https://github.blog/2021-01-05-advancing-developer-freedom-g...
This sort of union between tech and politics is not going to take us anywhere.
But since they are the same, I bet you can show us where the USA holds a few (at least 5 digit range) people in abduction camps, just to name one difference. Now that would be interesting.
Their main problem is using SaaS for something as basic and important as version control. Then you have to deal with silly US laws.
I mean, what do you need github for to integrate and deploy?
Also GitHub: "sorry you're from a wrong country"
git branch -m master main
With absolutely no explanation of what they are doing, or why. I can imagine this being confusing to beginners, and it requires mental effort for me to ignore it each time. When new people start, they are going to wonder what master vs main branch is -- I guarantee it.
GitHub has no choice in the matter short of moving all its infra to another country.
This is a political issue, pressure needs to be put on political leaders to change that stupid law.
https://home.treasury.gov/policy-issues/financial-sanctions/...
118. I have a client that is in Iran to visit a relative. Do I need to restrict the account?
Answer
No. As long as you are satisfied that the client is not ordinarily resident in Iran, then the account does not need to be restricted. See FAQ 37
Can most internet operations not run through companies who are registered and have servers in a country where most of those laws don't apply to customers who are not US citizen?
If you are ideologically motivated, you might do it. Apparently project Gutenberg has set up servers in locations with shorter copyright durations so that they can mirror public domain books. https://news.ycombinator.com/item?id=25610024
Companies pull tricks to optimize profits. Evading tax increases profit, but so does controlling the internet and sending blanket DMCA takedown requests instead of spending money on case-by-case review.
Heck, if the big companies wanted to avoid these things, they probably wouldn't be lobbying for these things.
Here comes a new employee onboarding document to sign: no Iranian VPN nor travel to Iran.
While it's certainly very convenient and economically reasonable to use cloud services for development and production, every company should have a plan B.
In this case, it's an absolute must to have daily backups of all repositories / all branches which are stored on premise. If your company is not doing that, you play the lottery of losing access to your own source code.
Then watch as bunches of companies are blocked from GitHub.
If the Iranian government wanted to have fun with US laws, they could totally set this up. And it wouldn't even be illegal.
* Is this a US Company?
* What was the employee doing in Iran?
* Is the employee an Iranian national?
* Was the company aware of this?
Headlines like this make me really scratch my head.
They are way too big to actually be penalized in a meaningful way and doing the right thing once in a while feels great.
The technology to realize a peer-to-peer alternative to GH is here. We just need to make it happen. IMO radicle.xyz is the most promising one right now.
> Hi Sebastian, sorry to hear about this. I will check into it right away and get your org unblocked.
https://twitter.com/natfriedman/status/1346452935924846593?s...
Pretty messed up that they built this kill switch in the first place though, if you ask me.
1. There's the obvious legal aspect i.e. how these laws are framed and interpreted.
2. Then there's the geopolitical aspect. Is it fair to impose sanctions on Iran.
3. There's another aspect around GitHub policy that asks if an entire organization be banned for the location of one team member.
4. Finally, there's the aspect of relinquishing control. Your app development is on the cloud. IDEs are on the cloud. Deployments are on the cloud. App stores are on the cloud.
You have relinquished so much control, why be surprised if that stares you back in the face?
Ironically, Git is a decentralized version control system.
We live in a market-based economy with highly specialized division of labor. The idea of "keeping control" of all our necessities and dependencies is an archaic one. The system generally works, because we create sensible laws that foster trust, vet for partners who are trustworthy, and name-and-shame entities that violate our trust.
If you're a behemoth the size of FANG or a nation-state, maybe it is worth the effort needed to insulate yourself against these black-swan scenarios. But for a startup or small-medium-business that no one has heard of? That just sounds like bad prioritization.
All of which is to say... we should absolutely be surprised when a vendor like GitHub blocks an entire company because of an employee logging in from Iran while on travel. And this surprise, and the resulting name-and-shame, is what keeps the wheels of our economy turning.
If you're a small guy you get screwed and have no practical means of recourse. The little people are the ones who need to care about this kind of stuff.
As to what is archaic - I believe a point can be made that the division of labor thing can suit poorly our brave new cloud software world. You can't just buy things (or software) from others, and completely own them. If you are outsourcing some part of your business to others, you also lose a lot of sovereignty that is crucial to stay flexible and move fast. Apart from the fact that all these solutions are bundled with analytics that will play against you as soon as your supplier wants to become your competitor. And as I said before, staying in control is actually not that hard as soon as you know what you are doing, and can be a huge competitive advantage.
If GitHub is offline we can still setup a git server somewhere. I could offer my own for a quick startup. Mailing patches to each other, Linux kernel style, is not a viable backup plan. The cultural gap is too wide.
If Travis is down we can run tests locally.
We build the deployment artifact on one of our servers. If that one is down probably our production server is down too.
If Slack is down, ah, I was on vacation yesterday. I guess the fastest backup for us would be WhatsApp Web.
THAT SAID, it seems worth it for even a really tiny company to spend a half hour thinking about "what would I do if github (or AWS or google or the app store or whatever) cut me off?"
Probably in a lot of cases the answer is "call them and beg forgiveness" (i.e. if it's AWS), but for something like github it seems like "switch to gitlab" (or "deploy git server" or anything else) is a pretty easy move.
And Git is open source.
Github is a US-registered company under MS. The US has a history of weaponizing its economic power.
Stallman (RMS) was right once again.
https://home.treasury.gov/policy-issues/financial-sanctions/...
118. I have a client that is in Iran to visit a relative. Do I need to restrict the account?
A: No. As long as you are satisfied that the client is not ordinarily resident in Iran, then the account does not need to be restricted. See FAQ 37.
Source:
https://twitter.com/Hamed/status/1346433510786138114/photo/1
If they do that within the US market, that might be justifiable. But in this particular case, GitHub appears to enforce US foreign policy on what appears to be a company on the EU market. Also in what to me appears to be a rather ruthless, totalitarian, maybe even draconian way.
I'm pretty certain that absent this US law within the EU market, this action is arbitrarily discriminatory, and very likely constitutes inflicting serious damage on another company without a legal basis (within the US, yes .. outside the US, no).
GitHub may find itself stuck, between adhering to US laws and laws elsewhere (in this case EU, but China is probably a good example too). Still, it ultimately is a choice for GitHub to offer their products on multiple markets. If they have issues with that, they are free to exit a particular market. It certainly is never a valid excuse to start violating law in any market outside whatever country your headquarters might be located in.
Tangentially, this rather typical popular belief that US companies can simply absolve themselves from legal liability, just by crafting clever TOS/EULA that supposedly does just that, has always confused me. It was always my understanding that you can not create contracts that violate laws. In most countries with a somewhat sane state of law, governments really do not like or tolerate when companies start essentially making their own law in parallel. But apparently you can rewrite (even basic) law in the USA, as long as you can somehow get both parties to agree on it. Be that by free will or coercion.
Maybe it's time, for other parts of the world to no longer put up with this kind of bullshit, and demand that US companies actually adhere to the laws (and legal protections) that exist within their markets, or be free to buzz off and only operate on the US market alone.
With US foreign policy becoming increasingly self-serving, legally dubious, and in some cases downright insane, having internationally operating companies enforcing those policies is becoming a seriously risky proposition for anyone outside the USA.
But git and github are not the same, as the latter contains a lot more extras in terms of functionality.
There are good github alternatives, like https://gitea.io
And if you then talk decentralized version of that, ForgeFed comes into picture. See https://forgefed.peers.community
As it happens there's a recent interest to evaluate that for implementation in Gitea (and maybe funded by NGI0):
GitHub is simultaneously not the be-all-and-end-all of Git[1] and more than Git[2].
If they have good backups of everything (if not they should consider this a beating with the ol' clue stick (I'm assuming everything on github can be backed up away from it?)) this should only be a bump in the road, though a considerably inconvenient bump as there is nothing they can just restore to and move on using without a pile of changes and/or admin work.
[1] pick a new location for the "source of truth" repo for your team, push everything to that, and you're golden again
[2] all the bits wrapped around it are available elsewhere, but not necessarily in a convenient ready-made integrated manner[3]
[3] there is GitLab of course, not a direct 1-1 feature mapping in either direction but close enough for many, I'm told performance is more of an issue but you can always self-host if controlling that is worth the extra admin to you
It's also pretty easy to mirror your repo to other remotes. I've had projects that were in Gitlab, Github and Sourcehut at the same time. Sure, depending on how you sync them, there may be some steps (eg getting people to push their local branches to another remote) when your main one becomes inaccessible, but overall it's really easy to work across multiple remotes. It's something git was designed for, after all.
So there are Cloud services that make more sense to use in the long run, in this case Gitlab is one of them.
In this case Github is just unreliable piece of infrastructure. My phone provider bans me for receiving phone call from wrong country? Nice joke.
"Decentralisation" of Git has been a running joke since the beginning.
I think github is the last one at fault for this.
Yeah. Nobody else should be allowed to have nukes, or else the U.S. is gonna take his ball and go home.
Making it difficult for the IAEA to provide oversight is enough of a treaty violation, and that goes double when there is credible evidence that unauthorized enrichment was occurring.
Especially us Europeans should not rely on American services at all. It's not worth it.
American corporations are just as much a liability as their counterparts in China.
All US companies have to comply and majority of the tech companies are unfortunately in the US.
I know you can use a VPN and configure it on a router level to make sure that you are always connected via a VPN but just the fact that 1 slip-up can result in account level blocks (which google is notoriously good at and can essentially shut down your business) means no company would want to work with someone working from Iran.
Coming from a 3rd world country, I know the problems of internet censorship which Iranians also face but being too toxic to touch for everyone outside Iran because the US leadership thinks so is just infuriating and heart breaking.
Imagine being a programmer in Iran. Not only do you have less resources to learn and grow, you have a massive handicap to find good work as most work is outside of the country.
Only bet is to leave the country but even there you have a very low probability as you basically can't have a trial period for your job as most companies don't want to risk having their accounts blocked.
Most of us here know how degrading and infuriating the tech recruiting processes can be and now add to it the horrors of working from Iran.
Wars are not supposed to have civilian casualties but this one has a generation of civilians being starved of information and experience critical for them to grow.
[1] https://github.com/go-gitea/gitea/issues/1612
[2] https://github.com/go-gitea/gitea/issues/9045
[3] https://gitlab.com/gitlab-org/gitlab/-/issues/6468
[4] https://gitlab.com/gitlab-org/gitlab/-/issues/33665
[5] https://opencollective.com/gitea
The real question here is why people even consider using US cloud companies when they know they have employees working in countries subject to severe US trade restrictions. If you're willing to risk your company being denied business with American companies, then you should also have a mitigation strategy when you get caught. It sucks that you have to work around US regulation to do normal business but this is just how the world works right now.
This simply wouldn't happen at my company because special permission is needed to take any company assets out of the country. If anyone at my company casually took a company laptop to Iran that would be instant termination. It absolutely astonishes me that a company wouldn't have a policy about taking company resources to foreign countries.
Beyond just the Iran issue, it's known that trade secrets on employee laptops are at risk when crossing some international borders, particularly in airports. Border agents can confiscate electronic devices on vague suspicions, compel you to unlock them (or hack them open in some cases), and then leave them in unsupervised settings with yet more border agents who have the barest electronic security training. These risks terrified me during my travels!
Regardless, this person logged into GitHub, which could have been from any device including a phone.
Presumably GitHub needs some automated tool to prevent inbound traffic from sanctioned countries, and it's hard to be certain that they are complying with US law if such automated tools have some wiggle room allowing for a non-zero amount of usage from sanctioned countries.
The whole situation isn't great, but none of it is GitHub/Microsoft's fault.
I have now taken revenge on my whole company with minimal effort.
I think that some VPN services offer a "random server" access, so you are essentially playing Russian roulette if you just happen to log in via an Iranian server.
I steal with social engineering (or phishing or other method) the GitHub credentials of an employee from a company I wish to harm.
And then I simply log in to GitHub (or use a VPN to appear in Iran) with those stolen credentials.
Sounds like a very easy DOS method.
We lost access to tens of thousands of dollars worth of project code which we had to rewrite.
The customer service support was Google style brick wall.
I wish this guy luck in getting access.
Consider also doing a regular local backup of all your repos. A quick Google search will yield you tools that will automate this entire process on platforms such as GitHub, BitBucket and GitLab. I personally delegated this to a Cron job. I check the backups manually once a month to check all is in order.
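The on-premise backup both of the comments above argue for (daily, every repository, every branch) is only worth something if you can show the mirror is complete. The script below is an added example written for this thread, not a tool from the original post or from any hosting provider: it keeps a bare `--mirror` clone per repository and then diffs the branch and tag refs of the live remote against the mirror, so a missing or stale branch fails the cron run instead of going unnoticed until the day you are locked out. It assumes `git` is on `PATH`, that the caller supplies the repository URLs (for instance from a file kept beside the cron entry), and uses no hosting-provider API.

```python
from __future__ import annotations

import subprocess
import sys
from pathlib import Path


def git(*args: str, cwd: Path | None = None) -> str:
    """Run one git command and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["git", *args], cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def mirror(url: str, dest: Path) -> None:
    """Create a bare mirror clone, or refresh an existing one.

    --mirror fetches every ref (all branches and tags); --prune on update
    removes refs deleted upstream so the mirror stays an exact copy.
    """
    if (dest / "HEAD").exists():
        git("remote", "update", "--prune", cwd=dest)
    else:
        git("clone", "--mirror", url, str(dest))


def parse_refs(ls_remote_output: str) -> dict[str, str]:
    """Turn `git ls-remote` output ("<sha>\\t<ref>" per line) into {ref: sha}.

    An annotated tag is listed twice; the "^{}" line is the peeled commit and
    is dropped so each tag counts once.
    """
    refs: dict[str, str] = {}
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(None, 1)
        if ref.endswith("^{}"):
            continue
        refs[ref] = sha
    return refs


def missing_refs(remote: dict[str, str], local: dict[str, str]) -> dict[str, str]:
    """Branches and tags the remote has but the mirror lacks or holds at another commit.

    Only refs/heads/ and refs/tags/ are compared: HEAD and pull-request refs
    (refs/pull/*) are not what a source-code backup exists to preserve.
    """
    return {ref: sha for ref, sha in remote.items()
            if ref.startswith(("refs/heads/", "refs/tags/"))
            and local.get(ref) != sha}


def verify(url: str, dest: Path) -> dict[str, str]:
    """Compare the live remote against the mirror; an empty dict means complete."""
    return missing_refs(parse_refs(git("ls-remote", url)),
                        parse_refs(git("ls-remote", str(dest))))


if __name__ == "__main__":
    # Usage: backup.py <backup-root> <repo-url>...   (run from cron; non-zero exit on any gap)
    root = Path(sys.argv[1])
    failed = False
    for url in sys.argv[2:]:
        name = url.rstrip("/").rsplit("/", 1)[-1]
        dest = root / (name if name.endswith(".git") else name + ".git")
        mirror(url, dest)
        gap = verify(url, dest)
        if gap:
            failed = True
            print(f"{url}: mirror missing or stale for {sorted(gap)}")
    sys.exit(1 if failed else 0)
```

Because the mirror is a normal bare repository, the same directory can be pushed to a second host (`git push --mirror <other-remote>`) when the primary becomes unreachable, which is the multi-remote setup the thread mentions elsewhere. Run the verification from a host that is not the one you are backing up, and treat a non-empty result as an incident, not a warning.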
The twitter message says "We are completely blocked from deploying!."
Maybe they already have the source code elsewhere but use GitHub actions?
> we are working with the US government to secure similar licenses for developers in Crimea and Syria as well
That's also super cool to hear!
Related Thread: https://news.ycombinator.com/item?id=25648585
To show they've done what they can to enforce the embargo, in the hope that the policy is enough to satisfy the authorities wrt doing enough.
They can't tell if a user is circumventing the policy via a VPN, but such a user is actively circumventing the enforcement of the policy so can't try to pass the buck with a "well they let us, so we just assumed it was OK" based excuse.
I use an ISP in the Netherlands that was founded only recently, and I frequently encounter sites that think I'm in Dubai, which is apparently where the previous owner of my IP block was located.
Fortunately, the only problems this seems to cause for the moment are that I occasionally get geo-blocked by some sites' overly-aggressive firewall rules, and I get Twitter ads in Arabic.
But I shudder to think what might happen should the UAE find itself under sanction.
They have refused to do that. Google did that with Gmail and made the argument that Gmail is an important utility for freedom of the people there. Microsoft can do the same.
They could simply block network access from Iran to make it easier. Otherwise, blocking without giving warning is wrong. Even banks give warning and deadline to their clients before closing accounts that are linked to sanctions. Why Github blocked the entire organization without proper communication and deadline to fix or clarify the issue?
Maybe Cuba has a very well known set of IP addresses and it's easy to block?
We were required to block traffic from sanctioned countries, and were allowed to use a Geolocation IP Database to do so. Lots of lawyers reviewed it, as well as external consultants.
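Geolocation-based blocking is the mechanism several comments above describe, and the stale-IP-block story shows its weakest point. The code below is an added example for this thread, not GitHub's or any provider's code: it geolocates a window of login events against a lookup table, restricts only a user whose every login maps to a sanctioned country, sends mixed histories (travel, VPN exit node, stale geo data) to human review, and never produces an organisation-wide block. The table is constructed from the RFC 5737 documentation networks with placeholder country labels, the sanctioned-country set is illustrative, and whether a given person is "ordinarily resident" somewhere is a question for counsel, not for this script.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Illustrative set; which countries count is a legal question, not a coding one.
SANCTIONED = {"IR", "SY", "KP", "CU"}

# Constructed geolocation table: RFC 5737 documentation blocks with placeholder
# labels. Real tables are far larger, change constantly, and lag behind
# address-block transfers (the Dubai case above), so one hit is not proof.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "NL"),
    (ipaddress.ip_network("198.51.100.0/24"), "IR"),
    (ipaddress.ip_network("203.0.113.0/24"), "AE"),
]


def country_of(ip: str) -> str | None:
    """Map an address to a country label; None when the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE:   # no overlaps in the constructed table
        if addr in net:
            return country
    return None


@dataclass(frozen=True)
class Login:
    user: str
    org: str
    ip: str


def decide(events: list[Login]) -> dict[str, str]:
    """Per-user decision over a window of login events.

    allow         : no login geolocated to a sanctioned country
    review        : some did, but the user also logs in from elsewhere
                    (travel, VPN exit, stale geo data); a human checks
                    residency before anything is restricted
    restrict_user : every login in the window geolocated to a sanctioned
                    country; the user, not the organisation, is restricted
    """
    seen: dict[str, list[str | None]] = {}
    for e in events:
        seen.setdefault(e.user, []).append(country_of(e.ip))
    decisions: dict[str, str] = {}
    for user, countries in seen.items():
        hits = [c for c in countries if c in SANCTIONED]   # None is never a hit
        if not hits:
            decisions[user] = "allow"
        elif len(hits) == len(countries):
            decisions[user] = "restrict_user"
        else:
            decisions[user] = "review"
    return decisions


def org_action(decisions: dict[str, str]) -> str:
    """The organisation is never blocked wholesale; at most its admins review."""
    return "none" if all(d == "allow" for d in decisions.values()) else "review"
```

Two caveats a practitioner would add: the window must be long enough that a single trip does not become a user's entire history, and even `restrict_user` should come with notice and a deadline, since the geo table itself can be the thing that is wrong.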
On the flip side the US can do little if someone like China or Russia decide to trade with and help out Iran. The problem is the software sector is heavily dominated by the US, so they can disproportionately affect Iran.
I don't know, it just looks like some kind of surveillance automation kicked in, froze the account, and customer service was slow.
Isn't it trivial for them to catch you at the border if they wanted to do it?
One of the companies in the EU produces enterprise software almost no one on this website uses (SAP). The other is Dassault.
In the US the top five companies are Microsoft, Oracle, ADP, Adobe, and Salesforce. If you include Alphabet and Amazon, well...
When the EU or Asia (non-China, I guess) can offer mature alternatives even remotely competitive with the American companies, I guess your strategy could work. Until then, no one is going to flock to Hetzner over AWS.
And I like Hetzner.
[0]: https://en.wikipedia.org/wiki/List_of_the_largest_software_c...
Indeed there are viable local options for many of these things. Heck, the reason why European companies have so little relative market share, is because they serve smaller, domestic, markets.
A Danish webshop provider probably has a better offering for a webshop for servicing the Danish market. It probably has better support for Danish accounting, better locale support etc.
The list employs some particular filters (e.g. SaaS seems to be excluded) and heavily emphasizes market cap over revenue.
What? SAP is a huge software that is used in a lot of companies.
Famous example: MS Windows having a marketshare of 96% should not necessarily stop you from designing your business around linux.
If you keep everything your business is at Amazon you better be prepared for Amazon booting you.
You don't need the market to flock to Hetzner or OVH to use it yourself and avoid US sanctions.
There are problems with the laws, copyright laws too, US gov agencies etc that are all incompatible with our own laws. If something bad were to happen, our own courts have zero power to help us. We also don't have a direct fiber line to America so all our traffic hops through Europe and more recently through South America, so about 200ms added to most requests.
The only reasons to use American hosting companies is because of:
1) The financial cost can in some cases work out to be lower than local options.
2) It can be easier to scale your service vs self-hosting on premises.
3) American hosting platforms have really nice GUIs and tooling, while being well integrated with the billing side - everything mostly just works as expected.
But other than that, if money and skills are not a problem, then on-prem is best here.
Sure, please let me know how the EU plans to build Office 365, AWS, GitHub competitors of similar scale, quality and success.
We have no private investors that would pony up enough money to go against US tech titans and fat chance the EU would ever fund such initiatives and if they would, the money would evaporate over night to companies with political connections and overpriced consultants who would just produce documentation.
Let's face it, the ship of EU dominance in tech has sailed a long time ago, we might as well get comfy with the US pulling the strings on that front.
The only way the EU would ever stand a chance is if the EU would pull a Chinese style great firewall and outright ban foreign tech companies on their internal market, leaving space for local companies to spring up and fill the void but that will never happen.
However, if you cannot trust those products then you cannot use them.
Remember, this thread is about Github blocking an entire company due to one employee due to American politics. If a non-US company risks losing its project management/code management (Github), its infrastructure (AWS) or its documents (Office 365) on a whim due to American policies then they cannot use those products.
If a big enough chunk of the world can't use the American offerings, then there is a market for alternatives.
You're right that it's probably too late to reverse all of this economic damage that the US has intentionally caused. It's a difficult problem for the world.
Did you miss this a couple of weeks back?
https://www.eetimes.eu/eu-signs-e145bn-declaration-to-develo...
It would be really interesting to know your opinion on what functionality in AWS is indispensable and what you can sacrifice in case Hetzner/OVH price for the rest is the same as AWS or lower.
There are no such plans. EU wields a lot of regulatory power. The most likely path of action would be to force MS/Amazon/etc. to spin-off their EU side of the business. And I believe that the companies have already prepared for this.
China requires access to your company code and pretty much owns you.
The USA government is interfering as much as Europeans government do, by making stupid laws and demanding access when they can think of an excuse. Sure, it's bad but it's not as bad as China.
You can't trust any government, but some are better than others.
Chinese and USA services should be avoided...
I am not condoning the actions of the United States government, but arguably the Iranian Islamic theocratic regime has unleashed more horrors on the Iranian people in the last 50 years than any other foreign government.
This is the other side of the Enlightenment ideal that the legitimacy of a government can only come from the support of its people.
When you declare another people to be, literally, Satan, there may be resulting consequences.
We're not unaware of the impact of sanctions. Fundamentally, starving a generation of Iranians of information and experience is worth it if it leads to civil unrest and regime change, therefore preventing Iran's current leaders from committing the genocide they've said they want to commit so many times.
I'm afraid you're mistaken, and that removing knowledge from people just makes the regime stronger.
Instead, providing the people in Iran with more knowledge and education would make even more people oppose the dictatorship, I'd think.
Not nuclear physics though, but GitHub yes sure.
Unfortunately, peace in the Middle-East would shift political power in all countries involved, shift government spending, reduce military aid from superpowers [1], and reduce the importance of the countries to the superpowers. A lot of power and money is trying to prevent that from happening.
You don't need to play along with those powerful people. They don't want to help you. Lasting peace would help you and your descendants much more than continuing the current situation.
This argument should apply to Israel, which is the biggest per capita committer of genocide, land theft, rape, and fraud in the entire world. The entire history of Israel is one of genocide, from the ancient world to today. We need BDS now and a just society would absolutely shun your nation until they respect human rights.
GitHub reaction is outrageously disproportionate. They should just prevent login from Iran. They had no basis for blocking a legitimate customer in Europe based on this.
I suppose this implies that the employee is Iranian.
The U.S. sanctions are pretty aggressive, and I don't think preventing login from Iran is anywhere near enough to comply. The law is the problem here.
Should it be this way? No. Is it entirely Github’s fault they overreact to any sign they’re serving Iranian users? Also no.
The US military has been wrestling with that reasoning for about 20 years. If the majority of attacks and intrusions on military infrastructure originate from a single nation state and there exists evidence that most such attacks are sponsored by that nation state it would make sense to simply block all IP addresses originating from that nation state. This does not occur because the attorneys will not allow it due to both diplomatic and legal reasons.
Does US law require application to such an extreme degree? If not, then why is GH doing it?
If you are German and the USA decides to apply sanctions on Germany because of NordStream2 tomorrow, well, good luck setting up your own gitlab ce...
118. I have a client that is in Iran to visit a relative. Do I need to restrict the account?
Answer
No. As long as you are satisfied that the client is not ordinarily resident in Iran, then the account does not need to be restricted. See FAQ 37.
Does everyone in the world need to subscribe to "a list of countries US jurisdiction doesn't like" just so we will be able to work, check email or review opensource code while being on holiday in an exotic country?
But they are responsible for understanding what's required under those laws. If they're going beyond what's required to comply with the law, then those further actions are entirely on them.
Or you get the alternate headline "Github facilitates Iran sanction evasion by allowing Iranian developers to mark themselves as 'visiting a relative'" and the associated charges.
Not really:
https://home.treasury.gov/policy-issues/financial-sanctions/...
pretty clearly states they don't even need to ban that specific person let alone the entire company.
https://github.blog/2021-01-05-advancing-developer-freedom-g...
To me, it means "against a law", and laws are made by countries (sure, parliaments of those countries or dictators or...), and generally apply only to that particular country (some things attempt to get a wider reach, but they are usually unenforceable unless there's a local company to pursue, most famous example being GDPR).
There are international conventions and the UN, but countries do not have to be signatories or members to any of them. And I've never heard anyone use the term "illegal" in that sense before.
So what do you mean with "clearly illegal"?
(fwiw, I am very much against the US acting as the "policeman of the world", but sanctions are a political tool to make someone less powerful comply; beats an invasion and bombing that USA has frequently resorted to)
For example, someone has lost their password, email access, phone number, and 2FA app. Make them wait a month to regain account access.
If any time during that month, the account is used or logged into, cancel the takeover request. During the month, every day send an email to all points of contact on the account letting them know what will happen.
It's a trade-off of the harm of unauthorized access to a dormant account Vs blocking someone from accessing their data (that is probably not backed up, and probably took considerable effort to create).
Have an account-level setting to disable such a process, for the people who might be offline for extended periods.
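The recovery process proposed in the comment above is a small state machine, and the trade-off it describes is easier to judge in code. The block below is an added example written for this thread, not any provider's implementation: a request opens a 30-day clock, any successful login while it is pending cancels it, every contact on file is messaged daily until it completes, and an account-level setting lets people who go offline for long periods refuse the mechanism entirely. The contact addresses and dates inside `run_scenarios` are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

WAIT = timedelta(days=30)   # the waiting period proposed above


@dataclass
class Account:
    contacts: list[str]                    # every e-mail / phone on file
    delayed_recovery_enabled: bool = True  # owner's opt-out for long offline periods
    recovery_opened: datetime | None = None
    recovery_cancelled: bool = False


def open_recovery(acct: Account, now: datetime) -> bool:
    """Start the clock. Refused outright if the owner disabled the mechanism."""
    if not acct.delayed_recovery_enabled:
        return False
    acct.recovery_opened, acct.recovery_cancelled = now, False
    return True


def is_pending(acct: Account, now: datetime) -> bool:
    return (acct.recovery_opened is not None and not acct.recovery_cancelled
            and now < acct.recovery_opened + WAIT)


def record_login(acct: Account, now: datetime) -> None:
    """A real session during the wait cancels the request: whoever can still
    log in is, by the account's own rules, the party entitled to it."""
    if is_pending(acct, now):
        acct.recovery_cancelled = True


def notifications_due(acct: Account, now: datetime) -> list[tuple[str, str]]:
    """One message per contact for each day the request is pending."""
    if not is_pending(acct, now):
        return []
    days_left = (acct.recovery_opened + WAIT - now).days
    text = (f"Recovery of this account was requested on "
            f"{acct.recovery_opened:%Y-%m-%d}; it completes in {days_left} "
            f"day(s) unless someone logs in.")
    return [(contact, text) for contact in acct.contacts]


def can_complete(acct: Account, now: datetime) -> bool:
    """True only after the full period has passed with no login."""
    return (acct.recovery_opened is not None and not acct.recovery_cancelled
            and now >= acct.recovery_opened + WAIT)


def run_scenarios() -> dict[str, bool]:
    """The three cases from the proposal, returned so they can be checked."""
    t0 = datetime(2021, 1, 5)                      # constructed date
    dormant = Account(contacts=["owner@example.org", "+1-555-0100"])  # constructed
    open_recovery(dormant, t0)
    contested = Account(contacts=["owner@example.org"])
    open_recovery(contested, t0)
    record_login(contested, t0 + timedelta(days=3))   # the account is still in use
    opted_out = Account(contacts=[], delayed_recovery_enabled=False)
    return {
        "dormant_blocked_early": not can_complete(dormant, t0 + timedelta(days=29)),
        "dormant_notified_daily": len(notifications_due(dormant, t0 + timedelta(days=1))) == 2,
        "dormant_completes": can_complete(dormant, t0 + timedelta(days=30)),
        "contested_cancelled": not can_complete(contested, t0 + timedelta(days=40)),
        "contested_quiet": notifications_due(contested, t0 + timedelta(days=4)) == [],
        "opt_out_refused": not open_recovery(opted_out, t0),
    }
```

The design point worth noticing is that cancellation needs no judgement call: the only signal is whether the existing credentials still work, which is exactly the property the requester claims to have lost. The residual risk is an attacker who has quietly taken all contact channels; the daily notices are what give the real owner a chance to notice before day 30.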
Even with the positive spin you're trying to put on it, it still sounds like you are trying to steal data from your former employer.
The situation would probably also be easily resolvable with your former employer's help, and there is likely a reason they aren't helping you.
I’ve had really positive experiences with GitHub support, but you can’t ask them impossible things.
There’s a GitHub user with my org name, they’ve had it for a long time and aren’t active. I asked GitHub support to see if they were active and if they’d be willing to transfer the account. GitHub confirmed they were active but just with no public activity and they passed along the request.
I like that they were human and didn’t try to force the user to give up their account.
I’ve had multiple colleagues say that we should try to force the user and I don’t support that line of reasoning. The user has a legitimate use of the name. I like that GitHub took the high road.
What in your opinion should github do when an employee loses access to their company email, and 2FA, because they're fired? Should the employee gain access to all the code and the account by just contacting github via their personal email?
couldn't you "just" contact your previous employer?
anyway, why your private account was using job email :o
It's not as if this isn't commonly known. But when you view sanctions as a de-escalatory alternative to outright conflict, which also has huge negative impacts on the people of the countries in conflict.
- sanction the leaders responsible and their buddies, the most common (that's what we do with Russia, Turkey, ...), hurt their wallet but ultimately is a soft sanction, and also your populace sees it as ineffective / nothing is done
- sanction the country directly, embargo, complete block, kick out of SWIFT, that sort of stuff is what was done to Iran. Can only be done if you're part of the bigger/more powerful group. Massive effect, causes lots of poverty and pain for the populace but that's on purpose, so they are forcing their leaders to change some stuff. Doesn't always work, but both outcomes are victories in a way: either the country is forced to change and stop the original abuse, or it doesn't change but is so crippled that it's no longer a problem.
This is bound to something very, very, important: if the country does change and does what you asked, you start lifting.
Part of the message that's more of a European rant: that's why Trump's action on the Iran deal was a disaster, because now the population doesn't believe it's their own leaders' fault, and even if they did their leaders don't believe it would ease if they did what was asked. That's how you end up with a North Korea.
According to every report I've seen, Iran was fully respecting their part of the deal, and allowing all the inspection necessary, when the USA did a "AHAH ! it's a trap !" trick on them and screwed them. You're not convincing countries to behave, you're telling them that if they don't behave, they better go all the way to the other side.
This is what I'm talking about. Even if I'm to agree with the purpose of the requested change, does it justify the means by which it's being procured?
Trump may have screwed it up even more, but sanctions of the second kind have been introduced on countries like Iran or Syria since the mid-80s afaik. No major change happened, but the idea of knowingly use the population of another country to pressure their government which is known to not be chosen democratically is basically a form of hostage situation, and is immoral imho.
It's also alright to blame people for interpreting laws too widely and too abusively. The legal and security departments are much at fault for this where they'll prefer to abuse people than to take up any kind of risk.
Personally, I'd rather a world where companies obey the law than one where they pick and choose what laws they would like to obey.
Essentially you're saying that Nat Friedman should risk 20 years in prison, and a million dollar fine per user in order to let Iranian developers use Github.
As much as I hate the idea of software not being freely available to everyone, I would not be willing to take that risk. I doubt many HN readers would.
I'll pick the legal way unless the profits I can make somehow outweigh the sanctions (legislators can make mistakes too) and there are no penal repercussions.
Another thing it also doesn't care about is the U.S.A. laws that prohibit those under 13 from effectively contributing.
The real issue is that many projects, many of which make sanctimonious statements about inclusivity they clearly don't care a bit about, continue to operate through GitHub and other companies under U.S.A. control and remain reliant upon them for contribution.
The last time I assessed the matter, publishing on crates.io seemed to require a GitHub account, though I'm not sure whether this issue has now been fixed; I've certainly seen Rust preach and pat itself on the back how much it cares about not excluding anyone, but apparently Iran isn't so included.
Is it an X-ray machine? Does it use crypto? Is it more than 231 dpi? Well you can't export it to Middleeastistan.
https://www.bis.doc.gov/index.php/licensing/commerce-control...
All devices are subject to search, seizure, and duplication when crossing international borders and border agents may tamper with devices as well. If assets cross borders there has to be a good reason, it has to be documented, and phones/computers may have to be scrubbed before and after depending on circumstances.
It does not condone that it took an HN frontpage to react to a massive issue from a client blocked due to either a badly configured sanctions system, or a badly defined false positive determination workflow, that could not be expedited otherwise by the client, but... it’s something I guess.
Good luck having a 7-day response from your bank, who have the legal obligation to not share with you why they blocked you, or having Google's CEO look into your issue aired on Twitter.
And then they would say "I had 30 minutes of waiting time in transit and I just wanted to add a comment on my Pull Request".
You're right. You should frame it correctly and take ownership over the complete and utter regulatory failures of European countries to support and nurture local businesses.
When I went to London for the first time I met a ridiculously attractive Swedish Arab girl. She had mentioned she really wanted to visit America, but with the recent election of Donald Trump she was a bit scared.
Not all of us like Eastern European women, Trump blocked my game right there.
The point of this story is anyone can meet anyone from anywhere and the nasty racist system the US has for blocking certain people because they have the wrong last names or whatever doesn't do anyone any service.
I also don't think embargoes serve anything aside from radicalizing other peoples. Take Vietnam: now you have Coca-Cola and McDonald's succeeding in doing what 20 to 30 years of Western imposition couldn't, they've made Vietnam capitalist. That was accomplished once the embargoes were removed in the nineties. Even with Cuba, I'd imagine if the embargo didn't exist you'd see much more reform as individuals would eventually be able to succeed on their own merits.
At a previous job we self hosted Git and it worked fairly well. At my current job we use GitHub and while we could migrate away, it would hurt.
Personally, I think GitHub's value is more about the fact that it integrates so well with so many other services. Without GitHub we would lose:
- Most of our PR/ Code Review flow
- Integration with Pivotal (our ticketing/ story system)
- Integration with our Travis server for CI
- Integration with our hosting service for automated deployment.
All of this stuff can be done independent of GitHub, but most of it takes a lot of time and effort that could be spent delivering the product you are trying to ship. You also lose a lot of flexibility.
Are any EU countries still dependent on Iranian oil supplies?
2) I can assure you there are policies at Microsoft that cover performing work abroad and accessing any company resources from abroad. Obviously nobody will be approved to access any company resources from Iran, especially not source code.
3) I can say this with a very high degree of confidence because I personally have done work with Microsoft involving code and data that is export restricted.
4) Companies should have policies in place in order to avoid situations like this. Taking your company laptop to, say, Germany probably isn't a big deal for most companies, but any "exporting" company assets should at least be pre-approved/documented.
I'm not sure what team you worked in, it's possible some teams have stricter policies. If you were doing business with Microsoft, the export control language is boilerplate contract language.
I would also point out that many of these companies you mention are immensely scattered. Take anyone and you'll find their resources spread across an ever-growing domain/portfolio. I'm not saying it's bad that Apple is developing cars and Facebook VR headsets - I'm just saying it spreads them thinner. If the EU found it valuable enough to pursue e.g. search within the next five years it's not at all unfeasible or unreasonable to do so. It might even be better for the greater good of the internet frankly.
Those are not problems, those are trade-offs. OP is right, you could be in a position in which those trade-offs don't apply to you (i.e. by buying an "expensive" but great solution; this happens all the time in all industries) or you could sacrifice one item (say speed) in your solution if this is not a problem for your workflow ("so what if an open source tool runs 2x as slow as the best proprietary option, our daily batch processing takes 2 hours and it is used in weekly buckets").
> problem (n) 1a: a question raised for inquiry, consideration, or solution
Saying that Israel could resolve the issue by de-escalating is nonsense, as much as saying the same thing about North and South Korea. One side has leaders intent on acquiring nuclear weapons and publicly claims it will use them against its neighbors.
USA : Israel : Palestinians :: PRC : North Korean Dictatorship : North Korean People
Do you think there is a huge tendency towards Oracle, Infor or MS Dynamics rather than SAP across hacker news, or are you just assuming that people who go on hacker news aren't in the 'circle of companies' which need an ERP?
Most people on HN probably go work for companies that pay them the best compensation or offer them a good position, not based on what ERP they chose.
Does that mean most people on HN work for companies either too small for or too competent to outsource an ERP system?
(Maybe more relevant for SaaS than servers though)
> It probably has better support for Danish accounting, better locale support
As someone else mentioned, capital is way harder to raise (meaning slower to market) - and then an underrated factor which is equally important is how easy or difficult is it to sell as a nascent startup. At least in my industry (cybersecurity) it has been very hard in the EU vs US in the earlier stages of product maturity.
Much like the parent comment, I don't see this changing anytime soon and I'm fully betting on the fact US will keep their dominance in tech.
"MS Windows having a marketshare of 96% should not necessarily stop you from designing your business around linux"
But Windows doesn't have this kind of marketshare in most areas going forward? The #1 OS used worldwide is AndroidOS and no one is clamoring to write for it as far as I can tell.
Your opinion is 'yes'. OP's opinion is 'no'.
Both are valid opinions and highly depend on the nature of your business.
But, OP's somewhat un-American sentiment aside (which I believe is mostly what you're reacting to, rather than the general nature of their argument), I agree that erring on the side of caution and minimizing external liabilities should be at the top of the agenda for any company.
And this is aside from the whole "support local infrastructure and don't empower monopolies further" argument.
That said, as a European I have to consider my interests and the interests of my business.
I think EU/EFTA is large enough to enable the growth of at least one 80% offering given enough time. Or otherwise large enough as an economic bloc to force America to stricter legislation so that they can use and depend on the American offerings.
Amazon can sure kick your company off its services.
For many startups AWS is a no-brainer, which makes life somewhat harder for anyone who wants to deal with Iran from EU (as long as EU allows it) and not be shut down on a US three-letter agency's request.
I could argue Google is not a big software company (as in lots of people working with mismatching socks and propeller hats).
But that would be just as stupid.
Would you consider Randstad to be a building company? They loan out hundreds of thousands of building contractors across the world
Accenture is American-Irish and listed on the NYSE. Subject to US jurisdiction from a national, not global level.
The argument is that the US sanctions are wrong. It's totally against what America and the West at large stand for. Those sanctions, as always, punish innocent citizens the most. The strategy of course is to make those citizens revolt. But it ain't even working. See Iraq and Libya: they literally ended up bombing these countries and ensured the death penalty for those leaders, and now see how much worse it has become over there (interestingly the news outlets don't report much of the situation now).
I have been clearly and firmly reminded by my employer about sanctions on Iran and to not engage in any business with Iranians as clients. The US government, like said in another comment, is using its country's private economic powers in the service of its (absurd) geopolitics, not far from what China has been doing, but with far more hypocrisy and somehow less success.
[1] https://www.worldatlas.com/articles/how-many-countries-are-i...
>"According to Kelly and Laycock’s book, the United States has invaded or fought in 84 of the 193 countries recognized by the United Nations and has been militarily involved with 191 of 193 – a staggering 98 percent."
"Invaded or fought in" - that's a pretty big "or" there no? The theater of operations for the US Military in World War II was easily 84 countries in itself [1]. Also 84 countries is not all but 3 is it? Nor would it be considered "most" as you stated.
Further that's not really a citation that supports your assertion. It's a post with a single reference to a book entitled "America Invades: How We've Invaded or been Militarily Involved with almost Every Country on Earth." The phrase "or been Militarily Involved with" is casting a pretty wide net no? That's quite a nebulous clause. If you sell someone a tank you are "militarily involved" with them. By that dubious measure much of the globe is "militarily involved" with each other.
Have you read this book? What seems to be notable about this book is the absence of any footnotes or bibliographic information. This is quite odd for a history book. I think this book could be accurately described as "entertainment reading" as it seems to lack any academic rigor.
[1] https://en.wikipedia.org/wiki/United_States_theaters_of_oper...
Or look at it another way: this is an Indian company. Does one employee opening their laptop in Iran make it an Iranian company under US law?
Private entities chartered and regulated by the government, of course.
The first one is a violent crime against individuals, the second one is basically a tax.
I'm against both but they carry a different weight.
“One has not only a legal, but a moral responsibility to obey just laws. Conversely, one has a moral responsibility to disobey unjust laws.” – Martin Luther King, Jr.
Microsoft is no stranger to breaking laws and certainly has the resources to fight this one, or at least to argue that it shouldn't apply in this case.
1. Bomb them back into the stone age. That would kill a whole bunch of people, who as you point out are basically held hostage by their government and don't get much choice in the matter. It'd also permanently wreck their economy and infrastructure, cost lives on both sides, and usually has follow on effects.
2. Do nothing and allow things like funding terrorism, selling arms, committing atrocities, etc. You would know these things are going on, and therefore be allowing them to happen, and these things would probably be happening to your own people and allies.
Which one would you rather take?
Funding of terrorism is still happening now, and their support is being funnelled through countries that are not under any economic restrictions, some even have good relations with US, like KSA. For example, most official fundamental/terroristic TV channels/groups are based there. Most shell companies used by oppressing regimes in MidEast are in the UAE.
"Doing this to entity X stops that from entity X." "No, look, here is another entity Y where we didn't do this, and it still does that."
If anything your comment implies we should sanction all of these countries too.
Sorry what??? I have family in India, but not because I'm Indian, I just have family there. I have family in Poland, not because I am Polish (well I am kind of, but not on paper). I have family in the UK, but I'm not British.
This is 2021, not Christopher Columbus times.
In 2021, people are still directly related to their parents, and the majority of citizens in most countries is indeed the local population.
They may of course have obtained American citizenship now, but we're talking in the context of crazy US sanctions on Iran here, which I think work on connection to Iran.
I don't think there should be any consequence to being Iranian, but I don't have a say in American politics.
[1] https://en.wikipedia.org/wiki/Internment_of_Japanese_America...
So, no, it's not merely a "sensible" assumption.
It's an assumption that carries collective trauma and negative connotations for many whose ancestors have experienced painful discrimination because of their ancestry.
> I don't think there should be any consequence to being Iranian, but I don't have a say in American politics.
No, you don't. But you do have a voice to ask critical and nuanced questions out loud.
It depends on the countries' respective laws, but it's certainly possible that the person in question is not Iranian at all in terms of nationality as opposed to ancestry. As I recall, the law in question pertains to Iranian nationals, not those who happen to have Iranian ancestry.
"The United States has imposed an arms ban and an almost total economic embargo on Iran, which includes sanctions on companies doing business with Iran, a ban on all Iranian-origin imports, sanctions on Iranian financial institutions, ..."
A private visit is not doing business, so the org cannot be blocked. And most other companies are ignoring the US sanctions, that's why we have the current propaganda push.
The law is ok, because economic sanctions are the only way to get rogue nation states to comply. That's why we have sanctions on Iran, Russia, Crimea, North Korea. Unfortunately not against the US yet.
- the Arab nations don't consider themselves kin (or "coethnics", whatever that means) with the Palestinians. When Jordan and Egypt controlled the Palestinian territory, they treated the Palestinians worse than Israel does today.
- the groups that commit the vast majority of rape (per capita or otherwise) in the middle east are not Israeli. In most of the Muslim countries, it's legal to rape your wife. In some of them (such as Iran), men execute their daughters for being raped by their neighbors. One well known group (ISIS) was really into rape - and so Iran gave them money so they could rape more.
If what you care about is rape, murder, and genocide, you're against Iran 100x as much as you're against Israel.
Domestic disputes are also not like a foreign army arresting young children and raping them.
What an extraordinary claim. It demands an explanation. There is no part of Palestine in which Syrian law runs. There are no Syrian cops or troops in Palestine. There are no Syrian government offices in Palestine.
You do realize that the bulk of "other religions" in the Middle East (namely Islam) - and, for that matter, the US (namely Christianity) - are derived from those same scriptures and rejoice in those same genocides (and have happily added to them over the past couple millennia, of course), right? There's no moral high ground on either side of this mess.
EDIT: concerning hypothetical worlds, I pretty much do not want to live in a world where companies blindly follow the law regardless of how harmful it is. We have tried these worlds in the past and they were not pretty.
Personally, I think a distinction is necessary. Companies IMO should absolutely obey the laws regardless of if they like them or not. It's entirely unfair to blame them for obeying the law.
They (as well as individual people) are free to oppose those laws in an attempt to change them; however, until they are changed, they should follow the laws or cease trading in the country whose laws they disagree with. It's entirely fair to blame them for not fighting stupid/wrong/harmful laws.
Allowing companies to choose which laws they are going to obey is never going to end well.
GitHub could have warned the company before blocking and/or blocked access only from Iran. It did neither.
You're right that companies don't always obey the law. However, what has that got to do with "Personally, I'd rather a world where companies obey the law"?
My point is that companies SHOULD obey the laws, not that they always do - and that - allowing and encouraging companies to pick and choose the laws they are going to obey is wrong, and will simply not end well.
> GitHub could have warned the company before blocking and/or blocked access only from Iran. It did neither.
I'm not familiar enough with the specifics of the US laws regarding Iran to know if this is a lawful course of action to take upon a customer attempting to use your products/services from Iran.
Maybe they could have? Maybe they can't? I've no idea & I've made no attempt to address anything other than the "It's alright to blame people for lawfully following harmful laws" comment.
Git is designed for an environment where there are multiple canonical trunks. Red Hat's kernel is equally a master as SuSe's. So you are maintaining various tips in a semi-synchronized manner. In most projects there is a single repository branch that is the true branch (with perhaps a few tags for LTR) that represents the project. For that reason a lot of Git's mechanisms are unneeded complexity.
The killer feature of Git is GitHub, and to a lesser degree local commits (after all, Mercurial has that too).
"One click" fork + "one click" pull request are its killer features.
I consider immoral the USA's warmongering and spying on its own citizens.
Still, if I don't pay my taxes or if I try to stop the army from going to bomb some poor people in the middle east, I'll be put in jail.
If I have a way to sabotage the government which won't ruin my life, I'll do it, but I'll pass on the rest.
We're lucky enough not to live in a country that requires us to kill people in concentration camps, because we would surely do that.
At least, I would do it if I didn't have another choice (but I would also try to desert).
Software needs to be maintained, patched, backed up, verified etc. It has bugs, security issues, hardware breaks in weird ways. This takes time and skill - ideally you'd need two or three people that are capable of fixing problems with the install (one ill, one on vacation, one available). This is something that detracts from the actual work you're doing. I'm very much an ops person and I actually like tinkering with a GitLab install - it's just so many moving parts that I prefer not to run this for my company since it would eat a substantial chunk of my time just caring for this.
I note that the Linux kernel lived with bare Git for many years.
The Linux kernel is a very specific case with a very specific development model that likely doesn’t apply to most other projects.
You need to compare the cost of self-hosting to the cost of SaaS - INCLUDING the risk of getting locked out.
One downside of the SaaS model is that you are just a very small customer in the bigger scheme and they can't really justify spending money on servicing you. Let's say you are a company of 5 people, paying 50 bucks a month for a service - how many hours per year can they spend on servicing you before you become a net-negative account? How much power do you have in a negotiation if you are a net-negative account?
It probably isn't sustainable for a business to only consider this aspect. One thing that comes to mind with companies that thrive with a large number of small non-B2B customers, who individually don't tend to have much power, is that they understand that people love to talk about customer service when it's bad, and occasionally when it's very good as well. Word spreads, and nearly everyone places at least a little weight on this public perception of kindness or flexibility with customers especially when it isn't in the immediate financial interest of the company to do so.
As far as maintaining the system is concerned: setups that are hosted by 3rd-parties also need maintenance. Someone has to understand how it all fits together, and how to fix it when it goes wrong. So you still need a team-member working part-time on SCC, CI and deployment.
If no one in your company can do that.. hire or outsource.
(I have been doing it for years)
For example, the source code as well as the tickets around a piece of software tend to be the most critical assets of a company. As such, you need one or better 2 systems to host the source code and ticketing. However, such a system needs backups, so suddenly you need to maintain a backup solution, you need to implement and monitor the backups being created, you need restore tests. You end up needing some kind of monitoring as well. As well as 2-3 dudes at least part-time maintaining all of this, capable of replacing each other during sickness and vacation.
That's a lot of stuff as well as a lot of manpower as your base cost. Of course, once you have that, you can self-host a lot of things easily and maintain excellent uptime at minimal risk, because these base services scale very well in complexity. For us it makes sense to do this, because unplanned outages at 100+ developers are seriously expensive and risky.
However, if you have 3 developers and a clock ticking to find product market fit, you don't have that budget - or spending it this way does not make sense. So you buy.
It also does not require to do so without warning or clarification.
Disobey the law, make a public statement about it, and deal with the consequences. This is not a new problem, it was treated by Kant a few centuries ago.
Although I agree the export embargo is fucking stupid, especially when it comes to online technology, I really want to see less criminal behavior from companies, not more.
The law is not stupid, it's criminal. By following it, companies are precisely engaging in criminal behavior.
It may be countered that the law isn't actually unjust (nor immoral), but a more convincing point is that it opens the door for companies to do whatever they like. I don't think that holds up - morality is supposed to supersede law.
It could be argued that anyone can disobey any law because anyone can find something moral or immoral - but that doesn't stand up; most people (and certainly society in general) admit some degree of objectivity in morality to the point where almost all moral questions either already have an answer, or the answer is currently being discussed (and that discussion is a process to find the right answer). People tend to say morality is "subjective" (whatever that means) or "relative", but act as though it is objective - with all the blame, shame, guilt, and assigning of responsibility. Even if it is "relative", it is relative to this society, in which GitHub operates.
Some people are interpreting this discussion on morality and law as being a matter of what a company or person does or doesn't "like" - morality is (by most accounts) a different ballgame, and should not (epistemologically speaking) be conflated with mere preference. Disobeying a just law (and doing something unjust in the process) is just as morally blameworthy as obeying an unjust law (and doing something unjust in the process). It's not a carte blanche for companies to do as they please.
I'm not commenting on this specific case; I'm silent on my moral reasoning of it, but I wanted to try and explain what I think GP was getting at.
- Sanctions don't achieve the goal of stopping funding terrorism as evident by it still happening.
- IF the point of sanctions was to _actually_ stop terrorism funding, you'd start at the origin of where these ideas start, which is known to be Wahhabism/Salafism.
- At least, you'd start at the origin of how people holding these ideas were supported and given weapons and training to achieve regime change goals and to fight against Russians in Afghanistan.
What "personal"/natural right do you have to establish a limited liability corporation? That is a social construct, intended to facilitate business, but it is not some "private sphere" distinct from the society we live in.
Your account of consumer choice "regulation" fails when confronted with even the most basic externality.
From the "Syria Palaestina" of Roman times all through the Rashidun, Umayyad, Abbasid, and Fatimid Caliphates, the Ayyubid dynasty, and the Mamluk Sultanate, the borders of Syria have nearly always encompassed all of what is described as Palestinian territories today, with a special exception made either for the occupation of Jerusalem by the Christian First Crusade or, in the 19th century, when the Mutasarrifate of Jerusalem was split away into a special region given legal autonomy as a city-state, much like Vatican City.
All through this time, for thousands of years up through the Ottoman era, the borders of Syria included what are now described as the Palestinian territories. You can see them on a map here:
https://en.wikipedia.org/wiki/Ottoman_Syria
You can also check maps available on Wikipedia for the historical borders of Syria during the Caliphates, which have always encompassed Palestine.
Palestine was never an independent nation at any point in history. It was always a part of Syria, and Syria today considers it Syrian temporarily-occupied territory stolen by Western-sponsored violence and terrorism.
Sounds like: "Palestine was inhabited by Jews", ergo "Israel is entitled to the whole of Palestine".
I evidently have a defective logic board. I'd better check myself in for servicing.
Nope. No backups, no sympathy, simple as that.
2FA is worthless if you start to put holes in it like that.
So if you value your data, make backups - preferably locally the old-fashioned way, e.g. HDDs stored in at least two different locations or at least using several different cloud providers (which have their own infrastructure and aren't just relying on AWS/GCP/Azure/etc.).
There's no such thing as a "trade-off" when it comes to cyber security - either commit to it fully or just don't use 2FA at all.
Personally, I think 2FA that doesn't rely on physical devices (phones, keys, smart cards, etc.) is unreliable and sketchy anyways.
If you can't spare a few hundred bucks on a NAS that you can just put in a storage unit or bank vault if need be, your data can't be that valuable anyway.
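The advice above is to keep your own copy rather than rely on one hosted account. As an added example, not code from anyone in this thread, this POSIX shell script keeps a bare `--mirror` clone of a git repository in a second location, runs `git fsck` on it, and reports whether every branch and tag still matches the primary, so that a lockout costs an inconvenience rather than the history. The directory names and the sample repository are constructed for illustration.

```shell
#!/bin/sh
# Added example: maintain and verify an independent mirror of a git repo.
# Assumes git is installed; paths are placeholders chosen by the caller.
set -eu

# mirror_repo SRC DEST
# Create DEST as a bare --mirror clone of SRC, or refresh it if it exists
# (--prune drops refs deleted upstream so the mirror stays exact), then
# let git fsck fail the script if the copy is corrupt.
mirror_repo() {
  src=$1
  dest=$2
  if [ -d "$dest" ]; then
    git -C "$dest" remote update --prune >/dev/null 2>&1
  else
    git clone --quiet --mirror "$src" "$dest"
  fi
  git -C "$dest" fsck --no-progress >/dev/null 2>&1
}

# check_mirror SRC DEST
# Print "ok" when every branch and tag in SRC points at the same object in
# DEST, and "drift" otherwise. Comparing ref names and object ids (rather
# than just counting refs) catches a mirror that silently stopped updating.
check_mirror() {
  src=$1
  dest=$2
  fmt='%(refname) %(objectname)'
  a=$(git -C "$src"  for-each-ref --format="$fmt" refs/heads refs/tags)
  b=$(git -C "$dest" for-each-ref --format="$fmt" refs/heads refs/tags)
  if [ "$a" = "$b" ]; then
    echo ok
  else
    echo drift
  fi
}

# make_sample_repo DIR
# Constructed throwaway repository standing in for the hosted primary copy.
make_sample_repo() {
  dir=$1
  git init --quiet "$dir"
  git -C "$dir" -c user.name=sample -c user.email=sample@example.invalid \
    commit --quiet --allow-empty -m "initial"
  git -C "$dir" tag v0.1
}

# Usage (for example from a cron job):
#   mirror_repo /path/to/primary /backup/primary.git
#   check_mirror /path/to/primary /backup/primary.git   # prints ok or drift
```

Run `mirror_repo` on a schedule and alert on anything other than `ok` from `check_mirror`; a mirror that nobody verifies is only a hope, not a backup.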
This is a really garbage opinion. Long tail reliability situations like this are a major blocking point to large scale adoption of many things. No one wants to use something where the consequence of making a mistake is "well I guess you're f*cked now". You're ignoring the entire usability side of computing and innovation.
> 2FA is worthless if you start to put holes in it like that.
No, it is not. 2FA can still prevent 99% of takeover attempts. There are other ways to verify identity (especially within a social network, where real life people know other real life people), but these companies simply do not want to put the effort in. And I can't really blame them: it would be a large investment to verify the identity of a given, everyday person. This could be something that can be paid for in order to regain access, to cover the elevated review necessary.
Trust me, if Nat Friedman somehow loses his email and 2fac at the same time, I can bet you that they would somehow find a way to verify his identity and let him back in to his GitHub account (or honestly any other account).
> There's no such thing as a "trade-off" when it comes to cyber security
This is false. Almost every part of cyber-security is a trade-off between security and usability. If you want the most secure system, just turn everything off. Totally secure. But also totally unusable.
> If you can't spare a few hundred bucks on a NAS that you can just put in a storage unit or bank vault if need be, you data can't be that valuable anyway.
Not everyone has the privilege to spend a "few hundred bucks on a NAS" and pay for it to be securely stored somewhere.
Wow wow wow, so you're basically saying that users who are capable enough to even need/use decentralised version control systems are too dumb and incompetent to setup Time Machine, Timeshift, or File History? Really?
> There are other ways to verify identity (especially within a social network, where real life people know other real life people), but these companies simply do not want to put the effort in.
So you are suggesting that instead of keeping one piece of information (e.g. a second e-mail address or just a token generator, which can be an app), you instead share your entire private life with these companies? Oh, and by the way - how would you even protect your social media accounts then? 2FA all the way down?
> Trust me, if Nat Friedman somehow loses his email and 2fac at the same time, I can bet you that they would someone find a way to verify his identity and let him back in to his Github account (or honestly any other account).
Trust me, the CEO running the show is in an entirely different category than most of the 50 million other accounts and you (in this case GH) don't even want to have all this sensitive personal information.
The less info you have, the less impact a data leak on the provider's side can have. Why would anyone trust GH with their personal information more than any other tech company?
Mission critical data belongs in multiple locations. Full stop. Losing access to a GH account should never be more than an inconvenience if your livelihood depends on it or you value your personal data.
> This is false. Almost every part of cyber-security is a trade-off between security and usability. If you want the most secure system, just turn everything off. Totally secure. But also totally un-useable.
I'm not talking about security in general. I'm specifically talking about deliberately weakening a security measure (here: 2FA) for no reason at all.
Do you leave your house key under the doormat? Do you keep a post-it note with all your passwords taped to the back of your phone - you know, just in case you forget one and for convenience?
> Not everyone has the privilege to spend a "few hundred bucks on a NAS" and pay for it to be securely stored somewhere.
A USB drive is not a privilege and if you can't afford a data storage solution I seriously wonder why you have a need for a distributed version control system in a (semi-)professional environment.
Data has become more important than ever, yet people still fail to understand that they need to treat it like they would other valuables. 20 bucks for a protective case for your phone - no problem. 50 bucks for a half decent 1TB portable USB HDD to back up their most important and irreplaceable data - only the privileged and tech gurus can afford that...
Nah mate, think again. It just doesn't make sense to put all your eggs in one basket (allegedly 10s of thousands of proverbial eggs in this case) and then whine about forgetting to change 2FA, having no backups whatsoever, and mixing private and work accounts all at the same time.
This is one of those things that you should learn from and the least you can do is to have a cheap external HDD and a recent backup of your most important stuff.
For your personal stuff, sure. But when engineering a service, you should care about everyone's stuff, not just those who are careful.
You should design your service to try to help those users who use the same password they did on myspace in 2004 and write it on a sticky note on their desk. Engineer for those who shared their password with their now-hated ex.
Even if the user takes massive security risks, the service should still try to maximize the user's ability to use the service, while minimizing an attacker's use/access to the service.
Let me put it in HN terms. One person grousing how they lost their account due to their own fault is a minor HN comment in the middle of a thread. A person complaining that Github customer service assisted an attacker in account compromise is a front page thread by itself, probably picked up by mainstream news. Does that make Github's decision easier to make?
And as the GP says, what role would 2fa play in that scenario?
Those can't be helped. We're not talking about Geocities or MySpace here - we're talking about a service that hosts a distributed version control system aimed at experienced users with a technical background.
The target audience is strictly not your average consumer and even then you shouldn't insult the intelligence of your users.
2FA is intended to protect all users of the service and users do have a choice when it comes to selecting their 2nd factor. Doesn't have to be an e-mail or phone. It can be an app-generated token as well.
And losing everything at once is tragic (hence: keep backups!), but suggesting that the locksmith should be allowed to just open the door if you ask nicely and the owners don't show up within an hour would be just as ridiculous as allowing 2FA to be circumvented.
There are always trade-offs. No security is absolute, but that doesn't mean all security is worthless. And as a rule all security measures come with some associated cost/inconvenience. What trade-offs make sense will depend on many factors, such as the value of your data (both to you and to a potential attacker), the threat models you're concerned about, the people who need access to your "secure" data, etc.
I'm not talking about absolutely secure measures here, I'm talking about watered down security measures.
Just like encryption that has backdoors, weakening 2FA by providing ways around it by design makes it completely worthless. And remember that this doesn't just apply to one user - it affects all users of a platform at the same time if you allow nonsense like this.
There's no trade-off to be had there - you either offer a more secure identification method or you don't.
To put it in a different and simpler context: a safety gate has to have certain properties. If you remove one or more of these, it ceases to be a safety gate and becomes a regular door. A reinforced door with a cheap lock is just as insecure as a cardboard door with a security lock and a second key under the doormat or hidden under a rock outside invalidates the usefulness of even a vault door...
I do agree with your take on account takeover in case of lost credentials.
> Nope. No backups, no sympathy, simple as that.
My two SIM cards were lost at the same time. Impossible, right? Now I cannot access my Github account anymore. Perfect security. Nothing important is lost and backups are there. But what about the account itself?
That's generally a suitable backup in my view.
It's common sense that most people are from the same country their parents are from, given what we know about immigration.
Interning people based on predicting their behavior due to ancestry is a whole different ballgame.
The legal concept you're referring to is called "ius soli". The legal concept which serves as a basis to determine someone's allegiance by their ancestry is called "ius sanguinis". [1][2]
[1] https://en.wikipedia.org/wiki/Jus_soli [2] https://en.wikipedia.org/wiki/Jus_sanguinis
So, no, it's not "common sense" to make that assumption.
Moreover, there's also the concept of "right to return" in international law. Many nations have implemented this in their nationality laws in a way that extends surprisingly far.
For instance, if you're of Luxembourgish descent through the male line of your family, you could just claim Luxembourg citizenship - and by extension E.U. citizenship - under Article 7 of their nationality laws. Something which was recently pointed out on Reddit. Even if you weren't born in Luxembourg or never have set a foot in the E.U. proper. [3]
[3] https://www.reddit.com/r/YouShouldKnow/comments/izkwzk/ysk_t...
I'm pretty sure some people might be surprised to discover they have a right to citizenship in another nation simply because they took the time to dig into their ancestry, their history and nationality laws.
> Interning people based on predicting their behavior due to ancestry is a whole different ballgame.
Of course it is.
But, why discuss someone's citizenship or ancestry then if it - apparently - doesn't matter in this discussion at all?
The only other theory that explains why this person got his access revoked from Github because he visited Iran, regardless of the reasons why, nevermind his citizenship or his ancestry.
If citizenship and/or ancestry matters, as is seemingly implied but never voiced in this discussion, then bringing up the implications of how policies reflect on that assumption clearly is relevant given the historic perspective.
The common sense idea deals with the probability of someone (already born) being of a certain citizenship given their parents' location.
Different ideas.
> The legal concept which serves as a basis to determine someone's allegiance by their ancestry is called "ius sanguinis"
Not allegiance, citizenship. Different, but similar concept again.
We are quite privileged to just assume that following the law as written (AND interpreted by the judiciary) will mostly work out alright and doesn't cause us moral dilemma. And companies consist of people, too. Is it then all of a sudden morally acceptable to build spying software so your country's leadership can prey on its political enemies? Or assist in persecuting discriminated groups?
You don't have to cite long abolished laws or an industrialized killing machine for pointing that out ;-) though the post is really begging for it.
Should US companies be free to ignore laws related to sanctions because the UAE has made being gay illegal or because political opposition in China could land you in jail? Where do you draw the line? Specifically - for a US company as is being discussed.
Yet you continue with your straw men. Nobody said that. The crucial word in your sentence is "all", with which nobody has agreed here. Of course nobody is above law. But sometimes, in exceptional circumstances, a particular law turns out to be immoral. In that case, and only in that case, it is wrong to follow that particular law, and it is right to do the illegal alternative.
If a company is found to have followed an immoral law and performed harmful (but lawful) acts, it is right that society punish that company later (e.g., when the law situation is solved). More so in this case, when the company is overzealous in its application of that immoral law.
My thoughts are my own. I do not represent anyone other than myself.
On the other hand, a sanctions violation could be a $65,000 fine (Trading with the Enemy Act) or $250,000 (International Emergency Economic Powers Act) for each offense. (I leave aside the million-dollar narcotics-kingpin act). On top of this we also see the risk of criminal prosecution.
In what world is it reasonable to expect anyone to take this chance?
Sanctions, compliance, etc. is a messy ordeal to manage (both technically and operationally), and the way laws are written with so many intricacies and dependencies doesn't make it easier.
Because only 1 instance of violation could lead to fines equivalent to a person's salary, often the systems are made to be overly sensitive and less investigative to figure out whether a 'hit' is actually a false-positive because that also takes time/money and still carries potential risk.
Advancing developer freedom: GitHub is fully available in Iran
https://news.ycombinator.com/item?id=25648585
Github cannot be expected to reliably differentiate between the coworker who just checked the status of a PR on a webapp versus the employee who opened a crucial piece of encryption code to leak it to the Iranian military or whatever.
No, it was a rhetorical question. Reading and making an effort to respond to the entirety of the comment would have made that obvious when I specifically ask "Where do you draw the line?".
Do not put words in my mouth. I did not say that, you just did. I said that usability is a real concern, because no matter what you expect people to do, it will never work perfectly 100% of the time.
> I'm not talking about security in general.
You can say that now, but that's not what you said previously. "There's no such thing as a "trade-off" when it comes to cyber security"
> you instead share your entire private life with these companies?
Again, I did not say that. Github is a social coding network. I am not saying that I have all of the answers as to how this should work, but I am saying that if 1 member of a 100 person organization loses access to their account, and the other 99 members all confirm that their account access was lost via some event and assert their identity, you could have the start of a reasonable recovery path.
> the CEO running the show is in an entirely different category
Not sure what you mean by this. Are you saying that a CEO is just automatically more responsible and not going to lose something? Or are you saying that he's clearly just more important so it's okay to bypass the stated procedure for just him/her?
> Do you leave your house key under the doormat? Do you keep a post-it note with all your passwords taped to the back of your phone - you know, just in case you forget one and for convenience?
This is not even a valid comparison, and you're just trying to be condescending. I don't leave a house key under my mat just in case I lose it. But I also don't expect to never be allowed to enter my house again just because my key is lost.
> if you can't afford a data storage solution I seriously wonder why you have a need for a distributed version control system in a (semi-)professional environment.
Because many people use Github for non semi-professional environments? It is full of amateurs. Just because you don't find someone's work valuable, doesn't mean that they don't. Saying "Well it's not professional, so if you lost it then it doesn't matter" is not correct.
> 20 bucks for a protective case for your phone - no problem. 50 bucks for a half decent 1TB portable USB HDD to backup
You're comparing a 1 time action to a recurring action. I'm not saying that you shouldn't have backups. You obviously should. But people are human beings. Even if 99% of people have perfect backups, that's still 560k (according to Github home page numbers) that will have failed backups or some other issue.
PS. you keep widely including the term "decentralized", as if just because git is decentralized, that nothing on Github should matter. For better or for worse, Github has become the central git repository provider for millions of people. Claiming that Github services should be magically decentralized just because git is decentralized is an invalid claim. Because Github is not decentralized.
> You can say that now, but that's not what you said previously. "There's no such thing as a "trade-off" when it comes to cyber security"
I literally followed that up by "either commit to it fully or don't use 2FA at all". You omitted crucial context there. Now I could have expressed that more clearly, sure, but the context is right there nonetheless.
>> the CEO running the show is in an entirely different category
> Not sure what you mean by this.
What I mean is that the guy is not just "a CEO" - it's the CEO of the very company in question here. So what I'm saying is that someone within an organisation - let alone the head of said organisation - has very different tools at their disposal than can or should be provided to their users.
> It is full of amateurs. Just because you don't find someone's work valuable, doesn't mean that they don't. Saying "Well it's not professional, so if you lost it then it doesn't matter" is not correct.
Amateurs don't lose 10s of thousands of dollars from losing their GH account. Again - omitting context. If your data isn't valuable to you (be that in terms of money or for sentimental reasons) then it doesn't matter indeed. Just like you'd protect physical assets, non-physical assets require protection as well and if you don't do that, said assets cannot be of much value to you, no?
> But people are human beings. Even if 99% of people have perfect back ups, that's still 560k (according to Github home page numbers) that will have failed backups or some other issue.
So what you're suggesting is putting 100% of users at risk because there's the odd chance that someone might lose data? That's just not reasonable at all.
> you keep widely including the term "decentralized", as if just because git is decentralized, that nothing on Github should matter.
Because it does matter in that all you need to do is to keep a local copy of your repo. With a centralised system you'd lose the most important part of the repo: the complete commit history and all branches.
This is not the case with git and "all" you'd lose would be external configuration, issues and Wiki pages, but even those can easily be exported and saved externally.
You can even re-import all of that to a new account if need be. Heck, you can set up triggers that synchronise the entire repo - including issues, projects and wiki - to other providers or a local copy if you really want/need to.
The fact that millions rely on services like GH, GL, and BB doesn't change the nature of git.
Again - if your data is important to you - be that for monetary or private reasons - don't keep it in one place. Especially if that place can be locked away from you at any time for any odd reason. I don't understand why people these days have such a hard time understanding this, but using GH implies that you put your data on someone else's machine with little to no guarantees whatsoever.
None of these multi-million and billion dollar corporations deserve any of our trust and using their services comes with strings attached. Whining doesn't help - being aware of this and becoming a responsible and critical user who knows their options is what helps avoid disasters like this.
PS: you should really start by looking into how git itself works (especially compared to centralised repos like SVN) to actually understand the importance of decentralised version control.
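The "keep a local copy of your repo" advice above, as an added example that is not part of the thread or of any GitHub tooling: a POSIX shell script that keeps a bare `--mirror` clone of a repository, refreshes it, and verifies that every branch and tag of the source is present in the mirror with the same commit hash. It assumes `git` is installed; the sample repository, the branch name `feature`, the tag `v1` and all paths are constructed for the demonstration. The same mirror step works against a GitHub repository URL, and a GitHub wiki is itself a git repository (`<repo>.wiki.git`) that can be mirrored the same way; issues and project boards are not in git and need a separate export.

```shell
#!/bin/sh
# Added example (not from the thread): keep an offline mirror of a git repo so
# the full history, every branch and every tag survive losing the hosting account.
# Assumptions: `git` is installed; all repositories below are constructed in a temp dir.
set -eu

# Clone or refresh a bare mirror of SRC into DEST.
# A --mirror clone keeps every ref (branches, tags, notes), not just the checked-out branch,
# and `remote update --prune` refreshes it using the same mirror refspec.
mirror_repo() {
    src=$1
    dest=$2
    if [ -d "$dest" ]; then
        git -C "$dest" remote update --prune >/dev/null 2>&1
    else
        git clone --quiet --mirror "$src" "$dest" 2>/dev/null
    fi
}

# Number of branches (refs/heads/*) present in a repository.
count_branches() {
    git -C "$1" for-each-ref --format='%(refname)' refs/heads | wc -l | tr -d ' '
}

# Succeed only if source and mirror hold exactly the same refs pointing at the same hashes.
refs_match() {
    a=$(git -C "$1" show-ref | sort)
    b=$(git -C "$2" show-ref | sort)
    [ "$a" = "$b" ]
}

# --- constructed sample data ---------------------------------------------------

# Append a line to a file and commit it (identity set inline so no global config is needed).
add_commit() {
    printf '%s\n' "$2" >> "$1/notes.txt"
    git -C "$1" add notes.txt
    git -C "$1" -c user.name=example -c user.email=example@example.invalid \
        commit --quiet -m "$2"
}

# Build a small repository with two branches and one tag.
make_sample_repo() {
    git -c init.defaultBranch=main init --quiet "$1" 2>/dev/null
    git -C "$1" symbolic-ref HEAD refs/heads/main   # works on any git version
    add_commit "$1" "initial"
    git -C "$1" checkout --quiet -b feature
    add_commit "$1" "feature work"
    git -C "$1" tag v1
    git -C "$1" checkout --quiet main
}

# Full round trip: mirror, verify, keep working on the source, refresh, verify, restore.
demo() {
    work=$(mktemp -d)
    make_sample_repo "$work/src"

    mirror_repo "$work/src" "$work/mirror.git"
    refs_match "$work/src" "$work/mirror.git" || return 1
    [ "$(count_branches "$work/mirror.git")" = "2" ] || return 1

    # Later work on the source, then the mirror is refreshed and must catch up.
    add_commit "$work/src" "more work"
    mirror_repo "$work/src" "$work/mirror.git"
    refs_match "$work/src" "$work/mirror.git" || return 1

    # Restoring: a plain clone of the mirror brings branches and tags back.
    git clone --quiet "$work/mirror.git" "$work/restored" 2>/dev/null
    [ "$(git -C "$work/restored" tag -l v1)" = "v1" ] || return 1
    [ "$(git -C "$work/restored" branch -r --list 'origin/feature' | tr -d ' ')" = "origin/feature" ] || return 1

    rm -rf "$work"
    echo "mirror verified: all branches and tags present"
}

# Run the demonstration only when invoked as `sh mirror.sh run`.
if [ "${1:-}" = "run" ]; then
    demo
fi
```

Pointing `mirror_repo` at a real remote URL and scheduling it (cron, a CI job, or a post-receive hook on another host) is the "trigger" the comment above refers to; `refs_match` is the cheap check that the copy is actually complete rather than just present.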
Citizenship is always first determined at birth. This isn't relevant to the discussion.
> The common sense idea deals with the probability of someone (already born) being of a certain citizenship given their parents' location.
That would be "ius soli". As opposed to "ius sanguinis".
It's also not a "probability". These are principles which are formally enshrined in nationality laws and very much determine travel, migration and national security policies in different nations. Including the United States.
These are not "common sense" either.
These are laws which come with a long historical pedigree which includes identity politics, economic policies, moral and ideological values, and so on.
They are also very much subject to change through the dominant politics of the day.
> Not allegiance, citizenship. Different, but similar concept again.
I'm not willing to engage in a semantic discussion.
If you are not using both, then it's a single factor authentication.
You still haven't answered the core question: how do you do what you propose (keep strong security and allow easier restoration of an account to the real owner) today?
But we are talking about restoring access to your phone number. I don't really care about "a criminal" getting their account back on my service (well, unless I am SilkRoad or something).
My point is that I am able to get a new SIM for the same phone number as long as I've registered my ID with the provider. I have even kept my phone number even though I had my phone stolen 3 times for the last 20 years or so. Thus, if any of my accounts rely on that phone number for 2fa, I am good.
Roaming is essential for the primary function of phones, whereas 2FA is not.
Random? I think the problem with Paypal was that they do not warn or provide reasons for freezing. GH's reasons are clear.
> Blocking a whole European company not conducting business with Iran because one of its employee tried to login while there is not respecting the embargo, it's just overreach.
Says who? There is a law, the law is unclear and IMHO a bad law. The law is overreach. Blaming GH for shitty US laws is akin to killing the messenger.
Says the US Department of the Treasury, as mentioned in the Twitter thread further down:
> 118. I have a client that is in Iran to visit a relative. Do I need to restrict the account?
> No. As long as you are satisfied that the client is not ordinarily resident in Iran, then the account does not need to be restricted.
from their "FAQs: Iran sanctions" page — https://home.treasury.gov/policy-issues/financial-sanctions/...
The same law you're stating.
https://home.treasury.gov/policy-issues/financial-sanctions/...
Which is par for the course for financial companies.
If GitHub freezes your account, this is obviously serious and can impact your business to a greater or lesser extent depending on what your business does. But the data is not lost, and you'll likely have a copy of at least some of it (the actual repos) and maybe all of it if you were being careful.
If Paypal freeze your account then any money in it is simply lost (and your loss is Paypal's gain!). There's no way you could keep a "backup" of that money even if you were being careful. It's completely incomparable.
While this is completely tangential to the current discussion, I feel compelled to inform you that that's not how it works. When Paypal freeze your account, your account is not deleted, you just can't do anything with it. The money on it obviously remains yours. You just have to convince them that your account should be unfrozen or wait the maximum duration you agreed to in Paypal ToS - 180 days - after which they have to hand it back to you.
> its employee tried to login while there
Those two statements are incompatible with each other.
And blocking on the first login attempt is overreach. The system doesn't know if you are tourist, visitor or resident. So wait two weeks at least.
https://home.treasury.gov/policy-issues/financial-sanctions/...
I am not sure if most people realize this, but OFAC compliance is rather rigid with no room for error ('strict liability'). And US treasury enforces it hard. Recently, Amazon got caught in its cross-hairs ( though it managed to get away with a low fine relative to its size ).
I guess what I am saying, according to OFAC, everyone is responsible for enforcing US foreign policy.
edit: Everyone as in US person, person on US soil or someone using US dollar. I really should avoid exaggeration.
GitHub, as any other US company, has a choice/freedom to stop offering services to customers outside the US market, if the particulars of providing those services causes them to violate laws in at least one of the jurisdictions.
Of course, US companies should be rightfully pissed, if the US government puts them in a situation where they can not (legally) operate abroad. But that's something they should take up with US lawmakers.
At the end of the day, they are still (most likely) operating illegally on a foreign market, even if they are unlikely ever to be substantially punished for that. The thing is, the US has a rather questionable track record of coming to the rescue, whenever US companies get into trouble for (illegally) doing business abroad. Ironically, whenever another country does that (e.g. China) the US immediately have a long list of choice words and allegations at the ready. Long story short: pure hypocrisy.
Surely enforcing your politics outside of your jurisdiction is the whole point of an embargo?
You may not agree with this situation, but it is how it works. The US government will investigate and penalize companies that violate US sanctions, even if the parts of those companies involved did so entirely outside of the US.
In this case, it's just leaving you to starve, so you're pretty well off on the whole vs other things Americans will do
Isn’t that what YouTube and FaceBook do day in day out when their influencers run afoul of policy?
That of a commercial company, which does not have a legal mandate (at least not in the EU) to make rules that violate EU law (including legal protections), or the US government, which does not have legal jurisdiction over the EU market?
Pick your poison
So if a policy or a law says X is disallowed or is unlawful, ipso facto, X can only run afoul of those bodies of governance and can’t be discriminatory? That’s interesting!
"constitutes inflicting serious damage on another company without a legal basis" - again, that does not indicate any wrongdoing. Inflicting serious damage on another company is, by default, permitted (matching the core principle of "everything which is not forbidden is allowed") and is regularly done in the course of normal competition, winning over some other company in bids, recruiting key employees by offering them lots of money, targeting their customers with specific discounts, etc, etc.
If you're inflicting serious damage on another company, then both the intent and result are by themselves legal, the only question is about the means. If you're inflicting serious damage on another company by legally prohibited means (e.g. theft or arson or illegal access to computer systems) or violating some established legal duty (e.g. "duty of care" as required by law in various service relationships), then the other company would be entitled to compensation. But in the absence of that, if there's no specific legal prohibition to your action (for example, laws on anti-competitive actions tend to impose various restrictions), if your action is legally permitted, then if some company suffers because of that, it's not your problem. There are restrictions on what actions are legally permitted (law on tortious interference might apply here, and if there's some fraud, injurious falsehood etc then it matters) but if they do have the right to arbitrarily end the contract, then that's it, they are not responsible for the damages.
If you expect US companies to respect GDPR and cookie banners and the right to be forgotten, globally; you cannot be surprised that they will respect and enforce US law globally as well.
I don't expect any US entity to "respect" GDPR. Unless they are expecting to trade in the EU. If you trade in the EU, and violate EU law, then you can expect to be fined - wherever you choose to locate your HQ.
Incidentally, GDPR is pretty badly flawed. The intrusive cookie popups are an egregious example of unintended consequences - those popups are actually attacking privacy.
EU wants American companies to follow GDPR when acting in EU market.
I'm not saying it's right, I am saying that these are the logical, practical responses to the way different jurisdictions expect their laws and regulations to be honored, respected, and applied.
I'm not saying that US companies should not enforce US law. I think they should. That is: strictly within the US market.
When they operate outside the US market, they have to (also) adhere to whatever law exists for that market. If that creates a conflict, the company has a choice to either open up shop elsewhere, outside of US jurisdiction (if that's the only way to comply with local market rules), or stay in the US and leave the foreign market alone.
Either way, being a US company should never be a valid excuse to violate laws (and/or legal protections) somewhere abroad.
It ultimately is up to a company to choose what they do and where they do it. To me, the current status quo appears to be that many US companies have been (illegally) enforcing US laws outside of US jurisdiction. Aside from that, and maybe even on a far worse level, they have essentially been making up de facto "private laws", in their TOS/EULA "contracts".
Last time I checked, law should be left to governments. Preferably through democratic due process. Certainly not to commercial companies, who are either privately owned, or publicly by a select few rather undemocratic entities.
This is not new. The Internet exacerbates the potential for conflicts, but it’s not a new problem with the rise of the Internet.
Bigger companies get a little bit more leeway to negotiate with the US Federal government on this but if the US decides that something is illegal or prohibited, the Justice Department doesn't really care what country the prohibited activity occurred in, it'll walk the executive chain to pick people to prosecute.
The only way a company could completely avoid this scenario is if it licensed its product or service to an independent entity outside the US. And even then the DOJ would likely attempt to force the termination of the license agreement if it results in a product or service being offered in a prohibited jurisdiction.
None of this is new, or due to Trump, or even partisan.
Sure, the US is (rightfully so) subjecting every company within its jurisdiction to US law, no matter on which market they operate. Sometimes they go even further and say non-US companies can be held liable, when they somehow interact with the USA or its citizens. That can sometimes become a bit dicey with jurisdictions, but even that is not the point here.
The point is that a US-based company is operating on a market outside the US and (most likely) is operating in a way that is within the law of that market.
To put it bluntly: I don't give a #### about how the US treats companies on their territory, regardless where those operate. I care about US-based companies abiding by law wherever they do business. If they can not do that, they should cease to operate there. Whether it's the US government or something else that is to blame for the situation is irrelevant.
The issue is that a US company should also be held accountable for whatever they violate abroad. Not by the US government, of course. But by the authorities of whatever foreign market they operate on (the only authority with jurisdiction anyways).
While the tide is gradually changing, so far a substantial part of the problem is that the US government has quite a few nasty ways to shield US companies from being seriously held accountable abroad. Still, the longer that reality exists, the more inevitable it will become that at some point US companies will simply be barred altogether from (some) foreign markets. You can only abuse a dominant position for so long, before the receiving end will no longer put up with it. That is, of course, when (or as soon as) they have the luxury of choice in the matter.
Well, of course it can, if the company violates EU law inside the EU. Do you think US law trumps [sic] national law globally? If a US company doesn't want to comply with GDPR, it is free to cease trading in the EU, or cough-up the fines.
Extraterritoriality is an old US habit.
The law itself is not illegal, as the lawmakers have created and enacted that law. It's the opposite, the law is declaring what's illegal.
So, if GitHub doesn't ban users from Iran, they are breaking the law in the US.
Hope this clears up any misunderstanding on how things work.
GitHub could comply with the law without completely banning users who access their service from Iran, e.g. by making their website unavailable for Iranian IPs or by making paid features unavailable.
But, if the CEO of GitHub (Nat Friedman) claims that they "do no more than what is required by the law" and end up banning a user, my understanding is that the lawyers at GitHub and Microsoft have made the judgement that banning users is a must, simply restricting them temporarily is not enough.
Again, I think export embargoes are shit and don't necessarily agree with the calls that GitHub/Microsoft did, but trying to understand the side they are coming from here.
Now note that we are discussing a name, a common, but somewhat reliable, if mutable, driver of our identity. Now compare it to IP address and tell me, which one is a better predictor of who you are.
Unless, we are assuming IP is a proxy for location, which is another story.
Except when you make a mistake and ruin someone’s morning.
Start complaining to those companies and stop pointing your finger in the wrong direction.
Also, the law does not require it to be shown for all cookies. Only for tracking ones.
So while foreign companies can decide whether they want to apply their GDPR policies (which generally should not require "cookie banners", though it is a popular choice) only to people in EU or all their users, an EU company does not have a choice, they have the obligation to treat personal data of Americans and Iranians and everyone else in a GDPR-appropriate manner.
I find it rather shameful, that apparently everyone who responded to my question, did so by explaining that a US company has to abide by US law. You don't say!
That was never the question, but apparently even reading is too much to ask from people these days.
Of course US companies have to follow US laws. But if that conflicts with law in wherever their services are offered, they no longer have any business operating there. They should consequently stop offering their services in that territory.
Since that's unlikely going to happen on their own initiative, maybe the EU should simply declare companies like these as illegal on their market.
Actually, that might even help to finally get rid of the stranglehold which many US companies have had for a long time on any emerging potential competition from EU companies. Something for which US companies have regularly used and abused differences in law and economy (between the US and EU), in order to obtain an (unfair) edge.
Maybe it's about time that comes to an end, so US companies can prove that they can compete on equal grounds. I personally doubt that, because for most of the last century this competition has been dominated by the US exploiting artificially created advantages.
Politics aside, it's rather sad that this aspect of legality is even a discussion topic. It should be a no-brainer that US companies should abide by whatever laws exist on a foreign market they operate on (of course on top of US law).
If they can't, the only (legal) option is to stop operating. Either that, or the company is a criminally operating organization. That is, if the violations are systemic and not just a few unintended incidents, of course.
But I sure as hell can expect them to investigate before cutting service to a long-time customer.
Keep in mind that US Government agencies that administer sanctions laws (the Treasury, in this case) are the ones interpreting what these laws mean. See https://en.m.wikipedia.org/wiki/Chevron_U.S.A.,_Inc._v._Natu....
What I’m not sure at all is that github had the obligation to preventively block cases instead of the alternative to investigate high risk cases prior to block. As long as they had a sound Compliance process for determining sanction enforcement needs in a reasonable time it should be enough - though for sure more expensive than autoblock followed by non-specialized, non-time sensitive (for github!) customer service followup.
If no DOB or similar is also provided, though, scoring should not be too high - and if a match with Mohammad is enough to trigger an alert, the overnight alert delta would be either manually processed by Compliance, or bulk closed as false positives, depending on how much time you need to unblock the clients and similar risk considerations.