I was reading the blog post by the casino’s tech person and kept thinking to myself, “this is a casino; they may not be the most reliable narrator”. That said, CF was also stupid slow on taking down kiwi and stormfront, so they’re not great either.

Both of them suck and this whole thing is amusing to me. Hopefully this will serve to improve CF’s behaviour.

What was kiwi?

KiwiFarms, a forum dedicated to doxxing and IRL harassing of LGBTQ people, women, and anyone else they didn’t like. It was is a breeding ground for Nazis and other Conservative bigots and their ideologies, and they successfully harassed people into moving and hiding (or worse).

Edit: they’re still around

Schadrach
link
fedilink
English
47M

Specifically, it started out to track, dox, and harass Chris-Chan (originally just for being a weirdo though they eventually came out as trans and made news in 2021 for being arrested for incest). The nearly two decade old (since 2007) ongoing campaign against them means they are probably the single most documented human being in history.

They don’t often target women just for being women, but much like with trans people and furries they also hate a hate-on for crowdfunded youtube personalities and fat acceptance and all of those groups do have their share of women (especially the last one - fat acceptance is primarily about women). They even target fundamentalist Christians and Quiverfull families sometimes (which tend to be very Conservative).

Also, there’s no “was” - they still exist are are operating.

For those horrible enough to like this.

Sometimes each other too if my information is correct. So even if you are a bad person and want to harass innocent people, kiwi farms isn’t the place to be.

Bad people are bad people towards you too if you give them the chance. Just don’t be bad, much better. Don’t hate!

Schadrach
link
fedilink
English
17M

They target anyone a critical mass of their users think might be entertaining to target, and yeah that sometimes includes each other.

Better to give them a wide berth and try not to draw the attention of the snarling horde with too much time on it’s hands.

A website similar to 4chan, but much much worse. They’d dox pretty much anyone they didn’t like, often LGBTQ+ people and allies

It isn’t clodflare’s job to take down or in any way take a stance on what websites they are providing most likely only DDOS and DNS services for.

That’s for example why privacy sites can use them.

It’s the police or maybe hosting provider that should decide when/if to take down sites.

If cloudflare were hosting the site I think they have more responsibility.

I feel like if you’re protecting a site that has caused as much harm as kf, it might be morally correct to stop doing so.

What exactly has Cloudflare done to those poor casino thugs, they were only trying to extract more money from gambling addicts?!?

Both of course, but if I had to choose, Cloudflare. Definitely Cloudflare. That company must be purged by fire and magnets. Sure, casinos are evil, but they mostly stay in their lane doing their thing of preying on the vulnerable. When Cloudflare just straight up breaks half the internet for lunch and there’s, by design, no way around it.

In this particular story, if there’s any truth to it then it’s basically extortion. They could have just said that due to their usage profile they will need to switch to an enterprise license for the next billing period . Instead they tried to extort it within 24h lol.

And of course you have to buy a whole year of service (lol). This last thing is a symptom of a degenerate market with few competitors. No company that fears competition would try to pull that stunt.

No, the site had 2 weeks. They decided to argue with CF until that deadline was up.

Context?

My feed has been all about posts like this one https://programming.dev/post/14669153

If yours hasn’t you’re missing some stupid flame wars and nothing of value.

That makes sense, I don’t subscribe to !technology@lemmy.world and only ever check ALL if there’s an emergency or I’m logging into a fresh install of Sync.

originalucifer
link
fedilink
111
edit-2
7M

cloudflare has a known habit of taking heavy users and forcibly converting companies from a $250/m plan to a $12,000/month plan.

some people would be happy for that to happen to bad entities like an online casino, but really, to cloudflare the business use is irrelevant and it could happen to any of us.

the lesson is to minimize your cloudflare dependencies. if you have to use it, use it in an agile method where you can move to something else quickly should you need to.

@Evotech@lemmy.world
link
fedilink
12
edit-2
7M

12000 a month is probably chump change for a casino and money well spent at that for the features cloudflare provides

At my job, a reasonably sized it customer generates about 100-500k a month.

The casino has like millions of folks at $300/month according to a comment on another topic about this.

Based cloudflare.

For 12k a month just the DDoS protection would be worth it for a site of that nature and size but they also get CDN access with full control over the caching, and a web application firewall.

The way I see it the casino was trying to plate share at a buffet and got caught so now they are complaining about having to pay the correct amount.

