🇮🇹 🇪🇪 🖥

  • 0 Posts
  • 25 Comments
Joined 4 months ago
Cake day: March 19th, 2024

  • I am a security professional. I personally could not care less about making the distinction, as both are very generic terms that are used very liberally in the industry.

    So I don’t see any reason not to call this hacking. This was not an intended feature. It was a gap, which has been used to perform things that the application writer did not intend (not in this form). It fits with the definition of hacking as far as I can tell. In any case, this is not an academic discussion, it is a security advisory or an article that talks about it.



  • Public financing of the press, newspapers stopping being garbage and selling subscriptions like they have always done, pay per article (cents), donations. Just some ideas of economically viable alternatives. There are good niche newspapers which survive with such models, it’s not like I am making it up.

    I would say the opposite: advertising alone is not sustainable for the press because it creates wrong incentives (grab attention, clicks). This is why 90% of newspapers have the same garbage, short, generic articles. This is why you get rage bait, fake news etc. too, to some extent. So yes, you get websites online, but you get no information…


  • If you are Cloudflare and you suspect they broke the ToS, you quote which ToS has been broken, you specify which country’s blocking the customer is trying or has tried to circumvent, and you force the customer to either move away or enforce geo-blocking for those countries (or have a separate account for those with your own IPs). There is no reason to cancel the whole account if the blocking is country-specific, and there is no way that 10k a month is anyway a sufficient benefit for Cloudflare for their IPs to be blocked in a country (affecting potentially hundreds or thousands of customers).


  • I despise gambling, I don’t gamble myself and I consider it a tax on those who don’t know math. That said, I worked for a gambling company and I know that different companies target different types of customers. Also they have responsible gambling programs that are more or less serious (some of which might be required by regulations). The company I worked for operated in Scandinavia and was sportsbook heavy (vs casino heavy), and had quite serious measures against suspected addicts (immediate block, calling the person on the phone if there were any signs like long sessions etc., proof of income to set limits proportional to income etc.), because it was considered bad for business. Many companies in general are terrible, and especially those who depend on casino games, where the margins are fixed and the dynamics are more prone to create addiction (available 24/7, quick feedback etc.).


  • No they don’t, at least for Sweden. I remember when they regulated the market in Sweden (I was working for a gambling company at the time and I had to run the security & compliance for the Swedish license). There is no such thing as an open market for gambling where the market is regulated (Sweden, Denmark, Estonia, not sure if Norway finally regulated).

    As far as I know, a handful of companies got regulated in the first round, some failed and could not operate in Sweden (this might mean you actually need to deny access to users from Sweden - since you do KYC, you know) for quite some time (before they eventually managed to get the license).

    The problem (why the other user mentions all similar sites) is that the big companies (say Kindred group, Betsson) tend to spin up many alternative brands with different looks to attract different customers.

    Also, most of the companies that operate in Scandinavia use the Maltese license, but that works only in unregulated markets (Finland, Iceland and Norway for example - unless something changed in the last 3 years). That said, getting a license once you have another is quite simple usually. The Swedish license for example is easier to get than and very similar to the Danish one, so if you operate in Denmark you can just fill in the paperwork and you should be easily able to pick that one up.



  • I worked for an online casino in the past. What they do is a standard in the industry. The company I worked for was a small startup and owned hundreds of domains, mostly just to protect the brand, 98% of which redirected to the main domain, with a few serving slightly different sites for different jurisdictions (e.g. Ontario regulations require that everything happens under a .ca domain). The “blocking evasion” doesn’t require CF to do anything, besides forcing the customer to block traffic from certain countries (the ones where you are suspected to evade the block). At this point - if the casino is really operating in the black or gray markets - they can just set ingress to their site outside CF for those countries only, if they really wanted. I also worked for a company that was doing this to allow traffic from Russia, changing mirrors every day (and they had an IT department of maybe 20, it was a joke), and Russia was the main market for them.

