🇮🇹 🇪🇪 🖥

  • 0 Posts
  • 44 Comments
Joined 1 year ago
Cake day: March 19th, 2024

  • I like the idea of canaries in documents, I think it is a good point, but obviously it only applies to certain types of data. Still a good idea.

    Looking at OP, they seem to be a small shop with a limited budget. Seriously, the best recommendation I think is to use some kind of remote storage for data (works as long as the employee complies) and to make sure the access control is done in a decent way (reducing the blast radius of an employee behaving maliciously). Anything else is probably out of reach for a small company without a security department.

    Maybe I sounded too harsh, that’s just because in this post I have seen all kinds of comments that completely missed the point (IMHO) and suggested super complicated technical implementations that show how disconnected some people can be from real technical operations, despite the good tech skills.


  • DLP solutions are honestly a joke. In 99% of the cases they only cost you a fortune and prevent nothing. DLP is literally a corporate religion.

    What you mentioned also makes sense if you are a Windows shop running AD. If you are not, setting it up to lock 1 workstation is insane.

    Also, the moment the data gets put on the workstation you have failed. Blocking USB is still a good idea, but does very little (network exfiltration is trivial, including with DLP solutions). So the idea of using a machine remotely is a decent control, and all efforts and resources should be put in place to prevent data leaving that machine. Obviously even this is imperfect, because if I can see the data on my screen I can take a picture and OCR it. So the effort needs to go into ensuring the data is accessed on a need-to-know basis.


  • Jamf doesn’t do anything for this problem, besides costing you a fortune in both license and maintenance/operation. Especially if you are not a Mac shop.

    MDM at most can be used as a reactive tool to do something on the machine - as long as the one with the machine in their hand leaves the network connection on.

    There are much cheaper solutions to do that for 1 machine, and, as others correctly pointed out, the only (partial) solution here is not storing the data on a machine you don’t control. Period.




  • Your ability to SSH into the machine depends on the network connectivity. Knowing the IP does nothing if the SSH port is not forwarded by the router or if you don’t establish a reverse tunnel yourself with a public host. As a company you can make changes to the client device, but you can’t make them on the employee’s network (and they might not even be connected there). So the only option is to have the machine establish a reverse tunnel, and this removes even the need for dynamic DNS (which also might not work with certain ISPs).

    The no-sudo is also easier said than done: that means you will need to assist every time the employee needs a new package installed, you need to set up unattended upgrades and of course help with debugging should something break. Depending on the job type, this might be possible.

    I still think this approach (lock laptop) is an old, ineffective approach (vs zero-trust + remote data).



  • This is honestly an extremely expensive (in terms of skills, maintenance, chance of messing up) solution for a small shop that doesn’t mitigate the threats posed at all.

    As you correctly said, the employee has the final word on what happens to the data appearing on their screen. Especially in the case of client data (i.e., few and sensitive pieces of data), it might even be possible to take pictures of the screen (or type it manually) and all the time invested in (imperfect) solutions to restrict drives and network (essentially impossible unless you have a whitelist of IPs/URLs) goes out the window too.

    To me it seems this problem is simply approached from the wrong angle: once the data is on a machine you don’t trust, it’s gone. It’s not just the employee, it’s anybody who compromises that workstation or accesses it while left unlocked. The only approach to solving the issue OP is having is simply preventing the data from being stored on the machine in the first place, and making sure that the access is only to the data actually needed.

    Data should be stored in the company-controlled infrastructure (be it cloud storage, object storage, a privileged-access workstation, etc.) and controls should be applied there (i.e., monitor for data transfers, network controls, etc.). This solves both the availability concerns (what if the laptop gets stolen, or breaks) and some of the security concerns. The employee will need to authenticate each time with a short-lived token to access the data, which means revoking access is also easy.

    This still does not solve the fundamental problem: if the employee can see the data, they can take it. There is nothing that can be done about this, besides ensuring that the data is minimised and the employee has only access to what’s strictly needed.