Thank you

katy ✨
link
fedilink
367M

reminder that cloudflare routinely works with white supremacist and other hate sites to protect them and have most recently refused to stop hosting kiwi farms, as they were doxxing and threatening trans people

@uis@lemm.ee
link
fedilink
17
edit-2
7M

THIS MESSAGE (MATERIAL) CREATED AND (OR) DISTRIBUTED WITH PURPOSE OF HATE AND (OR) ENCOURAGING HATE.

You forgot to put it.

I heavilt dislike cloudflare, but this is not valid reason to hate them.

You have it wrong, which really shows what you stand for:

Cloudflare refused to block KiwiFarms as there was no evidence of criminal activity or violation of their policies, and doing so would tarnish their reputation in regards to free speech. They did stop hosting KiwiFarms, in September of 2022 (you can find their statement here) in response to a libelous pressure campaign ran by Keffals when she/they/it found out users were pulling out receipts of it engaging in lewd conversation with minors and providing them with DIY hormone replacement therapy kits without any medical oversight or parental consent.

And KF did not attack Keffals out of nowhere, it was only after she started engaging with Chris-chan as she was attempting to use him to boost her own reputation at a time when he was already in a perilous mind.

I’m not sure exactly where you got the “threatening trans people” from, that is the first I’ve heard of it. I know of one incident that is much more grave and potentially what you are referring to, but your reference leaves out almost the entire context of that one particular incident and there have been no repeats of it to my knowledge.

I’m not a fan of KiwiFarms, but they did not earn their censorship. It was the result of a successful attempt by a revisionist career troll to cover their tracks when they realized their goose was about to get cooked, nothing more. If you truly stand for free speech, you would realize just how dangerous the precedent set by such an unreliable source as Keffals is.

And yes, I realize that if my comment gains enough traction, it and its army will be at my throat and by no doubt have doxxed me in no time if they so choose. But that’s not going to keep me from preventing people like you from twisting the narrative.

The same place that regularly bullies and bear-baits ‘lulcows’ for entertainment? The same people who bullied an autistic adult over a shitty Sonic fan character webcomic?

Kilgore Trout
link
fedilink
English
217M

They don’t “work with white supremacists”. They try to self-polish the tremendous power the have, seeking neutrality in most cases.

You’re describing Twitter and Facebook as well.

Por qué no los dos?

BougieBirdie
link
fedilink
English
177M

Why are online casinos bad? I don’t understand this pervasive need some people have to force their way of life on others and take away their agency over their own lives. It comes off to me as some kind of superiority complex. “They’re too stupid to make their own decisions, I know better what’s best for them, I must protect them from themselves”.

Why are online casinos bad?

How can players be sure they are honest?

I must protect them from themselves.

People should be protected from scammers with fake (always lose) casinos.

There are ways to cryptographically verify bet integrity, but that’s not important. The point I was trying to make is that people should have the right to make their own decisions, even if you disagree with them, even if they’re objectively wrong.

If you are objecting about one person’s morals being forced on another then I totally agree.

Your delivery of that argument needs work because it comes across as wanting to defend scammers.

At no point was he defending scammers. This is insane.

Playing innocent and asking why online casinos are bad.

Yes. He’s asking a question? Why is an online casino bad?

If the casino follows all rules and regulations, then that is not bad.

If talking about sites that steal your money and don’t pay out when you “win”, then yes, that is bad, and a scam. But that’s not an online casino…that’s a scam. And also incredibly rare.

An online casino can make a shit ton of money by just following the rules. Why would they need to break the rules?

But that’s not an online casino…that’s a scam.

Excellent. You understand the point.

How can players be sure they are honest?

At the bottom of each gambling sites usually there are the banners for the license(s) the company holds. Complying with licenses (e.g., Maltese) ensures that the due paperwork (i.e., proving that Casino games are functioning according to their certification) is taken care of. So yes, national gambling authorities usually are the ones who protect people from scammers.

“functioning according to their certification” doesn’t prove to me that they aren’t shaving the odds or injecting sneaky code into the process. I have to trust in the technical ability of the regulators.

Also, I could write “regulated by the Maltese” on the bottom of any website, it doesn’t make it true.

They can’t add sneaky code to the process (without getting caught). For sensitive game code every single change needs to be tracked and reviewed by the authority. You get audited at least once a year, and then all the changes are reviewed. Authorities outsource the job for the technical reviews to specialized companies.

Also, what’s the point? The games already provide a margin to the host, why risking to go out of business for such an irrelevant gain (a few more %)? Add to this that usually casino games writers do just that, write games and sell those to N casinos. So the incentive for the casino games writers are even smaller.

