🇮🇹 🇪🇪 🖥
Lack of rate limiting is a code vulnerability if we are talking about an API endpoint.
Not that discussion makes any sense at all…
Also, “not securing” doesn’t mean much. Security is not a boolean. They probably have some controls, but they still have a gap in the lack of rate limiting.
Over nextcloud probably the e2ee. I suppose soon they will also integrate this better with email (like you can attach directly and save directly from email), so the seamless integrations with the rest of the products will probably amount to other benefits over time.
Until I can easily export the data, where is the vendor lock?
Vendor lock means that migrating away has significant cost or technical challenges.
Take this case: documents saved are first of all easily downloadable from drive (in bulk), and also exportable in markdown.
They change pricing/add features that I don’t want/sell off the company (hard now that it’s managed by a nonprofit but still) etc.? I make a nice bulk download and move everything in whatever other system I want. I can do the same for contacts, email (I use my own domains) and calendar. Basically, 1h + the time to download files and I am moved to another provider.
Can you elaborate in what you think the vendor lock looks like?
https://github.com/ProtonMail/WebClients/tree/main/applications
They use monorepo for the web clients, at least.
Here the mobile apps:
Public financing of the press, newspapers stopping being garbage and selling subscriptions like they have always done, pay per article (cents), donations. Just some ideas of economically viable alternatives. There are good niche newspapers which survive with such models, it’s not like I am making it up.
I would say the opposite: advertising alone is not sustainable for the press because it creates wrong incentives (grab attention, clicks). This is why 90% of newspapers have the same garbage, short, generic articles. This is why you get rage baits, fake news etc. too, to some extent. So yes, you get websites online, but you get no information…
Also in Italy, but I think once the data protection agencies will get on it, it will be forbidden. It will take some time, but there is no way that’s a legitimate use of consent.
The GDPR says that if you use consent as the legal basis for processing data, such consent must be free. This means that there cannot be consequences if you give or not give the consent. If there are, then the consent is not free anymore. Paying money for a service is absolutely legal, obviously, what probably is not legal is extracting your consent by offering you a discount (which is the flipside of “pay to avoid tracking”).
I just wanted to specify a bit, not that you said anything incorrect.
Yes, that’s true. I guess that is for sure a better metric that being “international”.
Many do both, I would say the vast majority. Same regulations and licenses apply, in fact. Simply some companies invest more in casino (which are purchased games from vendors in the vast majority of cases), some invest more in sportsbook. I guess the OP’s case is the former, but it’s not a very relevant distinction to make.
If you are cloudflare and you suspect they broke ToS you quote which ToS has been broken, you specify which country blocking the customer is trying or has tried to circumvent and you force the customer to either move away or enforce geo-blocking for those countries (or have a separate account for those with your own IPs). There is no reason to cancel the whole account if the blocking is country-specific and there is no way that 10k a month is anyway a sufficient benefit for cloudflare for their IPs to be blocked in a country (affecting potentially hundreds or thousand of customers).
I despise gambling, I don’t gamble myself and I consider it a tax on those who don’t know math. That said, I worked for a gambling company and I know that different companies target different types of customers. Also they have responsible gambling programs that are more or less serious (some of which might be required by regulations). The company I worked for operated in Scandinavia and was sportsbook heavy (vs casino heavy), and had quite serious measures against suspected addicts (immediate block, calling the person on the phone if there were any signs like long sessions etc., proof of income to set limits proportional to income etc.), because it was considered bad for business. Many companies in general are terrible, and especially those who depend on casino games, where the margins are fixed and the dynamics are more prone to create addiction (available 24/7, quick feedback etc.).
No they don’t, at least for Sweden. I remember when they regulated the market in Sweden (I was working for a gambling company at the time and I had to run the security & compliance for the Swedish license). There is no such thing as open market for gambling where the market is regulated (Sweden, Denmark, Estonia, not sure if Norway finally regulated).
As far as I know, a handful of companies got regulated at the first round, some failed and could not operate in Sweden (this might mean you actually need to deny access to users from Sweden - since you do KYC you know) for quite some time (before they eventually managed to get the license).
The problem (why the other user mentions all similar sites) is that the big companies (say Kindred group, Betsson) tend to spin up many alternative brands with different looks to attract different customers.
Also, most of the companies that operate in Scandinavia use the Maltese license, but that works only in unregulated markets (Finland, Iceland and Norway for example - unless something changed in the last 3 years). That said, getting a license once you have another is quite simple usually. The Swedish license for example is easier to get than and very similar to the Danish one, so if you operate in Denmark you can just fill in the paperwork and you should be easily able to pick that one up.
Online casinos can become international very simply, it doesn’t necessarily mean it’s a big company. You usually get a license and can operate in that country + a number of gray markets. Ofc there are also huge companies, but “international” doesn’t mean much for an online business.
I worked for an online casino in the past. What they do is a standard in the industry. The company I worked for was a small startup and onwed hundreds of domains, mostly just to protect the brand, 98% of which redirected to the main domain, with a few serving slightly different sites for different jurisdictions (e.g. Ontario regulations require that everything happens under a .ca domain). The “blocking evasion” doesn’t require CF to do anything, besides forcing the customer to block traffic from certain countries (the ones where you are suspected to evade the block). At this point - if the casino is really operating in the black or gray markets - they can just set ingress to their site outside CF for those countries only if they really wanted. I worked also for a company who was doing this to allow traffic from Russia, changing every day mirrors (and they had an IT department of maybe 20, it was a joke), and Russia was the main market for them.
If what is told in the article is true - I.e. 95% of the traffic was through the main website - then it doesn’t look like they were really doing this sort of evading deliberately, considering that in that 5% you have all your alternative TLDs plus the traffic from gray/black markets. Having hundreds of domains and some small percentage of traffic from black markets is something that just happens, it’s different from continuously registering new domains for providing access where the previous ones got DNS blocked (this is domain block). It doesn’t seem this is what they were doing based on the article, and if they were, then CF emails didn’t mention it, which is insane.
Obviously we don’t know the full story, so everything has to he taken with a grain of salt.
I am a security professional. I would personally not care less to make the distinction, as both are very generic terms that are used very liberally in the industry.
So I don’t see any reason not to call this hacking. This was not an intended feature. It was a gap, which has been used to perform things that the application writer did not intended (not in this form). If fits with the definition of hacking as far as I can tell. In any case, this is not an academic discussion, it is a security advisory or an article that talks about it.