🇮🇹 🇪🇪 🖥

  • 0 Posts
  • 76 Comments
Joined 9 months ago
Cake day: March 19th, 2024

  • I like the idea of canaries in documents, I think it is a good point, but obviously it only applies to certain types of data. Still a good idea.

    Looking at OP, they seem to be a small shop with a limited budget. Seriously, the best recommendation I think is to use some kind of remote storage for data (works as long as the employee complies) and to make sure the access control is done in a decent way (reducing the blast radius of an employee behaving maliciously). Anything else is probably out of reach for a small company without a security department.

    Maybe I sounded too harsh, that’s just because in this post I have seen all kinds of comments that completely missed the point (IMHO) and suggested super complicated technical implementations that show how disconnected some people can be from real technical operations, despite their good tech skills.


  • DLP solutions are honestly a joke. In 99% of cases they only cost you a fortune and prevent nothing. DLP is literally a corporate religion.

    What you mentioned also makes sense if you are a Windows shop running AD. If you are not, setting it up to lock 1 workstation is insane.

    Also, the moment the data gets put on the workstation you have failed. Blocking USB is still a good idea, but does very little (network exfiltration is trivial, including with DLP solutions). So the idea of using a machine remotely is a decent control, and all efforts and resources should be put in place to prevent data leaving that machine. Obviously even this is imperfect, because if I can see the data on my screen I can take a picture and OCR it. So the effort needs to go into ensuring the data is accessed on a need basis.


  • Jamf doesn’t do anything for this problem, besides costing you a fortune in both license and maintenance/operation. Especially if you are not a Mac shop.

    MDM at most can be used as a reactive tool to do something on the machine - as long as the one with the machine in their hand leaves the network connection on.

    There are much cheaper solutions to do that for 1 machine, and, as others correctly pointed out, the only (partial) solution here is not storing the data on a machine you don’t control. Period.


  • Your ability to SSH into the machine depends on the network connectivity. Knowing the IP does nothing if the SSH port is not forwarded by the router or if you don’t establish a reverse tunnel yourself with a public host. As a company you can make changes to the client device, but you can’t make them on the employee’s network (and they might not even be connected there). So the only option is to have the machine establish a reverse tunnel, and this removes even the need for dynamic DNS (which also might not work with certain ISPs).

    The no-sudo setup is also easier said than done: that means you will need to assist every time the employee needs a new package installed, you need to set up unattended upgrades and of course help with debugging should something break. Depending on the job type, this might be possible.

    I still think this approach (lock laptop) is an old, ineffective approach (vs zero-trust + remote data).


  • This is honestly an extremely expensive (in terms of skills, maintenance, chance of messing up) solution for a small shop that doesn’t mitigate the threats posed at all.

    You said it correctly: the employee has the final word on what happens to the data appearing on their screen. Especially in the case of client data (i.e., few and sensitive pieces of data), it might even be possible to take pictures of the screen (or type it manually), and all the time invested in (imperfect) solutions to restrict drives and network (essentially impossible unless you have a whitelist of IPs/URLs) goes out the window too.

    To me it seems this problem is simply approached from the wrong angle: once the data is on a machine you don’t trust, it’s gone. It’s not just the employee, it’s anybody who compromises that workstation or accesses it while left unlocked. The only approach to solving the issue OP is having is simply avoiding storing the data on the machine in the first place, and making sure that the access is only to the data actually needed.

    Data should be stored in the company-controlled infrastructure (be it cloud storage, object storage, a privileged-access workstation, etc.) and controls should be applied there (i.e., monitoring for data transfers, network controls, etc.). This solves both the availability concerns (what if the laptop gets stolen, or breaks) and some of the security concerns. The employee will need to authenticate each time with a short-lived token to access the data, which means revoking access is also easy.

    This still does not solve the fundamental problem: if the employee can see the data, they can take it. There is nothing that can be done about this, besides ensuring that the data is minimised and the employee has only access to what’s strictly needed.


  • I am not a fan of some of his ideas either, especially the ones tending towards libertarianism. Some other ideas instead are quite decent, like how he thinks companies should give back to the community. He also built a tech company without VC funding and with a good share of ownership for workers (which I think is nice), without any marketing (which I despise as an industry) and generally without the predatory nature that 98% of tech companies have nowadays.

    I am sure you are referring to the Brave debacle of some months back, and FWIW, I agree with his position on that particular issue. Anyway, considering that I have no idea about the positions of the CEOs/founders of the alternatives, I think it’s still a very worthy compromise to have a good product (incl. non-functional qualities like privacy, ecological impact, etc.).


  • Yes, colonial mindset refers to the refusal to accept other cultural backgrounds and cultural lenses, possibly due to an inherent belief that your own is superior or absolutely correct. This is not so uncommon in people coming from an imperial and hegemonic culture (like the US). Edit: the colonial nature is evident from the fact that such a position translates to the desire/pretense to impose a specific cultural lens or perspective even on facts, discussions, etc. that belong to completely different contexts. The same attitude that colonizers have over the colonized.

    I have already discussed the merits of the conversation, you refused to elaborate your thought in any way and you are limiting yourself to meta-comments that do not add anything to the conversation. In fact, you wasted several replies not saying anything but implying that your opinion is self-evident, which is a consistent symptom of that colonial mindset I was talking about.

    You have been provided with a different, context-aware interpretation and you refused to engage with it at all, including challenging it, because anything different from your own is automatically wrong and not deserving even of consideration. In fact you are still stuck on “racism against black people and indigenous people”, which means you didn’t even take into consideration that your interpretation of something happening in a cultural context you don’t understand might be wrong. Of course you also refused to elaborate on the way this is racist, or better, you did in another comment in this post with an explanation that has to do with how racial stereotypes have historically been used to discard the opinions of minorities, which, while being true, doesn’t apply at all to this particular event and in general is quite tangential in Italian history, due to a completely different history compared to that of the US, especially when it comes to indigenous people.

    So yeah, all in all I think you are showing a classic colonial mindset. Quite common in internet spaces where US culture is dominant, if it is of any consolation.