Finally, yes you can write “license X”, but you can cross-check that information from the regulator itself, you don’t need to trust just the line on the site. The point is you as a customer can choose a trustworthy site, ideally one who is licensed in countries where regulations are quite tight (in Europe I would say Denmark), before putting your money somewhere.

At some point you need to trust “someone”, that’s how the whole world works. The gambling authorities are no different than the authorities that enforce the safety certifications for electrict equipment, or cars, or whatever.

If your concern is that you would lose money on casino games because the site rigged it, it’s a relatively silly concern. You will lose because the casino games are designed to make you lose in the long term, on average.

They can’t add sneaky code to the process (without getting caught).

That means that people have to check

For sensitive game code every single change needs to be tracked and reviewed by the authority. You get audited at least once a year, and then all the changes are reviewed. Authorities outsource the job for the technical reviews to specialized companies.

Or just ignore that and publish whatever you like.

why risking to go out of business for such an irrelevant gain

Why spend money to meet regulations?

Finally, yes you can write “license X”, but you can cross-check that information from the regulator itself, you don’t need to trust just the line on the site.

How many users actually do this? A very low percentage.

point is you as a customer can choose a trustworthy site,

The point is that many don’t.

If your concern is that you would lose money on casino games because the site rigged it, it’s a relatively silly concern.

Not really. It’s one of the reasons why online casinos can be bad.

The question was what is “wrong with online casinos”. So I gave an example. Others include money laundering, exploitation of addiction, exploitation of stupidity, waste of resources, tax evasion etc .

Have you ever made a single transaction online paying with your credit or debit card? How do you know the site didn’t steal or misuse your information?

The answer is that storing, transmitting or processing card data requires you to be PCI-DSS compliant, which is a very strict standard. If you get caught violating that you are out of business and fined in the abyss, which is a much bigger risk than stealing john doe’s pennies.

Sorry but from what you are saying it seems you simply don’t understand how compliance works.

That means that people have to check

And that is why you have at least annual audits (for each license, plus AML, plus other stuff), and why you need to present the whole chain of changes that happened to sensitive code.

Why spend money to meet regulations?

Because if you get caught not doing that you lose access to whole markets at once and get fined. There is no economic incentive as complying doesn’t cost nearly as much. Specifically, I told you that casino game makers are generally not casinos, they are software houses. So they can’t care less about rigging the games, their revenue comes from companies paying for using their games. Casinos also don’t care of rigging games because games are designed to leave them a certain margin anyway, so why doing it?

The point is that many don’t.

And that’s why national regulations are generally a safe umbrella. If you see a website (through advertisements) that means that website is allowed locally and already met the national regulations.

If you are in a non regulated country then you will need to do a tiny bit of research. You are putting money on a site, after all (you should do the same for everything you do online).

The question was what is “wrong with online casinos”. So I gave an example. Others include money laundering, exploitation of addiction, exploitation of stupidity, waste of resources, tax evasion etc

Yes, you gave examples based on your own speculations. It’s clear you have no idea how the industry works. Money laundering is something international law covers and is extremely tightly controlled, tax evasion is also completely insane for online businesses, because every transaction has a trail and there are tight regulations about what you need to report for every country where you operate. Exploitation of stupidity, sure. Some also exploit addiction, regulations exist for that too, and for some businesses addicts are terrible customers.

Question: what exactly is your experience with the gambling business?

Because to me it seems you are making stuff up or basing your statements on movies about gambling and oeganised crime, while the reality is much simpler: companies get money simply by having active users on their sites. Quantity is the name of the game.

How do you know the site didn’t steal or misuse your information?

Exactly. Scam websites can be casinos or shops or anything.

You are vehemently defending the “legitimate” casino industry whereas I am saying it’s easy to create scam casinos.

Yes, you gave examples based on your own speculations. It’s clear you have no idea how the industry works.

I know well how it works.

Money laundering is something international law covers and is extremely tightly controlled, tax evasion is also completely insane for online businesses, because every transaction has a trail and there are tight regulations about what you need to report for every country where you operate.

Casinos, on and offline, are excellent ways to launder. The amount of regulations trying to mitigate this risk proves my point.

Exploitation of stupidity, sure.

Glad we agree here.

Some also exploit addiction, regulations exist for that too, and for some businesses addicts are terrible customers.

Not for casinos. Gambling addiction is a casino’s main business. Why are there no windows in Vegas?

Question: what exactly is your experience with the gambling business?

Betfair, betfred, bet356, Ladbrokes etc.

Exchanges for sports and real life events I have little problem with.

I only have probems with sites that scam people with flashing lights and random number generators.

Quantity is the name of the game.

