[HN Gopher] GitHub blocks entire company because one employee wa...
___________________________________________________________________
GitHub blocks entire company because one employee was in Iran
Author : PhilipTrauner
Score : 575 points
Date : 2021-01-05 10:23 UTC (12 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| dustinmoris wrote:
| Is GitHub going to take itself down when one of their employees
| goes to Iran for holiday and logs into their GitHub account? If
| not, then why are they treating others with such contempt?
| heisenbit wrote:
| I think it is ridiculous to treat this misbehavior of letting
| someone log in from Iran as a mere transgression of a
| subsidiary. Clearly Microsoft needs to shut down all their
| servers as they are paying for Github.
| astura wrote:
| I'd imagine Github/Microsoft has extremely strict rules about
| not taking company resources to, or performing any work at, or
| accessing any company resources from countries that are
| embargoed.
|
| This simply wouldn't happen at my company because special
| permission is needed to take any company assets out of the
| country. If anyone at my company casually took a company laptop
| to Iran that would be instant termination. It absolutely
| astonishes me that a company _wouldn't_ have a policy about
| taking company resources to foreign countries.
| diebeforei485 wrote:
| This is not the case at most large companies (FAANG) - no
| special permission is required to take a laptop with you
| across borders. They'd generally rather you have your laptop
| with you so you can get work done.
|
| Regardless, this person logged into GitHub, which could have
| been from any device including a phone.
| astura wrote:
| 1) In this case the laptop was taken to Iran, so that's
| what we are talking about here.
|
| 2) I can assure you there's policies at Microsoft that
| include performing work abroad and accessing any company
| resources from abroad. Obviously nobody will be approved to
| access any company resources from Iran, especially not
| source code.
|
| 3) I can say there are policies at MS on this with a very high
| degree of confidence because I personally have done work
| with Microsoft involving code and data that is export
| restricted.
|
| 4) Companies should have policies in place in order to
| avoid situations like this. Taking your company laptop to,
| say, Germany probably isn't a big deal for most companies,
| but any "exporting" company assets should at least be pre-
| approved/documented.
| meesles wrote:
| My startup had similar rules when we were only 10 people.
|
| Beyond just the Iran issue, it's known that trade secrets on
| employee laptops are at risk when crossing some international
| borders, particularly in airports. Border agents can
| confiscate electronic devices on vague suspicions, compel you
| to unlock them (or hack them open in some cases), and then
| leave them in unsupervised settings with yet more border
| agents who have the barest electronic security training.
| These risks terrified me during my travels!
| astura wrote:
| Right - this is actually the main reason for such policies;
| we receive regular training on this.
|
| All devices are subject to search, seizure, and duplication
| when crossing international borders and border agents may
| tamper with devices as well. If assets cross borders there
| has to be a good reason, it has to be documented, and
| phones/computers may have to be scrubbed before and after
| depending on circumstances.
| vegannet wrote:
| I can't speak for Microsoft but certainly at Amazon there was a
| very strict policy about working from specific US locales for
| tax liability reasons: it wouldn't surprise me at all to learn
| Microsoft employees are quite explicitly banned from ever
| taking equipment into places like Iran. Would they ban
| themselves if it did happen? No, but also it should never
| happen vs. this case where they have an employee working from
| Iran.
| [deleted]
| mugivarra69 wrote:
| It's simple, they don't pass a background check on them probably.
| ceejayoz wrote:
| GitHub is in possession of substantial additional information
| in that scenario, namely, "we're quite certain we don't have
| Iranian employees on staff".
| viseztrance wrote:
| Do they keep an up to date database on who's dating whom?
| IThinkImOKAY wrote:
| yes
| offtop5 wrote:
| Funny Story.
|
| When I went to London for the first time I met a
| ridiculously attractive Swedish Arab girl. She had
| mentioned she really wanted to visit America, but with the
| recent election of Donald Trump she was a bit scared.
|
| Not all of us like Eastern European women, Trump blocked my
| game right there.
|
| The point of this story is anyone can meet anyone from
| anywhere and the nasty racist system the US has for
| blocking certain people because they have the wrong last
| names or whatever doesn't do anyone any service.
|
| I also don't think embargoes serve anything aside from
| radicalizing other people. Take Vietnam, now you have
| Coca-Cola, and McDonald's succeeding to do what 20 to 30
| years of Western imposition couldn't, they've made Vietnam
| capitalist. That was accomplished once the embargoes were
| removed in the nineties. Even with Cuba, I'd imagine if the
| embargo didn't exist you'd see much more reform as
| individuals would eventually be able to succeed on their
| own merits.
| eesmith wrote:
| Whoo-hoo! Set up a free wi-fi node outside of a tech conference
| (perhaps with cheap pastries for conference goers), routed
| through a proxy in Iran. Don't need to decode https or anything -
| assuming you can proxy https through Iran.
|
| Then watch as bunches of companies are blocked from GitHub.
|
| If the Iranian government wanted to have fun with US laws, they
| could totally set this up. And it wouldn't even be illegal.
| robinhood wrote:
| Just happened: https://github.blog/2021-01-05-advancing-developer-freedom-g...
| tirthapatel wrote:
| That's huge!
|
| > we are working with the US government to secure similar
| licenses for developers in Crimea and Syria as well
|
| That's also super cool to hear!
|
| Related Thread: https://news.ycombinator.com/item?id=25648585
| floatingatoll wrote:
| "We were working for two years to get this license."
| https://news.ycombinator.com/item?id=25648849
| zed88 wrote:
| What's the difference between a Chinese company and a US company?
| None. Both work for the state, although US ones operate under the
| guise of democracy.
|
| This sort of union between tech and politics is not going to take
| us anywhere.
| Daho0n wrote:
| No there are big differences. For example in China FAANG could
| easily be stopped from doing things they shouldn't while in the
| US it takes years and years of lobbying, talking to the media,
| making backroom deals, sitting on one's arse, changing the laws
| so it isn't unlawful anymore, etc.
| cambalache wrote:
| An American company pays the salary of an overwhelming
| fraction of the people on this site. They will be dealt with
| accordingly.
| numlock86 wrote:
| Nice phrasing. A bit edgy and exaggerated, though.
|
| But since they are the same, I bet you can show us where the
| USA holds a few (at least 5 digit range) people in abduction
| camps, just to name one difference. Now that would be
| interesting.
| zed88 wrote:
| Well...human memory is certainly weak or biased or both.
| Let's not forget Guantanamo bay, which is just one among many
| examples.
| 10000truths wrote:
| Surely you've heard of ICE and the sorry state of their
| "detention facilities" by now?
| asddubs wrote:
| the US prefers using drone strikes to inflict suffering, I
| believe
| zed88 wrote:
| Yeah you forgot to add 'extra-judicial' to the drone
| strikes, breaching every international law.
| NovemberWhiskey wrote:
| It looks like the company has now gotten access to their GitHub
| account again, according to the original poster on the Twitter
| thread.
|
| I don't know, it just looks like some kind of surveillance
| automation kicked in, froze the account, and customer service was
| slow.
| ballenf wrote:
| So GH has effectively given admin-level repo DELETE permissions
| to everyone in the organization. Not sure they really thought
| this one through.
|
| Here comes a new employee onboarding document to sign: no Iranian
| VPN nor travel to Iran.
| eplanit wrote:
| Don't let your business depend on cloud services. If they're
| really important, then self-host your servers. There are so many
| stories of the cloud being a single point of failure (ironically)
| due to arbitrary and capricious rules, and/or bad support.
| wolfretcrap wrote:
| How long before someone gets an Iran VPN so that their company is
| knocked out and they get a day off.
| willis936 wrote:
| My first thought was that this could have been avoided if a VPN
| was used. Why bother with such a weakly enforceable policy?
| dspillett wrote:
| _> Why bother with such a weakly enforceable policy?_
|
| To show they've done what they can to enforce the embargo, in
| the hope that the policy is enough to satisfy the authorities
| wrt doing enough.
|
| They can't tell if a user is circumventing the policy via a
| VPN, but such a user is actively circumventing the
| enforcement of the policy so can't try to pass the buck with a
| "well they let us, so we just assumed it was OK" based
| excuse.
| ykevinator wrote:
| They don't have a choice, it's not GitHub's fault
| benjaminwootton wrote:
| Github refused to help me regain access to an 11 year old account
| when I changed jobs so lost access to 2FA and email account at
| the same time.
|
| We lost access to tens of thousands of dollars worth of project
| code which we had to rewrite.
|
| The customer service support was Google style brick wall.
|
| I wish this guy luck in getting access.
| otagekki wrote:
| Rewrite? Wow. Hopefully for them it is just code so all they'd
| have to do is push their branches to a new self-hosted server.
| wccrawford wrote:
| Right? Why wasn't there a backup _somewhere_ other than
| Github? Even just a repo that was checked out somewhere.
| richardwhiuk wrote:
| Feels like this code was owned by the company the
| author no longer worked for....
| elwell wrote:
| Code is (almost) always better when it's re-written. So,
| maybe it was a blessing in disguise...
| tester34 wrote:
| how did you want to prove that it was your account instead of
| stolen "informations" that may be used in recovery process?
|
| couldn't you "just" contact your previous employer?
|
| anyway, why your private account was using job email :o
| jeroenhd wrote:
| To be fair to GH, I wouldn't trust them if their customer
| service could be convinced to unlock an account with neither
| email nor 2FA access. Passwords leak all the time (because
| people are bad at using unique passwords) and social
| engineering efforts are quite effective at hijacking high-value
| accounts in a great deal of companies, so while I sympathise
| with the loss of your account, your experience actually
| improves my opinion of GH's support.
| zuzun wrote:
| They just turned 2FA on for all accounts and that was the
| moment I found out that mine was pointing to the wrong email
| address. I wish they would allow you to sign something with
| your private SSH key to get an inactive account back.
| smarx007 wrote:
| I think this is where having a scan of a passport
| and requiring a letter certified by a public notary would
| be a better approach.
| TimWolla wrote:
| They do: https://docs.github.com/en/free-pro-team@latest/github/authe...
| londons_explore wrote:
| 2FA should be bypassable after some longish lockout period.
|
| For example, someone has lost their password, email access,
| phone number, and 2FA app. Make them wait a month to regain
| account access.
|
| If any time during that month, the account is used or logged
| into, cancel the takeover request. During the month, every
| day send an email to all points of contact on the account
| letting them know what will happen.
|
| It's a trade-off of the harm of unauthorized access to a
| dormant account Vs blocking someone from accessing their data
| (that is probably not backed up, and probably took
| considerable effort to create).
|
| Have an account-level setting to disable such a process, for
| the people who might be offline for extended periods.
| qayxc wrote:
| > 2FA should be bypassable after some longish lockout
| period.
|
| Nope. No backups, no sympathy, simple as that.
|
| 2FA is worthless if you start to put holes in it like that.
|
| So if you value your data, make backups - preferably
| locally the old-fashioned way, e.g. HDDs stored in at least
| two different locations or at least using several different
| cloud providers (which have their own infrastructure and
| aren't just relying on AWS/GCP/Azure/etc.).
|
| There's no such thing as a "trade-off" when it comes to
| cyber security - either commit to it fully or just don't
| use 2FA at all.
|
| Personally, I think 2FA that doesn't rely on physical
| devices (phones, keys, smart cards, etc.) is unreliable and
| sketchy anyways.
|
| If you can't spare a few hundred bucks on a NAS that you
| can just put in a storage unit or bank vault if need be,
| your data can't be that valuable anyway.
| necovek wrote:
| 2fa is good enough when it's another factor in the
| authentication. Physical devices are great, but I prefer
| more open things like TOTP/HOTP because they are easy to
| backup and restore (well, for a technically versed person
| who'd know not to keep it on the same device as their
| password, otherwise you are almost back at 1fa).
|
| I do agree with your take on account takeover in case of
| lost credentials.
| jfk13 wrote:
| > There's no such thing as a "trade-off" when it comes to
| cyber security
|
| There are always trade-offs. No security is absolute, but
| that doesn't mean all security is worthless. And as a
| rule all security measures come with some associated
| cost/inconvenience. What trade-offs make sense will
| depend on many factors, such as the value of your data
| (both to you and to a potential attacker), the threat
| models you're concerned about, the people who need access
| to your "secure" data, etc.
| qayxc wrote:
| > No security is absolute, but that doesn't mean all
| security is worthless.
|
| I'm not talking about absolutely secure measures here,
| I'm talking about watered down security measures.
|
| Just like encryption that has backdoors, weakening 2FA by
| providing ways around it by design makes it completely
| worthless. And remember that this doesn't just apply to
| one user - it affects _all_ users of a platform at the
| same time if you allow nonsense like this.
|
| There's no trade-off to be had there - you either offer a
| more secure identification method or you don't.
|
| To put it in a different and simpler context: a safety
| gate has to have certain properties. If you remove one or
| more of these, it ceases to be a safety gate and becomes
| a regular door. A reinforced door with a cheap lock is
| just as insecure as a cardboard door with a security lock
| and a second key under the doormat or hidden under a rock
| outside invalidates the usefulness of even a vault
| door...
| fsflover wrote:
| >> 2FA should be bypassable after some longish lockout
| period.
|
| > Nope. No backups, no sympathy, simple as that.
|
| My two sim-cards were lost at the same time. Impossible,
| right? Now I cannot access my Github account anymore.
| Perfect security. Nothing important is lost and backups
| are there. But what about the account itself?
| TimWolla wrote:
| You might be able to regain access if you still have your
| SSH key: https://news.ycombinator.com/item?id=25648815
| necovek wrote:
| Most countries require SIM registration using a
| government issued ID document (including prepaid ones).
| Some providers offer ID registration even for prepaid
| SIMs. If you want privacy from your government too, don't
| use SIM-based (sms or call) 2fa.
|
| That's generally a suitable backup in my view.
| londons_explore wrote:
| Yet most countries allow foreign sims to roam into the
| country. That effectively defeats the benefits of
| requesting government id's, since the real criminals will
| just use foreign sims.
| qayxc wrote:
| That's a completely different scenario, though.
|
| Roaming is essential for the primary function of phones,
| whereas 2FA is not.
| nrmitchi wrote:
| > Nope. No backups, no sympathy, simple as that.
|
| This is a really garbage opinion. Long tail reliability
| situations like this are a major blocking point to large
| scale adoption of many things. No one wants to use
| something where the consequence of making a mistake is
| "well I guess you're f*cked now". You're ignoring the
| entire usability side of computing and innovation.
|
| > 2FA is worthless if you start to put holes in it like
| that.
|
| No, it is not. 2FA can still prevent 99% of takeover
| attempts. There are other ways to verify identity
| (especially within a social network, where real life
| people know other real life people), but these companies
| simply do not want to put the effort in. And I can't
| really blame them: it would be a large investment to
| verify the identity of a given, every day person. This
| could be something that can be paid for in order to
| regain access in order to cover the elevated review
| necessary.
|
| Trust me, if Nat Friedman somehow loses his email and
| 2fac at the same time, I can bet you that they would
| somehow find a way to verify his identity and let him
| back in to his Github account (or honestly any other
| account).
|
| > There's no such thing as a "trade-off" when it comes to
| cyber security
|
| This is false. Almost every part of cyber-security is a
| trade-off between security and usability. If you want the
| most secure system, just turn everything off. Totally
| secure. But also totally un-useable.
|
| > If you can't spare a few hundred bucks on a NAS that
| you can just put in a storage unit or bank vault if need
| be, your data can't be that valuable anyway.
|
| Not everyone has the privilege to spend a "few hundred
| bucks on a NAS" and pay for it to be securely stored
| somewhere.
| qayxc wrote:
| > No one wants to use something where the consequence of
| making a mistake is "well I guess you're f*cked now".
| You're ignoring the entire usability side of computing
| and innovation.
|
| Wow wow wow, so you're basically saying that users who
| are capable enough to even need/use decentralised version
| control systems are too dumb and incompetent to setup
| Time Machine, Timeshift, or File History? Really?
|
| > There are other ways to verify identity (especially
| within a social network, where real life people know
| other real life people), but these companies simply do
| not want to put the effort in.
|
| So you are suggesting that instead of keeping one piece
| of information (e.g. a second e-mail address or just a
| token generator, which can be an app), you instead share
| your _entire_ private life with these companies? Oh, and
| by the way - how would you even protect your social media
| accounts then? 2FA all the way down?
|
| > Trust me, if Nat Friedman somehow loses his email and
| 2fac at the same time, I can bet you that they would
| somehow find a way to verify his identity and let him
| back in to his Github account (or honestly any other
| account).
|
| Trust me, the CEO running the show is in an entirely
| different category than most of the 50 million other
| accounts and you (in this case GH) don't even _want_ to
| have all this sensitive personal information.
|
| The less info you have, the less impact a data leak on
| the provider's side can have. Why would anyone trust GH
| with their personal information more than any other tech
| company?
|
| Mission critical data belongs in multiple locations. Full
| stop. Losing access to a GH account should never be more
| than an inconvenience if your livelihood depends on it or
| you value your personal data.
|
| > This is false. Almost every part of cyber-security is a
| trade-off between security and usability. If you want the
| most secure system, just turn everything off. Totally
| secure. But also totally un-useable.
|
| I'm not talking about security in general. I'm
| specifically talking about deliberately weakening a
| security measure (here: 2FA) for no reason at all.
|
| Do you leave your house key under the doormat? Do you
| keep a post-it note with all your passwords taped to the
| back of your phone - you know, just in case you forget
| one and for convenience?
|
| > Not everyone has the privilege to spend a "few hundred
| bucks on a NAS" and pay for it to be securely stored
| somewhere.
|
| A USB drive is not a privilege and if you can't afford a
| data storage solution I seriously wonder why you have a
| need for a distributed version control system in a
| (semi-)professional environment.
|
| Data has become more important than ever, yet people
| still fail to understand to treat it like they would
| other valuables. 20 bucks for a protective case for your
| phone - no problem. 50 bucks for a half decent 1TB
| portable USB HDD to backup their most important and
| irreplaceable data - only the privileged and tech gurus
| can afford that...
|
| Nah mate, think again. It just doesn't make sense to put
| all your eggs in one basket (allegedly 10s of thousands
| of proverbial eggs in this case) and then whine about
| forgetting to change 2FA, having no backups whatsoever,
| and mixing private and work accounts all at the same
| time.
|
| This is one of those things that you should learn from
| and the least you can do is to have a cheap external HDD
| and a recent backup of your most important stuff.
| nrmitchi wrote:
| > you're basically saying that users who are capable
| enough to even need/use decentralised version control
| systems are too dumb and incompetent
|
| Do not put words in my mouth. I did not say that, you
| just did. I said that usability is a real concern,
| because no matter what you expect people to do, it will
| never work perfectly 100% of the time.
|
| > I'm not talking about security in general.
|
| You can say that now, but that's not what you said
| previously. "There's no such thing as a "trade-off" when
| it comes to cyber security"
|
| > you instead share your entire private life with these
| companies?
|
| Again, I did not say that. Github is a social coding
| network. I am not saying that I have all of the answers
| as to how this should work, but I am saying that if 1
| member of a 100 person organization loses access to their
| account, and the other 99 members all confirm that their
| account access was lost via some event and assert their
| identity, you could have the start of a reasonable
| recovery path.
|
| > the CEO running the show is in an entirely different
| category
|
| Not sure what you mean by this. Are you saying that a CEO
| is just automatically more responsible and not going to
| lose something? Or are you saying that he's clearly just
| more important so it's okay to bypass the stated
| procedure for just him/her?
|
| > Do you leave your house key under the doormat? Do you
| keep a post-it note with all your passwords taped to the
| back of your phone - you know, just in case you forget
| one and for convenience?
|
| This is not even a valid comparison, and you're just
| trying to be condescending. I don't leave a house key
| under my mat just in case I lose it. But I also don't
| expect to never be allowed to enter my house again just
| because my key is lost.
|
| > if you can't afford a data storage solution I seriously
| wonder why you have a need for a distributed version
| control system in a (semi-)professional environment.
|
| Because many people use Github for non semi-professional
| environments? It is full of amateurs. Just because you
| don't find someone's work valuable, doesn't mean that
| they don't. Saying "Well it's not professional, so if you
| lost it then it doesn't matter" is not correct.
|
| > 20 bucks for a protective case for your phone - no
| problem. 50 bucks for a half decent 1TB portable USB HDD
| to backup
|
| You're comparing a 1 time action to a recurring action.
| I'm not saying that you shouldn't have back ups. You
| obviously should. But people are human beings. Even if
| 99% of people have perfect back ups, that's still 560k
| (according to Github home page numbers) that will have
| failed backups or some other issue.
|
| PS. you keep widely including the term "decentralized",
| as if just because _git_ is decentralized, that nothing
| on Github should matter. For better or for worse, Github
| has become the central git repository provider for
| millions of people. Claiming that Github services should
| be magically decentralized just because git is
| decentralized is an invalid claim. Because _Github_ is
| not decentralized.
| qayxc wrote:
| >> I'm not talking about security in general.
|
| > You can say that now, but that's not what you said
| previously. "There's no such thing as a "trade-off" when
| it comes to cyber security"
|
| I literally followed that up by "either commit to it
| fully or don't use 2FA at all". You omitted crucial
| context there. Now I could have expressed that more
| clearly, sure, but the context is right there
| nonetheless.
|
| >> the CEO running the show is in an entirely different
| category
|
| > Not sure what you mean by this.
|
| What I mean is that the guy is not just "a CEO" - it's
| _the_ CEO of the very company in question here. So what I'm
| saying is that someone _within_ an organisation - let
| alone the head of said organisation - has very different
| tools at their disposal than can or should be provided to
| their users.
|
| > It is full of amateurs. Just because you don't find
| someone's work valuable, doesn't mean that they don't.
| Saying "Well it's not professional, so if you lost it
| then it doesn't matter" is not correct.
|
| Amateurs don't lose 10s of thousands of dollars from
| losing their GH account. Again - omitting context. If
| your data isn't valuable to you (be that in terms of
| money or for sentimental reasons) then it doesn't matter
| indeed. Just like you'd protect physical assets, non-
| physical assets require protection as well and if you
| don't do that, said assets cannot be of much value to
| you, no?
|
| > But people are human beings. Even if 99% of people have
| perfect back ups, that's still 560k (according to Github
| home page numbers) that will have failed backups or some
| other issue.
|
| So what you're suggesting is putting 100% of users at
| risk because there's the odd chance that someone might
| lose data? That's just not reasonable at all.
|
| > you keep widely including the term "decentralized", as
| if just because git is decentralized, that nothing on
| Github should matter.
|
| Because it _does_ matter in that all you need to do is to
| keep a local copy of your repo. With a centralised system
| you'd lose the most important part of the repo: the
| complete commit history and all branches.
|
| This is not the case with git and "all" you'd lose would
| be external configuration, issues and Wiki pages, but
| even those can easily be exported and saved externally.
|
| You can even re-import all of that to a new account if
| need be. Heck, you can setup triggers that synchronise
| the entire repo - including issues, projects and wiki to
| other providers or a local copy if you really want/need
| to.
|
| The fact that millions rely on services like GH, GL, and
| BB doesn't change the nature of git.
|
| Again - if your data is important to you - be that for
| monetary or private reasons - don't keep it in one place.
| Especially if that place can be locked away from you at
| any time for any odd reason. I don't understand why
| people these days have such a hard time understanding
| this, but using GH implies that you put your data on
| someone else's machine with little to no guarantees
| whatsoever.
|
| None of these multi-million and billion dollar
| corporations deserve _any_ of our trust and using their
| services comes with strings attached. Whining doesn't
| help - being aware of this and becoming a responsible and
| critical user who knows their options is what helps
| avoiding disasters like this.
|
| PS: you should really start by looking into how git
| itself works (especially compared to centralised repos
| like SVN) to actually understand the importance of
| decentralised version control.
| londons_explore wrote:
| > Nope. No backups, no sympathy, simple as that.
|
| For your personal stuff, sure. But when engineering a
| service, you should care about _everyone's_ stuff, not
| just those who are careful.
|
| You should design your service to try to help those users
| who use the same password they did on myspace in 2004 and
| write it on a sticky note on their desk. Engineer for
| those who shared their password with their now-hated ex.
|
| Even if the user takes massive security risks, the
| service should still try to maximize the user's ability to
| use the service, while minimizing an attacker's use/access
| to the service.
| qayxc wrote:
| > You should design your service to try to help those
| users who use the same password they did on myspace in
| 2004 and write it on a sticky note on their desk.
| Engineer for those who shared their password with their
| now-hated ex.
|
| Those can't be helped. We're not talking about Geocities
| or MySpace here - we're talking about a service that
| hosts a distributed version control system aimed at
| experienced users with a technical background.
|
| The target audience is strictly not your average consumer
| and even then you shouldn't insult the intelligence of
| your users.
|
| 2FA is intended to protect _all_ users of the service and
| users _do_ have a choice when it comes to selecting their
| 2nd factor. Doesn't have to be an e-mail or phone. It
| can be an app-generated token as well.
|
| And losing everything at once is tragic (hence: keep
| backups!), but suggesting that the locksmith should be
| allowed to just open the door if you ask nicely and the
| owners don't show up within an hour would be just as
| ridiculous as allowing to circumvent 2FA.
| necovek wrote:
| Other than requiring some form of government issued
| identification (including prior to the incident), or a
| well built reputation using GPG (but those are not going
| to be users you mention), how would you achieve that today?
|
| And as the GP says, what role would 2fa play in that
| scenario?
| londons_explore wrote:
| 2fa simply means the user has more ways to potentially
| identify themselves... That means as a service you should
| try harder to stop someone else getting in, but also try
| harder to maintain access for the real owner. The 2fa
| code should help you do that, because now there are more
| things that the real account owner can do to identify
| themselves that an attacker cannot.
| nindalf wrote:
| I don't know why this is difficult to understand. Any
| decision Github takes has a trade-off that will affect
| all users. Any time they allow a bypass of 2FA _and_
| email, they are putting potentially every account at risk
| of compromise. It doesn't matter how good the excuse
| given to the Github customer service rep is, bypass
| shouldn't be allowed so that all users' data is kept
| safe.
|
| Let me put it in HN terms. One person grousing how they
| lost their account due to their own fault is a minor HN
| comment in the middle of a thread. A person complaining
| that Github customer service assisted an attacker in
| account compromise is a front page thread by itself,
| probably picked up by mainstream news. Does that make
| Github's decision easier to make?
| a254613e wrote:
| To me that sounds perfectly reasonable, and in fact a good
| policy. It seems like you lost access to your company account,
| based on your comment, so who is "we" that lost thousands of
| dollars worth of project code? If it was your employer that you
| had the email with, why couldn't you just restore the email?
|
| What in your opinion should github do when an employee loses
| access to their company email, and 2FA, because they're fired?
| Should the employee gain access to all the code and the account
| by just contacting github via their personal email?
| frombody wrote:
| Using a company email to sign up for services and expecting to
| have access after you leave the company is 100% entirely your
| fault.
|
| Even with the positive spin you're trying to put on it, it
| still sounds like you are trying to steal data from your former
| employer.
|
| The situation would probably also be easily resolvable with
| your former employer's help, and there is likely a reason they
| aren't helping you.
| prepend wrote:
| Yeah, it seems odd that the former employer doesn't just
| remove the account from their org and thus remove the MFA
| requirement.
|
| I've had really positive experiences with GitHub support, but
| you can't ask them impossible things.
|
| There's a GitHub user with my org name, they've had it for a
| long time and aren't active. I asked GitHub support to see if
| they were active and if they'd be willing to transfer the
| account. GitHub confirmed they were active but just with no
| public activity and they passed along the request.
|
| I like that they were human and didn't try to force the user
| to give up their account.
|
| I've had multiple colleagues say that we should try to force
| the user and I don't support that line of reasoning. The user
| has a legitimate use of the name. I like that GitHub took the
| high road,
| kkapelon wrote:
| This means that as a disgruntled employee I can simply visit
| Iran, log in my company Github account and boom!
|
| I have now taken revenge on my whole company with minimal effort.
| Illniyar wrote:
| Or just use a vpn that has servers in Iran? I think there are a
| few, hidemyass is one also I think, services designed to test
| access from different countries.
| kkapelon wrote:
| Great idea! Maybe GitHub does some additional checks for
| determining if somebody is in Iran? Or they have a special
| way to know if a VPN is used?
|
| I think that some VPN services offer a "random server"
| access, so you are essentially playing Russian roulette if
| you just happen to log in via an Iranian server.
| wccrawford wrote:
| Only if you're okay with the legal consequences of sabotaging
| the company. They absolutely can sue you for it, and you might
| even face criminal prosecution for such a thing.
| kkapelon wrote:
| There is also another scenario.
|
| I steal with social engineering (or phishing or other method)
| the GitHub credentials of an employee from a company I wish
| to harm.
|
| And then I simply log in GitHub (or use a VPN to appear in
| Iran) with those stolen credentials.
|
| Sounds like a very easy DOS method.
| afroboy wrote:
| On what basis are they going to sue him? He visited a
| specific country and then boom. How in the hell are they going to
| prove that he did it on purpose?
| kkapelon wrote:
| Exactly. Somebody who wanted to do this could simply book a
| flight where Iran is an intermediate destination.
|
| And then they would say "I had 30 minutes of waiting time
| in transit and I just wanted to add a comment on my Pull
| Request".
| williesleg wrote:
| "facebook blocks entire company because one employee is liberal"
|
| "twitter blocks entire company because one employee is
| conservative"
|
| Who cares?
| sebastiancoe wrote:
| Nat Friedman, the CEO of Github has always been followed around
| by rumors of racism against dark skinned people. I remember
| someone saying he was saying racist stuff about Indians being
| rapists while literally visiting India. His whole eagerness to
| replace the terms master/slave has always stunk of someone trying
| to mask something.
| traviscj wrote:
| I can't imagine what a bad workday this is gonna be for the rest
| of the company.
| tehwebguy wrote:
| Microsoft should boycott the sanctions, they are cruel and the
| _only reason they exist_ is that our current president hates our
| previous president.
|
| They are way too big to actually be penalized in a meaningful way
| and doing the right thing once in a while feels great.
| jamesmishra wrote:
| I'm on GitHub/Microsoft's side here. They are not responsible for
| the content of US export control laws, and they have an
| incredible amount to lose if they are found to be in violation of
| US export control laws.
|
| Presumably GitHub needs some automated tool to prevent inbound
| traffic from sanctioned countries, and it's hard to be certain
| that they are complying with US law if such automated tools have
| some wiggle room allowing for a non-zero amount of usage from
| sanctioned countries.
|
| The whole situation isn't great, but none of it is
| GitHub/Microsoft's fault.
| zoobab wrote:
| Github does not respect Schrems2 either.
| wwtrv wrote:
| "none of it is GitHub/Microsoft's fault."
|
| Not really:
|
| https://home.treasury.gov/policy-issues/financial-sanctions/...
|
| pretty clearly states they don't even need to ban that specific
| person let alone the entire company.
| u801e wrote:
| > They are not responsible for the content of US export control
| law
|
| But they are responsible for understanding what's required
| under those laws. If they're going beyond what's required to
| comply with the law, then those further actions are entirely on
| them.
| whimsicalism wrote:
| Yes, so Github has to take on the assumption that they are
| visiting relatives, not resident in Iran.
|
| Or you get the alternate headline "Github facilitates Iran
| sanction evasion by allowing Iranian developers to mark
| themselves as 'visiting a relative'" and the associated
| charges.
| u801e wrote:
| There's nothing in the law that says that Github must block
| an entire company from accessing their company org because
| one member of that company logged into a separate account
| that happened to be a member of the company org. At most,
| the account that was accessed should be suspended.
| f6v wrote:
| Companies routinely engage in activism. I've seen more than one
| software company cut off Trump campaign from their services,
| which was politically motivated. Now, US sanctions against Iran
| are clearly illegal. Yet, everyone is just fine with that, no
| activism whatsoever. I say people should revolt.
| necovek wrote:
| I find your use of "illegal" interesting.
|
| To me, it means "against a law", and laws are made by
| countries (sure, parliaments of those countries or dictators
| or...), and generally apply only to that particular country
| (some things attempt to get a wider reach, but they are
| usually unenforceable unless there's a local company to
| pursue, most famous example being GDPR).
|
| There are international conventions and the UN, but countries
| do not have to be signatories or members to any of them. And
| I've never heard anyone use the term "illegal" in that sense
| before.
|
| So what do you mean with "clearly illegal"?
|
| (fwiw, I am very much against the US acting as the "policeman
| of the world", but sanctions are a political tool to make
| someone less powerful comply; beats an invasion and bombing
| that USA has frequently resorted to)
| f6v wrote:
| "Illegal" is routinely used when talked about sanctions. In
| that sense it means "unjustified".
| jimbob45 wrote:
| No, you're practicing Doublespeak. Illegality and
| illegitimacy are not the same thing.
| umarniz wrote:
| The US sanctions on Iran have such a massive impact on Iranians
| that most of us don't realise.
|
| All US companies have to comply and the majority of the tech
| companies are unfortunately in the US.
|
| I know you can use a VPN and configure it on a router level to
| make sure that you are always connected via a VPN but just the
| fact that 1 slip-up can result in account level blocks (which
| google is notoriously good at and can essentially shut down your
| business) means no company would want to work with someone
| working from Iran.
|
| Coming from a 3rd world country, I know the problems of internet
| censorship which Iranians also face but being too toxic to touch
| for everyone outside Iran because the US leadership thinks so is
| just infuriating and heart breaking.
|
| Imagine being a programmer in Iran. Not only do you have less
| resources to learn and grow, you have a massive handicap to find
| good work as most work is outside of the country.
|
| Only bet is to leave the country but even there you have a very
| low probability as you basically can't have a trial period for
| your job as most companies don't want to risk having their
| accounts blocked.
|
| Most of us here know how degrading and infuriating the tech
| recruiting processes can be and now add to it the horrors of
| working from Iran.
|
| Wars are not supposed to have civilian casualties but this one
| has a generation of civilians being starved of information and
| experience critical for them to grow.
| factorialboy wrote:
| (Controversial comment)
|
| I am not condoning the actions of the United States government,
| but arguably the Iranian Islamic theocratic regime has
| unleashed more horrors on the Iranian people in the last 50
| years than any other foreign government.
| vernie wrote:
| Hmm... I wonder if the United States government had anything
| to do with that regime coming to power...
| edumucelli wrote:
| Imagine the horror US has unleashed "invading" almost every
| country in the world (except 3) with formal or hidden
| missions.
| bogomipz wrote:
| You realize that there are between 194 and 197 countries in
| the world depending on who is doing the recognizing[1].
| Could you please provide a citation for the 191+ countries
| you say the US has invaded?
|
| [1] https://www.worldatlas.com/articles/how-many-countries-are-i...
| hirako2000 wrote:
| You replied to a troll trap. It doesn't matter what the
| Iranian gov does or did, nor what the US gov did all these
| years.
|
| The argument is that the US sanctions are wrong. It's
| totally against what America and the West at large stands
| for. Those sanctions, as always punish innocent citizens
| the most. The strategy of course is to make those citizens
| revolt. But it ain't even working. See with Iraq and Libya,
| they literally ended up bombing these countries and
| ensured the death penalty to those leaders, and now see how
| worse it has become over there (interestingly the news
| outlets don't report much of the situation now).
|
| I have been clearly and firmly reminded by my employer
| about sanctions on Iran and to not engage in any business
| with Iranians as clients. The US government, like said in
| another comment is using its country's private economical
| powers for the service of its (absurd) geopolitics, not far
| from what China has been doing, but with far more hypocrisy
| and somehow less success.
| publicola1990 wrote:
| US sanctions are just adding to the troubles of the Iranian
| people, I should say.
| camdenlock wrote:
| Imagine having to preface such a benign statement of fact
| with a disclaimer like that. What kind of bizarre culture
| have we created?
| mcguire wrote:
| Another controversial comment:
|
| This is the other side of the Enlightenment ideal that the
| legitimacy of a government can only come from the support of
| its people.
|
| When you declare another people to be, literally, Satan, there
| may be resulting consequences.
| will4274 wrote:
| Imagine being a programmer in Israel and hearing that the
| leader of a neighboring country wants to kill you and everybody
| you know.
|
| We're not unaware of the impact of sanctions. Fundamentally,
| starving a generation of Iranians of information and experience
| is worth it if it leads to civil unrest and regime change,
| therefore preventing Iran's current leaders from committing the
| genocide they've said they want to commit so many times.
| cutemonster wrote:
| > starving a generation of Iranians of information and
| experience is worth it if it leads to civil unrest and regime
| change
|
| I'm afraid you're mistaken, and that removing knowledge from
| people just makes the regime stronger.
|
| Instead, providing the people in Iran with more knowledge and
| education would make even more people oppose the
| dictatorship, I'd think.
|
| Not nuclear physics though, but GitHub yes sure.
| rabite wrote:
| Imagine being almost any other religion in the Middle East
| and learning that Israelis on a day to day basis are lobbying
| to carve your countries apart by imperialist wars via their
| American proxies, bulldozing the homes of your coethnics in
| Palestine, raping their children, forcibly hijacking their
| TVs and exposing their kids to pornographic broadcasts,
| organizing a famine in Syria by their Kurdish proxies, and
| occupying their homelands. It was only in 2006 that Shiites
| and the SSNP finally kicked them out of South Lebanon, where
| they regularly committed war atrocities. Add to this the
| historical genocides that the nation of Israel completed and
| rejoice in within their scriptures -- the Ammonites, the
| Moabites, the Jebusites, the Canaanites (the assault on which
| happened the day after the Israelites convinced them to get
| circumcized, then went door to door killing them while their
| dicks hurt) are all tribes that were completely physically
| wiped out by the Israelites.
|
| This argument should apply to Israel, which is the biggest
| per capita committer of genocide, land theft, rape, and fraud
| in the entire world. The entire history of Israel is one of
| genocide, from the ancient world to today. We need BDS now
| and a just society would absolutely shun your nation until
| they respect human rights.
| a1369209993 wrote:
| > Add to this the historical genocides that the nation of
| Israel completed and rejoice in within their scriptures
|
| You do realize that the bulk of "other religions" in the
| Middle East (namely Islam) - and, for that matter, the US
| (namely Christianity) - are derived from those same
| scriptures and rejoice in those same genocides (and have
| happily added to them over the past couple millennia, of
| course), right? There's no moral high ground on either side
| of this mess.
| will4274 wrote:
| There's a lot in your post that's wrong and this comment
| won't allow me to correct all of it. Grabbing two:
|
| - the Arab nations don't consider themselves kin (or
| "coethnics" whatever that means) with the Palestinians.
| When Jordan and Egypt controlled the Palestinian territory,
| they treated the Palestinians worse than Israel does
| today.
|
| - the groups that commit the vast majority of rape (per
| capita or otherwise) in the middle east are not Israeli. In
| most of the Muslim countries, it's legal to rape your wife.
| In some of them (such as Iran), men execute their daughters
| for being raped by their neighbors. One well known group
| (ISIS) was really into rape - and so Iran gave them money
| so they could rape more.
|
| If what you care about is rape, murder, and genocide,
| you're against Iran 100x as much as you're against Israel.
| mleonhard wrote:
| Israel is starving several generations of Palestinians of
| opportunity and experience [0], resulting in civil unrest.
| Israel could de-escalate its tensions with its neighbors
| (including Iran) at any time. It just needs to start treating
| its neighbors with respect.
|
| Unfortunately, peace in the Middle-East would shift political
| power in all countries involved, shift government spending,
| reduce military aid from superpowers [1], and reduce the
| importance of the countries to the superpowers. A lot of
| power and money is trying to prevent that from happening.
|
| You don't need to play along with those powerful people. They
| don't want to help you. Lasting peace would help you and your
| descendants much more than continuing the current situation.
|
| [0] https://www.btselem.org
|
| [1] https://explorer.usaid.gov
| will4274 wrote:
| What does Israel's conflict in Palestine have to do with
| Iran? The Ayatollah doesn't care about Palestinians.
|
| Saying that Israel could resolve the issue by de-escalating
| is nonsense, as much as saying the same thing about North
| and South Korea. One side has leaders intent on acquiring
| nuclear weapons and publicly claims it will use them
| against its neighbors.
| mleonhard wrote:
| The analogy to North Korea is quite appropriate. Each
| superpower supports its vassal states and ignores their
| brutality.
|
| USA : Israel : Palestinians :: PRC : North Korean
| Dictatorship : North Korean People
| kkoncevicius wrote:
| A bit off topic, but seems like at some point these sanctions
| start helping instead of harming. If you are "sanctioned" by
| GitHub, Facebook, Twitter, Reddit, Instagram, PornHub, what have
| you, then in the end you will probably gain productivity, not
| lose it.
| Dotnaught wrote:
| GitHub has just announced a license for developers in Iran:
| https://github.blog/2021-01-05-advancing-developer-freedom-g...
| jeroenhd wrote:
| If the Iranian employee logged into the Github account, isn't
| blocking the account exactly what the law says they should do? If
| all they did was apply a merge request in one of the repos then
| would reverting the merge and blocking the account be
| enough to comply? Is there some alternative way to comply with US
| export restrictions?
|
| The real question here is why people even consider using US cloud
| companies when they know they have employees working in countries
| subject to severe US trade restrictions. If you're willing to
| risk your company being denied business with American companies,
| then you should also have a mitigation strategy when you get
| caught. It sucks that you have to work around US regulation to do
| normal business but this is just how the world works right now.
| gnopgnip wrote:
| https://home.treasury.gov/policy-issues/financial-sanctions/...
|
| 118. I have a client that is in Iran to visit a relative. Do I
| need to restrict the account?
|
| Answer
|
| No. As long as you are satisfied that the client is not
| ordinarily resident in Iran, then the account does not need to
| be restricted. See FAQ 37.
| agilob wrote:
| >If the Iranian employee logged into the Github account, isn't
| blocking the account exactly what the law says they should do?
|
| Does everyone in the world need to subscribe to "a list of
| countries US jurisdiction doesn't like" just so we will be able
| to work, check email or review opensource code while being on
| holiday in an exotic country?
| canofbars wrote:
| Would it not be sufficient to just block requests from Iran
| rather than shut down the account and the groups they are in?
| That way when they return home they can still access the site.
| austincheney wrote:
| I believe that would be illegal. I suspect the reasoning is
| that the US is not on friendly terms with the government of
| Iran, which is a political squabble and not a conflict with
| the people therein, even though the practical consequences
| are indecipherable.
|
| The US military has been wrestling with that reasoning for
| about 20 years. If the majority of attacks and intrusions on
| military infrastructure originate from a single nation state
| and there exists evidence that most such attacks are
| sponsored by that nation state it would make sense to simply
| block all IP addresses originating from that nation state.
| This does not occur because the attorneys will not allow it
| due to both diplomatic and legal reasons.
| jfrunyon wrote:
| Iranian company uses VPN service to get around the block -
| VPN goes down and their requests to GitHub go directly -
| GitHub blocks those requests; the Iranian company continues
| using them once the VPN is back on - US government finds out
| - Bye bye GitHub
| ceejayoz wrote:
| Given the legal penalties for violating sanctions and the
| vigor with which they are pursued, probably not.
|
| Should it be this way? No. Is it entirely Github's fault they
| overreact to any sign they're serving Iranian users? Also no.
| brmgb wrote:
| It's not an Iranian employee. That's just someone visiting Iran
| and logging in to their GitHub account.
|
| GitHub's reaction is outrageously disproportionate. They should
| just prevent login from Iran. They had no basis for blocking a
| legitimate customer in Europe based on this.
| arghwhat wrote:
| > ... one employee opened his laptop while visiting [h]is
| parents in Iran.
|
| I suppose this implies that the employee is Iranian.
|
| The U.S. sanctions are pretty aggressive, and I don't think
| preventing login from Iran is anywhere near enough to comply.
| The law is the problem here.
| dustinmoris wrote:
| > I suppose this implies that the employee is Iranian
|
| Sorry what??? I have family in India, but not because I'm
| Indian, I just have family there. I have family in Poland,
| not because I am Polish (well I am kind of, but not on
| paper). I have family in the UK, but I'm not British.
|
| This is 2021, not Christopher Columbus times.
| arghwhat wrote:
| You seem rather outraged by the sensible assumption that
| parents living in Iran are _probably_ Iranian, and that a
| person with two Iranian parents is _probably_ also
| Iranian.
|
| In 2021, people are still directly related to their
| parents, and the majority of citizens in most countries
| is indeed the local population.
|
| They may of course have obtained American citizenship
| now, but we're talking in the context of crazy US
| sanctions on Iran here, which I think work on connection
| to Iran.
|
| I don't think there should be _any_ consequence to being
| Iranian, but I don't have a say in American politics.
| CaptArmchair wrote:
| Such presumptions have, historically, led to such actions
| as the wholesale internment of Japanese Americans during
| World War II. This included 2nd and 3rd generations born
| in America, who never had left America. [1]
|
| [1] https://en.wikipedia.org/wiki/Internment_of_Japanese_America...
|
| So, no, it's not merely a "sensible" assumption.
|
| It's an assumption that carries collective trauma and
| negative connotations for many whose ancestors have
| experienced painful discrimination because of their
| ancestry.
|
| > I don't think there should be any consequence to being
| Iranian, but I don't have a say in American politics.
|
| No, you don't. But you do have a voice to ask critical
| and nuanced questions out loudly.
| [deleted]
| Dylan16807 wrote:
| The problem with that internment was not the part where
| the government labeled first generation immigrants as
| Japanese.
| dj_mc_merlin wrote:
| You cannot relate two different ideas by virtue of one
| tangentially common theme.
|
| It's common sense that most people are from the same
| country their parents are from, given what we know about
| immigration.
|
| Interning people based on predicting their behavior due
| to ancestry is a whole different ballgame.
| CaptArmchair wrote:
| > It's common sense that most people are from the same
| country their parents are from, given what we know about
| immigration.
|
| The legal concept you're referring to is called "ius
| soli". The legal concept which serves as a basis to
| determine someone's allegiance by their ancestry is
| called "ius sanguinis". [1][2]
|
| [1] https://en.wikipedia.org/wiki/Jus_soli
| [2] https://en.wikipedia.org/wiki/Jus_sanguinis
|
| So, no, it's not "common sense" to make that assumption.
|
| Moreover, there's also the concept of "right to return"
| in international law. Many nations have implemented this
| in their nationality laws in a way that extends
| surprisingly far.
|
| For instance, if you're of Luxembourgish descent through
| the male line of your family, you could just claim
| Luxembourg citizenship - and by extension E.U.
| citizenship - under Article 7 of their nationality laws.
| Something which was recently pointed out on Reddit. Even
| if you weren't born in Luxembourg or never have set a
| foot in the E.U. proper. [3]
|
| [3] https://www.reddit.com/r/YouShouldKnow/comments/izkwzk/ysk_t...
|
| I'm pretty sure some people might be surprised to
| discover they have a right to citizenship in another
| nation simply because they took the time to dig into
| their ancestry, their history and nationality laws.
|
| > Interning people based on predicting their behavior due
| to ancestry is a whole different ballgame.
|
| Of course it is.
|
| But, why discuss someone's citizenship or ancestry then
| if it - apparently - doesn't matter in this discussion at
| all?
|
| The only other theory that explains why this person got
| his access revoked from Github because he visited Iran,
| regardless of the reasons why, nevermind his citizenship
| or his ancestry.
|
| If citizenship and/or ancestry matters, as is seemingly
| implied but never voiced in this discussion, then
| bringing up the implications of how policies reflect on
| that assumption clearly is relevant given the historic
| perspective.
| dj_mc_merlin wrote:
| Those two rights deal with determining citizenship at
| birth.
|
| The common sense idea deals with the probability of
| someone (already born) being of a certain citizenship
| given their parents' location.
|
| Different ideas.
|
| > The legal concept which serves as a basis to determine
| someone's allegiance by their ancestry is called "ius
| sanguinis"
|
| Not allegiance, citizenship. Different, but similar
| concept again.
| CaptArmchair wrote:
| > Those two rights deal with determining citizenship at
| birth.
|
| Citizenship is always first determined at birth. This
| isn't relevant to the discussion.
|
| > The common sense idea deals with the probability of
| someone (already born) being of a certain citizenship
| given their parents' location.
|
| That would be "ius soli". As opposed to "ius sanguinis".
|
| It's also not a "probability". These are principles which
| are formally enshrined in nationality laws and very much
| determine travel, migration and national security
| policies in different nations. Including the United
| States.
|
| These are not "common sense" either.
|
| These are laws which come with a long historical pedigree
| which includes identity politics, economic policies,
| moral and ideological values, and so on.
|
| They are also very much subject to change through the
| dominant politics of the day.
|
| > Not allegiance, citizenship. Different, but similar
| concept again.
|
| I'm not willing to engage in a semantic discussion.
| u801e wrote:
| > that a person with two Iranian parents is probably also
| Iranian.
|
| It depends on the countries' respective laws, but it's
| certainly possible that the person in question is not
| Iranian at all in terms of nationality as opposed to
| ancestry. As I recall, the law in question pertains to
| Iranian nationals, not those who happen to have Iranian
| ancestry.
| rurban wrote:
| Nope, not at all. Thousands of Europeans are travelling to
| Iran for tourism or conducting business. The trade
| sanctions don't block visitors to check their work.
|
| "The United States has imposed an arms ban and an almost
| total economic embargo on Iran, which includes sanctions on
| companies doing business with Iran, a ban on all Iranian-
| origin imports, sanctions on Iranian financial
| institutions, ..."
|
| A private visit is not doing business, so the org cannot be
| blocked. And most other companies are ignoring the US
| sanctions, that's why we have the current propaganda push.
|
| The law is ok, because economical sanctions are the only
| way to get rogue nation states to comply. That's why we
| have sanctions on Iran, Russia, Crimea, North Korea.
| Unfortunately not against the US yet.
| esolyt wrote:
| It implies he has parents in Iran. He could be a US citizen
| or an Iranian citizen. Or both. Or neither.
| cies wrote:
| Funny how GH gets shit for what the US has as laws. I'd focus
| my outrage on the law, the lawmaker, and those who uphold it.
| GH is merely trying to go by the book/ avoid penalties, as
| expected.
| matsemann wrote:
| A single person has no way of influencing this. Twisting
| Github's and others' arms is a great proxy. If they get
| flak for their handling of this, they can go argue with law
| makers.
| imposterr wrote:
| Does that not just speak to a larger problem with the
| current political system that twisting the arm of a large
| company is the only way to affect change?
| jfrunyon wrote:
| Does that mean that we shouldn't address any of the
| smaller problems?
| brmgb wrote:
| The US embargo prevents doing business with Iran. Providing
| service in Iran would be a violation of the embargo.
| Blocking a whole European company not conducting business
| with Iran because one of its employees tried to login while
| there is not respecting the embargo, it's just overreach.
| GitHub should get flak for that in the same way Paypal
| regularly get flak for randomly freezing accounts.
| jfrunyon wrote:
| > not conducting business with Iran
|
| > its employee tried to login while there
|
| Those two statements are incompatible with each other.
| rurban wrote:
| Nope. There is an explicit exception for non-citizens.
| Only Iranian citizens need to be blocked.
|
| And blocking on the first login attempt is overreach. The
| system doesn't know if you are tourist, visitor or
| resident. So wait two weeks at least.
| jfrunyon wrote:
| Nope. There is an explicit exception for people who you
| _know_ are not an Iranian national.
| quietbritishjim wrote:
| > GitHub should get flak for that in the same way Paypal
| regularly get flak for randomly freezing accounts.
|
| If GitHub freezes your account, this is obviously serious
| and can impact your business to a greater or lesser
| extent depending on what your business does. But the data
| is not lost, and you'll likely have a copy of at least
| some of it (the actual repos) and maybe all of it if you
| were being careful.
|
| If Paypal freeze your account then any money in it is
| simply lost (and your loss is Paypal's gain!). There's no
| way you could keep a "backup" of that money even if you
| were being careful. It's completely incomparable.
| brmgb wrote:
| > If Paypal freeze your account then any money in it is
| simply lost (and your loss is Paypal's gain!).
|
| While this is completely tangential to the current
| discussion, I feel compelled to inform you that that's
| not how it works. When Paypal freeze your account, your
| account is not deleted, you just can't do anything with
| it. The money on it obviously remains yours. You just
| have to convince them that your account should be
| unfrozen or wait the maximum duration you agreed to in
| Paypal ToS - 180 days - after which they have to hand it
| back to you.
| cies wrote:
| > GitHub should get flak for that in the same way Paypal
| regularly get flak for randomly freezing accounts.
|
| Random? I think the problem with Paypal was that they do
| not warn or provide reasons for freezing. GH's reasons
| are clear.
|
| > Blocking a whole European company not conducting
| business with Iran because one of its employees tried to
| login while there is not respecting the embargo, it's
| just overreach.
|
| Says who? There is a law, the law is unclear and IMHO a
| bad law. The law is overreach. Blaming GH for shitty US
| laws is akin to killing the messenger.
| ffpip wrote:
| > Says who?
|
| The same law you're stating.
|
| https://home.treasury.gov/policy-issues/financial-sanctions/...
| [deleted]
| astura wrote:
| > I think the problem with Paypal was that they do not
| warn or provide reasons for freezing
|
| Which is par for the course for financial companies.
| another-dave wrote:
| > Says who? There is a law, the law is unclear and IMHO a
| bad law.
|
| Says the US Department of the Treasury, as mentioned in
| the Twitter thread further down:
|
| > 118. I have a client that is in Iran to visit a
| relative. Do I need to restrict the account?
|
| > No. As long as you are satisfied that the client is not
| ordinarily resident in Iran, then the account does not
| need to be restricted.
|
| from their "FAQs: Iran sanctions" page --
| https://home.treasury.gov/policy-issues/financial-sanctions/...
| delfinom wrote:
| GitHub didn't decide on their actions blindly. They have
| lawyers who review the laws, look at their services and
| write the rules to follow internally. The lawyers
| obviously have a reason to disagree with the Treasury and
| GitHub under Microsoft aren't exactly going to be using
| cheap lawyers either.
| diebeforei485 wrote:
| They have since restored the account, so your argument is
| invalid.
|
| Keep in mind that US Government agencies that administer
| sanctions laws (the Treasury, in this case) are the ones
| interpreting what these laws mean. See
| https://en.m.wikipedia.org/wiki/Chevron_U.S.A.,_Inc._v._Natu....
| Sacho wrote:
| Is Github on the hook if the client is actually a
| resident? If so, the law is still bad and github's
| response may be appropriate (just blocking login from Iran
| sounds better though). You can't expect them to
| investigate the personal details of their users.
| Dylan16807 wrote:
| They could at least have a grace period for country
| changes.
|
| But I sure as hell _can_ expect them to investigate
| before cutting service to a long-time customer.
| darkwater wrote:
| And now is when GP should reply saying "oh gee, you are
| right and I was wrong. thanks for pointing that out."
| jimmydorry wrote:
| Github shoulders all the responsibility if they get it
| wrong. They appear to be doing the reasonable thing, up
| until this could not be resolved through customer support
| (as the company bears the burden of satisfying github
| that they are not violating the embargo).
| harperlee wrote:
| Yes, the core problem here is that unblocking the
| preventive block in 7 days is both unacceptable for the
| client and a big OPEX ask for github.
|
| What I'm not sure at all is that github had the
| obligation to preventively block cases instead of the
| alternative to investigate high risk cases prior to
| block. As long as they had a sound Compliance process for
| determining sanction enforcement needs in a reasonable
| time it should be enough - though for sure more expensive
| than autoblock followed by non-specialized, non-time
| sensitive (for github!) customer service followup.
| tpoacher wrote:
| Well, it's kinda like the whole "if a misbehaving app
| crashes the whole OS, whose fault is it? The app's? Or the
| OS?"
| x3c wrote:
| Not as per the letter of the law.
|
| https://home.treasury.gov/policy-issues/financial-sanctions/...
| justin66 wrote:
| It's so peculiar that you - and some guy on twitter,
| apparently - are quoting a footnote to a FAQ on
| Treasury's OFAC information page as if that captures the
| entirety of an American company's obligations under the
| law. This is _really obviously crazy,_ right? In any
| other, less political, context involving business law and
| liability the advice would be "talk to a lawyer."
| x3c wrote:
| I doubt GitHub or any org is changing their SOP based on
| my comment. But the mere existence of a scenario
| equivalent to the one in question in the operating
| guidelines suggests there is room for sanity to prevail in
| the interpretation of the law.
| kitd wrote:
| The real question is why GH blocks an Indian company and all
| its Indian employees (all legal and outside the US sanctions
| list) when an employee logs on in Iran.
|
| Does US law require application to such an extreme degree? If
| not, then why is GH doing it?
| rad_gruchalski wrote:
| Because github is a company based in the USA and must comply
| with the law of USA. It does not matter where the customer of
| github is based. It would be the same with gitlab because
| they are based and hosted in the USA.
|
| If you are German and USA decides to apply sanctions on
| Germany because of NordStream2 tomorrow, well, good luck
| setting up your own gitlab ce...
| kitd wrote:
| Ofc GH has to comply with US law, but you missed the
| question: does US law require blocking access to cover
| those who are not on the sanctions list?
|
| Or look at it another way: this is an Indian company. Does
| one employee opening their laptop in Iran make it an
| Iranian company under US law?
| richardwhiuk wrote:
| If the employee was Iranian, then yes, GitHub would be
| required to do this.
| kitd wrote:
| No it wouldn't.
|
| https://home.treasury.gov/policy-issues/financial-sanctions/...
| ChrisLomont wrote:
| "If the employee was Iranian, then yes,...."
| jfrunyon wrote:
| https://docs.github.com/en/free-pro-team@latest/github/site-...
| LatteLazy wrote:
| You can't blame GitHub for intentionally over broad, OTT US
| sanctions.
| mcguire wrote:
| Outsourcing anything has its own set of risks. Understand them
| before you commit to living with them.
| papier2020 wrote:
| Since MS owns github does the same rule ban happen if a company
| uses office365-online/azure - and one employee opens email from
| Iran?
| znpy wrote:
| Probably yes
| reallydontask wrote:
| Tangentially related but one of my guys went to Cuba when we
| were using G-suite and he couldn't access gmail, it seemed to
| be ip-blocked.
|
| Maybe Cuba has a very well known set of IP addresses and it's
| easy to block?
| paranoidrobot wrote:
| A company I used to work for got acquired by a US-owned
| organisation.
|
| We were required to block traffic from sanctioned countries,
| and were allowed to use a Geolocation IP Database to do so.
| Lots of lawyers reviewed it, as well as external consultants.
| amir734jj wrote:
| I'm an Iranian-American and this saddens me deeply. When you
| travel to Iran you need to make sure you don't get arrested by
| Iranian regime because they have a history of taking dual
| nationals as hostage. Then you open your laptop and suddenly you
| have taken down your company and potentially lost your job.
| Triv888 wrote:
| > When you travel to Iran you need to make sure you don't get
| arrested by Iranian regime because they have a history of
| taking dual nationals as hostage.
|
| Isn't it trivial for them to catch you at the border if they
| wanted to do it?
| amir734jj wrote:
| They usually arrest people at the airport when they are
| leaving. It's called "hostage diplomacy"[0]. There is a whole
| Wikipedia page dedicated to it.
|
| [0] https://en.wikipedia.org/wiki/Hostage_diplomacy#Iran
| jonny383 wrote:
| Please please PLEASE add at least one other provider to your
| remotes if you're going all in on cloud.
|
| Consider also doing a regular local backup of all your repos. A
| quick Google search will yield you tools that will automate this
| entire process on platforms such as GitHub, BitBucket and
| GitLab. I personally delegated this to a Cron job. I check the
| backups manually once a month to check all is in order.
| grumple wrote:
| This is good advice. Maybe even self-host a backup server.
| kkapelon wrote:
| While this is good advice of course, it is not clear to me if
| the problem is just the source code.
|
| The twitter message says "We are completely blocked from
| deploying!."
|
| Maybe they already have the source code elsewhere but use
| GitHub actions?
| RyJones wrote:
| Heroku, maybe?
| arthurmorgan wrote:
| Was the employee logged in with the organization account? When I
| visited Iran my personal and work account got locked but the org
| account was untouched.
| darkwater wrote:
| I really wonder why economical penalties enforced to a country
| through its citizens or people born there or with ancestors like
| the USA does with all of its embargos aren't considered just as
| terrorism. You are punishing other people for something they
| didn't do just to pressure on their governments. Just like
| terrorists injuring people. (Yeah I know terrorists usually kill
| people but I'm pretty sure many people died due to economic
| embargo as well)
| Chris2048 wrote:
| > You are punishing other people.. Just like terrorists
| injuring people.
|
| Because terrorism implies violence. What kind of deaths result
| from economic embargo?
| srtjstjsj wrote:
| Starvation and disease.
| Santosh83 wrote:
| At this level "might makes right" is the only reality. Don't
| let anyone tell you otherwise. Oh yeah they went through UN for
| the sanctions... right... as if the UN isn't little better than
| a rubber stamp agency in these areas.
|
| On the flip side the US can do little if someone like China or
| Russia decide to trade with and help out Iran. The problem is
| the software sector is heavily dominated by the US, so they can
| disproportionately affect Iran.
| pelasaco wrote:
| It looks like they are reading hacker news :)
|
| https://github.blog/2021-01-05-advancing-developer-freedom-g...
| talal7860 wrote:
| Well, GitHub is now fully available in Iran:
| https://github.blog/2021-01-05-advancing-developer-freedom-g...
| exabrial wrote:
| I have _a lot_ of questions...
|
| * Is this a US Company?
|
| * What was the employee doing in Iran?
|
| * Is the employee an Iranian national?
|
| * Was the company aware of this?
|
| Headlines like this make me really scratch my head.
| siculars wrote:
| Github obviously did not do enough due diligence here. IANAL but
| am familiar with Sanctions considerations and IMHO, this does not
| rise to the level of the action taken.
| stunt wrote:
| What a disproportionate reaction from Github.
|
| They could simply block network access from Iran to make it
| easier. Otherwise, blocking without giving warning is wrong. Even
| banks give warning and deadline to their clients before closing
| accounts that are linked to sanctions. Why Github blocked the
| entire organization without proper communication and deadline to
| fix or clarify the issue?
| mzs wrote:
| resolved:
| https://twitter.com/sebslomski/status/1346467442428530691
| bigphishy wrote:
| What happened to the 'master main' comment thread? It was just
| silently deleted from this thread. Massive censorship going on, I
| am moving to a new website. Good riddance hackernews, take your
| censorship and stick it!
| aaomidi wrote:
| Reminder that Microsoft has the power to ask the state department
| for an exemption from these sanctions for github.
|
| They have refused to do that. Google did that with Gmail and made
| the argument that Gmail is an important utility for freedom of
| the people there. Microsoft can do the same.
| aaomidi wrote:
| I'm glad that Microsoft finally reversed their stance on this.
| sebyx07 wrote:
| use vpn bois, it's 2020 not 1999
| prepperdev wrote:
| From the company perspective, it's an arbitrary disruption. It
| could happen to any company.
|
| While it's certainly very convenient and economically reasonable
| to use cloud services for development and production, every
| company should have a plan B.
|
| In this case, it's an absolute must to have daily backups of all
| repositories / all branches which are stored on premise. If your
| company is not doing that, you play the lottery of losing access
| to your own source code.
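
Added example, not part of any comment in this thread: the advice from jonny383 (a second provider among your remotes plus a cron-driven local backup) and from prepperdev (daily on-premise copies of all repositories and all branches) as a POSIX shell script. The list-file format, paths, URLs and function names are assumptions made for this example.

```shell
#!/bin/sh
# Keep a full bare mirror of every repository on local disk and, optionally,
# replicate branches and tags to a second provider.
#
# List file format (hypothetical names and URLs), one repository per line:
#   <name> <source-url> [second-provider-url]
#   api git@github.com:example-org/api.git git@gitlab.example.com:example-org/api.git
#
# Hypothetical crontab entry for a nightly run:
#   17 2 * * * /usr/local/bin/repo-backup.sh /etc/repo-backup.list /srv/git-backup
#
# Function bodies use ( ... ) so their variables stay local in plain POSIX sh.

# mirror_repo SRC_URL DEST_DIR
# Create or refresh a bare mirror holding all refs, then verify its objects.
mirror_repo() (
    src=$1 dest=$2
    if [ -d "$dest" ]; then
        # No --prune: branches deleted upstream are kept in the backup.
        git -C "$dest" fetch --quiet origin || exit 1
    else
        git clone --quiet --mirror "$src" "$dest" || exit 1
    fi
    # A copy that fails integrity checking does not count as a backup.
    git -C "$dest" fsck --no-dangling >/dev/null 2>&1 || exit 1
)

# push_mirror MIRROR_DIR SECOND_URL
# Push every branch and tag of the local mirror to the second provider.
# Only heads and tags are sent, because some hosts reject their own
# provider-specific ref namespaces when pushed from elsewhere.
push_mirror() (
    git -C "$1" push --quiet "$2" \
        '+refs/heads/*:refs/heads/*' '+refs/tags/*:refs/tags/*'
)

# mirror_branches MIRROR_DIR
# Print the branch names stored in a mirror, one per line (for spot checks).
mirror_branches() (
    git -C "$1" for-each-ref --format='%(refname:short)' refs/heads
)

# backup_all LIST_FILE BACKUP_ROOT
# Process every repository in LIST_FILE. A failure on one repository (for
# example, the account being blocked) does not stop the others and leaves
# the existing mirror untouched. Prints the number of failed repositories
# and returns non-zero if there were any.
backup_all() (
    list=$1 root=$2 failed=0
    mkdir -p "$root" || exit 1
    while read -r name src second || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        # </dev/null keeps git (or ssh) from consuming the rest of the list.
        if mirror_repo "$src" "$root/$name.git" </dev/null; then
            if [ -n "$second" ]; then
                push_mirror "$root/$name.git" "$second" </dev/null ||
                    { echo "second-provider push failed: $name" >&2
                      failed=$((failed + 1)); }
            fi
        else
            echo "backup failed: $name" >&2
            failed=$((failed + 1))
        fi
    done < "$list"
    echo "$failed"
    [ "$failed" -eq 0 ]
)

# Run as a script: repo-backup.sh LIST_FILE BACKUP_ROOT
if [ "$#" -eq 2 ]; then
    backup_all "$1" "$2"
fi
```

A non-zero exit from the cron job is the signal to look at the backups before the monthly manual check; this covers source code only, not hosted CI or deployment pipelines.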
| EdwinLarkin wrote:
| Entrusting your business to an american entity is the stupidest
| idea you could have thought about.
|
| Especially us Europeans should not rely on American services at
| all. It's not worth it.
|
| American corporations are just as much a liability as their
| counterparts in China.
| ChuckNorris89 wrote:
| _> Especially us Europeans should not rely on American services
| at all. It's not worth it._
|
| Sure, please let me know how the EU plans to build Office 365,
| AWS, GitHub competitors of similar scale, quality and success.
|
| We have no private investors that would pony up enough money to
| go against US tech titans and fat chance the EU would ever fund
| such initiatives and if they would, the money would evaporate
| over night to companies with political connections and
| overpriced consultants who would just produce documentation.
|
| Let's face it, the ship of EU dominance in tech has sailed a
| long time ago, we might as well get comfy with the US pulling
| the strings on that front.
|
| The only way the EU would ever stand a chance is if the EU
| would pull a Chinese style great firewall and outright ban
| foreign tech companies on their internal market, leaving space
| for local companies to spring up and fill the void but that
| will never happen.
| sjogress wrote:
| I agree with you that Office 365, AWS and Github are great
| products. Hard, if not impossible, to catch up as a
| competitor, especially when you have trillion dollar
| companies backing them.
|
| However, if you cannot trust those products then you cannot
| use them.
|
| Remember, this thread is about Github blocking an entire
| company due to one employee due to American politics. If a
| non-US company risks to lose its project management/code
| management (Github), its infrastructure (AWS) or its
| documents (Office 365) on a whim due to American policies
| then they cannot use those products.
|
| If a big enough chunk of the world can't use the American
| offerings, then there is a market for alternatives.
| m000 wrote:
| > Sure, please let me know how the EU plans to build Office
| 365, AWS, GitHub competitors of similar scale, quality and
| success.
|
| There are no such plans. EU wields a lot of regulatory power.
| The most likely path of action would be to force
| MS/Amazon/etc. to spin-off their EU side of the business. And
| I believe that the companies have already prepared for this.
| icelancer wrote:
| I generally agree with your post (we both made the mistake of
| posting during EU peak times and not US peak times, so
| downvotes incoming), but it's worth noting that Airbus is a
| success story bolstered by the now-EU to combat American
| aerospace dominance.
| ChuckNorris89 wrote:
| I love Airbus, but they're not a software company and since
| we live in the age of cloud-everything, software has eaten
| the world and all our mobile tech is controlled by two US
| walled gardens (apple and google) that is a lot more
| potentially impactful on our daily lives on multiple levels
| of our society than what Airbus could do.
| pastrami_panda wrote:
| > We have no private investors that would pony up enough
| money to go against US tech titans and fat chance the EU
| would ever fund such initiatives
|
| Did you miss this a couple of weeks back?
|
| https://www.eetimes.eu/eu-signs-e145bn-declaration-to-develo...
| kmeisthax wrote:
| That's for semiconductor technology, not a full software
| stack, search engine, social network, or server hosting
| farm that could compete with Apple, Google, Facebook, or
| Amazon. Designing ICs is already a niche market, and
| designing process nodes for IC manufacturing is even more
| niche. Furthermore, the EU already had technical
| superiority here: ASML is the company that supplies TSMC
| with the machinery that powers their 5nm node.
| pastrami_panda wrote:
| Sure, I get what you're saying, but I hope you see my
| point here. Pursuing 2nm lithography (which is something
| like 1-2 nodes from bleeding edge?) with 135 billion euro
| surely tells you something about their commitment.
|
| I would also point out that many of these companies you
| mention are immensely scattered. Take anyone and you'll
| find their resources spread across an evergrowing
| domain/portfolio. I'm not saying it's bad that Apple is
| developing cars and Facebook VR headsets - I'm just
| saying it spreads them thinner. If the EU found it
| valuable enough to pursue e.g search within the next five
| years it's not at all unfeasible or unreasonable to do
| so. It might even be better for the greater good of the
| internet frankly.
| fnord123 wrote:
| I think it's important to frame it correctly: US companies
| have been persistently acting illegally in Europe. Avoiding
| taxes (e.g. Amazon's Project Goldcrest) to undercut
| competitors, mishandling data for profit, and then abusing
| market dominant positions to prevent European competitors
| from rising up; forcing those potential competitors to sell
| to US firms.
|
| You're right that it's probably too late to reverse all of
| this economic damage that the US has intentionally caused.
| It's a difficult problem for the world.
| drstewart wrote:
| Ah yes, poor innocent Europe that is so distraught over the
| economic damage US companies did that _checks notes_
| Ireland sued the EU on behalf of Apple to prevent it from
| having to pay taxes.
|
| You're right. You should frame it correctly and take
| ownership over the complete and utter regulatory failures
| of European countries to support and nurture local
| businesses.
| kavalg wrote:
| It depends. For example, office software is already far into
| the flat region of its innovation curve. IMHO it would
| suffice to throw away MS and adopt e.g. LibreOffice in all
| educational and government institutions throughout EU (and
| there are precedents already). GitHub shall be even easier to
| replace (complexity is far below office and open source
| alternatives do exist). Now with AWS, it is really a tough
| question. Hetzner is doing a very good (albeit slow) progress
| towards AWS functionality. Their prices are competitive and
| customer service is much better than what I ever got from AWS
| (not affiliated, just a happy customer). The level of
| integration in AWS however is still out of the reach of
| Hetzner (Cloudfront, S3, SES etc).
|
| It would be really interesting to know your opinion on what
| functionality in AWS is indispensable and what you can
| sacrifice in case Hetzner/OVH price for the rest is the same
| as AWS or lower.
| f6v wrote:
| The Silicon Valley wasn't built overnight. The software
| industry is just taking off in the EU. Mind you, nobody would
| have thought that the US would lose their leading role in
| the Middle East, look at them now. I can see the same
| happening in tech.
| waihtis wrote:
| Problem is that EU is not comparable in any manner to the
| US. For one, where do you suggest the Silicon Valley of EU
| is? London would've been a decent bet except that they just
| bailed.
|
| As someone else mentioned, capital is way harder to raise
| (meaning slower to market) - and then an underrated factor
| which is equally important is how easy or difficult is it
| to sell as a nascent startup. At least in my industry
| (cybersecurity) it has been very hard in the EU vs US in
| the earlier stages of product maturity.
|
| Much like the parent comment, I don't see this changing
| anytime soon and I'm fully betting on the fact US will keep
| their dominance in tech.
| f6v wrote:
| Well, we shouldn't just assume that Silicon Valley has to
| be a place. The lockdown showed that numerous companies
| can operate 100% remotely. And I got the impression that
| there's always more money than startups.
| icelancer wrote:
| Wages are also strangely way, way worse in the EU. When
| you combine that with cost of living (and taxes) being
| far higher there, it's not a great recipe for growth.
| BatteryMountain wrote:
| I'm in Africa and most companies here host their systems either
| locally (very expensive and slow) or in America. The other day
| at work I had a pretty heated argument at work with a colleague
| when I mentioned it is really not good for us to host any of
| our stuff in America (all of it is currently in America). He
| basically freaked out about it. I just wanted to hear his
| thoughts about it, but he took personal offence (he's an aws
| fanboy).
|
| There are problems with the laws, copyright laws too, US gov
| agencies etc that are all incompatible with our own laws. If
| something bad were to happen, our own courts have zero power to
| help us. We also don't have a direct fiber line to America so
| all our traffic hops through Europe and more recently through
| South America, so about 200ms added to most requests.
|
| The only reasons to use American hosting companies is because
| of:
|
| 1) The financial cost can in some cases work out to be lower
| than local options.
|
| 2) It can be easier to scale your service vs self-hosting on
| premises.
|
| 3) American hosting platforms have really nice GUI's and
| tooling, while being well integrated with the billing side -
| everything mostly just works as expected.
|
| But other than that, if money and skills are not a problem,
| then on-prem is best here.
| [deleted]
| jfrunyon wrote:
| Money and skills are ALWAYS problems. Those are "cheap" and
| "fast" of the "cheap, fast, good, pick two".
| cambalache wrote:
| > Money and skills are ALWAYS problems. Those are "cheap"
| and "fast" of the "cheap, fast, good, pick two".
|
| Those are not problems, those are trade-offs. OP is right,
| you could be in a position in which those trade-offs don't
| apply to you (i.e. by buying an "expensive" but great
| solution, this happens all the time in all the industries)
| or you could sacrifice one item (say speed) in your
| solution if this is not a problem for your workflow ("so
| what if a open source tool runs 2x as slow as the best
| proprietary option, our daily batch processing take 2 hours
| and it is used in weekly buckets")
| jokethrowaway wrote:
| This is ridiculous.
|
| China requires access to your company code and pretty much owns
| you.
|
| The USA government is interfering as much as European
| governments do, by making stupid laws and demanding access when
| they can think of an excuse. Sure, it's bad but it's not as bad
| as China.
|
| You can't trust any government, but some are better than
| others.
| swayson wrote:
| Indeed, gives me hope for decentralised technologies like
| gitcoin, that could perhaps give more agency to developers.
| icelancer wrote:
| The top 33 "software and programming" companies by revenue in
| the world can be found below [0]. 28 of them are American. Two
| are in the EU. One is in the UK. One is in Australia. The last
| is Russian.
|
| One of the companies in the EU produces enterprise software
| almost no one on this website uses (SAP). The other is
| Dassault.
|
| In the US the top five companies are Microsoft, Oracle, ADP,
| Adobe, and Salesforce. If you include Alphabet and Amazon,
| well...
|
| When the EU or Asia (non-China, I guess) can offer mature
| alternatives even remotely competitive with the American
| companies, I guess your strategy could work. Until then, no one
| is going to flock to Hetzner over AWS.
|
| And I like Hetzner.
|
| [0]:
| https://en.wikipedia.org/wiki/List_of_the_largest_software_c...
| Erlich_Bachman wrote:
| > One of the companies in the EU produces enterprise software
| almost no one on this website uses (SAP)
|
| What? SAP is a huge software that is used in a lot of
| companies.
| kavalg wrote:
| Also, you should take into account that SAP the company is
| not just the ERP. It has acquired several big SaaS vendors
| in the past years (Ariba, SuccessFactors, Concur etc) so
| many of us may be touching SAP without even realizing it.
| icelancer wrote:
| Correct. I'm also willing to bet the people on Hacker News
| are not typically in the circle of businesses that use SAP.
| Closi wrote:
| I'm willing to bet that they are.
|
| Do you think there is a huge tendency towards Oracle,
| Infor or MS Dynamics rather than SAP across hacker news,
| or are you just assuming that people who go on hacker
| news aren't in the 'circle of companies' which need an
| ERP?
|
| Most people on HN probably go work for companies that pay
| them the best compensation or offer them a good position,
| not based on what ERP they chose.
| dtech wrote:
| You underestimate the reach of SAP and overestimate the
| "SV-ness" of HN.
| kuriho wrote:
| SAP Developer/Customer here.
|
| Does that mean most people on HN work for companies
| either too small for or too competent to outsource an ERP
| system?
| hasa wrote:
| SAP user here... not that I liked it :)
| tpoacher wrote:
| Both you and the person you replied to are right. They are
| not mutually exclusive points.
|
| Famous example: MS Windows having a marketshare of 96% should
| not necessarily stop you from designing your business around
| linux.
| icelancer wrote:
| Sure they are. Propose an EU or non-Chinese Asian
| alternative to AWS that is, say, 80% as
| efficient/effective. If that's not possible, then choosing
| AWS for your startup/scaling business is not the stupidest
| move you can make, assuming AWS fits your use case.
|
| "MS Windows having a marketshare of 96% should not
| necessarily stop you from designing your business around
| linux"
|
| But Windows doesn't have this kind of marketshare in most
| areas going forward? The #1 OS used worldwide is AndroidOS
| and no one is clamoring to write for it as far as I can
| tell.
| jojobas wrote:
| Microsoft can't ban you from using Windows or developing
| software that runs under it.
|
| Amazon can sure kick your company off its services.
|
| For many startups AWS is a no-brainer, which makes life
| somewhat harder for anyone who wants to deal with Iran
| from EU (as long as EU allows it) and not be shut down on
| a US three-letter agency's request.
| sjogress wrote:
| At this point it is kinda an open question whether using
| AWS/Azure/GCP for anything involving PII is even fully
| legal under EU/EFTA law. I know at least my employer is
| working towards having more options to jump ship at a
| moment's notice these days.
|
| I think EU/EFTA is large enough to enable the growth of
| at least one 80% offering given enough time. Or otherwise
| large enough as an economic bloc to force America to
| stricter legalisation so that they can use and depend on
| the American offerings.
| tpoacher wrote:
| I think you're missing the point. It's less a question of
| "can you find an alternative that is at least 80% as
| efficient", and more a question of "is this 20% bump in
| efficiency worth the liability risk".
|
| Your opinion is 'yes'. OP's opinion is 'no'.
|
| Both are valid opinions and highly depend on the nature
| of your business.
|
| But, OP's somewhat un-american sentiment aside (which I
| believe is mostly what you're reacting to, rather than
| the general nature of their argument), I agree that
| erring on the side of caution and minimizing external
| liabilities should be on the top of the agenda for any
| company.
|
| And this is aside from the whole "support local
| infrastructure and don't empower monopolies further"
| argument.
| fennecfoxen wrote:
| Maximizing the risk-adjusted returns on the business is
| the top of the agenda. Sometimes this means shedding
| risk, particularly at well established companies;
| sometimes this means embracing it, particularly at
| younger ones. If you don't have revenue yet there's
| little need to protect it.
| EdwinLarkin wrote:
| I am not anti-American or anything like that. I even
| acknowledge American dominance in Tech and better
| conditions for skilled workers (read much higher
| salaries).
|
| That said as a European I have to consider my interests
| and interests of my business.
| literallycancer wrote:
| There are often subsidiaries that offer the same services,
| except everything is done in the EU, data storage, support,
| etc. Of course the US still has access because of compromised
| infra, but at least it's illegal now.
| fnord123 wrote:
| >Until then, no one is going to flock to Hetzner over AWS.
|
| You don't need the market to flock to Hetzner or OVH to use
| it yourself and avoid US sanctions.
| jojobas wrote:
| You can use many of the products from the companies in the
| list (i.e. SAP, Adobe or Oracle) without risking all your
| data in a Kafkaesque ploy of sorts.
|
| If you keep everything your business is at Amazon you better
| be prepared to Amazon booting you.
| bildung wrote:
| While the US sure is dominant, there are dozens of software
| companies larger than those in that list, e.g. Zoho has about
| $5B revenue, Baidu $11B, Tencent $23B, Accenture $41B, ...
|
| The list employs some particular filters (e.g. SaaS seems to
| be excluded) and heavily emphasizes market cap over revenue.
| namdnay wrote:
| I wouldn't consider Accenture a large software company.
| They do a lot of software "consultancy" (ie bodyshopping),
| but the nature of the consulting game plus their
| decentralized architecture (I've worked with Accenture, and
| the relationship between their different offices seems to
| be closer to co-franchisees than colleagues) means I
| wouldn't consider it a "big software company" (as in lots
| of people working on the same system/architecture)
| mdoms wrote:
| Yup they're not a big software company if you arbitrarily
| constrain the definition of software company.
|
| I could argue Google is not a big software company (as in
| lots of people working with mismatching socks and
| propeller hats).
|
| But that would be just as stupid.
| namdnay wrote:
| What I mean is that the overwhelming majority of
| Accenture (or TCS, or Deloitte, or IBM Consulting, or
| Infosys, or any other bodyshop) employees aren't building
| software for Accenture, they're being hired out. So
| that's why I don't consider Accenture a "software"
| company
|
| Would you consider Randstad to be a building company?
| They loan out hundreds of thousands of building
| contractors across the world
| icelancer wrote:
| It doesn't matter anyway. Accenture is also an American
| company despite being incorporated in Ireland.
| icelancer wrote:
| Baidu and Tencent are in China, hence why they were
| excluded from the discussion (since the poster specifically
| said US/China can't be trusted).
|
| Accenture is American-Irish and listed on the NYSE. Subject
| to US jurisdiction from a national, not global level.
| [deleted]
| madsbuch wrote:
| I think you are conflating market share with quality of
| offering.
|
| Indeed there are viable local options for many of these
| things. Heck, the reason why European companies have so
| little relative market share, is because they serve smaller,
| domestic, markets.
|
| A Danish webshop provider probably has a better offering for
| a webshop for servicing the Danish market. It probably has
| better support for Danish accounting, better locale support
| etc.
| MattGaiser wrote:
| Do Danes have unique server needs compared to the rest of
| the world?
| madsbuch wrote:
| That's an issue for the webshop service provider ;)
| harperlee wrote:
| Don't strawman the parent post, they have already
| generalized US service dependency beyond OP, and there
| are already examples of local needs above:
|
| > It probably has better support for Danish accounting,
| better locale support
| tdy721 wrote:
| Yes, they speak Danish.
| cutemonster wrote:
| And Danish laws and Danish accounting systems and Danish
| gov agencies to maybe integrate with, etc
|
| (Maybe more relevant for SaaS than servers though)
| traveler01 wrote:
| I gotta agree with you. I understand GitHub doing that, they
| fear repercussions (remember that Huawei employee being
| arrested?). But, these things are too serious for a company to
| ignore.
|
| Chinese and USA services should be avoided...
| drstewart wrote:
| I assume this will be your last post on HN then...
| MaxHoppersGhost wrote:
| - Sent from my iPhone
|
| Ok buddy. Good luck with China and not using American software.
| bitzl wrote:
| What do you suggest to use instead of GitHub?
| factorialboy wrote:
| So many dimensions come to play here.
|
| 1. There's the obvious legal aspect i.e. how these laws are
| framed and interpreted.
|
| 2. Then there's the geopolitical aspect. Is it fair to impose
| sanctions on Iran.
|
| 3. There's another aspect around GitHub policy that asks if an
| entire organization should be banned for the location of one team
| member.
|
| 4. Finally, there's the aspect of relinquishing control. Your app
| development is on the cloud. IDEs are on the cloud. Deployments
| are on the cloud. App stores are on the cloud.
|
| You have relinquished so much control, why be surprised if that
| stares you back in the face?
|
| Ironically, Git is a decentralized version control system.
| burade wrote:
| >2. Then there's the geopolitical aspect. Is it fair to impose
| sanctions on Iran.
|
| Yeah. Nobody else should be allowed to have nukes, or else the
| U.S. is gonna take his ball and go home.
| coredog64 wrote:
| Iran is a signatory to the Nuclear Nonproliferation Treaty.
| According to the treaty, they agreed to not pursue nuclear
| weapons and to allow IAEA oversight.
|
| Making it difficult for the IAEA to provide oversight is
| enough of a treaty violation, and that goes double when there
| is credible evidence that unauthorized enrichment was
| occurring.
| literallycancer wrote:
| Why do non-US companies care about US foreign policy goals?
| EU companies can benefit from doing business with Iran, on
| the other hand using US based SaaS only makes them hostages
| of the US government and provides zero additional benefit.
| It would seem that using US based SaaS is simply bad risk
| management on the buyer's part.
| mcguire wrote:
| The EU (and the UN) has had on-and-off sanctions against
| Iran for decades as well.
|
| Are any EU countries still dependent on Iranian oil
| supplies?
| rapnie wrote:
| > Ironically, Git is a decentralized version control system.
|
| But git and github are not the same, as the latter contains a
| lot more extras in terms of functionality.
|
| There are good github alternatives, like https://gitea.io
|
| And if you then talk decentralized version of that, ForgeFed
| comes into picture. See https://forgefed.peers.community
|
| As it happens there's a recent interest to evaluate that for
| implementation in Gitea (and maybe funded by NGI0):
|
| https://github.com/go-gitea/gitea/issues/14186
| tamentis wrote:
| We all know that, but we both know most Git repositories out
| there are probably on Github.
| whack wrote:
| > _You have relinquished so much control, why be surprised if
| that stares you back in the face?_
|
| We live in a market-based economy with highly specialized
| division of labor. The idea of "keeping control" of all our
| necessities and dependencies, is an archaic one. The system
| generally works, because we create sensible laws that foster
| trust, vet for partners who are trustworthy, and name-and-shame
| entities that violate our trust.
|
| If you're a behemoth the size of FANG or a nation-state, maybe
| it is worth the effort needed to insulate yourself against
| these black-swan scenarios. But for a startup or small-medium-
| business that no one has heard of? That just sounds like bad
| prioritization.
|
| All of which is to say... we should absolutely be surprised
| when a vendor like GitHub blocks an entire company because of
| an employee logging in from Iran while on travel. And this
| surprise, and the resulting name-and-shame, is what keeps the
| wheels of our economy turning.
| oytis wrote:
| Spinning up your own git server is not a huge effort though
| even for a startup.
|
| As to what is archaic - I believe a point can be made that
| the division of labor thing can suit poorly our brave new
| cloud software world. You can't just buy things (or software)
| from others, and completely own them. If you are outsourcing
| some part of your business to others, you also lose a lot of
| sovereignty that is crucial to stay flexible and move fast.
| Apart from the fact that all these solutions are bundled with
| analytics that will play against you as soon as your supplier
| wants to become your competitor. And as I said before,
| staying in control is actually not that hard as soon as you
| know what you are doing, and can be a huge competitive
| advantage.
| ogre_codes wrote:
| > Spinning up your own git server is not a huge effort
| though even for a startup.
|
| At a previous job we self hosted Git and it worked fairly
| well. At my current job we use GitHub and while we could
| migrate away, it would hurt.
|
| Personally, I think GitHub's value is more about the fact
| that it integrates so well with so many other services.
| Without GitHub we would lose:
|
| - Most of our PR/ Code Review flow
|
| - Integration with Pivotal (our ticketing/ story system)
|
| - Integration with our Travis server for CI
|
| - Integration with our hosting service for automated
| deployment.
|
| All of this stuff can be done independent of GitHub, but
| most of it takes a lot of time and effort you could be
| spending delivering the product you are trying to ship. You
| also lose a lot of flexibility.
| throwaway0a5e wrote:
| I think it's the opposite. When you're FANG or a nation state
| preparedness doesn't matter. You have strings to pull to get
| fair treatment.
|
| If you're a small guy you get screwed and have no practical
| means of recourse. The little people are the ones who need to
| care about this kind of stuff.
| Dirlewanger wrote:
| Don't be surprised when the "name-and-shame" doesn't work
| anymore.
| darod wrote:
| So true. It already doesn't work in politics. Only a matter
| of time till it's the same with big companies
| Erlich_Bachman wrote:
| There are plenty of solutions that are keeping the data in-
| house. Or allow for easy exporting/importing (github is not
| too bad in this regard though). None of these solutions go
| against the "highly specialized division of labor". This is a
| question about what kind of solutions we build, not how labor
| is divided or not.
| dj_mc_merlin wrote:
| None of those solutions are as plug-and-play as hosted
| GitHub/GitLab, nor without maintenance costs. Those add up
| to quite a bit of money too, usually making hosted the more
| cost effective option. Although this can happen, the truth
| is 99% of the time it doesn't, so most companies continue
| to use hosted solutions as it is far more likely they go
| bankrupt due to poor business rather than US embargos.
| hospadar wrote:
| I very much agree - the likelihood that your business will
| die because it just isn't great at selling stuff seems much
| greater than the likelihood that it will die because you get
| really unlucky with a service provider.
|
| THAT SAID, it seems worth it for even a really tiny company
| to spend a half hour thinking about "what would I do if
| github (or AWS or google or the app store or whatever) cut me
| off?"
|
| Probably in a lot of cases the answer is "call them and beg
| forgiveness" (i.e. if it's AWS), but for something like
| github it seems like "switch to gitlab" (or "deploy git
| server" or anything else) is a pretty easy move.
| [deleted]
| pmontra wrote:
| A customer of mine uses GitHub, Travis and Slack.
|
| If GitHub is offline we can still setup a git server
| somewhere. I could offer my own for a quick startup. Mailing
| patches to each other, Linux kernel style, is not a viable
| backup plan. The cultural gap is too wide.
|
| If Travis is down we can run tests locally.
|
| We build the deployment artifact on one of our servers. If
| that one is down probably our production server is down too.
|
| If Slack is down, ah, I was on vacation yesterday. I guess
| the fastest backup for us would be WhatsApp Web.
| u801e wrote:
| When we ran services like this in-house, I don't really
| recall a time where any of them failed. Now that we have a
| 3rd party run those services, it's easy to recall multiple
| instances where one or more of them were down for some
| reason.
| INTPenis wrote:
| Yes it is in the cloud but if you use Gitlab you're suddenly
| compatible with hosting your own Gitlab. If you use Github
| you're not. Unless you pay tons of money for Github Enterprise.
|
| So there are Cloud services that make more sense to use in the
| long run, in this case Gitlab is one of them.
| jankotek wrote:
| Hell no!
|
| In this case Github is just an unreliable piece of infrastructure.
| My phone provider bans me for receiving phone call from wrong
| country? Nice joke.
| dspillett wrote:
| _> Ironically, Git is a decentralized version control system._
|
| GitHub is simultaneously not the be-all-and-end-all of Git[1]
| and more than Git[2].
|
| If they have good backups of everything (if not they should
| consider this a beating with the ol' clue stick (I'm assuming
| _everything_ on github can be backed up away from it?)) this
| should only be a bump in the road, though a considerably
| inconvenient bump as there is nothing they can just restore to
| and move on using without a pile of changes and /or admin work.
|
| [1] pick a new location for the "source of truth" repo for your
| team, push everything to that, and you're golden again
|
| [2] all the bits wrapped around it are available elsewhere, but
| not necessarily in a convenient ready-made integrated manner[3]
|
| [3] there is GitLab of course, not a direct 1-1 feature mapping
| in either direction but close enough for many, I'm told
| performance is more of an issue but you can always self-host if
| controlling that is worth the extra admin to you
| dkersten wrote:
| > pick a new location for the "source of truth" repo for your
| team, push everything to that, and you're golden again
|
| It's also pretty easy to mirror your repo to other remotes.
| I've had projects that were in Gitlab, Github and Sourcehut
| at the same time. Sure, depending on how you sync them, there
| may be some steps (eg getting people to push their local
| branches to another remote) when your main one becomes
| inaccessible, but overall it's really easy to work across
| multiple remotes. It's something git was designed for, after
| all.
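
The multi-remote setup discussed in the comments above, as an added example that is not part of any poster's comment: one `origin` that pushes to two hosts, a check that detects when the mirrors have drifted apart, and a recovery clone from the second host. The two bare repositories are constructed local stand-ins for independent Git hosts, and the function names and the `main` branch name are assumptions.

```shell
#!/bin/sh
# Added example: push to two hosts at once, detect drift, recover from the mirror.
# The bare repositories are constructed local stand-ins for two independent
# Git hosts; all function names here are hypothetical.
set -eu

setup_mirrored_repo() {
    # $1 = empty scratch directory (absolute path)
    for bare in primary secondary; do
        git init -q --bare "$1/$bare.git"
        git --git-dir="$1/$bare.git" symbolic-ref HEAD refs/heads/main
    done
    git init -q "$1/work"
    (
        cd "$1/work"
        git symbolic-ref HEAD refs/heads/main
        git config user.name "Example Dev"
        git config user.email "dev@example.invalid"
        git config commit.gpgsign false
        git remote add origin "$1/primary.git"
        # Once any push URL is set, the fetch URL is no longer pushed to
        # implicitly, so the primary has to be listed as a push URL too.
        git remote set-url --add --push origin "$1/primary.git"
        git remote set-url --add --push origin "$1/secondary.git"
    )
}

commit_change() {
    # $1 = scratch directory, $2 = commit message
    (
        cd "$1/work"
        printf '%s\n' "$2" >> notes.txt
        git add notes.txt
        git commit -q -m "$2"
    )
}

push_everywhere() {
    # One push command updates every configured push URL.
    (cd "$1/work" && git push -q origin --all && git push -q origin --tags)
}

push_primary_only() {
    # The drift case: someone pushes to a single host by URL.
    (cd "$1/work" && git push -q "$1/primary.git" main)
}

mirror_head() {
    # $1 = path to a bare repository
    git --git-dir="$1" rev-parse refs/heads/main
}

mirrors_in_sync() {
    # Compare the full ref listings; any missing branch or tag is drift.
    [ "$(git ls-remote "$1/primary.git")" = "$(git ls-remote "$1/secondary.git")" ]
}

recover_from_secondary() {
    # Simulates losing the primary: clone from the mirror, report commit count.
    git clone -q "$1/secondary.git" "$1/recovered"
    git -C "$1/recovered" rev-list --count HEAD
}

demo() {
    d=$(mktemp -d)
    setup_mirrored_repo "$d"
    commit_change "$d" "first change"
    push_everywhere "$d"
    commit_change "$d" "second change"
    push_primary_only "$d"
    mirrors_in_sync "$d" || echo "drift detected: secondary is behind"
    push_everywhere "$d"
    echo "commits recoverable from secondary: $(recover_from_secondary "$d")"
    rm -rf "$d"
}
demo
```

The drift check is the part worth scheduling: a mirror that silently stopped receiving pushes is only discovered when the primary becomes unreachable.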
| cies wrote:
| > Ironically, Git is a decentralized version control system.
|
| And Git is open source.
|
| Github is a US-registered company under MS. The US has a
| history of weaponizing its economic power.
|
| Stallman (RMS) was right once again.
| x3c wrote:
| This particular case was overreach by Github and not the US
| Lawmakers.
|
| https://home.treasury.gov/policy-issues/financial-sanctions/...
|
| 118. I have a client that is in Iran to visit a relative. Do I
| need to restrict the account?
|
| A: No. As long as you are satisfied that the client is not
| ordinarily resident in Iran, then the account does not need
| to be restricted. See FAQ 37.
|
| Source:
| https://twitter.com/Hamed/status/1346433510786138114/photo/1
| fennecfoxen wrote:
| It may be overreach by GitHub, but given the severity of
| the sanctions lawmakers have set for if they happen to get
| it wrong, I'd like to at least blame lawmakers for creating
| such a risky situation.
| A4ET8a8uTh0 wrote:
| I work with sanctions. I think both can be easily blamed.
| Similarly to DMCA notices, most companies opt for the
| path of least resistance ( it is cheaper to blanket ban
| than to investigate ). Yes, politicians are to blame for
| creating the environment, but companies deserve flak for
| taking the path that is bad for the customer ( unless
| they are sufficiently well-heeled ).
|
| My thoughts are my own. I do not represent anyone other
| than myself.
| siruncledrew wrote:
| Cases like this are an example of how a company trying to
| cover their ass leads to a customer getting kicked in the
| ass.
|
| Sanctions, compliance, etc. is a messy ordeal to manage
| (both technically and operationally), and the ways laws
| are written with so many intricacies and dependencies
| doesn't make it easier.
|
| Because only 1 instance of violation could lead to fines
| equivalent to a person's salary, often the systems are
| made to be overly sensitive and less investigative to
| figure out whether a 'hit' is actually a false-positive
| because that also takes time/money and still carries
| potential risk.
| fennecfoxen wrote:
| So look at (on one hand) a customer worth... well,
| PureLabs is "10 incredible FTEs," let's give them the
| $21/user/mo Enterprise plan at $210/month in revenue.
|
| On the other hand, a sanctions violation could be a
| $65,000 fine (Trading with the Enemy Act) or $250,000
| (International Emergency Economic Powers Act) for each
| offense. (I leave aside the million-dollar narcotics-
| kingpin act). On top of this we also see the risk of
| criminal prosecution.
|
| In what world is it reasonable to expect anyone to take
| this chance?
| A4ET8a8uTh0 wrote:
| It is hard to discuss hypothetical violations so I won't
| do that. It absolutely is a safe course of action to do a
| blanket ban. That said, is it reasonable to assume
| violation based on IP address ( and that is what seems to
| have happened here )? Banks don't automatically
| ( typically ) block MUHAMMAD JIHAD even if they may end up
| questioning it.
| harperlee wrote:
| That's because the combined business of all Muhammads and
| their employers is way more than 210$/month AND it would
| be illegal, and Bad PR(tm), to ban them from your
| business based just on their culture/name. Otherwise they
| would have been "derisked" out of service.
| A4ET8a8uTh0 wrote:
| You have a point ( and Mnuchin to his credit ,based on
| reports, does care about regulatory burden and its impact
| ). So you are right, one is not like the other. To
| address your point directly, if OFAC tomorrow added
| MOHAMMAD JIHAD with no other information ( no DOB, no
| address, and so on ), you would be surprised how quickly
| the banks would respond.
|
| Now note that we are discussing a name, a common,
| but somewhat reliable, if mutable, driver of our
| identity. Now compare it to IP address and tell me, which
| one is a better predictor of who you are.
|
| Unless, we are assuming IP is a proxy for location, which
| is another story.
| harperlee wrote:
| Banks typically would react overnight to OFAC list
| updates, through a sanctions list service.
|
| If no DOB or similar is also provided, though, scoring
| should not be too high - and if a match with Mohammad is
| enough to trigger an alert, the overnight alert delta
| would be either manually processed by Compliance, or bulk
| closed as false positives, depending on how much time you
| need to unblock the clients and similar risk
| considerations.
| A4ET8a8uTh0 wrote:
| I am not sure if you realize it, but you are proving my
| point. Banks found a way to address the issue without
| adversely affecting the customers. Github appears to have
| only recently started to do the same, but they opted for
| a blanket approach as opposed to a more targeted one.
| harperlee wrote:
| Sure, I'm just not trying to disprove you, I argued
| similarly in other threads.
| slaymaker1907 wrote:
| They do actually flag payments if you put the word Isis
| or something in the memo.
| lawnchair_larry wrote:
| Do you have a story about this?
| zinekeller wrote:
| Not parent and not about terrorism directly, but
| Tardigrade Ltd. was sanctioned in US (because it is an
| arms dealer without licence in US) causing all
| "Tardigrade" payments blocked (even innocuous ones):
| https://news.ycombinator.com/item?id=24450828
| saagarjha wrote:
| > It absolutely is a safe course of action to do a
| blanket ban.
|
| Except when you make a mistake and ruin someone's
| morning.
| rurban wrote:
| I would blame the automatic sanctioning software
| triggering such a situation, without checking if the new
| access from Iran was by a tourist or citizen. Adding an
| org block for minor access within two weeks is overreach.
| inlined wrote:
| I'm unaware of a library that checks citizenship of the
| user behind an IP address.
| harperlee wrote:
| This kind of software is not simply installed with an
| apt-get one-liner, github can't be exempted from choosing
| their business rules on screening matches.
| raziel2p wrote:
| If you read this literally, you could get away with leaking
| state secrets as long as you're visiting a relative while
| doing it.
|
| Github cannot be expected to reliably differentiate between
| the coworker who just checked the status of a PR on a
| webapp versus the employee who opened a crucial piece of
| encryption code to leak it to the Iranian military or
| whatever.
| Siira wrote:
| Spies can send information from anywhere in the world to
| anywhere else, so I don't see how they being in a
| specific location at all matters.
| mcguire wrote:
| This is an economic sanction against Iran; it has nothing
| to do with state, or corporate, secrets.
| hoppla wrote:
| I do not see why a geoip filter does not suffice. GitHub
| should not be the one to interpret the whole complex
| picture.
| koheripbal wrote:
| The above is not law. The law is more detailed. This is a
| FAQ that should be interpreted in a reasonable fashion,
| not with an extreme use-case.
| x86_64Ubuntu wrote:
| If that's the case, then the problem isn't Github, but of
| the organization having Iranian intelligence assets on
| staff. And the whole idea of the government regulating
| encryption and it being weaponized is overdone.
| saagarjha wrote:
| A spy could also just clone the repo and travel to Iran,
| too.
| sparkling wrote:
| The problem starts with how to even identify if someone is
| physically in Iran. Making that assumption based on the IP
| address is highly questionable.
| ABeeSea wrote:
| You think a lot of people are proxying their traffic
| through an Iranian IP address?
| amadeuspagel wrote:
| The law has a chilling effect on companies, that drives
| them to do things like this. If a company does something,
| that they clearly would not have done without a law, it's
| the fault of the law, even if that law didn't specifically
| require it, in fact even if that law specifically exempts
| it.
| x3c wrote:
| Since I can't edit the comment, I want to paste this here
| so readers are informed about the extra mile Github
| travelled as well.
|
| Advancing developer freedom: GitHub is fully available in Iran
|
| https://news.ycombinator.com/item?id=25648585
| antihero wrote:
| Thing is, GitHub is a tool that facilitates distribution of
| IP. So if someone is logging into GitHub in Iran, whether
| they live there or not, they can use it to "export" code.
| mcguire wrote:
| Which is kind of irrelevant---preventing the export of
| code is not the issue. This is an economic sanction
| against Iran by preventing companies from doing business
| there.
| fibers wrote:
| I'm not a pro dev by any means but what is stopping orgs from
| simply self hosting such a thing? Git is merely version
| control which supposedly does not take a lot of resources so
| you can go ahead and buy a dedicated server and host it in
| your office. Is the question more so about expanded services
| like CI/CD that may take up more computational resources to
| continuously build binaries and other deliverables?
| tetha wrote:
| Self-Hosting is a similar tradeoff to running your own
| hardware, imo. You can increase control and overall cost
| effectiveness for additional scaling, but these choices
| have a certain base cost you can't reduce. Thus, they only
| work beyond a certain initial scale, or because you have
| some specialized requirements.
|
| For example, the source code as well as the tickets around
| a software tend to be the most critical assets of a
| company. As such, you need one or better 2 systems to host
| the source host and ticketing. However, such a system needs
| backups, so suddenly you need to maintain a backup
| solution, you need to implement and monitor the backups
| being created, you need restore tests. You end up needing
| some kind of monitoring as well. As well as 2-3 dudes at
| least part-time maintaining all of this capable of
| replacing each other during sickness and vacation.
|
| That's a lot of stuff as well as a lot of manpower as your
| base cost. Of course, once you have that, you can self-host
| a lot of things easily and maintain excellent uptime at
| minimal risk, because these base services scale very well
| in complexity. For us it makes sense to do this, because
| unplanned outages at 100+ developers are seriously
| expensive and risky.
|
| However, if you have 3 developers and a clock ticking to
| find product market fit, you don't have that budget - or
| spending it this way does not make sense. So you buy.
| sjagoe wrote:
| I would say it's less about the compute resources, and more
| about possibly needing a team dedicated to maintaining
| quite a lot of infrastructure to replace the features that
| GitHub has, which is far more extensive than just git
| hosting.
| wolco2 wrote:
| If you have developers that can use git they can setup
| and maintain a local git or source control.
|
| If no one in your company can do that.. hire or
| outsource.
| turbinerneiter wrote:
| GitLab, Gitea or others provide most, if not all, and in
| some cases even more features than GitHub. They are
| fully or partially Open Source and they are easy to host.
|
| You need to compare the cost of self-hosting to the cost
| of SaaS - INCLUDING the risk of getting locked out.
|
| One downside of the SaaS model is that you are just a
| very small customer in the bigger scheme and they can't
| really justify spending money on servicing you. Let's say
| you are company of 5 people, paying 50 bucks a month for
| a service - how many hours per year can they spend on
| servicing you before you become a net-negative account?
| How much power do you have in a negotiation if you are a
| net-negative account?
| vinay427 wrote:
| > Let's say you are company of 5 people, paying 50 bucks
| a month for a service - how many hours per year can they
| spend on servicing you before you become a net-negative
| account?
|
| It probably isn't sustainable for a business to only
| consider this aspect. One thing that comes to mind with
| companies that thrive with a large number of small
| non-B2B customers, who individually don't tend to have
| much power, is that they understand that people love to
| talk about customer service when it's bad, and
| occasionally when it's very good as well. Word spreads,
| and nearly everyone places at least a little weight on
| this public perception of kindness or flexibility with
| customers especially when it isn't in the immediate
| financial interest of the company to do so.
| kavalg wrote:
| WRT self hosting, GitLab could be painful, but Gitea is
| really easy to host and keep up to date.
| risyachka wrote:
| I've been self-hosting gitlab for few years now in my
| company and never had a problem.
| sitkack wrote:
| You should clone your environment and then inject faults
| into the clone to cause yourself some simulated problems.
| chillfox wrote:
| Maintaining a self hosted solution like GitLab takes less
| than a day of work a year, and it has more features than
| GitHub.
|
| (I have been doing it for years)
| Xylakant wrote:
| The compute part is the least of your worries, even
| installing the software is usually not your primary concern
| - everything is fine as long as you're on the happy path.
|
| Software needs to be maintained, patched, backed up, verified
| etc. It has bugs, security issues, hardware breaks in weird
| ways. This takes time and skill - ideally you'd need two or
| three people that are capable of fixing problems with the
| install. (one ill, one on vacation, one available). This is
| something that detracts from the actual work you're doing.
| I'm very much an ops person and I actually like tinkering
| with a gitlab install - it's just so many moving parts that
| I prefer not to run this for my company since it would eat
| a substantial chunk of my time just caring for this.
| mcguire wrote:
| The bottom line is that it is cheaper to use GitHub and
| live with the external risks than to maintain internal
| services or live without them.
|
| I note that the Linux kernel lived with bare Git for many
| years.
| Xylakant wrote:
| At least for small to medium organizations without
| specific reasons for self-hosting. Once you have a team
| that manages internal infrastructure, this calculus can
| change.
|
| The Linux kernel is a very specific case with a very
| specific development model that likely doesn't apply to
| most other projects.
| throwaway4good wrote:
| But Github is the reason why git is popular ...
| jhasse wrote:
| I doubt it.
| richardwhiuk wrote:
| There's definitely an argument that GitHub is one of the
| primary reasons that Git beat Mercurial.
| ajsnigrutin wrote:
| Yep!
|
| "One click" fork + "one click" pull request are its
| killer features.
| [deleted]
| dkersten wrote:
| Anecdotally, I started using git because of projects on
| Github I wanted to contribute to. A number of others I
| know were in a similar boat. Before that, we used
| subversion, bazaar or mercurial. I personally am happy
| with having been pushed to using git and if it was
| winning anyway (not clear) I'm sure I would have
| eventually ended there anyway, but GitHub is the reason I
| started using it when I did.
| owlmirror wrote:
| Github sure contributed to the popularity, but I remember
| distinctly as Git came out and how it took off like rocket.
| Git was a "killer app" from its day of inception and
| everyone I knew switched their source control to it in late
| 2005 early 2006. It was a game changer to say the least.
| Github jumped on an already rolling bandwagon and left me
| and many people I knew wondering why the hell you would
| need to host your projects there. (I am still a little bit
| puzzled but came to accept it as useful)
| throwaway4good wrote:
| Github fixes the problem that most users have with git
| (but are ashamed / too ignorant to admit): That it is de-
| centralized.
| Pet_Ant wrote:
| > Github fixes the problem that most users have with git
| (but are ashamed / too ignorant to admit): That it is de-
| centralized.
|
| Git is designed for an environment where there are
| multiple canonical trunks. RedHat's kernel is equally a
| master as SuSe's. So you are maintaining various tips in
| a semi-synchronized manner. In most projects there is a
| single repository branch that is the true branch (with
| perhaps a few tags for LTR) that represents the project.
| For that reason a lot of Git's mechanisms are unneeded
| complexity.
|
| The killer features of Git is GitHub, and to a lesser
| degree local commits (after all, Mercurial has that too).
| elmo2you wrote:
| I would go quite a step further than that. If this was not an
| unfortunate incident/mistake, then GitHub/Microsoft has
| become quite the active enforcer of US (legal) foreign
| policy.
|
| If they do that within the US market, that might be
| justifiable. But in this particular case, GitHub appears to
| enforce US foreign policy on what appears to be a company on
| the EU market. Also in what to me appears to be a rather
| ruthless, totalitarian, maybe even draconian way.
|
| I'm pretty certain that absent this US law within the EU
| market, this action is arbitrarily discriminatory, and very
| likely constitutes inflicting serious damage on another
| company without a legal basis (within the US, yes .. outside
| the US, no).
|
| GitHub may find itself stuck, between adhering to US laws and
| laws elsewhere (in this case EU, but China is probably a good
| example too). Still, it ultimately is a choice for GitHub to
| offer their products on multiple markets. If they have issues
| with that, they are free to exit a particular market. It
| certainly is never a valid excuse to start violating law in
| any market outside whatever country your headquarter might be
| located.
|
| Tangentially, this rather typical popular belief that US
| companies can simply absolve themselves from legal liability,
| just by crafting clever TOS/EULA that supposedly does just
| that, has always confused me. It was always my
| understanding that you can not create contracts that violate
| laws. In most countries with a somewhat sane state of law,
| governments really do not like or tolerate when companies
| start essentially making their own law in parallel. But
| apparently you can rewrite (even basic) law in the USA, as
| long as you can somehow get both parties to agree on it. Be
| that by free will or coercion.
|
| Maybe it's time, for other parts of the world to no longer
| put up with this kind of bullshit, and demand that US
| companies actually adhere to the laws (and legal protections)
| that exist within their markets, or be free to buzz off and
| only operate on the US market alone.
|
| With US foreign policy becoming increasingly self-serving,
| legally dubious, and in some case downright insane, having
| internationally operating companies enforcing those policies
| is becoming a seriously risky proposition for anyone outside
| the USA.
| michaelt wrote:
| _> But in this particular case, GitHub appears to enforce
| US foreign policy on what appears to be a company on the EU
| market._
|
| Surely enforcing your politics outside of your jurisdiction
| is the whole point of an embargo?
| elmo2you wrote:
| As a government, yes. As a commercial company, operating
| on a market outside of US jurisdiction, please explain to me
| the legal basis for that (if you can).
| JamesBarney wrote:
| The legal basis is they are using a U.S. company (GitHub)
| that has to follow U.S. laws. And that makes
| certain things inconvenient for them.
| gnopgnip wrote:
| Github is not outside US jurisdiction, and is required to
| enforce these laws even if the client is in Europe. They
| could be sanctioned by OFAC if they don't
| scott_s wrote:
| The government where the commercial company is based
| expects the company to do so, and will hold that company
| accountable if they do not.
|
| You may not agree with this situation, but it is how it
| works. The US government will investigate and penalize
| companies that violate US sanctions, even if the parts of
| those companies involved did so entirely outside of the
| US.
| delfinom wrote:
| Yep, the current US administration is somewhat to blame
| on the shift. It has always been a requirement, it's just
| that the government up until this admin mostly didn't
| care to enforce it. It's pretty obvious a number of
| companies got threatening letters to comply or face jail
| time.
| scott_s wrote:
| When I did some googling, I found an article from 2012
| about sanctions enforcement
| (https://www.itproportal.com/2012/10/26/ibm-questioned-over-a...).
| I am unaware of new behavior regarding
| sanctions _enforcement_, although I know that the
| current administration imposed additional sanctions. But
| my understanding is that with existing sanctions, this is
| what the US government has always done.
| 8note wrote:
| The legal basis is that the US has a big stick, and so
| all countries must follow us laws, or they'll nuke your
| capital, rape your children, destroy all your
| infrastructure, etc.
|
| In this case, it's just leaving you to starve, so you're
| pretty well off on the whole vs other things Americans
| will do
| scott00 wrote:
| Are there European laws that prohibit discriminating
| against people who live in Iran? Or that prohibit
| discriminating against companies who employ people who
| live in Iran? If not, the legal basis is that you can do
| anything you want unless it's prohibited by law, and the
| action in question isn't prohibited by law.
| elmo2you wrote:
| Yes, it actually is illegal to arbitrarily discriminate
| people based on their ethnicity, political views or
| nationality (unless there is a specific law that allows
| that for a particular nationality, e.g. in case of a
| legal embargo)
| lawnchair_larry wrote:
| They probably did not want to have their CEO nabbed by
| police in the Vancouver airport for extradition on
| sanctions violations. You might want to see what happened
| with Huawei, who aren't even a US company.
| lodovic wrote:
| If Huawei wants to do business in the US economy, they
| can do so but have to abide by the rules. They can also
| choose to do business with Iran instead, but not both.
| elmo2you wrote:
| It appears that you are pretty much the only one who gets
| it. At least from anyone who responded.
|
| I find it rather shameful, that apparently everyone who
| responded to my question, did so by explaining that a US
| company has to abide by US law. You don't say!
|
| That was never the question, but apparently even reading
| is even too much to ask from people these days.
|
| Of course US companies have to follow US laws. But if
| that conflicts with law in wherever their services are
| offered, they no longer have any business operating
| there. They should consequently stop offering their
| services in that territory.
|
| Since that's unlikely going to happen on their own
| initiative, maybe the EU should simply declare companies
| like these as illegal on their market.
|
| Actually, that might even help to finally get rid of the
| stranglehold which many US have had for a long time on
| any emerging potential competition from EU companies.
| Something for which US companies have regularly used and
| abused differences in law and economy (between the US and
| EU), in order to obtain an (unfair) edge.
|
| Maybe it's about time that comes to an end, so US
| companies can prove that they can compete on equal
| grounds. I personally doubt that, because for most of the
| last century this competition has been dominated by the
| US exploiting artificially created advantages.
|
| Politics aside, it's rather sad that this aspect of
| legality is even a discussion topic. It should be a no-
| brainer that US companies should abide by whatever laws
| exist on a foreign market they operate on (of course on
| top of US law).
|
| If they can't, the only (legal) option is to stop
| operating. Either that, or the company is a criminally
| operating organization. That is, the violations are
| systemic and not just a few unintended incidences, of
| course.
| mc32 wrote:
| ..." , this action is arbitrarily discriminatory, and very
| likely constitutes inflicting serious damage on another
| company without a legal basis..."
|
| Isn't that what YouTube and FaceBook do day in day out when
| their influencers run afoul of policy?
| elmo2you wrote:
| Those other companies certainly do too, yes. Or at least
| that is what I am convinced of. I would say that what I
| wrote about GitHub should equally apply to these
| companies too, or any company for that matter. Not just
| US companies, but any company that operates
| internationally.
| vezycash wrote:
| Add other Apple and Blizzard to the list.
| gnopgnip wrote:
| If a user runs afoul of policy, the action was not
| arbitrarily discriminatory.
| elmo2you wrote:
| Policy set by whom?
|
| That of a commercial company, which does not have a legal
| mandate (at least not in the EU) to make rules that
| violate EU law (including legal protections), or the US
| government, which does not have legal jurisdiction over
| the EU market?
|
| Pick your poison
| mc32 wrote:
| What? Your position is that if it's policy and you
| enforce policy then it's not discriminatory?
|
| So if a policy or a law says X is disallowed or is
| unlawful, ipso facto, X can only run afoul of those
| bodies of governance and can't be discriminatory? That's
| interesting!
| [deleted]
| A4ET8a8uTh0 wrote:
| "I would go quite a step further than that. If this was not
| an unfortunate incident/mistake, then GitHub/Microsoft has
| become quite the active enforcer of US (legal) foreign
| policy."
|
| I am not sure if most people realize this, but OFAC
| compliance is rather rigid with no room for error ('strict
| liability'). And US treasury enforces it hard. Recently,
| Amazon got caught in its cross-hairs ( though it managed to
| get away with a low fine relative to its size ).
|
| I guess what I am saying, according to OFAC, everyone is
| responsible for enforcing US foreign policy.
|
| edit: Everyone as in US person, person on US soil or
| someone using US dollar. I really should avoid
| exaggeration.
| elmo2you wrote:
| There is no doubt about US companies having to follow US
| law. But this is an internationally operating company,
| which means it has to also follow whatever law might
| apply to whatever market they operate on.
|
| GitHub, as any other US company, has a choice/freedom to
| stop offering services to customers outside the US
| market, if the particulars of providing those services
| causes them to violate laws in at least one of the
| jurisdictions.
|
| Of course, US companies should be rightfully pissed, if
| the US government puts them in a situation where they can
| not (legally) operate abroad. But that's something they
| should take up with US lawmakers.
|
| At the end of the day, they are still (most likely)
| operating illegally on a foreign market, even if they are
| unlikely ever to be substantially punished for that. The
| thing is, the US has a rather questionable track record
| of coming to the rescue, whenever US companies get into
| trouble for (illegally) doing business abroad.
| Ironically, whenever another country does that (e.g.
| China) the US immediately have a long list of choice
| words and allegations at the ready. Long story short: pure
| hypocrisy.
| epc wrote:
| Given the pressure by the EU and China on US companies to
| enforce local laws globally (GDPR, RTBF, Taiwan), I don't
| see how Github, operating in the US, as a US company, has
| any chance absolving itself of enforcing US laws and
| regulations (though in this specific case they appear to
| have overreacted, likely due to regulatory enforcement via
| algorithm and not common sense).
|
| If you expect US companies to respect GDPR and cookie
| banners and the right to be forgotten, globally; you cannot
| be surprised that they will respect and enforce US law
| globally as well.
| watwut wrote:
| EU is not forcing American companies to enforce their
| laws for third party companies operating on non-EU
| market. Also, American company does not have to follow
| GDPR for Iranian customers.
|
| EU wants American companies to follow GDPR when acting in
| EU market.
| JamesBarney wrote:
| I'm in the U.S. and I still have to click all those super
| annoying "Accept using a cookie" popups everywhere. So
| that EU law certainly does affect me a U.S. citizen
| interacting with U.S. companies.
| watwut wrote:
| That is because it is cheaper to show it to everybody.
| Not because EU would demand it to be shown for Americans.
|
| Also, the law does not require it to be shown for all cookies.
| Only for tracking ones.
| PeterisP wrote:
| To nitpick, while for non-EU companies GDPR applies to
| individuals in EU (and their data) as per GDPR article
| 3.2, any EU companies have to apply this for _all_
| personal data as per GDPR article 3.1.
|
| So while foreign companies can decide whether they want
| to apply their GDPR policies (which generally should not
| require "cookie banners", though it is a popular choice)
| only to people in EU or all their users, an EU company
| does not have a choice, they have the obligation to treat
| personal data of Americans and Iranians and everyone else
| in a GDPR-appropriate manner.
| elmo2you wrote:
| The only ones you have to blame for that, are the
| companies that show you those annoying popups. They have no
| obligation whatsoever to show that to anyone outside the
| EU.
|
| Start complaining to those companies and stop pointing
| your finger in the wrong direction.
| epc wrote:
| Keep that in mind the next time you encounter a US based
| newspaper that puts up a GDPR error page instead of
| serving the news article you requested. The EU asserts it
| can penalize a US based company a percentage of its
| worldwide revenue (not EU derived revenue) for GDPR
| violations.
|
| I'm not saying it's right, I am saying that these are the
| logical, practical responses to the way different
| jurisdictions expect their laws and regulations to be
| honored, respected, and applied.
| elmo2you wrote:
| I think you may have either misunderstood me, or maybe
| have gotten the logic backwards.
|
| I'm not saying that US companies should not enforce US
| law. I think they should. That is: strictly within the US
| market.
|
| When they operate outside the US market, they have to
| (also) adhere to whatever law exists for that market. If
| that creates a conflict, the company has a choice to
| either open up shop elsewhere, outside of US jurisdiction
| (if that's the only way to comply with local market
| rules), or stay in the US and leave the foreign market
| alone.
|
| Either way, being a US company should never be a valid
| excuse to violate laws (and/or legal protections)
| somewhere abroad.
|
| It ultimately is up to a company to choose what they do
| and where they do it. To me, the current status quo
| appears to be that many US companies have been
| (illegally) enforcing US laws outside of US jurisdiction.
| Aside from that, and maybe even on a far worse level,
| they have essentially been making up de facto
| "private laws", in their TOS/EULA "contracts".
|
| Last time I checked, law should be left to governments.
| Preferable through democratic due process. Certainly not
| to commercial companies, who are either privately owned,
| or publicly by a select few rather undemocratic entities.
| epc wrote:
| My shorter version: Precedent in the US is that the US
| views its jurisdiction over US citizens and corporations
| as global. If I as a US citizen step over the border to
| your country and bribe an official of your country in
| order to gain a commercial contract, I can (and probably,
| though not definitely) will be prosecuted for breaking US
| law, regardless of whether or not bribery is perfectly
| legal in your country. Same for corporations: if the act
| is prohibited in the US, the US Government generally does
| not distinguish between whether the act occurred in the
| US or not.
|
| This is not new. The Internet exacerbates the potential
| for conflicts, but it's not a new problem with the rise
| of the Internet.
| elmo2you wrote:
| The US government should do whatever it sees fit for its
| subjects. That's not the issue.
|
| The issue is that a US company should also be held
| accountable for whatever they violate abroad. Not by the
| US government, of course. But by the authorities of
| whatever foreign market they operate on (the only
| authority with jurisdiction anyways).
|
| While the tide is gradually changing, so far a
| substantial part of the problem is that the US government
| has quite a few nasty ways to shield US companies from
| being seriously held accountable abroad. Still, the
| longer that reality exists, the more inevitable it will
| become that at some point US companies will simply be
| barred altogether from (some) foreign markets. You can
| only abuse a dominant position for so long, before the
| receiving end will no longer put up with it. That is, of
| course, when (or as soon as) they have the luxury of
| choice in the matter.
| epc wrote:
| It's been my personal experience that the US government
| does not distinguish between a US company offering
| products and services in the US and a US company offering
| those products and services outside the US. Even foreign
| subsidiaries are held accountable to US laws and
| regulations if the US parent has sufficient control of
| the company.
|
| Bigger companies get a little bit more leeway to
| negotiate with the US Federal government on this but if
| the US decides that something is illegal or prohibited,
| the Justice Department doesn't really care what country
| the prohibited activity occurred in, it'll walk the
| executive chain to pick people to prosecute.
|
| The only way a company could completely avoid this scenario
| is if it licensed its product or service to an
| independent entity outside the US. And even then the DOJ
| would likely attempt to force the termination of the
| license agreement if it results in a product or service
| being offered in a prohibited jurisdiction.
|
| None of this is new, or due to Trump, or even partisan.
| elmo2you wrote:
| You are correct, on each and every count. However, none
| of that is related to what I tried to highlight.
|
| Sure, the US is (rightfully so) subjecting every company
| within its jurisdiction to US law, no matter on which
| market they operate. Sometimes they go even further and
| say non-US companies can be held liable, when they
| somehow interact with the USA or its citizens. That can
| sometimes become a bit dicey with jurisdictions, but even
| that is not the point here.
|
| The point is that a US-based company is operating on a
| market outside the US and (most likely) is operating in a
| way that is within the law of that market.
|
| To put bluntly: I don't give a #### about how the US
| treats companies on their territory, regardless where
| those operate. I care about US-based companies abiding to
| law wherever they do business. If they can not do that,
| they should cease to operate there. Whether it's the US
| government or something else that is to blame for the
| situation is irrelevant.
| PeterisP wrote:
| "this action is arbitrarily discriminatory" - if so, this
| action is permitted. While there often are restrictions on
| _specific, enumerated_ types of discrimination (e.g.
| religion, ethnicity, gender, etc - though almost
| universally they apply to discrimination of people, not
| companies), those are exceptions to the general principle
| of "freedom of association" where people and companies are
| free to arbitrarily decide with whom they want to do
| business and whom they want to exclude - as far as they
| don't violate some of the specific restrictions listed in
| law. If a supplier does not want to sell to your company
| for an arbitrary reason, it's their right to do so.
|
| "constitutes inflicting serious damage on another company
| without a legal basis" - again, that does not indicate any
| wrongdoing. Inflicting serious damage on another company
| is, by default, permitted (matching the core principle of
| "everything which is not forbidden is allowed") and is
| regularly done in the course of normal competition, winning
| over some other company in bids, recruiting key employees
| by offering them lots of money, targeting their customers
| with specific discounts, etc, etc.
|
| If you're inflicting serious damage on another company,
| then both the intent and result is by itself legal, the
| only question is about the means. If you're inflicting
| serious damage on another company _by legally prohibited
| means_ (e.g. theft or arson or illegal access to computer
| systems) or _violating_ some established legal duty (e.g.
| "duty of care" as required by law in various service
| relationships), _then_ the other company would be entitled
| to compensation. But in the absence of that, if there's no
| specific legal prohibition to your action (for example,
| laws on anti-competitive actions tend to impose various
| restrictions), if your action is legally permitted, then if
| some company suffers because of that, it's not your
| problem. There are restrictions on what actions are legally
| permitted (law on tortious interference might apply here,
| and if there's some fraud, injurious falsehood etc then it
| matters) but if they do have the right to arbitrarily end
| the contract, then that's it, they are not responsible for
| the damages.
| golemotron wrote:
| #4 should be #1.
| zoobab wrote:
| So called "decentralized", and only one company has a copy?
|
| "Decentralisation" of Git has been a running joke since the
| beginning.
| 2OEH8eoCRo0 wrote:
| 5. Github is bound to obey US law and international trade
| agreements.
|
| I think github is the last one at fault for this.
| chrisandchris wrote:
| So many reasons why I prefer on-prem over cloud for software
| that is directly attached to the value-chain of the business. I
| wouldn't care if they cut me off of some backoffice app which
| manages the snack bar. But as a software company, my code is
| the heart of my company, so I would never give control of that
| to a 3rd party.
| amaajemyfren wrote:
| Seems someone has responded to it.
|
| https://twitter.com/natfriedman/status/1346452935924846593
| stevehawk wrote:
| lol someone responded a week later and possibly only because
| it made the front page on hacker news
| harperlee wrote:
| That "someone" is github's CEO.
|
| It does not condone that it took an HN frontpage to react
| to a massive issue from a client blocked due to either a
| badly configured sanctions system, or a badly defined false
| positive determination workflow, that could not be
| expedited otherwise by the client, but... it's something I
| guess.
|
| Good luck having a 7-day response by your bank, who have
| the legal obligation to not share with you why did they
| block you, or having Google's CEO looking into your issue
| aired in twitter.
| 13of40 wrote:
| Two things to consider: That guy is the corporate vice
| president for developer services, so he probably had to run
| that response by Legal before committing like that. Also
| unless this is a really exceptional year, there probably
| wasn't anyone "at work" at Microsoft last week except on-
| call rotations.
| pelasaco wrote:
| I had similar issue visiting Crimea. I was simply looking through
| my issues, while in holidays over there.
| sparkling wrote:
| How can one even reliably detect if one is logging in from
| Crimea? There is no Ukrainian/Russian ISP operating exclusively
| in Crimea, is there?
| mebr wrote:
| What happened after? your account was unblocked later?
| pelasaco wrote:
| yes, it was unblocked later, after some email exchanges, but
| it took me some days and a lot of nerves.
| dweberz wrote:
| Support peer-to-peer alternatives.
|
| The technology to realize a peer-to-peer alternative to GH is
| here. We just need to make it happen. IMO radicle.xyz is the most
| promising one right now.
| nbzso wrote:
| Let me see. You have a business in which you cannot control
| access to your Intellectual Property? And you take money from
| people for services? What can go wrong here? I really don't get
| this. Git is free. Setting up dedicated server with redundancy
| backup is de facto the standard since SVN era. In this case I
| don't blame GitHub at all. It is responsibility of the business
| owner to make a judgement with all "bad case scenarios" in mind.
| In production the idea of trusting third party infrastructure
| without alternative is unprofessional.
| Proven wrote:
| Why wouldn't they block the entire company?
|
| Can the company guarantee the employee isn't directly or
| indirectly using Github?
| xvilka wrote:
| Such cases highlight the importance of improving IPFS and
| Federation protocols, for example for Gitea[1][2] or
| GitLab[3][4]. Or just sponsoring them[5]. The source code for
| ForgeFed[6][7] might be also of interest for improvement.
|
| [1] https://github.com/go-gitea/gitea/issues/1612
|
| [2] https://github.com/go-gitea/gitea/issues/9045
|
| [3] https://gitlab.com/gitlab-org/gitlab/-/issues/6468
|
| [4] https://gitlab.com/gitlab-org/gitlab/-/issues/33665
|
| [5] https://opencollective.com/gitea
|
| [6] https://forgefed.peers.community/
|
| [7] https://notabug.org/peers/forgefed
| gbrindisi wrote:
| that was an interesting rabbit hole you sent me into, thanks
| for sharing!
| dweberz wrote:
| also radicle.xyz
| jjd33 wrote:
| >Iran wants to buy COVID vaccine with their own money that is in
| South Korea
|
| >South Korea refuses money access due to US sanctions
|
| Yes it is not directly related to this post. But this witch hunt
| against Iran is beyond retarded. I get why Saudi Arabia and
| Israel would join ties against Iran it makes sense.
|
| But for US, Japan and South Korea to join just due to personal
| and financial motives is a literal disgrace to humanity.
| londons_explore wrote:
| Can't really blame GitHub here... US laws are badly written.
| dancemethis wrote:
| GitHub seems proudly American with their support for ICEs, the
| US concentration camps.
| zed88 wrote:
| US laws follow US geo-politics, which is where the problem
| lies.
| DrBazza wrote:
| When I worked for "mega bank" a few years ago, even for
| software purchasing (because we were Anglo-American), we needed
| an 'ECCN' - an export control number for everything. Thanks US
| gov. Initially it was funny. Then it wasn't for a very long
| time.
|
| Is it an X-ray machine? Does it use crypto? Is it more than 231
| dpi? Well you can't export it to Middleeastistan.
|
| https://www.bis.doc.gov/index.php/licensing/commerce-control...
| grumple wrote:
| If Github is going to block people for accessing from Iran, why
| don't they just block all Iranian IPs? I'd totally blame Github
| for this.
| asplake wrote:
| They could have prevented the access they merely detected. Much
| less harm all round
| enriquto wrote:
| It's alright to blame people for lawfully following harmful
| laws.
| Dirlewanger wrote:
| I didn't see a whole lot of blaming tech when every big
| company was found to be participating in NSA's PRISM program.
| izacus wrote:
| > It's alright to blame people for lawfully following harmful
| laws.
|
| It's also alright to blame people for interpreting laws too
| widely and too abusively. The legal and security departments
| are much at fault for this where they'll prefer to abuse
| people than to take up any kind of risk.
| cush wrote:
| There's a law for this...?
| capableweb wrote:
| Indeed! Here's how it works:
| https://news.ycombinator.com/item?id=25644356
| jokethrowaway wrote:
| It's not. You have a literal state actor backed with an army
| demanding money if you don't comply.
|
| I'll pick the legal way unless the profits I can make somehow
| outweigh the sanctions (legislators can make mistakes too)
| and there are no penal repercussions.
| grumple wrote:
| It is. We established this quite clearly in Nuremberg.
| jokethrowaway wrote:
| You're comparing state sanctioned killing and torturing
| with sanctioning people trading with each other.
|
| The first one is a violent crime against individuals, the
| second one is basically a tax.
|
| I'm against both but they carry a different weight.
| grumple wrote:
| Sure, the impact is different. But on the other hand, I
| try to follow this rule as much as possible:
|
| "One has not only a legal, but a moral responsibility to
| obey just laws. Conversely, one has a moral
| responsibility to disobey unjust laws." - Martin Luther
| King, Jr.
|
| Microsoft is no stranger to breaking laws and certainly
| has the resources to fight this one, or at least to argue
| that it shouldn't apply in this case.
| jokethrowaway wrote:
| I consider immoral to threaten individuals with jail time
| unless they give you 40% of their salary.
|
| I consider immoral the USA's warmongering and spying on
| its own citizens.
|
| Still, if I don't pay my taxes or if I try to stop the
| army from going to bomb some poor people in the middle
| east, I'll be put in jail.
|
| If I have a way to sabotage the government which won't
| ruin my life, I'll do it, but I'll pass on the rest.
|
| We're lucky enough not to live in a country that requires
| us to kill people in concentration camps, because we
| would surely do that.
|
| At least, I would do it if I didn't have another choice
| (but I would also try to desert).
| kiallmacinnes wrote:
| It's also not fair to blame people (well, companies...) for
| obeying the law.
|
| Personally, I'd rather a world where companies obey the law
| than one where they pick and choose what laws they would like
| to obey.
| goodpoint wrote:
| You are making a strawman. Companies are often following
| the law strictly or loosely as it suits them.
|
| GitHub could have warned the company before blocking and/or
| blocked access only from Iran. It did neither.
| kiallmacinnes wrote:
| > You are making a strawman. Companies are often
| following the law strictly or loosely as it suits them.
|
| You're right that companies don't always obey the law.
| However, what has that got to do with "Personally, I'd
| rather a world where companies obey the law"?
|
| My point is that companies SHOULD obey the laws, not that
| they always do - and that - allowing and encouraging
| companies to pick and choose the laws they are going to
| obey is wrong, and will simply not end well.
|
| > GitHub could have warned the company before blocking
| and/or blocked access only from Iran. It did neither.
|
| I'm not familiar enough with the specifics of the US laws
| regarding Iran to know if this is a lawful course of
| action to take upon a customer attempting to use your
| products/services from Iran.
|
| Maybe they could have? Maybe they can't? I've no idea &
| I've made no attempt to address anything other than the
| "It's alright to blame people for lawfully following
| harmful laws" comment.
| enriquto wrote:
| I agree with you. It's alright to blame them, but it's
| unfair at the same time. The world is not fair.
|
| EDIT: concerning hypothetical worlds, I pretty much _not_
| want to live in a world where companies blindly follow the
| law regardless of how harmful it is. We have tried these
| worlds in the past and they were not pretty.
| kiallmacinnes wrote:
| > EDIT: concerning hypothetical worlds, I pretty much not
| want to live in a world where companies blindly follow the
| law regardless of how harmful it is. We have tried these
| worlds in the past and they were not pretty.
|
| Personally, I think a distinction is necessary. Companies
| IMO should absolutely obey the laws regardless of if they
| like them or not. It's entirely unfair to blame them for
| obeying the law.
|
| They (as well as individual people) are free to oppose
| those laws in an attempt to change them, however until
| they are changed, they should follow the laws or cease
| trading in the country whose laws they disagree with.
| It's entirely fair to blame them for not fighting
| stupid/wrong/harmful laws.
|
| Allowing companies to choose which laws they are going to
| obey is never going to end well.
| enriquto wrote:
| I'm sorry, I cannot reply to your post without triggering
| Godwin's law.
| archi42 wrote:
| There are countries in which being gay will still cause
| you serious trouble. Or not agreeing with the political
| leadership.
|
| We are quite privileged to just assume that following the
| law as written (AND interpreted by the judiciary) will
| mostly work out alright and doesn't cause us moral
| dilemma. And companies consist of people, too. Is it then
| all of a sudden morally acceptable to build spying
| software so your country's leadership can prey on its
| political enemies? Or assist in persecuting discriminated
| groups?
|
| You don't have to cite long abolished laws or an
| industrialized killing machine for pointing that out ;-)
| though the post is really begging for it.
| kiallmacinnes wrote:
| We can all cite harmful laws, does that mean companies
| (and people) should be free to ignore all law?
|
| Should US companies be free to ignore laws related to
| sanctions because the UAE has made being gay illegal or
| because political opposition in China could land you in
| jail? Where do you draw the line? Specifically - for a US
| company as is being discussed.
| enriquto wrote:
| > companies (and people) should be free to ignore all
| law?
|
| Yet you continue with your strawmans. Nobody said that.
| The crucial word in your sentence is "all", with which
| nobody has agreed here. Of course nobody is above law.
| But sometimes, in exceptional circumstances, a particular
| law turns out to be immoral. In that case, and only in
| that case, it is wrong to follow that particular law, and
| it is right to do the illegal alternative.
|
| If a company is found to have followed an immoral law and
| performed harmful (but lawful) acts, it is right that
| society punish that company later (e.g., when the law
| situation is solved). More so in this case, when the
| company is overzealous in its application of that immoral
| law.
| kiallmacinnes wrote:
| > Yet you continue with your strawmans. Nobody said that.
|
| No, it was a rhetorical question. Reading and making an
| effort to respond to the entirety of the comment would
| have made that obvious when I specially ask "Where do you
| draw the line?".
| archi42 wrote:
| Where did I say "all"?
| mola wrote:
| One way to fight a law is civil disobedience.
| astura wrote:
| You won't get that from Microsoft, they do a lot of
| business with the US government.
| f6v wrote:
| But consumers can express their stance by not doing
| business with MS. I believe that communities have enough
| power in this age.
| Zealotux wrote:
| What is GitHub supposed to do?
| enriquto wrote:
| > What is GitHub supposed to do?
|
| Disobey the law, make a public statement about it, and deal
| with the consequences. This is not a new problem, it was
| treated by Kant a few centuries ago.
| capableweb wrote:
| Are you really suggesting that companies should willfully
| break laws? We already have this in reality I guess, but
| don't think we should suggest them to do it further.
| Right way to get change would be for companies to get
| together and lobby for the change they wanna see, not
| just break the law.
|
| Although I agree the export embargo is fucking stupid,
| especially when it comes to online technology, I really
| want to see less criminal behavior from companies, not
| more.
| enriquto wrote:
| > Although I agree the export embargo is fucking stupid,
| especially when it comes to online technology, I really
| want to see less criminal behavior from companies, not
| more.
|
| The law is not stupid, it's criminal. By following it,
| companies are precisely engaging in criminal behavior.
| capableweb wrote:
| You seem confused why GitHub did what they did. In the US
| there is something called "US Export Law", the law
| includes declarations that make companies unable to sell
| services/goods to certain countries (which spoiler, Iran
| is part of that list).
|
| The law itself is not illegal, as the lawmakers have
| created and enacted that law. It's the opposite, the law
| is declaring what's illegal.
|
| So, if GitHub doesn't ban users from Iran, they are
| breaking the law in the US.
|
| Hope this clears up any misunderstanding on how things
| work.
| papier2020 wrote:
| What happens if a company has Office 365? Does MS block
| entire company emails?
| capableweb wrote:
| Who knows, probably? For the rest of the "Does X block Y
| if Y is in Iran|Other embargoed country" questions, the
| answers are either A) Yes, you'll get banned or B) No,
| they haven't thought of that yet, but they'll add banning
| as soon as they figure it out, as the law requires it.
| yorwba wrote:
| "the law includes declarations that make companies
| unable to sell services/goods to certain countries" is
| not the same as "if GitHub doesn't ban users from Iran,
| they are breaking the law".
|
| GitHub could comply with the law without completely
| banning users who access their service from Iran, e.g. by
| making their website unavailable for Iranian IPs or by
| making paid features unavailable.
| capableweb wrote:
| IANAL and I'm not 100% confident on my knowledge around
| the export laws in the US, as I've only had to deal with
| that mess once in my lifetime.
|
| But, if the CEO of GitHub (Nat Friedman) claims that they
| "do no more than what is required by the law" and end up
| banning a user, my understanding is that the lawyers at
| GitHub and Microsoft have made the judgement that banning
| users is a must, simply restricting them temporarily is
| not enough.
|
| Again, I think export embargoes are shit and don't
| necessarily agree with the calls that GitHub/Microsoft
| did, but trying to understand the side they are coming
| from here.
| eznzt wrote:
| Yeah, that's not how the world works.
| goodpoint wrote:
| citation needed
| claudiawerner wrote:
| To the extent that a law is unjust or otherwise morally
| wrong, it could be said there is a moral responsibility
| to disobey an unjust law (where one would otherwise be
| following it in a way which results in the unjust
| outcome). Note that GP isn't saying that it's permissible
| to break any law, only immoral ones.
|
| It may be countered that the law isn't actually unjust
| (nor immoral), but a more convincing point is that it
| opens the door for companies to do whatever they like. I
| don't think that holds up - morality is supposed to
| supersede law.
|
| It could be argued that anyone can disobey any law
| because anyone can find something moral or immoral - but
| that doesn't stand up; most people (and certainly society
| in general) admit some degree of objectivity in morality
| to the point where almost all moral questions either
| already have an answer, or the answer is currently being
| discussed (and that discussion is a process to find the
| right answer). People tend to say morality is
| "subjective" (whatever that means) or "relative", but act
| as though it is objective - with all the blame, shame,
| guilt, and assigning of responsibility. Even if it is
| "relative", it is relative to this society, in which
| GitHub operates.
|
| Some people are interpreting this discussion on morality
| and law as being a matter of what a company or person
| does or doesn't "like" - morality is (by most accounts) a
| different ballgame, and should not (epistemologically
| speaking) be conflated with mere preference. Disobeying a
| just law (and doing something unjust in the process) is
| just as morally blameworthy as obeying an unjust law (and
| doing something unjust in the process). It's not a carte
| blanche for companies to do as they please.
|
| I'm not commenting on this specific case; I'm silent on
| my moral reasoning of it, but I wanted to try and explain
| what I think GP was getting at.
| enriquto wrote:
| Thanks for the clarification, that was exactly my point.
| FooBarWidget wrote:
| And if the consequence is that the police come to their
| doors and order them to comply, then what exactly has
| Github achieved? It's easy to be a keyboard warrior and
| take an idealistic stance.
| mantap wrote:
| Block requests from Iran, display a message that
| connections are blocked for legal reasons. Allow account to
| be used when not in Iran.
| MaxBarraclough wrote:
| Would that comply with US law?
| goodpoint wrote:
| Yes, the law does not require blocking the account
| globally.
|
| It also does not require doing so without warning or
| clarification.
| mantap wrote:
| Compliance with the law is not binary. The US has a
| system of selective enforcement whereby they go after the
| most flagrant violators to make an example to everyone
| else. Blocking requests is compliance enough, practically
| speaking.
| onion2k wrote:
| It's very easy to say that on someone else's behalf.
|
| Essentially you're saying that Nat Friedman should risk 20
| years in prison, and a million dollar fine _per user_ in
| order to let Iranian developers use Github.
|
| As much as I hate the idea of software not being freely
| available to everyone, I would not be willing to take that
| risk. I doubt many HN readers would.
| Blikkentrekker wrote:
| _GitHub_ makes far more noise about such laws when it cares
| about them, however.
|
| Another thing it also doesn't care about is the U.S.A. laws
| that prohibit those under 13 from effectively contributing.
|
| The real issue is that many projects, many of which making
| sanctimonious statements about inclusivity they clearly caren't
| a bit about continue to operate through _GitHub_ and other
| companies under U.S.A. control and remain reliant upon them for
| contribution.
|
| The last time I assessed the matter, publishing on _crates.io_
| seemed to require a _GitHub_ account, though I'm not sure
| whether this issue has now been fixed; I've certainly seen
| _Rust_ preach and pat itself on the back how much it cares
| about not excluding anyone, but apparently Iran isn't so
| included.
| f6v wrote:
| Well, that's what you get for doing business with an American
| company. The USA impose illegal sanctions and strongarm their
| allies in supporting the sanctions. Let this be a lesson for
| others.
| sebslomski wrote:
| Shit happens, but I would really appreciate if you would re-
| activate our Github Org now, @github. You know, some PRs are
| waiting there for me.
| mro_name wrote:
| can't you just push elsewhere, be it a self-hosted location or
| the one of a reliable 3rd party and tell Microsoft to go fSSck
| themselves?
|
| I mean, what do you need github for to integrate and deploy?
| beshrkayali wrote:
| So are we not going to talk about how economic sanctions end up
| as a way to use the people of these countries as a way to
| pressure their governments for political gains? How these
| sanctions directly and indirectly cause an increased poverty gap
| and negatively impact the living standards? How the governments
| of these sanctioned countries magnify this economic pressure to
| prevent people from revolting and to entrench their presence even
| more?
| nolok wrote:
| Two kinds of sanctions:
|
| - sanction the leaders responsible and their buddies, the most
| common (that's what we do with Russia, Turkey, ...), hurt their
| wallet but ultimately is a soft sanction, and also your
| populace sees it as ineffective / nothing is done
|
| - sanction the country directly, embargo, complete block, kick
| out of SWIFT, that sort of stuff is what was done to Iran. Can
| only be done if you're part of the bigger/more powerful group.
| Massive effect, causes lots of poverty and pain for the
| populace but that's on purpose, so they are forcing their
| leaders to change some stuff. Doesn't always work, but both
| outcomes are victories in a way: either the country is forced to
| change and stop the original abuse, or it doesn't change but is
| so crippled that it's no longer a problem.
|
| This is bound to something very, very, important: if the
| country does change and does what you asked, you start lifting.
|
| Part of the message that's more of a European rant: that's why
| Trump's action on the Iran deal was a disaster, because, now the
| population doesn't believe it's their own leaders' fault, and
| even if they did their leaders don't believe it would ease if
| they did what was asked. That's how you end up with a North
| Korea.
|
| According to every report I've seen, Iran was fully respecting
| their part of the deal, and allowing all the inspection
| necessary, when the USA did a "AHAH ! it's a trap !" trick on
| them and screwed them. You're not convincing countries to
| behave, you're telling them that if they don't behave, they
| better go all the way to the other side.
| beshrkayali wrote:
| > Massive effect, causes lots of poverty and pain for the
| populace but that's on purpose
|
| This is what I'm talking about. Even if I'm to agree with the
| purpose of the requested change, does it justify the means by
| which it's being procured?
|
| Trump may have screwed it up even more, but sanctions of the
| second kind have been introduced on countries like Iran or
| Syria since the mid-80s afaik. No major change happened, but
| the idea of knowingly using the population of another country
| to pressure their government which is known to not be chosen
| democratically is basically a form of hostage situation, and
| is immoral imho.
| vorpalhex wrote:
| The alternatives:
|
| 1. Bomb them back into the stone age. That would kill a
| whole bunch of people, who as you point out are basically
| held hostage by their government and don't get much choice
| in the matter. It'd also permanently wreck their economy
| and infrastructure, cost lives on both sides, and usually
| has follow on effects.
|
| 2. Do nothing and allow things like funding terrorism,
| selling arms, committing atrocities, etc. You would know
| these things are going on, and therefore be allowing them
| to happen, and these things would probably be happening to
| your own people and allies.
|
| Which one would you rather take?
| beshrkayali wrote:
| These are not the only options.
|
| Funding of terrorism _is still happening now_, and their
| support is being funnelled through countries that are not
| under any economic restrictions, some even have good
| relations with US, like KSA. For example, most official
| fundamental/terroristic TV channels/groups are based
| there. Most shell companies used by oppressing regimes in
| MidEast are in the UAE.
| nolok wrote:
| I don't understand your comment as the countries you list
| are not under sanctions like the ones described.
|
| "doing this to entity X stop that from entity X" "no,
| look, here is another entity Y where we didn't do this, and
| it still does that"
|
| If anything your comment implies we should sanction all
| of these countries too.
| beshrkayali wrote:
| It's pretty simple really:
|
| - Sanctions don't achieve the goal of stopping funding
| terrorism as evident by it still happening.
|
| - IF the point of sanctions was to _actually_ stop
| terrorism funding, you'd start at the origin of where
| these ideas start, which is known to be
| Wahhabism/Salafism.
|
| - At least, you'd start at the origin of how people
| holding these ideas were supported and given weapons and
| training to achieve regime change goals and to fight
| against Russians in Afghanistan.
| Gibbon1 wrote:
| One thing to keep in mind Iranian leaders are mostly
| conservative Shiites. As such you are never going to get
| them to stop supporting Shiite communities in the middle
| east. Even if they disappeared tomorrow whoever replaces
| them is also not going to stop. And as Shiites they want
| nothing to do with Wahhabism/Salafism.
| whimsicalism wrote:
| > economic sanctions end up as a way to use the people of these
| countries as a way to pressure their governments for political
| gains?
|
| It's not as if this isn't commonly known. But when you view
| sanctions as a de-escalatory alternative to outright conflict,
| which also has huge negative impacts on the people of the
| countries in conflict.
| beshrkayali wrote:
| This de-escalation is benefiting one group of people on the
| account of another. While both groups having nothing to do
| with the situation directly, the group that's benefiting is
| indirectly approving of it by continuing to vote for the same
| policies.
| mc32 wrote:
| You can make the same arguments against capricious Google and
| YouTube delisting, Facebook or Instagram bans, Twitter bans,
| App Store takedowns etc.
| beshrkayali wrote:
| True, and I'd agree. But these companies are private
| entities. I can disagree with them but I can't force them to
| do anything, aside from not using them. Economic sanctions
| are introduced by governments, supposedly from and for the
| people.
| whimsicalism wrote:
| > companies are private entities.
|
| Private entities chartered and regulated by the government,
| of course.
| beshrkayali wrote:
| Businesses have the right to refuse service.
| mc32 wrote:
| By that logic, so do governments have the right to
| exercise their prerogatives...
| beshrkayali wrote:
| Not really. They both may be immoral, but the government
| is chosen by the people, and I don't believe they
| "bestowed" on you your personal rights (in your private
| life or in how you run your business), they are there to
| protect you from others trying to prevent you from
| practicing your rights. Businesses/companies are
| regulated by the market. By you stopping to use them, you
| indirectly affect their decisions. If enough people think
| that what Google is doing is wrong, they can stop using
| them. Google will either shutter or change. This last bit
| also applies to governments in terms of actual vote
| power. If enough people thought that US gov policies are
| bad/wrong, they wouldn't vote for them. Obviously they
| still vote for the same people, so they still don't see
| it.
| whimsicalism wrote:
| > your personal rights (in your private life or in how
| you run your business)
|
| What "personal"/natural right do you have to establish a
| limited liability corporation? That is a social
| construct, intended to facilitate business, but it is not
| some "private sphere" distinct from the society we live
| in.
|
| Your account of consumer choice "regulation" fails when
| confronted with even the most basic externality.
| rathel wrote:
| At work I had to take a course on US export control. The
| restrictions they bully everyone into are pretty nazi. Likewise
| with SWIFT. As evidenced by TFA it's always regular citizens that
| suffer. Compare this with EU sanctions that are targeted to
| particular companies and individuals.
| 2Gkashmiri wrote:
| Yeah. A few days ago I asked why the US was demanding KYC/AML
| regulations from countries when in the US itself it's easy to set up
| an anonymous corporation because laws. It's supposed to protect
| people from doing transactions and getting your "privacy
| violated".
| trapexit wrote:
| Geolocation databases are frequently inaccurate, even at the
| country level of granularity!
|
| I use an ISP in the Netherlands that was founded only recently, and I
| frequently encounter sites that think I'm in Dubai, which is
| apparently where the previous owner of my IP block was located.
|
| Fortunately, the only problems this seems to cause for the moment
| are that I occasionally get geo-blocked by some sites' overly-
| aggressive firewall rules, and I get Twitter ads in Arabic.
|
| But I shudder to think what might happen should the UAE find
| itself under sanction.
| michaeltimo wrote:
| What I don't understand is why not block access to those
| regions which are affected by US sanctions (in this case Iran).
| The current situation in which you can access the website, but if
| you do, your account will be banned immediately is more like a
| detective scenario than respecting the laws. You can simply block
| all Iranian IPs.
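
The request-level blocking this comment asks for, combined with the stale-geolocation problem trapexit describes above, as an added example (not GitHub's code and not from the thread): each request is judged by its source address with longest-prefix matching, so a correction for a reassigned block overrides the stale record, and the account itself is never modified. The table, the addresses (RFC 5737 documentation ranges) and all names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed geolocation rows (RFC 5737 documentation ranges, not real data).
GEO_ROWS = [
    ("198.51.100.0/24", "IR"),   # constructed: network in the restricted region
    ("203.0.113.0/24", "AE"),    # constructed: stale record left by a previous owner
    ("203.0.113.128/25", "NL"),  # constructed: correction for the reassigned half
    ("192.0.2.0/24", "DE"),
]
RESTRICTED = {"IR"}  # assumption for the example: one restricted country code


@dataclass(frozen=True)
class Decision:
    status: int             # HTTP status to return for this request
    country: Optional[str]  # country code the lookup produced, if any
    reason: str


def build_table(rows):
    """Parse CIDR rows and order them most-specific first (longest prefix wins)."""
    nets = [(ipaddress.ip_network(cidr), cc) for cidr, cc in rows]
    return sorted(nets, key=lambda row: row[0].prefixlen, reverse=True)


def lookup_country(ip, table):
    """Return the country of the most specific matching network, or None."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    for net, cc in table:
        if addr in net:  # always False when IP versions differ
            return cc
    return None


def decide(ip, table, restricted=RESTRICTED):
    """Decide one request from its source address; no account state is read or written."""
    try:
        country = lookup_country(ip, table)
    except ValueError:
        return Decision(400, None, "unparseable client address")
    if country is None:
        return Decision(200, None, "no geolocation record")
    if country in restricted:
        # 451 Unavailable For Legal Reasons (RFC 7725)
        return Decision(451, country, "blocked for legal reasons")
    return Decision(200, country, "allowed")


def replay(account, ips, table):
    """Run one account's requests through the policy; the account is left untouched."""
    statuses = [decide(ip, table).status for ip in ips]
    return statuses, account["status"]


TABLE = build_table(GEO_ROWS)

if __name__ == "__main__":
    acct = {"login": "example-user", "status": "active"}  # constructed account
    trip = ["192.0.2.10", "198.51.100.7", "192.0.2.10"]   # home, abroad, home again
    print(replay(acct, trip, TABLE))
    print(decide("203.0.113.200", TABLE))  # correction beats the stale /24
```
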
| jitbit wrote:
| GitHub: "Let's rename master to main because Inclusion & Equality"
|
| Also GitHub: "sorry you're from a wrong country"
| jpxw wrote:
| Github's help text when opening a new repo irks me. It contains
| the following: git branch -m master main
|
| With absolutely no explanation of what they are doing, or why.
| I can imagine this being confusing to beginners, and it
| requires mental effort for me to ignore it each time.
| weka wrote:
| Well, just think of how many tutorials (aka 99.9%) iterate
| git master branch.
|
| When new people start, they are going to wonder what master
| vs main branch is -- I guarantee it.
| apta_ wrote:
| They seriously think "master" is a bad word? That's crazy.
| jey wrote:
| To be fair, our industry brought this on itself -- we did
| use "master" and "slave" together as technical terms in
| various contexts. Now even the innocent uses of "master"
| that don't involve any reference to slavery are tainted
| too, at least from the perspective of a non-technical
| outsider. I'm sure their eyes will glaze over well before
| one can finish explaining what a version control system is,
| why you would want one, why it has branches and what they
| are used for, and that all this involves no references to
| slavery.
| skrebbel wrote:
| This cost me 20 minutes + lots of confusion when teaching a
| Git course to newbies some weeks ago. I switched to GitLab
| for the next group.
| Voloskaya wrote:
| > Also GitHub: "sorry you're from a wrong country"
|
| GitHub has no choice in the matter short of moving all its
| infra to another country.
|
| This is a political issue, pressure needs to be put on political
| leaders to change that stupid law.
| mdoms wrote:
| Not true. As per another commenter in this thread,
|
| https://home.treasury.gov/policy-issues/financial-sanctions/...
|
| 118. I have a client that is in Iran to visit a relative. Do I
| need to restrict the account?
|
| Answer
|
| No. As long as you are satisfied that the client is not
| ordinarily resident in Iran, then the account does not need
| to be restricted. See FAQ 37
| nanna wrote:
| To be fair Nat Friedman replied:
|
| > Hi Sebastian, sorry to hear about this. I will check into it
| right away and get your org unblocked.
|
| https://twitter.com/natfriedman/status/1346452935924846593?s...
|
| Pretty messed up that they built this kill switch in the first
| place though, if you ask me.
| Merman_Mike wrote:
| This behavior shouldn't be praised. Having to go on twitter,
| get on the front page of HN, and make Github look bad seems
| like the only way to get help these days.
| nanna wrote:
| Yeah I mean, I completely agree.
| draw_down wrote:
| You guys can keep making this point, and I guess you probably
| will. But that ship has sailed folks.
|
| Doing it this way works, whether we like it or not.
| 300 wrote:
| They could have blocked the user in Iran. It's without sense to
| block the organization's account.
| freeone3000 wrote:
| OFAC sanctions are transitive.
| optimalsolver wrote:
| Why do so many in the open source community use GitHub, a closed
| source platform?
| nuker wrote:
| Do you have Gmail account? Nothing beats free service.
| Tepix wrote:
| No
| LockAndLol wrote:
| Nothing? Really? Nothing? Nothing in the entire existence of
| the universe ever beats a free service? OK then...
| dubcanada wrote:
| It's a phrase, a commonly used one in English, obviously
| not nothing in the entire universe.
| [deleted]
| 1337shadow wrote:
| Just wondering, does it also happen when connecting with Tor ?
| Would like to warn my friends and eventually tell them the
| workaround ...
| capableweb wrote:
| My guess would be that either GitHub outright blocks
| connections if they think it's via Tor. Second guess is that if
| your Tor exit node happens to be in Iran (or any other
| embargoed country), you'll get blocked as well, as they most
| likely look at the source IP to get the location.
| znpy wrote:
| Just tell your friends to use GitLab on-prem or another EU-hosted
| git service.
| [deleted]
| davidg109 wrote:
| How do you manage this kind of risk? Are there other options
| other than don't use GitHub to begin with?
| numlock86 wrote:
| While GitHub is not really to blame (following the laws and all,
| no matter how silly they are) why would your employees login from
| Iran with their work laptops into their work accounts while
| "visiting their parents" anyway? Why is that not the actual
| problem? Lack of policies?
| cookieswumchorr wrote:
| depending on what the company does, different levels of
| security are appropriate. but, yeah, I would avoid taking
| valuable data with me on a flight to shady countries (the US
| being among the top 10 of that list)
| rightbyte wrote:
| You can't have policies for everything.
|
| Their main problem is using SaaS for something as basic and
| important as version control. Then you have to deal with silly
| US laws.
| 0xmohit wrote:
| GitHub might start blocking countries doing any trade with Iran
| in order to comply with "laws".
| JJJollyjim wrote:
| unfortunately this is a real thing the US imposes on the world
| (it's called Secondary Sanctions)
| [deleted]
| dustinmoris wrote:
| Why don't we have internet havens yet? Companies are so clever in
| legally avoiding tax by registering companies in the most
| favourable jurisdictions and only running the absolute minimum of
| operations through tax expensive countries and so on, why don't
| we have the equivalent for avoiding dumb laws such as US trade
| wars, DMCA takedowns, etc.?
|
| Can most internet operations not run through companies who are
| registered and have servers in a country where most of those laws
| don't apply to customers who are not US citizens?
| arghwhat wrote:
| > Why don't we have internet havens yet?
|
| Companies pull tricks to optimize profits. Evading tax
| increases profit, but so does controlling the internet and
| sending blanket DMCA takedown requests instead of spending
| money on case-by-case review.
|
| Heck, if the big companies wanted to avoid these things, they
| probably wouldn't be lobbying _for_ these things.
| est31 wrote:
| The reward for dodging taxes is pretty high. What's the reward
| of letting a few folks open their laptop while at their
| parents?
|
| If you are ideologically motivated, you might do it. Apparently
| Project Gutenberg has set up servers in locations with shorter
| copyright durations so that they can mirror public domain
| books. https://news.ycombinator.com/item?id=25610024
| JoshTko wrote:
| Seems like this policy would actually make sense for Russia.
___________________________________________________________________
(page generated 2021-01-05 23:02 UTC)