Withdrawing a service is very different from delivering a malignant service. McDonald's is withdrawing from Russia instead of serving contaminated burgers.
Regardless of multi-cloud deployment preferences, multi-cloud readiness has tremendous value in itself.
Biggest of the values is having the freedom and choice to pack up from one cloud and go to another at the drop of a hat.
Another equally important reason is to provide some commoditization of cloud providers so they don't grow all powerful.
It also keeps the cloud market open for new entrants that can come in with better/different value propositions than the existing players and stand a fighting chance of playing upon merits.
Unless you (as in general developer and not you specifically) want cloud providers to become massive rent seeking institutions, keep optionality in the ecosystem.
More than the statistics, it's the stories that open your imagination to the unlock connectivity is bringing. Using WhatsApp to report timber theft is something I would never have guessed.
This is something I found amazing about WeChat as well. You can schedule appointments with barbers, doctors, physicians, etc all through custom interfaces implemented by 3rd party vendors within the app. It's kind of like its own operating system. And for all of the needs that aren't already covered, you can always resort to basic text messaging (again through WeChat). This probably covers 100% of business communications: customers talking to vendors, vendors talking to customers, and vendors talking to other vendors. The only thing missing as far as I know is a way to communicate with government entities to e.g. file paperwork and such. But I'm sure that will come in time.
More than the abstract notion of it being a communication platform, it's the specific use cases that open your imagination to the unlocks connectivity is bringing. Using WhatsApp to report timber theft is something I would never have guessed.
I thought you'd have guessed the spirit of the comment since you're so adept at guessing.
It's so peculiar that you - and some guy on twitter, apparently - are quoting a footnote to a FAQ on Treasury's OFAC information page as if that captures the entirety of an American company's obligations under the law. This is really obviously crazy, right? In any other, less political, context involving business law and liability the advice would be "talk to a lawyer."
I doubt GitHub or any org is changing their SOP based on my comment. But the mere existence of a scenario equivalent to the one in question in the operating guidelines suggests there is room for sanity to prevail in the interpretation of the law.
118. I have a client that is in Iran to visit a relative. Do I need to restrict the account?
A: No. As long as you are satisfied that the client is not ordinarily resident in Iran, then the account does not need to be restricted. See FAQ 37.
It may be overreach by GitHub, but given the severity of the sanctions lawmakers have set for if they happen to get it wrong, I'd like to at least blame lawmakers for creating such a risky situation.
I work with sanctions. I think both can be easily blamed. Similarly to DMCA notices, most companies opt for the path of least resistance (it is cheaper to blanket ban than to investigate). Yes, politicians are to blame for creating the environment, but companies deserve flak for taking the path that is bad for the customer (unless they are sufficiently well-heeled).
My thoughts are my own. I do not represent anyone other than myself.
So look at (on one hand) a customer worth... well, PureLabs is "10 incredible FTEs," let's give them the $21/user/mo Enterprise plan at $210/month in revenue.
On the other hand, a sanctions violation could be a $65,000 fine (Trading with the Enemy Act) or $250,000 (International Emergency Economic Powers Act) for each offense. (I leave aside the million-dollar narcotics-kingpin act). On top of this we also see the risk of criminal prosecution.
In what world is it reasonable to expect anyone to take this chance?
It is hard to discuss hypothetical violations so I won't do that. It absolutely is a safe course of action to do a blanket ban. That said, is it reasonable to assume violation based on IP address (and that is what seems to have happened here)? Banks don't automatically (typically) block MUHAMMAD JIHAD even if they may end up questioning it.
That’s because the combined business of all Muhammads and their employers is way more than 210$/month AND it would be illegal, and Bad PR™, to ban them from your business based just on their culture/name. Otherwise they would have been “derisked” out of service.
You have a point (and Mnuchin, to his credit, based on reports, does care about regulatory burden and its impact). So you are right, one is not like the other. To address your point directly, if OFAC tomorrow added MOHAMMAD JIHAD with no other information (no DOB, no address, and so on), you would be surprised how quickly the banks would respond.
Now note that we are discussing a name, a common, but somewhat reliable, if mutable, driver of our identity. Now compare it to IP address and tell me, which one is a better predictor of who you are.
Unless we are assuming IP is a proxy for location, which is another story.
Banks typically would react overnight to OFAC list updates, through a sanctions list service.
If no DOB or similar is also provided, though, scoring should not be too high - and if a match with Mohammad is enough to trigger an alert, the overnight alert delta would be either manually processed by Compliance, or bulk closed as false positives, depending on how much time you need to unblock the clients and similar risk considerations.
I am not sure if you realize it, but you are proving my point. Banks found a way to address the issue without adversely affecting the customers. GitHub appears to have only recently started to do the same, but they opted for a blanket approach as opposed to a more targeted one.
Not parent and not about terrorism directly, but Tardigrade Ltd. was sanctioned in the US (because it is an arms dealer without licence in the US), causing all "Tardigrade" payments to be blocked (even innocuous ones): https://news.ycombinator.com/item?id=24450828
Cases like this are an example of how a company trying to cover their ass leads to a customer getting kicked in the ass.
Sanctions, compliance, etc. is a messy ordeal to manage (both technically and operationally), and the way laws are written with so many intricacies and dependencies doesn't make it easier.
Because only 1 instance of violation could lead to fines equivalent to a person's salary, often the systems are made to be overly sensitive and less investigative to figure out whether a 'hit' is actually a false-positive because that also takes time/money and still carries potential risk.
I would blame the automatic sanctioning software triggering such a situation, without checking if the new access from Iran was by a tourist or citizen. Adding an org block for minor access within two weeks is overreach.
This kind of software is not simply installed with an apt-get one-liner, GitHub can’t be exempted from choosing their business rules on screening matches.
Thing is, GitHub is a tool that facilitates distribution of IP. So if someone is logging into GitHub in Iran, whether they live there or not, they can use it to "export" code.
Which is kind of irrelevant---preventing the export of code is not the issue. This is an economic sanction against Iran by preventing companies from doing business there.
The law has a chilling effect on companies, that drives them to do things like this. If a company does something, that they clearly would not have done without a law, it's the fault of the law, even if that law didn't specifically require it, in fact even if that law specifically exempts it.
If you read this literally, you could get away with leaking state secrets as long as you're visiting a relative while doing it.
GitHub cannot be expected to reliably differentiate between the coworker who just checked the status of a PR on a webapp versus the employee who opened a crucial piece of encryption code to leak it to the Iranian military or whatever.
If that's the case, then the problem isn't GitHub, but the organization having Iranian intelligence assets on staff. And the whole idea of the government regulating encryption and it being weaponized is overdone.