Yes. Online you can scam many more people with fake roulette tables.

“They’re too stupid to make their own decisions, I know better what’s best for them, I must protect them from themselves”.

I’ve never been given a reason to not think most people are morons

I presume you don’t consider yourself to be a part of the aforementioned majority? Do you believe it makes you superior? Do you believe you know better what’s best for them? Do you believe you must protect them from themselves, even at the cost of their self-determination?

zea
link
fedilink
87M

I’m not the person you’re replying to, but I am stupid enough to occasionally get close to falling for a scam. Rather than test my luck, I’d rather they didn’t exist.

Allowing someone to play a game in which the rules and odds are clear and up front, is not a scam. Full stop.

zea
link
fedilink
17M

True, but we’re not talking about clear and up front rules

You haven’t met most people. :)

The problem is every one of us is most people on something. ;P

bobburger
link
fedilink
17M

That’s 100% true. That’s why I’d like the help from experts to help me avoid being scammed, help me avoid drinking and eating poisoned food, or having to breath unhealthy air.

I don’t always know the full repercussions from the decisions I make so I really appreciate having some expert help. This is especially true of decisions shitty people try to coerce me into making when I’m desperate or emotionally vulnerable.

Sounds more like you just don’t know anything about the gambling industry. They run rigged games in predatory ways. They happily let organised crime launder money for a cut. They fight regulations designed to reduce problem gambling.

Nevertheless, nobody here is “forcing their way of life on others and taking away their agency over their own lives”. They’re just acknowledging that casinos have a long history of being absolute cunts.

They run rigged games in predatory ways.

I don’t know what you mean by this. Games have a fixed margin which is usually disclosed or can be computed (exactly like the 0 and 00 in the roulette skews the odds in the house’s favor if you want to do just black/red). There are then whole chapters in national regulations about random number generators to ensure the odds are correct and the games are not rigged (i.e., a game certified for 98% should have that outcome). Are games designed to have the house win a 2,5,7,9% margin? Sure, but this is out there in the open, there is nothing to “rig” in the same way having 0 or 00 is not “rigging” a game of roulette.

They happily let organised crime launder money for a cut.

At least in Europe, you get audited quite often and AML regulations are very tight. Laundering money via online gambling companies with their cooperation seems quite unlikely to me (and inefficient, possibly, but I don’t know).

They fight regulations designed to reduce problem gambling.

Some do, but not all, and not in all cases. Addicts are bad for business for gambling companies, or at least for some of them, moderate long-term customers are generally better (and require way less effort).

I don’t know what you know about gambling, I definitely think that the ethics are questionable, and I left the industry when I could also for those reasons, but the company I worked for was not very bad in this regards. Maybe you worked/had experience with some of the shady ones (like those who operate in illegal markets using a single license from a random tiny country)?

Who’s “they”? I don’t know much about the gambling industry but if it’s anything like any other industry then it’s not a centralized monolith but many independent business. As long as the founding principles aren’t inherently corrupt (and in the case of casinos they aren’t. Nobody is forced to play and everyone knows the house has an advantage and in the long term is guaranteed to win. Because of this it doesn’t make sense for the house to cheat and risk getting caught, it will win anyway.) there is no reason to think that the majority of the industry engages in criminal activity. This is a massive generalization.

I don’t know much about the gambling industry

You can stop there. You don’t know much about the gambling industry, defending them was just an opportunity to tell us your opinions on “some people”, none of whom are actually here.

Yes, my comment wasn’t about online casinos but about the people who think they have a right to tell others how to live their lives. I’m not defending the gambling industry, I think gambling is stupid. I’m defending the right of the people to make their own decisions.

My “defense of the gambling industry” was just me pointing out that as long as something isn’t inherently nonconsensual and the terms and conditions are clear there is no reason to forbid other people from doing it just because you disagree with it.

Nobody in this thread has forbidden anyone from doing anything. If you want a soapbox for your irrelevant opinions, start a blog.

Yes, my comment wasn’t about online casinos but about the people who think they have a right to tell others how to live their lives.

Who’s “they the people”? I don’t know much about the gambling industry the internet but if it’s anything like any other industry place then it’s not a centralized monolith but many independent business people.

Is meth bad? Would a company that specifically targets meth sales to the most likely drug using demographics be bad? Would a company that sold meth in shiny, futuristic containers that said “Lucky Dreams!” be bad?

Both can be true?

Yup

Cloudflare is a business. Businesses protect their profits. Online casinos are scams subject to regular massive DDOS by their scumbag competitors and by people who want them shut down. Cloudflare wasn’t going to eat that loss anymore so they kicked them to the curb to save money. Also the time frame wasn’t 24 hours. More like a month. This makes me suspect the scamming casino’s story more.

