Maximum PC - USA (2019-10)



Alex Campbell


OPEN SOURCE


GitHub Shuts the Gates for Sanctioned Countries


WHAT HAPPENS WHEN one of the world’s biggest
repositories of open-source projects denies access
to users based on location? GitHub’s new policy
can’t stop people from Iran or Syria using its
services, but it can definitely make it prohibitively
inconvenient. And that might be enough.


In a recent post on its website, the open-source
Git repository host GitHub said it would be closing
its doors to users originating from countries the
United States has sanctioned. Specifically, the
ban prevents users from North Korea, Iran, Cuba,
Syria, and the Crimea region of Ukraine hosting
private repositories with GitHub.com.
For most of the Western world, this doesn’t
seem to have much impact. After all, keeping North
Korea away from code can’t be all bad, can it?
While I understand the need for export controls
to prevent state enemies acquiring technology, the
Internet has made this very difficult to stop. And
this isn’t the first instance of US law intervening in
open source. In 1991, the US Customs Service
considered Phil Zimmermann’s release of his
RSA-based Pretty Good Privacy (PGP) encryption
program a violation of the US Arms Export Control
Act, and the program itself a munition. Of course,
PGP (largely implemented through GnuPG) is used
by most Linux systems in the wild today. The open
nature of the program made it difficult to control,
because once the source was available online,
there was little that could be done to stop its spread.
While Zimmermann and PGP are a good case to
use as reference, GitHub’s move doesn’t attempt
to stop open source, only the use of its platform.
That’s an important distinction, especially as public
repositories will still be available
in sanctioned countries. In fact,
GitHub’s new terms have little to
do with controlling the use of open
source in sanctioned countries;
organizations in those states can
still spin up some GitLab servers
and get many of the same features.
What does draw a little attention is
the details of implementation.
Drawing borders in the
inherently borderless Internet
is tough, even for state actors.
Famously, the Chinese firewall
is an attempt to isolate mainland
Chinese users from Western
news and social media. Dedicated
Chinese users use VPNs to skirt
the government’s digital barrier.
GitHub says that it will use IP
addresses and billing information
to block access to users in
sanctioned countries. For those
keeping score at home, location
data from IP addresses can be
easily hidden using a proxy or VPN.
GitHub addresses this by saying
that use of proxies or VPNs by
users from sanctioned countries is
a violation of its rules. It would be a
very tough job to try to enforce this.
By their very nature, VPNs hide
the identities of their connected
clients. The first way that comes to
mind for Microsoft and GitHub to
block VPN use is blacklisting VPN
provider IP addresses. Such a move
would have the obvious unintended
consequence of preventing
non-sanctioned users accessing
the service via VPN. This has the
potential to trample on legitimate
VPN use: Traveling users who
use open Wi-Fi networks use (or
should use) VPNs to protect their
internet traffic from a snooping
Wi-Fi or internet service provider.
Even then, it is trivial to spin up
an OpenVPN server on a virtual
private server (VPS) provider.
Trying to catch every user who
tries to skirt the Eye of Sauron
will likely prove to be futile for
all but the most careless users.
That said, the policy makes sense.
GitHub is now owned by Microsoft,
and Microsoft provides a lot of
services to the US government. If
Tehran kept code for state projects
on GitHub, which is owned by a
company that also contracts with
the US Defense Department, it
definitely wouldn’t be a good look.

Alex Campbell is a Linux geek
who enjoys learning about
computer security.

Iran, as seen from orbit. © NASA
