GitHub blocks entire company because one employee was in Iran

So many dimensions come to play here.<p>1. There&#x27;s the obvious legal aspect i.e. how these laws are framed and interpreted.<p>2. Then there&#x27;s the geopolitical aspect. Is it fair to impose sanctions on Iran.<p>3. There&#x27;s another aspect around GitHub policy that asks if an entire organization be banned for the location of one team member.<p>4. Finally, there&#x27;s the aspect of relinquishing control. Your app development is on the cloud. IDEs are on the cloud. Deployments are on the cloud. App stores are on the cloud.<p>You have relinquished so much control, why be surprised if that stares you back in the face?<p>Ironically, Git is a decentralized version control system.

Entrusting your business to an american entity is the stupidest idea you could have thought about.<p>Especially us europeans should not rely on American services at all.It&#x27;s not worth it.<p>American corporations are just as much a liability as their counterparts in China.

The US sanctions on Iran has such a massive impact on Iranians that most of us don&#x27;t realise.<p>All US companies have to comply and majority of the tech companies are unfortunately in the US.<p>I know you can use a VPN and configure it on a router level to make sure that you are always connected via a VPN but just the fact that 1 slip-up can result in account level blocks (which google is notoriously good at and can essentially shut down your business) means no company would want to work with someone working from Iran.<p>Coming from a 3rd world country, I know the problems of internet censorship which Iranians also face but being too toxic to touch for everyone outside Iran because the US leadership thinks so is just infuriating and heart breaking.<p>Imagine being a programmer in Iran. Not only do you have less resources to learn and grow, you have a massive handicap to find good work as most work is outside of the country.<p>Only bet is to leave the country but even there you have a very low probability as you basically can&#x27;t have a trial period for your job as most companies don&#x27;t want to risk having their accounts blocked.<p>Most of us here know how degrading and infuriating the tech recruiting processes can be and now add to it the horrors of working from Iran.<p>Wars are not supposed to have civilian casualties but this one has a generation of civilians being starved of information and experience critical for them to grow.

Such cases highlight the importance of improving IPFS and Federation protocols, for example for Gitea[1][2] or GitLab[3][4]. Or just sponsoring them[5]. The source code for ForgeFed[6][7] might be also of interest for improvement.<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;go-gitea&#x2F;gitea&#x2F;issues&#x2F;1612" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;go-gitea&#x2F;gitea&#x2F;issues&#x2F;1612</a><p>[2] <a href="https:&#x2F;&#x2F;github.com&#x2F;go-gitea&#x2F;gitea&#x2F;issues&#x2F;9045" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;go-gitea&#x2F;gitea&#x2F;issues&#x2F;9045</a><p>[3] <a href="https:&#x2F;&#x2F;gitlab.com&#x2F;gitlab-org&#x2F;gitlab&#x2F;-&#x2F;issues&#x2F;6468" rel="nofollow">https:&#x2F;&#x2F;gitlab.com&#x2F;gitlab-org&#x2F;gitlab&#x2F;-&#x2F;issues&#x2F;6468</a><p>[4] <a href="https:&#x2F;&#x2F;gitlab.com&#x2F;gitlab-org&#x2F;gitlab&#x2F;-&#x2F;issues&#x2F;33665" rel="nofollow">https:&#x2F;&#x2F;gitlab.com&#x2F;gitlab-org&#x2F;gitlab&#x2F;-&#x2F;issues&#x2F;33665</a><p>[5] <a href="https:&#x2F;&#x2F;opencollective.com&#x2F;gitea" rel="nofollow">https:&#x2F;&#x2F;opencollective.com&#x2F;gitea</a><p>[6] <a href="https:&#x2F;&#x2F;forgefed.peers.community&#x2F;" rel="nofollow">https:&#x2F;&#x2F;forgefed.peers.community&#x2F;</a><p>[7] <a href="https:&#x2F;&#x2F;notabug.org&#x2F;peers&#x2F;forgefed" rel="nofollow">https:&#x2F;&#x2F;notabug.org&#x2F;peers&#x2F;forgefed</a>

If the Iranian employee logged into the Github account, isn&#x27;t blocking the account exactly what the law says they should do? If all they did was apply a merge request in one of the repos then would reverting the merge and blocking the account would be enough to comply? Is there some alternative way to comply with US export restrictions?<p>The real question here is why people even consider using US cloud companies when they know they have employees working in countries subject to severe US trade restrictions. If you&#x27;re willing to risk your company being denied business with American companies, then you should also have a mitigation strategy when you get caught. It sucks that you have to work around US regulation to do normal business but this is just how the world works right now.