Dr. Moose
link
fedilink
English
17M

Cloudflare is a business. Businesses protect their profits

You say that like it’s ok to do shitty things as long as “you’re a business protecting profits”

I say that like its the way things are.

The purpose of the comment is clearly: “Cloudfare didn’t kick out the casinos because of a compromise with good ethics, but because it was making them lose money”. Please read it again.

Dr. Moose
link
fedilink
English
07M

I was just having issues with your opener which sounds whole lot like justification.

I’m not the person you were replying to, either.

Cloudflare as a business provides DDOS protection. If they kick out those who get ddos’s, what’s their value? (Sure, WAF etc. but you get the point).

Also, as much as casinos are ethically questionable, they are also business. Very regulated businesses even (while tech is kind of a Wild West).

@GoodEye8@lemm.ee
link
fedilink
English
37M

Online casinos are also tech. The devops in the article literally says they set up proxies to continue operating in countries where their main domain is blocked. I know the core domain of casinos are very regulated, but I doubt the entire tech aspect of online casinos are regulated. I imagine there’s plenty of fuckery to do there.

Also casinos will throw out people who benefit too much at the expense of the casino. The casino benefitted too much at the expense of Cloudflare and refused to share the profits, so Cloudflare did what any casino would do and kicked them out.

The entire tech aspect of online casinos is regulated, from procedure to register customers, to bonuses, to segmentation, to popups that you need to show during game, to responsible gaming features, to security controls in the infrastructure, to reporting etc. I worked for one and I took care of the compliance to licenses. Nothing is perfect, of course, but you are under tight scrutiny, especially when you start accumulating licenses.

I don’t think casinos will throw out anybody ATM, they mostly work on quantity of users, they don’t care of few individuals who win (in fact they are good business - they will most likely play again in the future). Actions are taken against specific segments of users that are deemed high risk (e.g. suspected sure-betters, syndicates etc.). There is no need to throw them out, usually limits are applied.

For cloudflare, still nobody explained to me how using features and bandwidth already available costed anything more for Cloudflare.

They provide a whole lot more to begin with.

Sure, which is why I said:

(Sure, WAF etc. but you get the point).

An online casino would mostly benefit from WAF, DDoS protection and caching.

The arguments I was responding to is like saying that if you get too many web attacks they should kick you because the WAF is not anymore profitable. It doesn’t make any sense.

They didn’t get kicked out. Just moved to a more expensive solution / pricing structure

Cloudflare wasn’t going to eat that loss anymore so they kicked them to the curb to save money.

I am arguing with the logic that claims this is reasonable, not discussing what they did.

I don’t have a problem saying that they should charge more, but it’s them who made an unlimited plan to become a monopoly charging 250/month.

And insurances provide monetary compensation until you become a common liability, too high to be covered by any sort of fee. DDOS protection is just the same. It’s only feasible if it happens rarely, like they usually happen. However if it’s a common occurrence it will just eat up the profits made by the fees and then some, which just is stupid to do in any case.

It’s a completely different thing. DDoS protection is not like insurance. Insurance is putting monetary value on a risk and paying off if that risk materialises. DDoS mitigation is a set of technical measures that are implemented. Most of the DDoS protections are features which are implemented (e.g., when the traffic is more than X, require captcha for all requests). It doesn’t have any marginal cost for the provider.

And you can argue the same for the network infrastructure. Once you have the bandwidth, as long as it’s not saturated it is a waste letting it idle.

So I really don’t see how even being under DDoS every day can “eat up your fees”. Maybe you can elaborate?

I should have elaborated on it a bit more, my bad.

While it’s true that DDoS is more of an active technology rather than a CYA thing. It does however also act as insurance when it comes to the “blame game”: if your site goes down it’s not your fault but the provider’s fault, meaning you might be able to recoup lost profits through a lawsuit.

Of course the only way to avoid this for the provider is to provide better and stronger systems, which normally would grow homogenous through more customers and/or growing fees for all customers, which would pay for better capacity and stronger protection by itself.

However here we have a client that is a high value target that others might want to take down at all costs. Even if they didn’t sue, a strong enough attack might, alongside naturally expected DDoS on other clients, not only take down this customer’s server, but others as well, which really isn’t something you want, for the reasons stated above. And rapidly increasing security could be not worth it, as it could devolve into an arms race by proxy with a high risk of the customer leaving if you raise their fees to much, leaving you with a system which’s maintenance will now dig into your profits due to a lost big income stream, or make other customers leave if you raise the general fee.