  • To be honest, I have never even heard of anybody who sued a service provider for failing to mitigate DDoS, or for letting an attack through a WAF, etc. I am quite positive that the contracts/T&C you sign when you subscribe to the services are rock solid, otherwise Cloudflare would be under extreme liability. Also, usually you have the ability to customize the DDoS settings, choose thresholds etc. I really can’t imagine a company having any real chance of getting the provider to reimburse them. The only service that usually has an SLA is the uptime of the CDN, which if breached should be compensated. I am quite sure that in the cheap plans the SLA is probably not very high.

    Also, what you say about a customer that someone might want to take down is true for all customers that require DDoS protection. If they didn’t, they wouldn’t pay for the service in the first place. Cloudflare serves a bazillion customers who are much bigger targets than a casino, I don’t think they were afraid of the exposure. Also, when Cloudflare receives a high DDoS attack, for them it is awesome marketing. Imperva, Akamai, Cloudflare are basically identical and the selling point is exactly “how big can they tolerate?”.

    Honestly, rather than speculating on what we don’t know, I propose a simpler option: Cloudflare plans are designed to get customers one foot in the door with a super cheap plan; to them each individual customer has basically no marginal cost. However, once the customers are in they can identify the ones they can squeeze and find reasons to push more expensive plans. If they bump 1/30 of them, even if the other 29 leave, they are in plus (250x29 < 10000 x 1).

    To me this seems simply a business strategy. They specifically say “Unlimited & unmetered DDoS attack mitigation” in the cheapest plan, after all.


  • I am in no way using this definition right now, I am using the definition you provided (established businesses) and I generally use it interchangeably with “licensed”, because to operate you need at least a license.

    So it’s not a tautology.

    > There are enough illegitimate online casinos to create a problem for the whole industry.

    Incorrect. Also, creating a problem for the industry is not defining the industry itself. There are phishing bank sites that create a problem for the banking industry, but only an idiot would answer “they steal your identity/card details” to the question “why are online banks bad”.

    > They don’t have enough users so they need to squeeze their regular punters harder.

    Incorrect. You forgot to address “how”. I will also add another item to the “you have no idea what you are talking about”. Players losing is a sure way to lose even more customers. In fact, if you knew something about the industry you would know that new companies operate on much lower margins than established ones. Bet365 might operate on a 7-9% margin, a new company operates on 1,2,3%. The idea of squeezing existing customers more, besides being technically impossible, is absurd. It’s a huge business risk (you lose your license and then you will have 0 customers).

    > Even your beloved “legitimate” casinos do “rig” games by offering different odds at different times to different people.

    First, I don’t like casinos; despite having worked for one, I have played on fewer sites than you have. I like bullshit even less, though, hence my pleasure in clearing the world of yours. Second, that is not rigging at all. You know it, I know it, it is absolutely not what you meant, and I am embarrassed for you for trying to use this terrible rhetorical trick to now bend the word rigging. Rigging means that you expect the odds of winning to be X but instead behind the scenes they are Y (<X). Offering odds, first of all, is not a casino thing, it’s a sportsbook thing, and second of all it is transparent to the user. Finally, odds obviously change over time, as estimated probability does…

    Listen, you are just a guy on the internet with a big mouth and a family supply of bad faith. I showed you multiple times that your claims are bullshit and that much smarter people than you took care of the problems you claim affect casinos (rigged games and money laundering).

    You failed to provide any argument for any of your claims and now you have proven to argue in bad faith. As promised, I will do you a favour and block you, so you don’t have to keep embarrassing yourself. Take this as a chance to reflect on maybe not arguing about something you don’t understand fully, and maybe to learn from someone who knows more than you, as I try to do in the many occasions where I make mistakes or know little about something. Your claim at the moment is false. It’s a conspiracy theory that you repeat and might believe, but it’s false. Deal with it. You can use the very real and many reasons to consider casinos bad, do that.


  • sudneo@lemm.ee to Programmer Humor@lemmy.ml · 11 months ago

    Indeed I want to make a distinction. Because thinking legitimate casinos rig games is completely different from thinking scammy ones do.