Is GitHub going to take itself down when one of their employees goes to Iran for holiday and logs into their GitHub account? If not, then why are they treating others with such contempt?

I&#x27;m on GitHub&#x2F;Microsoft&#x27;s side here. They are not responsible for the content of US export control laws, and they have an incredible amount to lose if they are found to be in violation of US export control laws.<p>Presumably GitHub needs some automated tool to prevent inbound traffic from sanctioned countries, and it&#x27;s hard to be certain that they are complying with US law if such automated tools have some wiggle room allowing for a non-zero amount of usage from sanctioned countries.<p>The whole situation isn&#x27;t great, but none of it is GitHub&#x2F;Microsoft&#x27;s fault.

This means that as a disgruntled employee I can simply visit Iran, log in my company Github account and boom!<p>I have now taken revenge on my whole company with minimal effort.

Github refused to help me regain access to an 11 year old account when I changed jobs so lost access to 2FA and email account at the same time.<p>We lost access to tens of thousands of dollars worth of project code which we had to rewrite.<p>The customer service support was Google style brick wall.<p>I wish this guy luck in getting access.

Please please PLEASE add at least one other provider to your remotes if you&#x27;re going all in on cloud.<p>Consider also doing a regular local backup of all your repos. A quick Google search will yield you tools that will automate this entire process on platforms such as GitHub , BitBucket and GitLab. I personally delegated this to a Cron job. I check the backups manually once a month to check all is in order.

Just happened: <a href="https:&#x2F;&#x2F;github.blog&#x2F;2021-01-05-advancing-developer-freedom-github-is-fully-available-in-iran&#x2F;" rel="nofollow">https:&#x2F;&#x2F;github.blog&#x2F;2021-01-05-advancing-developer-freedom-g...</a>

How long before someone gets an Iran VPN so that their company is knocked out and they get a day off.

Geolocation databases are frequently inaccurate, even at the country level of granularity!<p>I use a ISP in the Netherlands that was founded only recently, I and frequently encounter sites that think I&#x27;m in Dubai, which is apparently where the previous owner of my IP block was located.<p>Fortunately, the only problems this seems to cause for the moment are that I occasionally get geo-blocked by some sites&#x27; overly-aggressive firewall rules, and I get Twitter ads in Arabic.<p>But I shudder to think what might happen should the UAE find itself under sanction.

So are we not going to talk about how economic sanctions end up as a way to use the people of these countries as a way to pressure their governments for political gains? How these sanctions directly and indirectly cause an increased poverty gap and negatively impact the living standards? How the governments of these sanctioned countries magnify this economic pressure to prevent people from revolting and to entrench their presence even more?

They could have blocked the user in Iran. It&#x27;s without sense to block the organization&#x27;s account.

Reminder that Microsoft has the power to ask the state department for an exemption from these sanctions for github.<p>They have refused to do that. Google did that with Gmail and made the argument that Gmail is an important utility for freedom of the people there. Microsoft can do the same.

What a disproportionate reaction from Github.<p>They could simply block network access from Iran to make it easier. Otherwise, blocking without giving warning is wrong. Even banks give warning and deadline to their clients before closing accounts that are linked to sanctions. Why Github blocked the entire organization without proper communication and deadline to fix or clarify the issue?

Can&#x27;t really blame GitHub here... US laws are badly written.

Since MS owns github does the same rule ban happen if a company uses office365-onöline&#x2F;azure - and one employee opens email from Iran?