To be honest, I have never even heard of anybody who sued a service provider for failing to mitigate DDoS, or for letting an attack through a WAF, etc. I am quite positive that the contracts/T&C you sign when you subscribe to the services are rock solid, otherwise cloudflare would be under extreme liability. Also, usually you have the ability to customize the DDoS settings, choose thresholds etc. I really can’t imagine a company having any real chance of getting the provider to reimburse you. The only service that usually has SLA is the uptime of the CDN, which if breached should be compensated. I am quite sure that in the cheap plans the SLA is probably not very high.

Also, what you say about a customer that someone might want to take down is true for all customers that require DDoS protection. If they didn’t, they wouldn’t pay for the service on the first place. Cloudflare serves a bazillion customers who are much bigger targets than a casino, I don’t think they were afraid of the exposure. Also, when cloudflare receives a high DDoS attack, for them is awesome marketing. Imperva, Akamai, Cloudflare are basically identical and the selling point is exactly “how big can they tolerate?”.

Honestly rather than speculating on what we don’t know, I propose a simpler option: cloudflare plans are designed to get customers one foot in the door with a super cheap plan, to them each individual customer has basically no marginal cost. However, once the customers are in they can identify the ones they can squueze and find reasons to push more expensive plans. If they bump 1/30 of them, even if they other 29 will leave, they are in plus (250x29 < 10000 x 1).

To me this seems simply a business strategy. They specifically say “Unlimited & unmetered DDoS attack mitigation” in the cheapest plan, afterall.

It is similar in that there’s a pool of resource shared between all the clients, and the service provider can shift this resource around when in need.

You can make this argument for literally every business, though. Which business does not have a single pool of resources and multiple clients to consume them?

To me it seems a really arbitrary argument. Insurance companies estimate a risk, and if their chance to pay is almost certain, then for them there is no point in insuring you, they lose for sure so they refuse you.

DDoS protection services don’t pay if their customers get DDoS. Cloudflare doesn’t need to go and deploy more network appliances every time a customer gets DDoS’d, nor they need to hire additional engineers to implement features. They have done this already and if they do it’s a company-wide investment, not a per-client investment.

You can make this argument for literally every business, though. Which business does not have a single pool of resources and multiple clients to consume them?

The majority of factories. They get an order in and produce the product until that order is fulfilled. They don’t have to be running 24/7, it is just that that is the most profitable.

But if you stick to your “analogy”, a factory also chooses who their customers are. And if some are too demanding, they just drop them. Like the casinos.

OK, sorry. Digital services businesses.

Also, once factories have machines etc., they might prioritize one customer over another, but I doubt they decide a customer is not profitable. In fact, digital businesses don’t have by design the problems posed by the physical world, and this is especially true in b2c businesses…

Comparing Cloudflare to insurance companies is not how you’ll convince me they’re not acting like jerks lol

I don’t want TP convince anyone they are not like jerks, but rather highlight why a corporation would do something like this to a (most likely) lucrative client.

It’s not that they got DDoSed, it’s that unregulated off-shore gambling is illegal in many countries, so their IP addresses were getting blocked in these countries. The way CDNs like CloudFlare work is that many customers share the IP addresses, so they were getting other CloudFlare customers blocked as well.

CF wanted them to move to a “bring your own IP” plan so that their IP blocks wouldn’t affect other customers, and that came with the steep price tag.

That’s not what OC mentioned, which is what I was answering to. They mentioned the logic that getting DDoS made them unprofitable customers, I questioned it.

I perfectly understand the issue. If cloudflare was getting their IP blocked in countries where the casino was dodging regulations, they should have simply written that, and forced the customer to block traffic from those countries. The BYOIP is not the only way to solve it. Imperva forced the website i worked for to block Russia (which was not a market we were operating in) to prevent their IPs being blocked in Russia, for example. They didn’t bring it up as an option somehow, and that gives to this an extortion vibe.

I think they are only “very regulated” if they are based in certain western countries?

I used to hear a bunch of stories about issues getting payouts.

It doesn’t matter where you are based (as a company, if this is what you meant), it matters where you operate, and lots of countries are regulated (not only Western - which in many cases are not, incl. many US states). There are basically three types of markets: regulated, gray (not regulated, not forbidden) and black (forbidden). Different companies operate in different markets, depending on their strategy (and level of shadiness). Payment processing (deposits & payouts) is done using external providers (as many as possible to serve different countries), and there are quite a lot of regulations regarding money laundering, politically exposed people and so on that they have to comply with, both for gambling regulations and international laws (e.g., European laws are quite strict when it comes to AML).