    In fact, you had no argument whatsoever to prove those do, including your external sources that recommended basically in all cases to stick to licensed sites, proving that there is a difference (duh). On the other hand, having worked in the industry and understanding both how casinos integrate games and how compliance works, I have explained to you why there are generally no technical means AND no economic incentive for legitimate casinos to rig games.

    I will repeat the points for you:

    • legitimate casinos undergo certification and audits. Every piece of code change is analyzed periodically and so does the functionality of basically everything on the sites.
    • most importantly, casinos don’t develop games, they purchase them from providers. They don’t have access to the code, as games are served directly by the maker, so they can’t change the code to tweak odds.
    • the game makers don’t have any incentive of jeopardizing their whole business to let a customer earn more money illegally.

    The above applies to essentially every licensed casino, every legitimate casino.

    You failed to acknowledge any of these points, and you argued for 15 comments about scammy websites, bringing now the conversation back to where we started.

    The reason why I want an agreement that legitimate (not some!) casinos don’t rig games is specifically because I provided arguments (technical and economical) for why that’s the case. So your refusal to make any distinction while also refusing to provide any proof to support your claim just results in a vague and messy discussion, exactly like your insane definition of “online casinos” that includes scam websites. You refuse to be accurate :)

    > But a problem very much related to “what’s wrong with online casinos”.

    It’s not. It’s something casinos (real ones) can’t do anything about, the same way banks or shops can’t do anything about it. This is an extremely tiny problem because official means exist to recognize legitimate ones, since there are trusted authorities that certify them. In fact, given the existence of central national authorities it is much easier to be sure that a casino is legitimate than a shop, for example. I will tell you more: rigged games (and therefore fake casinos) are a MINOR problem in the industry in general. It is absolutely a terrible argument to say what’s wrong with casinos, because it’s something the vast majority of people will never even encounter in a life of gambling. However, there are plenty of reasons why casinos can be considered bad based on the regular operations of legitimate casinos, not based on your fairytales.

    So yes, I am stuck on wanting an acknowledgement that legitimate casinos don’t rig games because I know how that works, unlike you. Here is how I conclude this conversation, since we are at a moot point:

    If you fail to acknowledge that rigging games is very very unlikely (I will keep the theoretical possibility in case there are suicidal CEOs) in legitimate casinos, then I will call your argument bullshit until you have any proof. Specifically, you should explain what economic incentive legitimate (licensed) casinos have to rig games, and how you think they can do that. If you fail to provide any argument in support of this while also refusing to make a distinction in your original claim, then I know you are arguing in bad faith, so I will simply block you and move on.


  • I give up. You refuse to engage in good faith.

    What a user can tell is irrelevant, we are talking about your “taxonomy” and the properties that being in one or the other category carries.

    You might not be able to distinguish a legitimate casino from a fake one, but if in your opinion legitimate ones also rig games, this is irrelevant. If they don’t, then what users can tell is a completely separate problem.


  • Yes, but I am asking you to answer according to your own definition! I specified it, I quoted it, I wrote YOUR in caps, I can’t add flashing lights or I would.

    You provided a definition, I am asking a simple question with that definition in mind.

    According to YOUR definition, do legitimate casinos rig games?

    Come on, how many more comments do you need to answer this simple query?


  • Your quote:

    > Here’s the definition I’m happy with. Legitimate casinos = established businesses in the casino industry. Fake casinos = scammers. Online casinos = legitimate casinos + fake casinos.

    You forgot already? A link to your own comment.

    > You have defined legitimate casinos as ones that don’t rig games.

    I didn’t define shit, you defined legitimate casino as a partition of online casino.

    Look what triple jump you are making to avoid saying a very simple thing: legitimate casinos, defined as YOU did (established businesses in the casino industry), don’t rig games. All because you can’t admit to being wrong :)

    So, I will ask once again:

    • do legitimate casinos, as in YOUR definition, rig games, according to you?

    Yes or no question.


    > Yes. Not necessarily knowingly. Income from internet gambling is tainted.