    If what is told in the article is true - i.e. 95% of the traffic was through the main website - then it doesn’t look like they were really doing this sort of evading deliberately, considering that in that 5% you have all your alternative TLDs plus the traffic from gray/black markets. Having hundreds of domains and some small percentage of traffic from black markets is something that just happens; it’s different from continuously registering new domains to provide access where the previous ones got DNS blocked (this is domain block evasion). It doesn’t seem this is what they were doing based on the article, and if they were, then CF’s emails didn’t mention it, which is insane.

    Obviously we don’t know the full story, so everything has to be taken with a grain of salt.


  • It does require fact-checking. You might ask for a human and get someone with 10 fingers on one hand, you might ask for people in the background and get blobs merged into each other. The fact check in images is absolutely necessary and consists of verifying that the generated image adheres to your prompt and that the objects in it match their intended real counterparts.

    I do agree that it’s a different type of fact checking, but that’s because an image is not inherently correct or wrong, it only is if compared to your prompt and (where applicable) to reality.


  • Agree. Social housing has been one of the first areas to suffer from cuts everywhere. It is a problem on its own, which short term rental makes worse.

    The problem is that building is basically an irreversible use of land. It’s only recently (a few centuries) that we started seeing land as a commodity, and with the current state of affairs, it’s insane to leave it as such. Soil is too precious and too scarce to let market inefficiencies waste it. We should really explore all options before we decide to simply build more, especially in Europe where the population growth is basically null.


  • Soil consumption is one of the many environmental problems we face. Polluting and consuming more soil to condition the market is nonsense IMHO. Governments should simply regulate more so that people vacationing will go to hotels and houses will be available for residents. This also addresses the issue of locals being pushed further and further away in the cities they live in, which creating more houses doesn’t solve (it will just be the next round of isolated dormitory peripheral areas, which already have tons of problems).

    Short-term rentals for houses were a very good and lucrative idea, but they’re harmful to basically everyone but the landlords who rent out houses there. As such, we should simply strongly regulate them to discourage them as much as possible, if not ban them directly.


  • Computationally infeasible? It’s as expensive as if every user made a single login (if they use bcrypt for passwords).

    They don’t need to do it for every user, they need to do it for one only. Salting is fairly irrelevant in this context. And we are talking about resources for Microsoft, or Google, or Apple. And this is also assuming they can’t further segment the customers by other metadata, such as location (in this case, for example, Spanish users), which will drastically reduce the number of users to try. If every Spanish person had a user, you need 47kk hashes. Years ago single rigs pumped more than 10k bcrypt/s. That would be 1h of computation, give or take? Assuming a fraction of that and not the immense computing power of big tech, it’s still something completely achievable for an investigation.


  • But the question is “why”? Email addresses are personal but not secrets; there is no reason to add complexity and worsen the UX for such a feature IMO. If anybody is not comfortable with this particular piece of data being associated with their account, they can just use a recovery phrase. It is by no means a necessary feature. What would be the advantage of having a recovery email “obscured”? The advantage of the functionality as-is is that it’s trivial to see what you have configured, it’s trivial to change the address etc.

    All of this to add an ineffective amount of privacy. If someone is under investigation, having the hash of the recovery email is in many cases sufficient. Asking Apple/Gmail/Microsoft if the hash matches any of their customers covers probably 98% of the population. Billions of emails are also available through breaches, so there is a very, very high chance that if someone used their personal email, it’s either with one of the big providers, or it has been leaked before. If it’s not, and you used a private provider with no data, then there is no problem even if the address is obtained, as that cannot be further used to de-anonymize you.


  • Sure, but that’s essentially a weaker recovery password (which also is an option in Proton).

    Also, that poses quite some challenges for email verification (say, you make a typo when you first write your address), let alone the fact that you essentially won’t see what emails you have configured, which is also bad UX.

    I think it’s much simpler to have the recovery email as it is and (if one doesn’t want to associate a Proton account with any other account) offer other recovery methods, which are available (phrase and phone number).