Obviously you may have customers from a regulated country without “operating” there, which means advertising, offering the site in their language, etc. But, when you withdraw money identity verification is necessary, and companies can be fined (or worse) if they willingly retain customers from regulated markets without the local license.

So yeah, there are companies that do shady stuff, but mostly it depends on country regulations. The company I worked for targeted Nordic Europe (mix of gray and regulated markets) and South America (mostly gray markets, on the way to be regulated), for example. Usually gaming authorities are quite keen in collecting their taxes, so they tend to be quite active in pursuing those who violate their regulations (like if you decide to operate where you can’t).

That wasn’t it, Cloudflare didn’t like the way the casino was using Cloudflare’s IPs, since they were getting banned in multiple countries.

Cloudflare only offers byoIP as part of a business package, and that comes with extortionate pricing.

Where does online sports “betting” fit into this meme? Genuine ask because I have no experience or awareness of online casinos. Thanks.

They usually go hand in hand.

Generally if it’s connected to gambling there’s scummy stuff going on.

That was number 13. Online casinos.

whenever websites break, you can see cloudflare, and also online casinos!

Fuck CloudFlare – I don’t like monopolies or monopolike.

What’s the problem with CloudFlare? They’re trying to make a profit, and so in the long run are the same as anybody, but every interaction I’ve had with them recently has left me impressed.

Edit: The answer is that the way their thing works nullifies HTTPS.

Schadrach
link
fedilink
English
37M

What’s the problem with CloudFlare?

So far, not much other than being “too” content neutral for a lot of people. They have potential to be immensely horrible whenever they decide to engage in enshittification to maximize profits.

Apparently they also strip encryption off and see everything, too.

Schadrach
link
fedilink
English
27M

They see everything because they have to for some of the services they offer which gives them a huge potential to do terrible things that they have not actually pursued yet to date, hence the “so far” in my comment.

No terrible visible things, at least. God knows how much data they’ve hoovered up.

Schadrach
link
fedilink
English
37M

True. But that just falls back on the “not yet” part of things. They’re likely sitting on a massively valuable pile of user data and when they get greedy enough it’s going to be ugly.

they’re called crimeflare for a reason. besides being a government goldmine having access to everyone’s encrypted TLS traffic, they selectively enforce censorship in unethical ways.

why block kiwifarms when you still allow hosting monkey torture sites? or sites for sourcing bathtub HRT secretly sent to minors? they shouldn’t be policing the internet in the first place. this is dangerously close to invalidating Section 230 protections as well.

there’s so many more reasons it’s not even funny.

Dessalines
link
fedilink
37M

They’re a giant middleman getting everything you put into html forms unencrypted.

That includes all your usernames, passwords, and everything you submit via text boxes. Do not trust any site that uses cloudflare.

Oh hey, thanks for Lemmy!

Yeah, I’m a bit horrified to learn that Cloudflare is the crytographic endpoint for clients. I’m wondering how much stuff I’ve let them see while unaware now.

Y’know, because obviously nobody would voluntarily sign up for this kind of security bad practice. /s

Dessalines
link
fedilink
27M

No probs! Yeah it’s wild that a lot of people not only using cloudflare sites, but also running them, don’t seem to mind that cloudflare is hoovering up everything.

This is such a Lemmy take, good god.

“Cloudflare has been around for over a decade and doesn’t do anything nefarious with my data and have never shown any intention of doing so… but, consider this for a moment… what if they DID?”

This is such a Lemmy take

What makes it funnier is that he’s one of the main Lemmy devs lol

Dessalines
link
fedilink
27M

Trusting US corporations by default rule

NGL I’m struggling to follow that image, do you have a higher res version or an explanation if you don’t mind?

Dessalines
link
fedilink
5
edit-2
7M

Cloudflare has been around for over a decade and doesn’t do anything nefarious with my data and have never shown any intention of doing so

Citation needed.

Oops, I’ve got a citation for you.

https://blog.cloudflare.com/cloudflare-prism-secure-ciphers

I know the response will be what you already said in a previous comment about companies saying “trust us bro” so I’ll take the L on this one.

Dessalines
link
fedilink
57M

Appreciate the humility, thx.

Oh yeah I’ll do a full research next time I enter a web page to see who hosts it. If it’s by Amazon or Microsoft I’ll give green light.

Dessalines
link
fedilink
17M

None of the above is easily possible, a lot of us do it.