I really wonder why economical penalties enforced to a country through its citizens or people born there or with ancestors like the USA does with all of its embargos aren&#x27;t considered just as terrorism. You are punishing other people for something they didn&#x27;t do just to pressure on their governments. Just like terrorists injuring people. (Yeah I know terrorists usually kill people but I&#x27;m pretty sure many people died due to economic embargo as well)

It looks like the company has now gotten access to their GitHub account again, according to the original poster on the Twitter thread.<p>I don&#x27;t know, it just looks like some kind of surveillance automation kicked in, froze the account, and customer service was slow.

Well, that’s what you get for doing business with an American company. The USA impose illegal sanctions and strongarm their allies in supporting the sanctions. Let this be a lesson for others.

What I don&#x27;t understand is why not blocking access to those regions which are affected by US sactions (in this case Iran). The current situation in which you can access the website, but if you do, your account will be banned immediately is more like a detective scenario than respecting the laws. You can simply block all Iranian IPs.

I&#x27;m an iranian-american and this saddens me deeply. When you travel to Iran you need to make sure you don&#x27;t get arrested by iranian regime because they have a history of taking dual nationals as hostage. Then you open your laptop and suddenly you have taken down your company and potentially lost your job.

Why do so many in the open source community use GitHub, a closed source platform?

Shit happens, but I would really appreciate if you would re-activate our Github Org now, @github. You know, some PRs are waiting there for me.

GitHub: &quot;Lets rename master to main because Inclusion &amp; Equality&quot;<p>Also GitHub: &quot;sorry you&#x27;re from a wrong country&quot;

Why don&#x27;t we have internet havens yet? Companies are so clever in legally avoiding tax by registering companies in the most favourable jurisdictions and only running the absolute minimum of operations through tax expensive countries and so on, why don&#x27;t we have the equivalent for avoiding dumb laws such as US trade wars, DMCA takedowns, etc.?<p>Can most internet operations not run through companies who are registered and have servers in a country where most of those laws don&#x27;t apply to customers who are not US citizen?

GitHub might start blocking countries doing any trade with Iran in order to comply with &quot;laws&quot;.

At work I had to take a course on US export control. The restrictions they bully everyone into are pretty nazi. Likewise with SWIFT. As evidenced by TFA it&#x27;s always regular citizens that suffer. Compare this with EU sanctions that are targeted to particular companies and individuals.

GitHub has just announced a license for developers in Iran: <a href="https:&#x2F;&#x2F;github.blog&#x2F;2021-01-05-advancing-developer-freedom-github-is-fully-available-in-iran&#x2F;" rel="nofollow">https:&#x2F;&#x2F;github.blog&#x2F;2021-01-05-advancing-developer-freedom-g...</a>

What happened to the &#x27;master main&#x27; comment thread? It was just silently deleted from this thread. Massive censorship going on, I am moving to a new website. Good riddance hackernews, take your censorship and stick it!

So GH has effectively given admin-level repo DELETE permissions to everyone in the organization. Not sure they really thought this one through.<p>Here comes a new employee onboarding document to sign: no Iranian VPN nor travel to Iran.

Let me see. You have a business in which you cannot control access to your Intellectual Property? And you take money from people for services? What can go wrong here? I really don&#x27;t get this. Git is free. Setting up dedicated server with redundancy backup is de facto the standard since SVN era. In this case I don&#x27;t blame GitHub at all. It is responsibility of the business owner to make a judgement with all &quot;bad case scenarios&quot; in mind. In production the idea of trusting third party infrastructure without alternative is unprofessional.

From the company perspective, it&#x27;s an arbitrary disruption. It could happen to any company.<p>While it&#x27;s certainly very convenient and economically reasonable to use cloud services for development and production, every company should have a plan B.<p>In this case, it&#x27;s an absolute must to have daily backups of all repositories &#x2F; all branches which are stored on premise. If your company is not doing that, you play the lottery of losing access to your own source code.

