitics, not far from what China has been doing, but with far more hypocrisy and somehow less success.
You realize that there are between 194 and 197 countries in the world depending on who is doing the recognizing[1]? Could you please provide a citation for the 191+ countries you say the US has invaded?
[1] https://www.worldatlas.com/articles/how-many-countries-are-i...
From your link:
>"According to Kelly and Laycock’s book, the United States has invaded or fought in 84 of the 193 countries recognized by the United Nations and has been militarily involved with 191 of 193 – a staggering 98 percent."
"Invaded or fought in" - that's a pretty big "or" there no? The theater of operations for the US Military in World War II was easily 84 countries in itself [1]. Also 84 countries is not all but 3 is it? Nor would it be considered "most" as you stated.
Further that's not really a citation that supports your assertion. It's a post with a single reference to a book entitled "America Invades: How We've Invaded or been Militarily Involved with almost Every Country on Earth." The phrase "or been Militarily Involved with" is casting a pretty wide net no? That's quite a nebulous clause. If you sell someone a tank you are "militarily involved" with them. By that dubious measure much of the globe is "militarily involved" with each other.
Have you read this book? What seems to be notable about this book is the absence of any footnotes or bibliographic information. This is quite odd for a history book. I think this book could be accurately described as "entertainment reading" as it seems to lack any academic rigor.
[1] https://en.wikipedia.org/wiki/United_States_theaters_of_oper...
US sanctions are just adding to the troubles of the Iranian people, I should say.
Hmm... I wonder if the United States government had anything to do with that regime coming to power...
Imagine having to preface such a benign statement of fact with a disclaimer like that. What kind of bizarre culture have we created?
Another controversial comment:
This is the other side of the Enlightenment ideal that the legitimacy of a government can only come from the support of its people.
When you declare another people to be, literally, Satan, there may be resulting consequences.
Imagine being a programmer in Israel and hearing that the leader of a neighboring country wants to kill you and everybody you know.
We're not unaware of the impact of sanctions. Fundamentally, starving a generation of Iranians of information and experience is worth it if leads to civil unrest and regime change, therefore preventing Iran's current leaders from committing the genocide they've said they want to commit so many times.
> starving a generation of Iranians of information and experience is worth it if leads to civil unrest and regime change
I'm afraid you're mistaken, and that removing knowledge from people just makes the regime stronger.
Instead, providing the people in Iran with more knowledge and education would make even more people oppose the dictatorship, I'd think.
Not nuclear physics though, but GitHub yes sure.
Israel is starving several generations of Palestinians of opportunity and experience [0], resulting in civil unrest. Israel could de-escalate its tensions with its neighbors (including Iran) at any time. It just needs to start treating its neighbors with respect.
Unfortunately, peace in the Middle-East would shift political power in all countries involved, shift government spending, reduce military aid from superpowers [1], and reduce the importance of the countries to the superpowers. A lot of power and money is trying to prevent that from happening.
You don't need to play along with those powerful people. They don't want to help you. Lasting peace would help you and your descendants much more than continuing the current situation.
What does Israel's conflict in Palestine have to do with Iran? The Ayatollah doesn't care about Palestinians.
Saying that Israel could resolve the issue by de-escalating is nonsense, as much as saying the same thing about North and South Korea. One side has leaders intent on acquiring nuclear weapons and publicly claims it will use them against its neighbors.
The analogy to North Korea is quite appropriate. Each superpower supports its vassal states and ignores their brutality.
USA : Israel : Palestinians :: PRC : North Korean Dictatorship : North Korean People
Imagine being almost any other religion in the Middle East and learning that Israelis on a day to day basis are lobbying to carve your countries apart by imperialist wars via their American proxies, bulldozing the homes of your coethnics in Palestine, raping their children, forcibly hijacking their TVs and exposing their kids to pornographic broadcasts, organizing a famine in Syria by their Kurdish proxies, and occupying their homelands. It was only in 2006 that Shiites and the SSNP finally kicked them out of South Lebanon, where they regularly committed war atrocities. Add to this the historical genocides that the nation of Israel completed and rejoice in within their scriptures -- the Ammonites, the Moabites, the Jebusites, the Canaanites (the assault on which happened the day after the Israelites convinced them to get circumcized, then went door to door killing them while their dicks hurt) are all tribes that were completely physically wiped out by the Israelites.
This argument should apply to Israel, which is the biggest per capita committer of genocide, land theft, rape, and fraud in the entire world. The entire history of Israel is one of genocide, from the ancient world to today. We need BDS now and a just society would absolutely shun your nation until they respect human rights.
There's a lot in your post that's wrong and this comment won't allow me to correct all of it. Grabbing two:
- the Arab nations don't consider themselves kin (or "coethnics", whatever that means) with the Palestinians. When Jordan and Egypt controlled the Palestinian territory, they treated the Palestinians worse than Israel does today.
- the groups that commit the vast majority of rape (per capita or otherwise) in the middle east are not Israeli. In most of the Muslim countries, it's legal to rape your wife. In some of them (such as Iran), men execute their daughters for being raped by their neighbors. One well known group (ISIS) was really into rape - and so Iran gave them money so they could rape more.
If what you care about is rape, murder, and genocide, you're against Iran 100x as much as you're against Israel.
The Arab nations absolutely consider themselves kin with Palestinians. Pan-Arabism, Baathism (the ruling philosophy of Syria, which Palestine is a part of), and the Greater Syria of the SSNP are all extremely popular Arab world ideologies which include Palestinians in a framework of all Arab peoples. Your statement is extremely incorrect, and I find it extremely unlikely that someone who lived in the Levant would not know this.
Domestic disputes are also not like a foreign army arresting young children and raping them.
"Syria, which Palestine is a part of"
What an extraordinary claim. It demands an explanation. There is no part of Palestine in which Syrian law runs. There are no Syrian cops or troops in Palestine. There are no Syrian government offices in Palestine.
Throughout all of history Palestine was a part of Syria.
From the "Syria Palaestina" of Roman times all through the Rashidun, Umayyad, Abbasid, and Fatimid Caliphates, the Ayyubid dynasty, and the Mamluk Sultanate, the borders of Syria have nearly always encompassed all of what is described as Palestinian territories today, with a special exception made either for the occupation of Jerusalem by the Christian First Crusade or in the 19th century the Jerusalem Mutasarrifate of Jerusalem was split away into a special region given legal autonomy as a city-state, much like Vatican City.
All through this time, for thousands of years up through the Ottoman era, the borders of Syria included what are now described as the Palestinian territories. You can see them on a map here:
https://en.wikipedia.org/wiki/Ottoman_Syria
You can also check maps available on Wikipedia for the historical borders of Syria during the Caliphates, which have always encompassed Palestine.
Palestine was never an independent nation at any point in history. It was always a part of Syria, and Syria today considers it Syrian temporarily-occupied territory stolen by Western-sponsored violence and terrorism.
So: "Palestine WAS a part of Syria", ergo "Palestine IS part of Syria"?
Sounds like: "Palestine was inhabited by Jews", ergo "Israel is entitled to the whole of Palestine".
I evidently have a defective logic board. I'd better check myself in for servicing.
> Add to this the historical genocides that the nation of Israel completed and rejoice in within their scriptures
You do realize that the bulk of "other religions" in the Middle East (namely Islam) - and, for that matter, the US (namely Christianity) - are derived from those same scriptures and rejoice in those same genocides (and have happily added to them over the past couple millennia, of course), right? There's no moral high ground on either side of this mess.
Such cases highlight the importance of improving IPFS and federation protocols, for example for Gitea[1][2] or GitLab[3][4]. Or just sponsoring them[5]. The source code for ForgeFed[6][7] might also be of interest for improvement.
[1] https://github.com/go-gitea/gitea/issues/1612
[2] https://github.com/go-gitea/gitea/issues/9045
[3] https://gitlab.com/gitlab-org/gitlab/-/issues/6468
[4] https://gitlab.com/gitlab-org/gitlab/-/issues/33665
[5] https://opencollective.com/gitea
also radicle.xyz
that was an interesting rabbit hole you sent me into, thanks for sharing!
If the Iranian employee logged into the Github account, isn't blocking the account exactly what the law says they should do? If all they did was apply a merge request in one of the repos then would reverting the merge and blocking the account would be enough to comply? Is there some alternative way to comply with US export restrictions?
The real question here is why people even consider using US cloud companies when they know they have employees working in countries subject to severe US trade restrictions. If you're willing to risk your company being denied business with American companies, then you should also have a mitigation strategy when you get caught. It sucks that you have to work around US regulation to do normal business but this is just how the world works right now.
It's not an Iranian employee. That's just someone visiting Iran and logging in to their GitHub account.
GitHub reaction is outrageously disproportionate. They should just prevent login from Iran. They had no basis for blocking a legitimate customer in Europe based on this.
Funny how GH gets shit for what the US has as laws. I'd focus my outrage on the law, the lawmaker, and those who uphold it. GH is merely trying to go by the book/ avoid penalties, as expected.
The US embargo prevents doing business with Iran. Providing service in Iran would be a violation of the embargo. Blocking a whole European company not conducting business with Iran because one of its employees tried to log in while there is not respecting the embargo, it's just overreach. GitHub should get flak for that in the same way Paypal regularly gets flak for randomly freezing accounts.
> GitHub should get flak for that in the same way Paypal regularly get flak for randomly freezing accounts.
Random? I think the problem with Paypal was that they do not warn or provide reasons for freezing. GH's reasons are clear.
> Blocking a whole European company not conducting business with Iran because one of its employee tried to login while there is not respecting the embargo, it's just overreach.
Says who? There is a law, the law is unclear and IMHO a bad law. The law is overreach. Blaming GH for shitty US laws is akin to killing the messenger.
> Says who? There is a law, the law is unclear and IMHO a bad law.
Says the US Department of the Treasury, as mentioned in the Twitter thread further down:
> 118. I have a client that is in Iran to visit a relative. Do I need to restrict the account?
> No. As long as you are satisfied that the client is not ordinarily resident in Iran, then the account does not need to be restricted.
from their "FAQs: Iran sanctions" page — https://home.treasury.gov/policy-issues/financial-sanctions/...
Is Github on the hook if the client is actually a resident? If so, the law is still bad and github's response may be appropriate (just blocking login from Iran sounds better though). You can't expect them to investigate the personal details of their users.
They could at least have a grace period for country changes.
But I sure as hell can expect them to investigate before cutting service to a long-time customer.
GitHub didn't decide in their actions blindly. They have lawyers who review the laws, look at their services and write the rules to follow internally. The lawyers obviously have a reason to disagree with the Treasury and GitHub under Microsoft aren't exactly going to be using cheap lawyers either.
They have since restored the account, so your argument is invalid.
Keep in mind that US Government agencies that administer sanctions laws (the Treasury, in this case) are the ones interpreting what these laws mean. See https://en.m.wikipedia.org/wiki/Chevron_U.S.A.,_Inc._v._Natu....
And now is when GP should reply saying "oh gee, you are right and I was wrong. thanks for pointing that out."
Github shoulders all the responsibility if they get it wrong. They appear to be doing the reasonable thing, up until this could not be resolved through customer support (as the company bears the burden of satisfying github that they are not violating the embargo).
Yes, the core problem here is that unblocking the preventive block in 7 days is both unacceptable for the client and a big OPEX ask for github.
What I’m not sure at all is that github had the obligation to preventively block cases instead of the alternative to investigate high risk cases prior to block. As long as they had a sound Compliance process for determining sanction enforcement needs in a reasonable time it should be enough - though for sure more expensive than autoblock followed by non-specialized, non-time sensitive (for github!) customer service followup.
> Says who?
The same law you're stating.
https://home.treasury.gov/policy-issues/financial-sanctions/...
> I think the problem with Paypal was that they do not warn or provide reasons for freezing
Which is par for the course for financial companies.
> GitHub should get flak for that in the same way Paypal regularly get flak for randomly freezing accounts.
If GitHub freezes your account, this is obviously serious and can impact your business to a greater or lesser extent depending on what your business does. But the data is not lost, and you'll likely have a copy of at least some of it (the actual repos) and maybe all of it if you were being careful.
If Paypal freezes your account then any money in it is simply lost (and your loss is Paypal's gain!). There's no way you could keep a "backup" of that money even if you were being careful. It's completely incomparable.
> If Paypal freeze your account then any money in it is simply lost (and your loss is Paypal's gain!).
While this is completely tangential to the current discussion, I feel compelled to inform you that that's not how it works. When Paypal freezes your account, your account is not deleted; you just can't do anything with it. The money in it obviously remains yours. You just have to convince them that your account should be unfrozen or wait the maximum duration you agreed to in Paypal's ToS, 180 days, after which they have to hand it back to you.
> not conducting business with Iran
> its employee tried to login while there
Those two statements are incompatible with each other.
Nope. There is an explicit exception for non-citizens. Only Iranian citizens need to be blocked.
And blocking on the first login attempt is overreach. The system doesn't know if you are a tourist, visitor or resident. So wait two weeks at least.
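One way to implement the "refuse the session, not the account" policy with a grace window, as an added example that is not part of this thread or of any GitHub code. The country codes, the 14-day window and the sample login history are constructed values, and the geo-IP country of each login is assumed to be supplied by the caller:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Constructed policy values for the example; a real deployment takes these from counsel.
EMBARGOED = {"IR"}          # geo-IP country codes where service may not be delivered
GRACE = timedelta(days=14)  # continuous presence before escalating to a human residency check


@dataclass(frozen=True)
class Login:
    when: datetime
    country: str  # ISO 3166-1 alpha-2 as reported by geo-IP (assumed input)


def decide(history: Iterable[Login], attempt: Login) -> str:
    """Classify one login attempt without suspending the account as a whole.

    Returns:
      'allow'        - attempt is not from an embargoed location.
      'deny_session' - attempt is from an embargoed location: refuse this
                       session only; the account and its organisations stay up.
      'review'       - the account has been seen only from embargoed locations
                       for at least GRACE since its last login from elsewhere,
                       so a human checks whether the user is ordinarily resident.
    """
    if attempt.country not in EMBARGOED:
        return "allow"

    logins = list(history)
    # Last time the account was seen from a non-embargoed location, if ever.
    last_home = max(
        (l.when for l in logins if l.country not in EMBARGOED), default=None
    )
    # Embargoed-location logins since then; the current attempt counts too.
    stay = [
        l.when
        for l in logins
        if l.country in EMBARGOED and (last_home is None or l.when > last_home)
    ]
    stay.append(attempt.when)
    # A short visit never reaches the window; a prolonged stay does.
    if attempt.when - min(stay) >= GRACE:
        return "review"
    return "deny_session"


def sample_history() -> list:
    """Constructed sample: a European account seen from NL for three days."""
    day0 = datetime(2021, 1, 1)
    return [Login(day0 + timedelta(days=d), "NL") for d in range(3)]


if __name__ == "__main__":
    hist = sample_history()
    visit = Login(datetime(2021, 1, 4), "IR")
    print(decide(hist, visit))  # a brief family visit: the session is refused, nothing else
```

The design point is that the per-session decision and the account-level decision are separate: the embargoed location never receives service, while the account itself is only escalated, and only to a person, after the login pattern looks like residence rather than travel.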
Nope. There is an explicit exception for people who you know are not an Iranian national.
Not as per the letter of the law.
https://home.treasury.gov/policy-issues/financial-sanctions/...
It's so peculiar that you - and some guy on twitter, apparently - are quoting a footnote to a FAQ on Treasury's OFAC information page as if that captures the entirety of an American company's obligations under the law. This is really obviously crazy, right? In any other, less political, context involving business law and liability the advice would be "talk to a lawyer."
I doubt GitHub or any org is changing their SOP based on my comment. But the mere existence of a scenario equivalent to the one in question in the operating guidelines suggests there is room for sanity to prevail in the interpretation of the law.
A single person has no way of influencing this. Twisting Github's and others' arms is a great proxy. If they get flak for their handling of this, they can go argue with law makers.
Does that not just speak to a larger problem with the current political system, that twisting the arm of a large company is the only way to effect change?
Does that mean that we shouldn't address any of the smaller problems?
Well, it's kinda like the whole "if a misbehaving app crashes the whole OS, whose fault is it? The app's? Or the OS?"
> ... one employee opened his laptop while visiting [h]is parents in Iran.
I suppose this implies that the employee is Iranian.
The U.S. sanctions are pretty aggressive, and I don't think preventing login from Iran is anywhere near enough to comply. The law is the problem here.
> I suppose this implies that the employee is Iranian
Sorry what??? I have family in India, but not because I'm Indian, I just have family there. I have family in Poland, not because I am Polish (well I am kind of, but not on paper). I have family in the UK, but I'm not British.
This is 2021, not Christopher Columbus times.
You seem rather outraged by the sensible assumption that parents living in Iran are probably Iranian, and that a person with two Iranian parents is probably also Iranian.
In 2021, people are still directly related to their parents, and the majority of citizens in most countries is indeed the local population.
They may of course have obtained American citizenship now, but we're talking in the context of crazy US sanctions on Iran here, which I think work on connection to Iran.
I don't think there should be any consequence to being Iranian, but I don't have a say in American politics.
Such presumptions have, historically, led to such actions as the wholesale internment of Japanese Americans during World War II. This included 2nd and 3rd generations born in America, who never had left America. [1]
[1] https://en.wikipedia.org/wiki/Internment_of_Japanese_America...
So, no, it's not merely a "sensible" assumption.
It's an assumption that carries collective trauma and negative connotations for many whose ancestors have experienced painful discrimination because of their ancestry.
> I don't think there should be any consequence to being Iranian, but I don't have a say in American politics.
No, you don't. But you do have a voice to ask critical and nuanced questions out loudly.
The problem with that internment was not the part where the government labeled first generation immigrants as Japanese.
You cannot relate two different ideas by virtue of one tangentially common theme.
It's common sense that most people are from the same country their parents are from, given what we know about immigration.
Interning people based on predicting their behavior due to ancestry is a whole different ballgame.
> It's common sense that most people are from the same country their parents are from, given what we know about immigration.
The legal concept you're referring to is called "ius soli". The legal concept which serves as a basis to determine someone's allegiance by their ancestry is called "ius sanguinis". [1][2]
[1] https://en.wikipedia.org/wiki/Jus_soli
[2] https://en.wikipedia.org/wiki/Jus_sanguinis
So, no, it's not "common sense" to make that assumption.
Moreover, there's also the concept of "right to return" in international law. Many nations have implemented this in their nationality laws in a way that extends surprisingly far.
For instance, if you're of Luxembourgish descent through the male line of your family, you could just claim Luxembourg citizenship - and by extension E.U. citizenship - under Article 7 of their nationality laws. Something which was recently pointed out on Reddit. Even if you weren't born in Luxembourg or have never set foot in the E.U. proper. [3]
[3] https://www.reddit.com/r/YouShouldKnow/comments/izkwzk/ysk_t...
I'm pretty sure some people might be surprised to discover they have a right to citizenship in another nation simply because they took the time to dig into their ancestry, their history and nationality laws.
> Interning people based on predicting their behavior due to ancestry is a whole different ballgame.
Of course it is.
But, why discuss someone's citizenship or ancestry then if it - apparently - doesn't matter in this discussion at all?
The only other theory that explains why this person got his access revoked from Github because he visited Iran, regardless of the reasons why, nevermind his citizenship or his ancestry.
If citizenship and/or ancestry matters, as is seemingly implied but never voiced in this discussion, then bringing up the implications of how policies reflect on that assumption clearly is relevant given the historic perspective.
Those two rights deal with determining citizenship at birth.
The common sense idea deals with the probability of someone (already born) being of a certain citizenship given their parents' location.
Different ideas.
> The legal concept which serves as a basis to determine someone's allegiance by their ancestry is called "ius sanguinis"
Not allegiance, citizenship. Different, but similar concept again.
> Those two rights deal with determining citizenship at birth.
Citizenship is always first determined at birth. This isn't relevant to the discussion.
> The common sense idea deals with the probability of someone (already born) being of a certain citizenship given their parents' location.
That would be "ius soli". As opposed to "ius sanguinis".
It's also not a "probability". These are principles which are formally enshrined in nationality laws and very much determine travel, migration and national security policies in different nations. Including the United States.
These are not "common sense" either.
These are laws which come with a long historical pedigree which includes identity politics, economic policies, moral and ideological values, and so on.
They are also very much subject to change through the dominant politics of the day.
> Not allegiance, citizenship. Different, but similar concept again.
I'm not willing to engage in a semantic discussion.
> that a person with two Iranian parents is probably also Iranian.
It depends on the countries' respective laws, but it's certainly possible that the person in question is not Iranian at all in terms of nationality as opposed to ancestry. As I recall, the law in question pertains to Iranian nationals, not those who happen to have Iranian ancestry.
It implies he has parents in Iran. He could be a US citizen or an Iranian citizen. Or both. Or neither.
Nope, not at all. Thousands of Europeans are travelling to Iran for tourism or conducting business. The trade sanctions don't block visitors to check their work.
"The United States has imposed an arms ban and an almost total economic embargo on Iran, which includes sanctions on companies doing business with Iran, a ban on all Iranian-origin imports, sanctions on Iranian financial institutions, ..."
A private visit is not doing business, so the org cannot be blocked. And most other companies are ignoring the US sanctions, that's why we have the current propaganda push.
The law is ok, because economic sanctions are the only way to get rogue nation states to comply. That's why we have sanctions on Iran, Russia, Crimea, North Korea. Unfortunately not against the US yet.
Would it not be sufficient to just block requests from Iran rather than shut down the account and the groups they are in? That way when they return home they can still access the site.
Given the legal penalties for violating sanctions and the vigor with which they are pursued, probably not.
Should it be this way? No. Is it entirely Github’s fault they overreact to any sign they’re serving Iranian users? Also no.
Iranian company uses VPN service to get around the block - VPN goes down and their requests to GitHub go directly - GitHub blocks those requests; the Iranian company continues using them once the VPN is back on - US government finds out - Bye bye GitHub
I believe that would be illegal. I suspect the reasoning is that the US is not on friendly terms with the government of Iran, which is a political squabble and not a conflict with the people therein, even though the practical consequences are indecipherable.
The US military has been wrestling with that reasoning for about 20 years. If the majority of attacks and intrusions on military infrastructure originate from a single nation state and there exists evidence that most such attacks are sponsored by that nation state it would make sense to simply block all IP addresses originating from that nation state. This does not occur because the attorneys will not allow it due to both diplomatic and legal reasons.
The real question is why GH blocks an Indian company and all its Indian employees (all legal and outside the US sanctions list) when an employee logs on in Iran.
Does US law require application to such an extreme degree? If not, then why is GH doing it?
Because github is a company based in the USA and must comply with the law of USA. It does not matter where the customer of github is based. It would be the same with gitlab because they are based and hosted in the USA.
If you are German and the USA decides to apply sanctions on Germany because of NordStream2 tomorrow, well, good luck setting up your own gitlab ce...
Ofc GH has to comply with US law, but you missed the question: does US law require blocking access to cover those who are not on the sanctions list?
Or look at it another way: this is an Indian company. Does one employee opening their laptop in Iran make it an Iranian company under US law?
If the employee was Iranian, then yes, GitHub would be required to do this.
"If the employee was Iranian, then yes,...."
https://home.treasury.gov/policy-issues/financial-sanctions/...
118. I have a client that is in Iran to visit a relative. Do I need to restrict the account?
Answer
No. As long as you are satisfied that the client is not ordinarily resident in Iran, then the account does not need to be restricted. See FAQ 37.
>If the Iranian employee logged into the Github account, isn't blocking the account exactly what the law says they should do?
Does everyone in the world need to subscribe to "a list of countries US jurisdiction doesn't like" just so we will be able to work, check email or review opensource code while being on holiday in an exotic country?
Is GitHub going to take itself down when one of their employees goes to Iran for holiday and logs into their GitHub account? If not, then why are they treating others with such contempt?
I'd imagine Github/Microsoft has extremely strict rules about not taking company resources to, or performing any work at, or accessing any company resources from countries that are embargoed.
This simply wouldn't happen at my company because special permission is needed to take any company assets out of the country. If anyone at my company casually took a company laptop to Iran that would be instant termination. It absolutely astonishes me that a company wouldn't have a policy about taking company resources to foreign countries.
My startup had similar rules when we were only 10 people.
Beyond just the Iran issue, it's known that trade secrets on employee laptops are at risk when crossing some international borders, particularly in airports. Border agents can confiscate electronic devices on vague suspicions, compel you to unlock them (or hack them open in some cases), and then leave them in unsupervised settings with yet more border agents who have the barest electronic security training. These risks terrified me during my travels!
Right - this is actually the main reason for such policies; we receive regular training on this.
All devices are subject to search, seizure, and duplication when crossing international borders and border agents may tamper with devices as well. If assets cross borders there has to be a good reason, it has to be documented, and phones/computers may have to be scrubbed before and after depending on circumstances.
This is not the case at most large companies (FAANG) - no special permission is required to take a laptop with you across borders. They'd generally rather you have your laptop with you so you can get work done.
Regardless, this person logged into GitHub, which could have been from any device including a phone.
1) In this case the laptop was taken to Iran, so that's what we are talking about here.
2) I can assure you there are policies at Microsoft that include performing work abroad and accessing any company resources from abroad. Obviously nobody will be approved to access any company resources from Iran, especially not source code.
3) I can say there are policies at MS with a very high degree of confidence because I personally have done work with Microsoft involving code and data that is export restricted.
4) Companies should have policies in place in order to avoid situations like this. Taking your company laptop to, say, Germany probably isn't a big deal for most companies, but any "exporting" of company assets should at least be pre-approved/documented.
I checked with my old classmates who currently work at Microsoft and LinkedIn, and they do not require permission for accessing company resources from abroad. One of them has been working from Israel and Turkey for many months in 2020. Another has been in Mexico since the pandemic began.
I'm not sure what team you worked in, it's possible some teams have stricter policies. If you were doing business with Microsoft, the export control language is boilerplate contract language.
GitHub is in possession of substantial additional information in that scenario, namely, "we're quite certain we don't have Iranian employees on staff".
Do they keep an up to date database on who's dating whom?
yes
Funny Story.
When I went to London for the first time I met a ridiculously attractive Swedish Arab girl. She had mentioned she really wanted to visit America, but with the recent election of Donald Trump she was a bit scared.
Not all of us like Eastern European women, Trump blocked my game right there.
The point of this story is anyone can meet anyone from anywhere and the nasty racist system the US has for blocking certain people because they have the wrong last names or whatever doesn't do anyone any service.
I also don't think embargoes serve anything aside from radicalizing other peoples. Take Vietnam, now you have Coca-Cola, and McDonald's succeeding to do what 20 to 30 years of Western imposition couldn't, they've made Vietnam capitalist. That was accomplished once the embargoes were removed in the nineties. Even with Cuba, I'd imagine if the embargo didn't exist you'd see much more reform as individuals would eventually be able to succeed on their own merits.
I think it is ridiculous to treat this misbehavior of letting someone log in from Iran as a mere transgression of a subsidiary. Clearly Microsoft needs to shut down all their servers as they are paying for Github.
I can’t speak for Microsoft but certainly at Amazon there was a very strict policy about working from specific US locales for tax liability reasons: it wouldn’t surprise me at all to learn Microsoft employees are quite explicitly banned from ever taking equipment into places like Iran. Would they ban themselves if it did happen? No, but also it should never happen vs. this case where they have an employee working from Iran.
It's simple, they don't pass a background check on them probably.
I'm on GitHub/Microsoft's side here. They are not responsible for the content of US export control laws, and they have an incredible amount to lose if they are found to be in violation of US export control laws.
Presumably GitHub needs some automated tool to prevent inbound traffic from sanctioned countries, and it's hard to be certain that they are complying with US law if such automated tools have some wiggle room allowing for a non-zero amount of usage from sanctioned countries.
The whole situation isn't great, but none of it is GitHub/Microsoft's fault.
> They are not responsible for the content of US export control law
But they are responsible for understanding what's required under those laws. If they're going beyond what's required to comply with the law, then those further actions are entirely on them.
Yes, so Github has to take on the assumption that they are visiting relatives, not resident in Iran.
Or you get the alternate headline "Github facilitates Iran sanction evasion by allowing Iranian developers to mark themselves as 'visiting a relative'" and the associated charges.
There's nothing in the law that says that Github must block an entire company from accessing their company org because one member of that company logged into a separate account that happened to be a member of the company org. At most, the account that was accessed should be suspended.
"none of it is GitHub/Microsoft's fault."
Not really:
https://home.treasury.gov/policy-issues/financial-sanctions/...
pretty clearly states they don't even need to ban that specific person let alone the entire company.
Perhaps I spoke too soon. It looks like GitHub is able to do something about the issue.
https://github.blog/2021-01-05-advancing-developer-freedom-g...
Github does not respect Schrems2 either.
Companies routinely engage in activism. I’ve seen more than one software company cut off Trump campaign from their services, which was politically motivated. Now, US sanctions against Iran are clearly illegal. Yet, everyone is just fine with that, no activism whatsoever. I say people should revolt.
I find your use of "illegal" interesting.
To me, it means "against a law", and laws are made by countries (sure, parliaments of those countries or dictators or...), and generally apply only to that particular country (some things attempt to get a wider reach, but they are usually unenforceable unless there's a local company to pursue, most famous example being GDPR).
There are international conventions and the UN, but countries do not have to be signatories or members to any of them. And I've never heard anyone use the term "illegal" in that sense before.
So what do you mean with "clearly illegal"?
(fwiw, I am very much against the US acting as the "policeman of the world", but sanctions are a political tool to make someone less powerful comply; beats an invasion and bombing that USA has frequently resorted to)
"Illegal" is routinely used when talking about sanctions. In that sense it means "unjustified".
No, you’re practicing Doublespeak. Illegality and illegitimacy are not the same thing.
This means that as a disgruntled employee I can simply visit Iran, log in to my company Github account and boom!
I have now taken revenge on my whole company with minimal effort.
Or just use a vpn that has servers in Iran? I think there are a few, hidemyass is one also I think, services designed to test access from different countries.
Great idea! Maybe GitHub does some additional checks for determining if somebody is in Iran? Or they have a special way to know if a VPN is used?
I think that some VPN services offer a "random server" access, so you are essentially playing Russian roulette if you just happen to log in via an Iranian server.
Only if you're okay with the legal consequences of sabotaging the company. They absolutely can sue you for it, and you might even face criminal prosecution for such a thing.
There is also another scenario.
I steal with social engineering (or phishing or other method) the GitHub credentials of an employee from a company I wish to harm.
And then I simply log in to GitHub (or use a VPN to appear in Iran) with those stolen credentials.
Sounds like a very easy DOS method.
On what basis are they going to sue him? He visited a specific country and then boom. How in the hell are they going to prove that he did it on purpose?
Exactly. Somebody who wanted to do this could simply book a flight where Iran is an intermediate destination.
And then they would say "I had 30 minutes of waiting time in transit and I just wanted to add a comment on my Pull Request".
On the basis of this comment thread :)
Github refused to help me regain access to an 11-year-old account when I changed jobs and so lost access to 2FA and email account at the same time.
We lost access to tens of thousands of dollars worth of project code which we had to rewrite.
The customer service support was Google style brick wall.
I wish this guy luck in getting access.
To be fair to GH, I wouldn't trust them if their customer service could be convinced to unlock an account with neither email nor 2FA access. Passwords leak all the time (because people are bad at using unique passwords) and social engineering efforts are quite effective at hijacking high-value accounts in a great deal of companies, so while I sympathise with the loss of your account, your experience actually improves my opinion of GH's support.
2FA should be bypassable after some longish lockout period.
For example, someone has lost their password, email access, phone number, and 2FA app. Make them wait a month to regain account access.
If any time during that month, the account is used or logged into, cancel the takeover request. During the month, every day send an email to all points of contact on the account letting them know what will happen.
It's a trade-off of the harm of unauthorized access to a dormant account Vs blocking someone from accessing their data (that is probably not backed up, and probably took considerable effort to create).
Have an account-level setting to disable such a process, for the people who might be offline for extended periods.
> 2FA should be bypassable after some longish lockout period.
Nope. No backups, no sympathy, simple as that.
2FA is worthless if you start to put holes in it like that.
So if you value your data, make backups - preferably locally the old-fashioned way, e.g. HDDs stored in at least two different locations or at least using several different cloud providers (which have their own infrastructure and aren't just relying on AWS/GCP/Azure/etc.).
There's no such thing as a "trade-off" when it comes to cyber security - either commit to it fully or just don't use 2FA at all.
Personally, I think 2FA that doesn't rely on physical devices (phones, keys, smart cards, etc.) is unreliable and sketchy anyways.
If you can't spare a few hundred bucks on a NAS that you can just put in a storage unit or bank vault if need be, your data can't be that valuable anyway.
> Nope. No backups, no sympathy, simple as that.
This is a really garbage opinion. Long tail reliability situations like this are a major blocking point to large scale adoption of many things. No one wants to use something where the consequence of making a mistake is "well I guess you're f*cked now". You're ignoring the entire usability side of computing and innovation.
> 2FA is worthless if you start to put holes in it like that.
No, it is not. 2FA can still prevent 99% of takeover attempts. There are other ways to verify identity (especially within a social network, where real life people know other real life people), but these companies simply do not want to put the effort in. And I can't really blame them: it would be a large investment to verify the identity of a given, every day person. This could be something that can be paid for in order to regain access in order to cover the elevated review necessary.
Trust me, if Nat Friedman somehow loses his email and 2fac at the same time, I can bet you that they would somehow find a way to verify his identity and let him back in to his Github account (or honestly any other account).
> There's no such thing as a "trade-off" when it comes to cyber security
This is false. Almost every part of cyber-security is a trade-off between security and usability. If you want the most secure system, just turn everything off. Totally secure. But also totally unusable.
> If you can't spare a few hundred bucks on a NAS that you can just put in a storage unit or bank vault if need be, you data can't be that valuable anyway.
Not everyone has the privilege to spend a "few hundred bucks on a NAS" and pay for it to be securely stored somewhere.
> No one wants to use something where the consequence of making a mistake is "well I guess you're f_cked now". You're ignoring the entire usability side of computing and innovation.
Wow wow wow, so you're basically saying that users who are capable enough to even need/use decentralised version control systems are too dumb and incompetent to set up Time Machine, Timeshift, or File History? Really?
> There are other ways to verify identity (especially within a social network, where real life people know other real life people), but these companies simply do not want to put the effort it.
So you are suggesting that instead of keeping one piece of information (e.g. a second e-mail address or just a token generator, which can be an app), you instead share your entire private life with these companies? Oh, and by the way - how would you even protect your social media accounts then? 2FA all the way down?
> Trust me, if Nat Friedman somehow loses his email and 2fac at the same time, I can bet you that they would someone find a way to verify his identity and let him back in to his Github account (or honestly any other account).
Trust me, the CEO running the show is in an entirely different category than most of the 50 million other accounts and you (in this case GH) don't even want to have all this sensitive personal information.
The less info you have, the less impact a data leak on the provider's side can have. Why would anyone trust GH with their personal information more than any other tech company?
Mission critical data belongs in multiple locations. Full stop. Losing access to a GH account should never be more than an inconvenience if your livelihood depends on it or you value your personal data.
> This is false. Almost every part of cyber-security is a trade-off between security and usability. If you want the most secure system, just turn everything off. Totally secure. But also totally un-useable.
I'm not talking about security in general. I'm specifically talking about deliberately weakening a security measure (here: 2FA) for no reason at all.
Do you leave your house key under the doormat? Do you keep a post-it note with all your passwords taped to the back of your phone - you know, just in case you forget one and for convenience?
> Not everyone has the privilege to spend a "few hundred bucks on a NAS" and pay for it to be securely stored somewhere.
A USB drive is not a privilege and if you can't afford a data storage solution I seriously wonder why you have a need for a distributed version control system in a (semi-)professional environment.
Data has become more important than ever, yet people still fail to understand to treat it like they would other valuables. 20 bucks for a protective case for your phone - no problem. 50 bucks for a half decent 1TB portable USB HDD to backup their most important and irreplaceable data - only the privileged and tech gurus can afford that...
Nah mate, think again. It just doesn't make sense to put all your eggs in one basket (allegedly 10s of thousands of proverbial eggs in this case) and then whine about forgetting to change 2FA, having no backups whatsoever, and mixing private and work accounts all at the same time.
This is one of those things that you should learn from and the least you can do is to have a cheap external HDD and a recent backup of your most important stuff.
> you're basically saying that users who are capable enough to even need/use decentralised version control systems are too dumb and incompetent
Do not put words in my mouth. I did not say that, you just did. I said that usability is a real concern, because no matter what you expect people to do, it will never work perfectly 100% of the time.
> I'm not talking about security in general.
You can say that now, but that's not what you said previously. "There's no such thing as a "trade-off" when it comes to cyber security"
> you instead share your entire private life with these companies?
Again, I did not say that. Github is a social coding network. I am not saying that I have all of the answers as to how this should work, but I am saying that if 1 member of a 100 person organization loses access to their account, and the other 99 members all confirm that their account access was lost via some event and assert their identity, you could have the start of a reasonable recovery path.
> the CEO running the show is in an entirely different category
Not sure what you mean by this. Are you saying that a CEO is just automatically more responsible and not going to lose something? Or are you saying that he's clearly just more important so it's okay to bypass the stated procedure for just him/her?
> Do you leave your house key under the doormat? Do you keep a post-it note with all your passwords taped to the back of your phone - you know, just in case you forget one and for convenience?
This is not even a valid comparison, and you're just trying to be condescending. I don't leave a house key under my mat just in case I lose it. But I also don't expect to never be allowed to enter my house again just because my key is lost.
> if you can't afford a data storage solution I seriously wonder why you have a need for a distributed version control system in a (semi-)professional environment.
Because many people use Github for non semi-professional environments? It is full of amateurs. Just because you don't find someone's work valuable, doesn't mean that they don't. Saying "Well it's not professional, so if you lost it then it doesn't matter" is not correct.
> 20 bucks for a protective case for your phone - no problem. 50 bucks for a half decent 1TB portable USB HDD to backup
You're comparing a 1 time action to a recurring action. I'm not saying that you shouldn't have backups. You obviously should. But people are human beings. Even if 99% of people have perfect backups, that's still 560k (according to Github home page numbers) that will have failed backups or some other issue.
PS. you keep widely including the term "decentralized", as if just because git is decentralized, that nothing on Github should matter. For better or for worse, Github has become the central git repository provider for millions of people. Claiming that Github services should be magically decentralized just because git is decentralized is an invalid claim. Because Github is not decentralized.
>> I'm not talking about security in general.
> You can say that now, but that's not what you said previously. "There's no such thing as a "trade-off" when it comes to cyber security"
I literally followed that up by "either commit to it fully or don't use 2FA at all". You omitted crucial context there. Now I could have expressed that more clearly, sure, but the context is right there nonetheless.
>> the CEO running the show is in an entirely different category
> Not sure what you mean by this.
What I mean is that the guy is not just "a CEO" - it's the CEO of the very company in question here. So what I'm saying is that someone within an organisation - let alone the head of said organisation - has very different tools at their disposal than can or should be provided to their users.
> It is full of amateurs. Just because you don't find someone's work valuable, doesn't mean that they don't. Saying "Well it's not professional, so if you lost it then it doesn't matter" is not correct.
Amateurs don't lose 10s of thousands of dollars from losing their GH account. Again - omitting context. If your data isn't valuable to you (be that in terms of money or for sentimental reasons) then it doesn't matter indeed. Just like you'd protect physical assets, non-physical assets require protection as well and if you don't do that, said assets cannot be of much value to you, no?
> But people are human beings. Even if 99% of people have perfect back ups, that's still 560k (according to Github home page numbers) that will have failed backups or some other issue.
So what you're suggesting is putting 100% of users at risk because there's the odd chance that someone might lose data? That's just not reasonable at all.
> you keep widely including the term "decentralized", as if just because git is decentralized, that nothing on Github should matter.
Because it does matter in that all you need to do is to keep a local copy of your repo. With a centralised system you'd lose the most important part of the repo: the complete commit history and all branches.
This is not the case with git and "all" you'd lose would be external configuration, issues and Wiki pages, but even those can easily be exported and saved externally.
You can even re-import all of that to a new account if need be. Heck, you can set up triggers that synchronise the entire repo - including issues, projects and wiki - to other providers or a local copy if you really want/need to.
The fact that millions rely on services like GH, GL, and BB doesn't change the nature of git.
Again - if your data is important to you - be that for monetary or private reasons - don't keep it in one place. Especially if that place can be locked away from you at any time for any odd reason. I don't understand why people these days have such a hard time understanding this, but using GH implies that you put your data on someone else's machine with little to no guarantees whatsoever.
None of these multi-million and billion dollar corporations deserve any of our trust and using their services comes with strings attached. Whining doesn't help - being aware of this and becoming a responsible and critical user who knows their options is what helps avoid disasters like this.
PS: you should really start by looking into how git itself works (especially compared to centralised repos like SVN) to actually understand the importance of decentralised version control.
> Nope. No backups, no sympathy, simple as that.
For your personal stuff, sure. But when engineering a service, you should care about everyone's stuff, not just those who are careful.
You should design your service to try to help those users who use the same password they did on myspace in 2004 and write it on a sticky note on their desk. Engineer for those who shared their password with their now-hated ex.
Even if the user takes massive security risks, the service should still try to maximize the user's ability to use the service, while minimizing an attacker's use/access to the service.
I don't know why this is difficult to understand. Any decision Github takes has a trade-off that will affect all users. Any time they allow a bypass of 2FA and email, they are putting potentially every account at risk of compromise. It doesn't matter how good the excuse given to the Github customer service rep is, bypass shouldn't be allowed so that all users' data is kept safe.
Let me put it in HN terms. One person grousing how they lost their account due to their own fault is a minor HN comment in the middle of a thread. A person complaining that Github customer service assisted an attacker in account compromise is a front page thread by itself, probably picked up by mainstream news. Does that make Github's decision easier to make?
Other than requiring some form of government issued identification (including prior to the incident), or a well built reputation using GPG (but those are not going to be users you mention), how would you achieve that today?
And as the GP says, what role would 2fa play in that scenario?
2fa simply means the user has more ways to potentially identify themselves... That means as a service you should try harder to stop someone else getting in, but also try harder to maintain access for the real owner. The 2fa code should help you do that, because now there are more things that the real account owner can do to identify themselves that an attacker cannot.
The increased security from 2FA comes from using both factors to authenticate to a service.
If you are not using both, then it's a single factor authentication.
You still haven't answered the core question: how do you do what you propose (keep strong security and allow easier restoration of an account to the real owner) today?
> You should design your service to try to help those users who use the same password they did on myspace in 2004 and write it on a sticky note on their desk. Engineer for those who shared their password with their now-hated ex.
Those can't be helped. We're not talking about Geocities or MySpace here - we're talking about a service that hosts a distributed version control system aimed at experienced users with a technical background.
The target audience is strictly not your average consumer and even then you shouldn't insult the intelligence of your users.
2FA is intended to protect all users of the service and users do have a choice when it comes to selecting their 2nd factor. Doesn't have to be an e-mail or phone. It can be an app-generated token as well.
And losing everything at once is tragic (hence: keep backups!), but suggesting that the locksmith should be allowed to just open the door if you ask nicely and the owners don't show up within an hour would be just as ridiculous as allowing to circumvent 2FA.
> There's no such thing as a "trade-off" when it comes to cyber security
There are always trade-offs. No security is absolute, but that doesn't mean all security is worthless. And as a rule all security measures come with some associated cost/inconvenience. What trade-offs make sense will depend on many factors, such as the value of your data (both to you and to a potential attacker), the threat models you're concerned about, the people who need access to your "secure" data, etc.
> No security is absolute, but that doesn't mean all security is worthless.
I'm not talking about absolutely secure measures here, I'm talking about watered down security measures.
Just like encryption that has backdoors, weakening 2FA by providing ways around it by design makes it completely worthless. And remember that this doesn't just apply to one user - it affects all users of a platform at the same time if you allow nonsense like this.
There's no trade-off to be had there - you either offer a more secure identification method or you don't.
To put it in a different and simpler context: a safety gate has to have certain properties. If you remove one or more of these, it ceases to be a safety gate and becomes a regular door. A reinforced door with a cheap lock is just as insecure as a cardboard door with a security lock and a second key under the doormat or hidden under a rock outside invalidates the usefulness of even a vault door...
2fa is good enough when it's another factor in the authentication. Physical devices are great, but I prefer more open things like TOTP/HOTP because they are easy to backup and restore (well, for a technically versed person who'd know not to keep it on the same device as their password, otherwise you are almost back at 1fa).
I do agree with your take on account takeover in case of lost credentials.
>> 2FA should be bypassable after some longish lockout period.
> Nope. No backups, no sympathy, simple as that.
My two sim-cards were lost at the same time. Impossible, right? Now I cannot access my Github account anymore. Perfect security. Nothing important is lost and backups are there. But what about the account itself?
You might be able to regain access if you still have your SSH key: https://news.ycombinator.com/item?id=25648815
Most countries require SIM registration using a government issued ID document (including prepaid ones). Some providers offer ID registration even for prepaid SIMs. If you want privacy from your government too, don't use SIM-based (sms or call) 2fa.
That's generally a suitable backup in my view.
Yet most countries allow foreign sims to roam into the country. That effectively defeats the benefits of requesting government IDs, since the real criminals will just use foreign sims.
Sure, if you are using a SIM from a country that does not require ID registration.
But we are talking about restoring access to your phone number. I don't really care about "a criminal" getting their account back on my service (well, unless I am SilkRoad or something).
My point is that I am able to get a new SIM for the same phone number as long as I've registered my ID with the provider. I have even kept my phone number even though I had my phone stolen 3 times for the last 20 years or so. Thus, if any of my accounts rely on that phone number for 2fa, I am good.
That's a completely different scenario, though.
Roaming is essential for the primary function of phones, whereas 2FA is not.
They just turned 2FA on for all accounts and that was the moment I found out that mine was pointing to the wrong email address. I wish they would allow you to sign something with your private SSH key to get an inactive account back.
This is where I think having a scan of a passport and requiring a letter certified by a public notary would be a better approach.
Using a company email to sign up for services and expecting to have access after you leave the company is 100% entirely your fault.
Even with the positive spin you're trying to put on it, it still sounds like you are trying to steal data from your former employer.
The situation would probably also be easily resolvable with your former employer's help, and there is likely a reason they aren't helping you.
Yeah, it seems odd that the former employer doesn’t just remove the account from their org and thus remove the MFA requirement.
I’ve had really positive experiences with GitHub support, but you can’t ask them impossible things.
There’s a GitHub user with my org name, they’ve had it for a long time and aren’t active. I asked GitHub support to see if they were active and if they’d be willing to transfer the account. GitHub confirmed they were active but just with no public activity and they passed along the request.
I like that they were human and didn’t try to force the user to give up their account.
I’ve had multiple colleagues say that we should try to force the user and I don’t support that line of reasoning. The user has a legitimate use of the name. I like that GitHub took the high road.
To me that sounds perfectly reasonable, and in fact a good policy. It seems like you lost access to your company account, based on your comment, so who is "we" that lost thousands of dollars worth of project code? If it was your employer that you had the email with, why couldn't you just restore the email?
What in your opinion should github do when an employee loses access to their company email, and 2FA, because they're fired? Should the employee gain access to all the code and the account by just contacting github via their personal email?
How did you want to prove that it was your account instead of stolen "information" that may be used in the recovery process?
Couldn't you "just" contact your previous employer?
Anyway, why was your private account using a job email :o
Rewrite? Wow. Hopefully for them it is just code so all they'd have to do is push their branches to a new self-hosted server.
Right? Why wasn't there a backup somewhere other than Github? Even just a repo that was checked out somewhere.
Feels like this code was owned by the company was the author no longer worked for....
Code is (almost) always better when it's re-written. So, maybe it was a blessing in disguise...
Please please PLEASE add at least one other provider to your remotes if you're going all in on cloud.
Consider also doing a regular local backup of all your repos. A quick Google search will yield tools that automate this entire process on platforms such as GitHub, BitBucket and GitLab. I personally delegated this to a Cron job. I check the backups manually once a month to make sure all is in order.
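Added example (not from the comment above or from any of the hosting providers it names): a small POSIX shell script that keeps a bare mirror of each listed repository locally, verifies it with git fsck, and can replicate the mirror to a second remote. The repo list format (one clone URL per line), the BACKUP_ROOT location and the second remote's URL are assumptions; only git is required.

```shell
#!/usr/bin/env sh
# Added example: local mirror backups of git repositories plus replication to a
# second provider. Assumes git is installed. BACKUP_ROOT, the list-file format
# (one clone URL per line, '#' comments allowed) and any second remote URL are
# assumptions for illustration.

set -eu

BACKUP_ROOT="${BACKUP_ROOT:-$HOME/git-backups}"

# backup_repo <clone-url-or-path> <backup-root>
# Creates (first run) or refreshes (later runs) a bare mirror holding every
# branch, tag and ref, then runs git fsck so a corrupted backup is noticed
# long before the day it is needed. Prints the mirror's path.
backup_repo() {
    src="$1"
    root="$2"
    name=$(basename "$src" .git)
    dest="$root/$name.git"
    mkdir -p "$root"
    if [ -d "$dest" ]; then
        # Fetch every ref and drop refs that were deleted upstream.
        git --git-dir="$dest" remote update --prune >/dev/null 2>&1
    else
        git clone --quiet --mirror "$src" "$dest"
    fi
    # Integrity check: fails (and aborts the script via set -e) on corruption.
    git --git-dir="$dest" fsck --no-progress >/dev/null 2>&1
    printf '%s\n' "$dest"
}

# push_mirror <backup-mirror> <second-remote-url>
# Replicates the mirror to another provider or a self-hosted server so that
# losing one hosting account does not mean losing the code. --mirror pushes
# every ref and prunes refs the destination has but the mirror does not.
push_mirror() {
    git --git-dir="$1" push --quiet --mirror "$2"
}

# backup_all <list-file> <backup-root>
# Mirrors every repository listed in the file, skipping blank and comment lines.
backup_all() {
    list="$1"
    root="$2"
    while IFS= read -r url; do
        case "$url" in ''|'#'*) continue ;; esac
        backup_repo "$url" "$root"
    done < "$list"
}

# Invoked directly (e.g. from cron): ./backup.sh --run repos.txt
# repos.txt is a constructed example name, not a real file on this page.
if [ "${1:-}" = "--run" ]; then
    backup_all "${2:-repos.txt}" "$BACKUP_ROOT"
fi
```

A cron entry that calls the script with --run once a night, plus the monthly manual look the commenter describes, is enough for most small teams; the fsck step is what turns "we have a backup" into "we have a backup that restores".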
While this is good advice of course, it is not clear to me if the problem is just the source code.
The twitter message says "We are completely blocked from deploying!."
Maybe they already have the source code elsewhere but use GitHub actions?
Heroku, maybe?
This is good advice. Maybe even self-host a backup server.
That's huge!
> we are working with the US government to secure similar licenses for developers in Crimea and Syria as well
That's also super cool to hear!
Related Thread: https://news.ycombinator.com/item?id=25648585
"We were working for two years to get this license." https://news.ycombinator.com/item?id=25648849
How long before someone gets an Iran VPN so that their company is knocked out and they get a day off.
My first thought was that this could have been avoided if a VPN was used. Why bother with such a weakly enforceable policy?
> Why bother with such a weakly enforceable policy?
To show they've done what they can to enforce the embargo, in the hope that the policy is enough to satisfy the authorities wrt doing enough.
They can't tell if a user is circumventing the policy via a VPN, but such a user is actively circumventing the enforcement of the policy so can't try to pass the buck with a "well they let us, so we just assumed it was OK" based excuse.
Geolocation databases are frequently inaccurate, even at the country level of granularity!
I use an ISP in the Netherlands that was founded only recently, and I frequently encounter sites that think I'm in Dubai, which is apparently where the previous owner of my IP block was located.
Fortunately, the only problems this seems to cause for the moment are that I occasionally get geo-blocked by some sites' overly-aggressive firewall rules, and I get Twitter ads in Arabic.
But I shudder to think what might happen should the UAE find itself under sanction.
So are we not going to talk about how economic sanctions end up as a way to use the people of these countries as a way to pressure their governments for political gains? How these sanctions directly and indirectly cause an increased poverty gap and negatively impact the living standards? How the governments of these sanctioned countries magnify this economic pressure to prevent people from revolting and to entrench their presence even more?
> economic sanctions end up as a way to use the people of these countries as a way to pressure their governments for political gains?
It's not as if this isn't commonly known. But when you view sanctions as a de-escalatory alternative to outright conflict, which also has huge negative impacts on the people of the countries in conflict.
This de-escalation is benefiting one group of people on the account of another. While both groups have nothing to do with the situation directly, the group that's benefiting is indirectly approving of it by continuing to vote for the same policies.
Two kinds of sanctions:
- sanction the leaders responsible and their buddies, the most common (that's what we do with Russia, Turkey, ...), hurt their wallet but ultimately it is a soft sanction, and also your populace sees it as ineffective / nothing is done
- sanction the country directly, embargo, complete block, kick out of SWIFT, that sort of stuff is what was done to Iran. Can only be done if you're part of the bigger/more powerful group. Massive effect, causes lots of poverty and pain for the populace but that's on purpose, so they are forcing their leaders to change some stuff. Doesn't always work, but both outcomes are victories in a way: either the country is forced to change and stop the original abuse, or it doesn't change but is so crippled that it's no longer a problem.
This is bound to something very, very, important: if the country does change and does what you asked, you start lifting.
Part of the message that's more of a European rant: that's why Trump's action on the Iran deal was a disaster, because now the population doesn't believe it's their own leaders' fault, and even if they did, their leaders don't believe it would ease if they did what was asked. That's how you end up with a North Korea.
According to every report I've seen, Iran was fully respecting their part of the deal, and allowing all the inspection necessary, when the USA did an "AHAH! it's a trap!" trick on them and screwed them. You're not convincing countries to behave, you're telling them that if they don't behave, they'd better go all the way to the other side.
> Massive effect, causes lots of poverty and pain for the populace but that's on purpose
This is what I'm talking about. Even if I'm to agree with the purpose of the requested change, does it justify the means by which it's being procured?
Trump may have screwed it up even more, but sanctions of the second kind have been imposed on countries like Iran or Syria since the mid-80s afaik. No major change happened, but the idea of knowingly using the population of another country to pressure their government, which is known to not be chosen democratically, is basically a form of hostage situation, and is immoral imho.
The alternatives:
1. Bomb them back into the stone age. That would kill a whole bunch of people, who as you point out are basically held hostage by their government and don't get much choice in the matter. It'd also permanently wreck their economy and infrastructure, cost lives on both sides, and usually has follow on effects.
2. Do nothing and allow things like funding terrorism, selling arms, committing atrocities, etc. You would know these things are going on, and therefore be allowing them to happen, and these things would probably be happening to your own people and allies.
Which one would you rather take?
These are not the only options.
Funding of terrorism is still happening now, and their support is being funnelled through countries that are not under any economic restrictions, some even have good relations with US, like KSA. For example, most official fundamental/terroristic TV channels/groups are based there. Most shell companies used by oppressing regimes in MidEast are in the UAE.
I don't understand your comment as the countries you list are not under sanctions like the ones described.
"Doing this to entity X stops that from entity X." "No, look, here is another entity Y where we didn't do this, and it still does that."
If anything your comment implies we should sanction all of these countries too.
It's pretty simple really:
- Sanctions don't achieve the goal of stopping the funding of terrorism, as evidenced by it still happening.
- IF the point of sanctions was to _actually_ stop terrorism funding, you'd start at the origin of where these ideas start, which is known to be Wahhabism/Salafism.
- At least, you'd start at the origin of how people holding these ideas were supported and given weapons and training to achieve regime change goals and to fight against Russians in Afghanistan.
One thing to keep in mind Iranian leaders are mostly conservative Shiites. As such you are never going to get them to stop supporting Shiite communities in the middle east. Even if they disappeared tomorrow whoever replaces them is also not going to stop. And as Shiites they want nothing to do with Wahhabism/Salafism.
You can make the same arguments against capricious Google and YouTube delisting, Facebook or Instagram bans, Twitter bans, App Store takedowns etc.
True, and I'd agree. But these companies are private entities. I can disagree with them but I can't force them to do anything, aside from not using them. Economic sanctions are introduced by governments, supposedly from and for the people.
> companies are private entities.
Private entities chartered and regulated by the government, of course.
Businesses have the right to refuse service.
By that logic, so do governments have the right to exercise their prerogatives...
Not really. They both may be immoral, but the government is chosen by the people, and I don't believe they "bestowed" on you your personal rights (in your private life or in how you run your business); they are there to protect you from others trying to prevent you from practicing your rights. Businesses/companies are regulated by the market. By ceasing to use them, you indirectly affect their decisions. If enough people think that what Google is doing is wrong, they can stop using them. Google will either shutter or change. This last bit also applies to governments in terms of actual vote power. If enough people thought that US gov policies were bad/wrong, they wouldn't vote for them. Obviously they still vote for the same people, so they still don't see it.
> your personal rights (in your private life or in how you run your business)
What "personal"/natural right do you have to establish a limited liability corporation? That is a social construct, intended to facilitate business, but it is not some "private sphere" distinct from the society we live in.
Your account of consumer choice "regulation" fails when confronted with even the most basic externality.
They could have blocked the user in Iran. It makes no sense to block the organization's account.
OFAC sanctions are transitive.
Reminder that Microsoft has the power to ask the state department for an exemption from these sanctions for github.
They have refused to do that. Google did that with Gmail and made the argument that Gmail is an important utility for freedom of the people there. Microsoft can do the same.
I'm glad that Microsoft finally reversed their stance on this.
What a disproportionate reaction from Github.
They could simply block network access from Iran to make it easier. Otherwise, blocking without giving warning is wrong. Even banks give warning and a deadline to their clients before closing accounts that are linked to sanctions. Why did Github block the entire organization without proper communication and a deadline to fix or clarify the issue?
Can't really blame GitHub here... US laws are badly written.
US laws follow US geo-politics, which is where the problem lies.
It's alright to blame people for lawfully following harmful laws.
> It's alright to blame people for lawfully following harmful laws.
It's also alright to blame people for interpreting laws too widely and too abusively. The legal and security departments are much at fault for this where they'll prefer to abuse people than to take up any kind of risk.
It's also not fair to blame people (well, companies...) for obeying the law.
Personally, I'd rather a world where companies obey the law than one where they pick and choose what laws they would like to obey.
I agree with you. It's alright to blame them, but it's unfair at the same time. The world is not fair.
EDIT: concerning hypothetical worlds, I pretty much do not want to live in a world where companies blindly follow the law regardless of how harmful it is. We have tried these worlds in the past and they were not pretty.
> EDIT: concerning hypothetical worlds, I pretty much do not want to live in a world where companies blindly follow the law regardless of how harmful it is. We have tried these worlds in the past and they were not pretty.
Personally, I think a distinction is necessary. Companies IMO should absolutely obey the laws regardless of if they like them or not. It's entirely unfair to blame them for obeying the law.
They (as well as individual people) are free to oppose those laws in an attempt to change them; however, until they are changed, they should follow the laws or cease trading in the country whose laws they disagree with. It's entirely fair to blame them for not fighting stupid/wrong/harmful laws.
Allowing companies to choose which laws they are going to obey is never going to end well.
I'm sorry, I cannot reply to your post without triggering Godwin's law.
There are countries in which being gay will still cause you serious trouble. Or not agreeing with the political leadership.
We are quite privileged to just assume that following the law as written (AND interpreted by the judiciary) will mostly work out alright and doesn't cause us a moral dilemma. And companies consist of people, too. Is it then all of a sudden morally acceptable to build spying software so your country's leadership can prey on its political enemies? Or assist in persecuting discriminated groups?
You don't have to cite long abolished laws or an industrialized killing machine for pointing that out ;-) though the post is really begging for it.
We can all cite harmful laws, does that mean companies (and people) should be free to ignore all law?
Should US companies be free to ignore laws related to sanctions because the UAE has made being gay illegal or because political opposition in China could land you in jail? Where do you draw the line? Specifically - for a US company as is being discussed.
> companies (and people) should be free to ignore all law?
Yet you continue with your strawmen. Nobody said that. The crucial word in your sentence is "all", with which nobody has agreed here. Of course nobody is above the law. But sometimes, in exceptional circumstances, a particular law turns out to be immoral. In that case, and only in that case, it is wrong to follow that particular law, and it is right to do the illegal alternative.
If a company is found to have followed an immoral law and performed harmful (but lawful) acts, it is right that society punish that company later (e.g., when the law situation is solved). More so in this case, when the company is overzealous in its application of that immoral law.
> Yet you continue with your strawmen. Nobody said that.
No, it was a rhetorical question. Reading and making an effort to respond to the entirety of the comment would have made that obvious when I specifically ask "Where do you draw the line?".
Where did I say "all"?
One way to fight a law is civil disobedience.
You won't get that from Microsoft, they do a lot of business with the US government.
But consumers can express their stance by not doing business with MS. I believe that communities have enough power in this age.
You are making a strawman. Companies are often following the law strictly or loosely as it suits them.
GitHub could have warned the company before blocking and/or blocked access only from Iran. It did neither.
> You are making a strawman. Companies are often following the law strictly or loosely as it suits them.
You're right that companies don't always obey the law. However, what has that got to do with "Personally, I'd rather a world where companies obey the law"?
My point is that companies SHOULD obey the laws, not that they always do - and that - allowing and encouraging companies to pick and choose the laws they are going to obey is wrong, and will simply not end well.
> GitHub could have warned the company before blocking and/or blocked access only from Iran. It did neither.
I'm not familiar enough with the specifics of the US laws regarding Iran to know whether this is a lawful course of action to take with a customer attempting to use your products/services from Iran.
Maybe they could have? Maybe they can't? I've no idea & I've made no attempt to address anything other than the "It's alright to blame people for lawfully following harmful laws" comment.
It's very easy to say that on someone else's behalf.
Essentially you're saying that Nat Friedman should risk 20 years in prison, and a million dollar fine per user in order to let Iranian developers use Github.
As much as I hate the idea of software not being freely available to everyone, I would not be willing to take that risk. I doubt many HN readers would.
It's not. You have a literal state actor backed with an army demanding money if you don't comply.
I'll pick the legal way unless the profits I can make somehow outweigh the sanctions (legislators can make mistakes too) and there are no penal repercussions.
It is. We established this quite clearly in Nuremberg.
You're comparing state sanctioned killing and torturing with sanctioning people trading with each other.
The first one is a violent crime against individuals, the second one is basically a tax.
I'm against both but they carry a different weight.
Sure, the impact is different. But on the other hand, I try to follow this rule as much as possible:
“One has not only a legal, but a moral responsibility to obey just laws. Conversely, one has a moral responsibility to disobey unjust laws.” – Martin Luther King, Jr.
Microsoft is no stranger to breaking laws and certainly has the resources to fight this one, or at least to argue that it shouldn't apply in this case.
I consider it immoral to threaten individuals with jail time unless they give you 40% of their salary.
I consider the USA's warmongering and spying on its own citizens immoral.
Still, if I don't pay my taxes or if I try to stop the army from going to bomb some poor people in the middle east, I'll be put in jail.
If I have a way to sabotage the government which won't ruin my life, I'll do it, but I'll pass on the rest.
We're lucky enough not to live in a country that requires us to kill people in concentration camps, because we would surely do that.
At least, I would do it if I didn't have another choice (but I would also try to desert).
There's a law for this...?
Indeed! Here's how it works: https://news.ycombinator.com/item?id=25644356
What is GitHub supposed to do?
Block requests from Iran, display a message that connections are blocked for legal reasons. Allow account to be used when not in Iran.
Would that comply with US law?
Compliance with the law is not binary. The US has a system of selective enforcement whereby they go after the most flagrant violators to make an example to everyone else. Blocking requests is compliance enough, practically speaking.
Yes, the law does not require blocking the account globally.
It also does not require to do so without warning or clarification.
> What is GitHub supposed to do?
Disobey the law, make a public statement about it, and deal with the consequences. This is not a new problem, it was treated by Kant a few centuries ago.
Are you really suggesting that companies should willfully break laws? We already have this in reality I guess, but don't think we should suggest them to do it further. Right way to get change would be for companies to get together and lobby for the change they wanna see, not just break the law.
Although I agree the export embargo is fucking stupid, especially when it comes to online technology, I really want to see less criminal behavior from companies, not more.
> Although I agree the export embargo is fucking stupid, especially when it comes to online technology, I really want to see less criminal behavior from companies, not more.
The law is not stupid, it's criminal. By following it, companies are precisely engaging in criminal behavior.
You seem confused about why GitHub did what they did. In the US there is something called "US Export Law"; the law includes declarations that make companies unable to sell services/goods to certain countries (which, spoiler, Iran is part of that list).
The law itself is not illegal, as the lawmakers have created and enacted that law. It's the opposite, the law is declaring what's illegal.
So, if GitHub doesn't ban users from Iran, they are breaking the law in the US.
Hope this clears up any misunderstanding on how things work.
"the law includes declarations that makes companies unable to sell services/goods to certain countries" is not the same as "if GitHub doesn't ban users from Iran, they are breaking the law".
GitHub could comply with the law without completely banning users who access their service from Iran, e.g. by making their website unavailable for Iranian IPs or by making paid features unavailable.
IANAL and I'm not 100% confident in my knowledge of the export laws in the US, as I've only had to deal with that mess once in my lifetime.
But, if the CEO of GitHub (Nat Friedman) claims that they "do no more than what is required by the law" and end up banning a user, my understanding is that the lawyers at GitHub and Microsoft have made the judgement that banning users is a must, and simply restricting them temporarily is not enough.
Again, I think export embargoes are shit and don't necessarily agree with the calls that GitHub/Microsoft did, but trying to understand the side they are coming from here.
What happens if a company has Office 365? Does MS block entire company emails?
Who knows, probably? For the rest of the "Does X block Y if Y is in Iran|Other embargoed country" questions, the answers are either A) Yes, you'll get banned or B) No, they haven't thought of that yet, but they'll add banning as soon as they figure it out, as the law requires it.
Yeah, that's not how the world works.
citation needed
To the extent that a law is unjust or otherwise morally wrong, it could be said there is a moral responsibility to disobey an unjust law (where one would otherwise be following it in a way which results in the unjust outcome). Note that GP isn't saying that it's permissible to break any law, only immoral ones.
It may be countered that the law isn't actually unjust (nor immoral), but a more convincing point is that it opens the door for companies to do whatever they like. I don't think that holds up - morality is supposed to supercede law.
It could be argued that anyone can disobey any law because anyone can find something moral or immoral - but that doesn't stand up; most people (and certainly society in general) admit some degree of objectivity in morality to the point where almost all moral questions either already have an answer, or the answer is currently being discussed (and that discussion is a process to find the right answer). People tend to say morality is "subjective" (whatever that means) or "relative", but act as though it is objective - with all the blame, shame, guilt, and assigning of responsibility. Even if it is "relative", it is relative to this society, in which GitHub operates.
Some people are interpreting this discussion on morality and law as being a matter of what a company or person does or doesn't "like" - morality is (by most accounts) a different ballgame, and should not (epistemologically speaking) be conflated with mere preference. Disobeying a just law (and doing something unjust in the process) is just as morally blameworthy as obeying an unjust law (and doing something unjust in the process). It's not a carte blanche for companies to do as they please.
I'm not commenting on this specific case; I'm silent on my moral reasoning of it, but I wanted to try and explain what I think GP was getting at.
I'm surprised this got downvoted. Can anyone explain why and help me understand what mistake I've made in my argument?
I for one enjoyed your comment, I think it's just a heated subject and HN tends to swing up/down with the votes on those topics, no matter if you argue well or not. I don't necessarily agree with everything you said, but it's well argued in general, and now I do understand the point of view I did not understand before. So thank you!
Thanks for the clarification, that was exactly my point.
And if the consequences is that the police comes at their doors and ordering them to comply, then what exactly has Github achieved? It's easy to be a keyboard warrior and taking an idealistic stance.
I didn't see a whole lot of blaming tech when every big company was found to be participating in NSA's PRISM program.
GitHub makes far more noise about such laws when it cares about them, however.
Another thing it also doesn't care about is the U.S.A. laws that prohibit those under 13 from effectively contributing.
The real issue is that many projects, many of which make sanctimonious statements about inclusivity they clearly don't care a bit about, continue to operate through GitHub and other companies under U.S.A. control and remain reliant upon them for contribution.
The last time I assessed the matter, publishing on crates.io seemed to require a GitHub account, though I'm not sure whether this issue has now been fixed; I've certainly seen Rust preach and pat itself on the back how much it cares about not excluding anyone, but apparently Iran isn't so included.
When I worked for "mega bank" a few years ago, even for software purchasing (because we were Anglo-American), we needed an 'ECCN' - an export control number for everything. Thanks US gov. Initially it was funny. Then it wasn't for a very long time.
Is it an X-ray machine? Does it use crypto? Is it more than 231 dpi? Well you can't export it to Middleeastistan.
https://www.bis.doc.gov/index.php/licensing/commerce-control...
If Github is going to block people for accessing from Iran, why don't they just block all Iranian ips? I'd totally blame Github for this.
They could have prevented the access they merely detected. Much less harm all round
GitHub seems proudly american with their support for ICEs, the US concentration camps.
Since MS owns github, does the same rule ban happen if a company uses office365-online/azure and one employee opens email from Iran?
Tangentially related, but one of my guys went to Cuba when we were using G-suite and he couldn't access gmail; it seemed to be ip-blocked.
Maybe Cuba has a very well known set of IP addresses and it's easy to block?
A company I used to work for got acquired by a US-owned organisation.
We were required to block traffic from sanctioned countries, and were allowed to use a Geolocation IP Database to do so. Lots of lawyers reviewed it, as well as external consultants.
Probably yes
I really wonder why economical penalties enforced to a country through its citizens or people born there or with ancestors like the USA does with all of its embargos aren't considered just as terrorism. You are punishing other people for something they didn't do just to pressure on their governments. Just like terrorists injuring people. (Yeah I know terrorists usually kill people but I'm pretty sure many people died due to economic embargo as well)
At this level "might makes right" is the only reality. Don't let anyone tell you otherwise. Oh yeah they went through UN for the sanctions... right... as if the UN isn't little better than a rubber stamp agency in these areas.
On the flip side the US can do little if someone like China or Russia decide to trade with and help out Iran. The problem is the software sector is heavily dominated by the US, so they can disproportionately affect Iran.
> You are punishing other people.. Just like terrorists injuring people.
Because terrorism implies violence. What kind of deaths result from economic embargo?
Starvation and disease.
So Iran cannot support its own population wrt food without imports?
It looks like the company has now gotten access to their GitHub account again, according to the original poster on the Twitter thread.
I don't know, it just looks like some kind of surveillance automation kicked in, froze the account, and customer service was slow.
Well, that’s what you get for doing business with an American company. The USA impose illegal sanctions and strongarm their allies in supporting the sanctions. Let this be a lesson for others.
What I don't understand is why they don't block access from those regions which are affected by US sanctions (in this case Iran). The current situation, in which you can access the website, but if you do, your account will be banned immediately, is more like a detective scenario than respecting the laws. You can simply block all Iranian IPs.
I'm an Iranian-American and this saddens me deeply. When you travel to Iran you need to make sure you don't get arrested by the Iranian regime because they have a history of taking dual nationals hostage. Then you open your laptop and suddenly you have taken down your company and potentially lost your job.
> When you travel to Iran you need to make sure you don't get arrested by the Iranian regime because they have a history of taking dual nationals hostage.
Isn't it trivial for them to catch you at the border if they wanted to do it?
They usually arrest people at the airport when they are leaving. It's called "hostage diplomacy"[0]. There is a whole Wikipedia page dedicated to it.
Why do so many in the open source community use GitHub, a closed source platform?
Do you have Gmail account? Nothing beats free service.
No
Nothing? Really? Nothing? Nothing in the entire existence of the universe ever beats a free service? OK then...
It's a phrase, a commonly used one in English, obviously not nothing in the entire universe.
It's unnecessary hyperbole and wrong too.
Shit happens, but I would really appreciate if you would re-activate our Github Org now, @github. You know, some PRs are waiting there for me.
can't you just push elsewhere, be it a self-hosted location or the one of a reliable 3rd party and tell Microsoft to go f§ck themselves?
I mean, what do you need github for to integrate and deploy?
GitHub: "Let's rename master to main because Inclusion & Equality"
Also GitHub: "sorry you're from a wrong country"
Github’s help text when opening a new repo irks me. It contains the following:
git branch -m master main
With absolutely no explanation of what they are doing, or why. I can imagine this being confusing to beginners, and it requires mental effort for me to ignore it each time.
This cost me 20 minutes + lots of confusion when teaching a Git course to newbies some weeks ago. I switched to GitLab for the next group.
Well, just think of how many tutorials (aka 99.9%) iterate git master branch.
When new people start, they are going to wonder what master vs main branch is -- I guarantee it.
They seriously think "master" is a bad word? That's crazy.
To be fair, our industry brought this on itself -- we did use "master" and "slave" together as technical terms in various contexts. Now even the innocent uses of "master" that don't involve any reference to slavery are tainted too, at least from the perspective of a non-technical outsider. I'm sure their eyes will glaze over well before one can finish explaining what a version control system is, why you would want one, why it has branches and what they are used for, and that all this involves no references to slavery.
> Also GitHub: "sorry you're from a wrong country"
GitHub has no choice in the matter short of moving all its infra to another country.
This is a political issue; pressure needs to be put on political leaders to change that stupid law.
Not true. As per another commenter in this thread,
https://home.treasury.gov/policy-issues/financial-sanctions/...
118. I have a client that is in Iran to visit a relative. Do I need to restrict the account?
Answer
No. As long as you are satisfied that the client is not ordinarily resident in Iran, then the account does not need to be restricted. See FAQ 37
Why don't we have internet havens yet? Companies are so clever in legally avoiding tax by registering companies in the most favourable jurisdictions and only running the absolute minimum of operations through tax expensive countries and so on, why don't we have the equivalent for avoiding dumb laws such as US trade wars, DMCA takedowns, etc.?
Can most internet operations not run through companies who are registered and have servers in a country where most of those laws don't apply to customers who are not US citizen?
The reward for dodging taxes is pretty high. What's the reward of letting a few folks open their laptop while at their parents?
If you are ideologically motivated, you might do it. Apparently project Gutenberg has set up servers in locations with shorter copyright durations so that they can mirror public domain books. https://news.ycombinator.com/item?id=25610024
> Why don't we have internet havens yet?
Companies pull tricks to optimize profits. Evading tax increases profit, but so does controlling the internet and sending blanket DMCA takedown requests instead of spending money on case-by-case review.
Heck, if the big companies wanted to avoid these things, they probably wouldn't be lobbying for these things.
GitHub might start blocking countries doing any trade with Iran in order to comply with "laws".
unfortunately this is a real thing the US imposes on the world (it's called Secondary Sanctions)
At work I had to take a course on US export control. The restrictions they bully everyone into are pretty nazi. Likewise with SWIFT. As evidenced by TFA it's always regular citizens that suffer. Compare this with EU sanctions that are targeted to particular companies and individuals.
Yeah. A few days ago I asked why the US was demanding KYC/AML regulations from countries when in the US itself it's easy to set up an anonymous corporation because laws. It's supposed to protect people from doing transactions and getting your "privacy violated".
GitHub has just announced a license for developers in Iran: https://github.blog/2021-01-05-advancing-developer-freedom-g...
What happened to the 'master main' comment thread? It was just silently deleted from this thread. Massive censorship going on, I am moving to a new website. Good riddance hackernews, take your censorship and stick it!
So GH has effectively given admin-level repo DELETE permissions to everyone in the organization. Not sure they really thought this one through.
Here comes a new employee onboarding document to sign: no Iranian VPN nor travel to Iran.
Let me see. You have a business in which you cannot control access to your Intellectual Property? And you take money from people for services? What can go wrong here? I really don't get this. Git is free. Setting up a dedicated server with redundant backup has been the de facto standard since the SVN era. In this case I don't blame GitHub at all. It is the responsibility of the business owner to make a judgement with all "bad case scenarios" in mind. In production, the idea of trusting third party infrastructure without an alternative is unprofessional.
From the company perspective, it's an arbitrary disruption. It could happen to any company.
While it's certainly very convenient and economically reasonable to use cloud services for development and production, every company should have a plan B.
In this case, it's an absolute must to have daily backups of all repositories / all branches which are stored on premise. If your company is not doing that, you play the lottery of losing access to your own source code.
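As an added example (not code from the thread or from GitHub), one way to implement the on-premise, all-branches backup the comment above describes: a bare mirror clone of each repository keeps every branch and tag, a refresh run prunes refs deleted upstream, and a dated bundle file gives a single-file snapshot that `git clone` can restore without any network access. The list file of clone URLs and the backup root are assumptions for the illustration; a cron entry would call `backup_all` daily.

```shell
#!/bin/sh
# Mirror-backup of every repository listed in a file (one clone URL per line),
# keeping all branches and tags on local storage. Requires only git.
set -eu

# backup_repo <clone-url> <mirror-dir> <bundle-dir>
# Creates the bare mirror on first run, refreshes it afterwards, and writes a
# dated bundle snapshot next to it. Returns non-zero if git fails.
backup_repo() {
  url=$1
  dest=$2
  bundles=$3
  if [ -d "$dest" ]; then
    # --mirror clones fetch +refs/*:refs/*, so one fetch updates every ref;
    # --prune drops refs that were deleted upstream so the mirror stays faithful.
    git -C "$dest" fetch --prune --quiet origin
  else
    git clone --mirror --quiet "$url" "$dest"
  fi
  mkdir -p "$bundles"
  name=$(basename "$dest" .git)
  bundle="$bundles/$name-$(date +%Y%m%d).bundle"
  # A bundle is one file holding every ref and object; `git clone <bundle>` restores it offline.
  git -C "$dest" bundle create "$bundle" --all
  # Sanity-check the snapshot before trusting it as a backup.
  git -C "$dest" bundle verify "$bundle" >/dev/null 2>&1
}

# backup_all <list-file> <backup-root>
# Mirrors every repository in <list-file> under <backup-root>/mirrors and
# writes bundles under <backup-root>/bundles.
backup_all() {
  list=$1
  root=$2
  mkdir -p "$root/mirrors" "$root/bundles"
  while IFS= read -r url; do
    [ -n "$url" ] || continue
    name=$(basename "$url" .git)
    backup_repo "$url" "$root/mirrors/$name.git" "$root/bundles"
  done < "$list"
}

# count_refs <mirror-dir>
# Prints the number of branches plus tags held by the mirror; compare this
# against the hosted repository to confirm nothing was missed.
count_refs() {
  git -C "$1" for-each-ref refs/heads refs/tags | wc -l | tr -d ' '
}

# Example invocation (assumed paths):
#   printf '%s\n' git@github.com:example-org/app.git > /etc/repo-backup/repos.txt
#   backup_all /etc/repo-backup/repos.txt /srv/git-backups
```

Restoring is `git clone /srv/git-backups/bundles/app-20210105.bundle app`, which needs no access to the hosting provider at all. The mirrors are bare repositories, so they can also be served directly (e.g. over SSH) as a temporary replacement remote while access is being restored.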
Whoo-hoo! Set up a free wi-fi node outside of a tech conference (perhaps with cheap pastries for conference goers), routed through a proxy in Iran. Don't need to decode https or anything - assuming you can proxy https through Iran.
Then watch as bunches of companies are blocked from GitHub.
If the Iranian government wanted to have fun with US laws, they could totally set this up. And it wouldn't even be illegal.
I have _a lot_ of questions...
* Is this a US Company?
* What was the employee doing in Iran?
* Is the employee an Iranian national?
* Was the company aware of this?
Headlines like this make me really scratch my head.
Well, GitHub is now fully available in Iran: https://github.blog/2021-01-05-advancing-developer-freedom-g...
Don't let your business depend on cloud services. If they're really important, then self-host your servers. There are so many stories of the cloud being a single point of failure (ironically) due to arbitrary and capricious rules, and/or bad support.
Microsoft should boycott the sanctions, they are cruel and the only reason they exist is that our current president hates our previous president.
They are way too big to actually be penalized in a meaningful way and doing the right thing once in a while feels great.
I can’t imagine what a bad workday this is gonna be for the rest of the company.
Github obviously did not do enough due diligence here. IANAL but am familiar with Sanctions considerations and IMHO, this does not rise to the level of the action taken.
Support peer-to-peer alternatives.
The technology to realize a peer-to-peer alternative to GH is here. We just need to make it happen. IMO radicle.xyz is the most promising one right now.
Seems like this policy would actually make sense for Russia.
Was the employee logged in with the organization account? When I visited Iran my personal and work account got locked but the org account was untouched.
Just wondering, does it also happen when connecting with Tor? Would like to warn my friends and eventually tell them the workaround ...
My guess would be that either GitHub outright blocks connections if they think it's via Tor. Second guess is that if your Tor exit node happens to be in Iran (or any other embargoed country), you'll get blocked as well, as they most likely look at the source IP to get the location.
Just tell your friends to use GitLab on prem or another EU-hosted git service.
I had a similar issue visiting Crimea. I was simply looking through my issues while on holiday over there.
How can one even reliably detect if one is logging in from Crimea? There is no Ukrainian/Russian ISP operating exclusively in Crimea, is there?
What happened after? Your account was unblocked later?
Yes, it was unblocked later, after some email exchanges, but it took me some days and a lot of nerves.
To be fair Nat Friedman replied:
> Hi Sebastian, sorry to hear about this. I will check into it right away and get your org unblocked.
https://twitter.com/natfriedman/status/1346452935924846593?s...
Pretty messed up that they built this kill switch in the first place though, if you ask me.
This behavior shouldn't be praised. Having to go on twitter, get on the front page of HN, and make Github look bad seems like the only way to get help these days.
Yeah I mean, I completely agree.
How do you manage this kind of risk? Are there other options other than don’t use GitHub to begin with?
Outsourcing anything has its own set of risks. Understand them before you commit to living with them.
You can't blame GitHub for intentionally over broad, OTT US sanctions.
A bit off topic, but seems like at some point these sanctions start helping instead of harming. If you are "sanctioned" by GitHub, Facebook, Twitter, Reddit, Instagram, PornHub, what have you, then in the end you will probably gain productivity, not lose it.
It looks like they are reading hacker news :)
https://github.blog/2021-01-05-advancing-developer-freedom-g...
use vpn bois, it's 2020 not 1999
What's the difference between a Chinese company and a US company? None. Both work for the state, although US ones operate under the guise of democracy.
This sort of union between tech and politics is not going to take us anywhere.
Nice phrasing. A bit edgy and exaggerated, though.
But since they are the same, I bet you can show us where the USA holds a few (at least 5 digit range) people in abduction camps, just to name one difference. Now that would be interesting.
Well...human memory is certainly weak or biased or both. Let's not forget Guantánamo bay, which is just one among many examples.
Surely you’ve heard of ICE and the sorry state of their “detention facilities” by now?
The US prefers using drone strikes to inflict suffering, I believe.
Yeah you forgot to add 'extra-judicial' to the drone strikes, breaching every international law.
An American company pays the salary of an overwhelming fraction of the people on this site. They will be dealt with accordingly.
No there are big differences. For example in China FAANG could easily be stopped from doing things they shouldn't while in the US it takes years and years of lobbying, talking to the media, making backroom deals, sitting on ones arse, changing the laws so it isn't unlawful anymore, etc.
While GitHub is not really to blame (following the laws and all, no matter how silly they are) why would your employees login from Iran with their work laptops into their work accounts while "visiting their parents" anyway? Why is that not the actual problem? Lack of policies?
Depending on what the company does, different levels of security are appropriate. But, yeah, I would avoid taking valuable data with me on a flight to shady countries (the US being among the top 10 of that list).
You can't have policies for everything.
Their main problem is using SaaS for something as basic and important as version control. Then you have to deal with silly US laws.