  1. They seem to hate my devices. Lots of captchas.
  2. They seem to hate when people bypass their country’s censorship. Using sites behind cloudflare through tor is pain without end.

They’ve gotten a lot better over Tor - that’s the main thing I’m thinking of, actually. I used to give up most of the time when captcha’d, but now with the JavaScript based verification I pretty much always can get in, even on mobile.

Most providers don’t give a shit about Tor, or actively try to block it. They actually went out of their way to make it easier.

I get so many cloudflare captchas browsing on Firefox. They mostly go away when I change my user agent string to Chrome. Making the Internet more hostile for a particular group of users is pretty shitty behavior in my book.

I use Firefox and can’t remember the last time I got a cloudflare captcha

Remember when google was beloved by everyone back then when they’re still have “don’t be evil” motto? Cloudflare right now is like google back then: super useful, provides a lot of free services that would be expensive on other providers. But unlike google, if cloudflare go full evil in the future, the impact will be much larger because they’re an mitm proxy capable of seeing unencrypted traffics across all websites under their wing. Right now they’re serving ~30% of top 10,000 websites and growing.

Oh, okay, so I’m not wrong that they’re good right now.

I’m a little unclear on how it works. Do they strip off HTTPS somehow? Otherwise, there’s not too much unencrypted traffic around anymore.

One of the services they provide is free SSL certificates. As part of that, they have the private key to decrypt the traffic. They aren’t trying to hide that— this is true of any service that hosts the SSL cert for your site.

Man, I thought we were done with this shit when HTTPS became standard.

With what? HTTPS has to terminate the encryption somewhere and that place has to have the private key to do so.

CloudFlare is providing the same service here as all other hosts of HTTPS websites do.

Well, depends. If it’s hosted on AWS and HTTPS terminates there like it’s supposed to, Amazon could look inside, but a human being would have to personally hack your container and extract the data, so that’s a bit better. If it’s something more like Wix, though, sure. (Is Wix still a thing?)

If you use the AWS load balancer product or their certificates, they have access to the private key, regardless of whether you forward traffic from the LB to the container over HTTPS or not.

If you terminate the SSL with your own certificate yourself, Amazon still installs the SSM agent by default on Linux boxes. That runs as root and they control it.

If you disable the SSM agent and terminate SSL within Linux boxes you control at AWS, then I don’t think they can access inside your host as long as you are using encrypted EBS volumes encrypted with your key.

Does that mean it wouldn’t be an issue if you bring an SSL cert from say ZeroSSL but use Cloudflare for DNS, caching, DDoS protection etc?

It’s not who issues the cert that matters, it is who hosts it. Hosting it includes having the private key. You always have to trust your website host, full stop.

For DNS and DDoS protection that wouldn’t directly be an issue.

For caching it would be breaking. You cannot cache what you cannot read (encrypted traffic can only be cached by the decrypting party).

Do they strip off HTTPS somehow?

Well yes, how else they can provide their services such as page caching, image optimizing, email address obfuscation, js minifications, ddos mitigation, etc unless they can see all data flowing between your server and your visitors in the clear?

Cloudflare is basically an MITM proxy. This blog post might be helpful if you want to know how mitm proxy works in general: https://vinodpattanshetti49.medium.com/how-the-mitm-proxy-works-8a329cc53fb

Jesus Christ, I didn’t realise.

Dessalines
link
fedilink
3
edit-2
7M

You have no proof that they’re “good right now”. The big five corporations were forwarding data to the NSA for years before the surveillance leaks exposed them.

Your privacy default should not be to trust an MITM, ever.

Dessalines
link
fedilink
67M

There’s no proof they aren’t doing anything nefarious with that data right now, other than company statements saying, “trust us”.

People default to trusting giant corporations first it seems.

@Crashumbc@lemmy.world
link
fedilink
English
17M

Their a corporation, at best they’re baby Hitler…

Dessalines
link
fedilink
27M

I’m not sure if this is ironic bc I’ve been exposed to too many irony-poisoned comments lately, but cloudflare exists to profit off your data. They’re not there to help you, your data and its trends are the product.

RIP your inbox. Enjoy a whole lot of self-righteous lectures in business ethics.

They are the world’s largest MITM as a service.

Create a post

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

  • Posts must be relevant to programming, programmers, or computer science.
  • No NSFW content.
  • Jokes must be in good taste. No hate speech, bigotry, etc.
  • 1 user online
  • 122 users / day
  • 145 users / week
  • 522 users / month
  • 2.5K users / 6 months
  • 1 subscriber
  • 1.6K Posts
  • 35.6K Comments
  • Modlog