Whoo-hoo! Set up a free wi-fi node outside of a tech conference (perhaps with cheap pastries for conference goers), routed through a proxy in Iran. Don&#x27;t need to decode https or anything - assuming you can proxy https through Iran.<p>Then watch as bunches of companies are blocked from GitHub.<p>If the Iranian government wanted to have fun with US laws, they could totally set this up. And it wouldn&#x27;t even be illegal.

I have _a lot_ of questions...<p>* Is this a US Company?<p>* What was the employee doing in Iran?<p>* Is the employee an Iranian national?<p>* Was the company aware of this?<p>Headlines like this make me really scratch my head.

Well, GitHub is now fully available in Iran: <a href="https:&#x2F;&#x2F;github.blog&#x2F;2021-01-05-advancing-developer-freedom-github-is-fully-available-in-iran&#x2F;" rel="nofollow">https:&#x2F;&#x2F;github.blog&#x2F;2021-01-05-advancing-developer-freedom-g...</a>

Don&#x27;t let your business depend on cloud services. If they&#x27;re really important, then self-host your servers. There are so many stories of the cloud being a single point of failure (ironically) due to arbitrary and capricious rules, and&#x2F;or bad support.

Microsoft should boycott the sanctions, they are cruel and the <i>only reason they exist</i> is that our current president hates our previous president.<p>They are way too big to actually be penalized in a meaningful way and doing the right thing once in a while feels great.

I can’t imagine what a bad workday this is gonna be for the rest of the company.

Github obviously did not do enough due diligence here. IANAL but am familiar with Sanctions considerations and IMHO, this does not rise to the level of the action taken.

Support peer-to-peer alternatives.<p>The technology to realize a peer-to-peer alternative to GH is here. We just need to make it happen. IMO radicle.xyz is the most promising one right now.

Seems like this policy would actually make sense for Russia.

Was the employee logged in with the organization account? When I visited Iran my personal and work account got locked but the org account was untouched.

Just wondering, does it also happen when connecting with Tor ? Would like to warn my friends and eventually tell them the workaround ...

I had similar issue visiting Crimea. I was simply looking through my issues, while in holidays over there.

To be fair Nat Friedman replied:<p>&gt; Hi Sebastian, sorry to hear about this. I will check into it right away and get your org unblocked.<p><a href="https:&#x2F;&#x2F;twitter.com&#x2F;natfriedman&#x2F;status&#x2F;1346452935924846593?s=20" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;natfriedman&#x2F;status&#x2F;1346452935924846593?s...</a><p>Pretty messed up that they built this kill switch in the first place though, if you ask me.

How do you manage this kind of risk? Are there other options other than don’t use GitHub to begin with?

Outsourcing anything has its own set of risks. Understand them before you commit to living with them.

resolved: <a href="https:&#x2F;&#x2F;twitter.com&#x2F;sebslomski&#x2F;status&#x2F;1346467442428530691" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;sebslomski&#x2F;status&#x2F;1346467442428530691</a>

You can&#x27;t blame GitHub for intentionally over broad, OTT US sanctions.

A bit off topic, but seems like at some point these sanctions start helping instead of harming. If you are &quot;sanctioned&quot; by GitHub, Facebook, Twitter, Reddit, Instagram, PornHub, what have you, then in the end you will probably gain productivity, not loose it.

It looks like they are reading hacker news :)<p><a href="https:&#x2F;&#x2F;github.blog&#x2F;2021-01-05-advancing-developer-freedom-github-is-fully-available-in-iran&#x2F;" rel="nofollow">https:&#x2F;&#x2F;github.blog&#x2F;2021-01-05-advancing-developer-freedom-g...</a>

use vpn bois, it&#x27;s 2020 not 1999

What&#x27;s the difference between a Chinese company and a US company? None. Both work for the state, although US ones operate under the guise of democracy.<p>This sort of union between tech and politics is not going to take us anywhere.

While GitHub is not really to blame (following the laws and all, no matter how silly they are) why would your employees login from Iran with their work laptops into their work accounts while &quot;visiting their parents&quot; anyway? Why is that not the actual problem? Lack of policies?