    I would argue with this point, but I won’t. It doesn’t matter, I accept the theoretical possibility of money laundering. For some reason I was mistakenly taking the top comment of this thread as your comment. I even quoted it several times and you didn’t note that that’s not your comment… my bad.


  • It’s YOUR definition ahahah, I literally took what you said and I am asking a question.

    YOU said, legitimate + fake = online. I asked to which you applied the answer and you said online. Now you are saying it doesn’t?

    So, do we agree that legitimate casinos don’t rig games?

    Also, you mentioned taking a cut to help launder money, now you are retracting, saying “are exposed”. No dude, taking a cut has intentionality behind it, being exposed is a natural risk for any business which moves money. You claimed the first.

    So, one last time:

    • do legitimate casinos rig games?
    • do legitimate casinos help launder money?


  • sudneo@lemm.ee to Programmer Humor@lemmy.ml · 11 months ago (edited)

    Answer the question, your definition doesn’t add much.

    To which ones does your initial answer apply? Both legitimate and fake casinos?

    It’s not a hard question.

    P.s. I bet you wouldn’t be able to show me a fake casino if I asked. That’s because they are not a common problem. You are overinflating it to make your absurd definition more reasonable. But let’s not get into this…


  • sudneo@lemm.ee to Programmer Humor@lemmy.ml · 11 months ago (edited)

    > Not part of the discussion. You are straining pretty hard in your efforts to “win”.

    I am making an example to prove a point. The point is simple: “industry” doesn’t contain the scammers who try to abuse it.

    > Yes, they do. The clue is in the name.

    Genius take!

    Answer the question, though. I repost it for your own convenience. We clear out all the bullshit semantics you brought up, and go straight to the point:

    > Let’s pretend you actually believe your bs, and let’s make a distinction:
    >
    > • Online casinos = established businesses in the casino industry, operating with at least a license.
    > • Fake casinos = scam websites that operate without a license and which spoof an online casino with the purpose of scamming users (in whatever way).
    >
    > To which ones do you think your initial answer applies:
    >
    > “They run rigged games in predatory ways. They happily let organised crime launder money for a cut. They fight regulations designed to reduce problem gambling.”
    >
    > ?
    >
    > • Do you think that online casinos as defined above run rigged games?
    > • Do you think they help launder money?

  • sudneo@lemm.ee to Programmer Humor@lemmy.ml · 11 months ago (edited)

    > Incorrect. Learn to recognize ‘spoofing’ and ‘phishing’

    Jesus… Let me spell it out even more clearly: if someone is creating a new standard for banking sites, they don’t expect those goddamn measures to apply to phishing websites, because they are not considered part of the industry. Nobody discussing the banking industry would consider phishing sites PART OF it. It’s relevant to discussing phishing FOR the industry, but it’s not a problem OF banking sites. Because “banking site” inherently means a legitimate banking site.

    > Incorrect. OP clearly wrote “online casinos”.

    And online casinos don’t include fake online casinos.

    But ok, let’s clarify once and for all.

    Let’s pretend you actually believe your bs, and let’s make a distinction:

    • Online casinos = established businesses in the casino industry, operating with at least a license.
    • Fake casinos = scam websites that operate without a license and which spoof an online casino with the purpose of scamming users (in whatever way).

    To which ones do you think your initial answer applies:

    > They run rigged games in predatory ways. They happily let organised crime launder money for a cut. They fight regulations designed to reduce problem gambling.

    ?

    Do you think that online casinos as defined above run rigged games? Do you think they help launder money?

    At least I will give you an out and you don’t need to keep climbing mirrors.


    > You clearly have a guilty conscience about the money you earned from gamblers. Or you are being paid for this shilling.

    No, I simply don’t like bullshit, and your arguments are full of it. I strongly dislike the gambling industry, but for reasons based on facts, not on what I heard in the beauty salon :) In fact, my whole point is that there are good, solid reasons to dislike gambling and online casinos. The bullshit you quoted is not part of it because it’s false.