Post subject: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 18 Mar 2021, 11:31
Absolute fan (teddanson; Joined: 16 Nov 2018, 14:21; Posts: 1570; Location: New Delaware)
Just a question that's been circling my noggin' for a while and I thought to ask. Is the site GDPR and PCI DSS compliant? I guess in terms of pseudonymisation and PII and all the rest of it I'm asking: are database entries given the salt and pepper treatment and so on?

I imagine a SAR request would yield little given we all use usernames/pseudonyms and so on. But is financial and PII data looked after and how? Understood if the answer needs to be somewhat coy in terms of protecting the integrity of the site. I'm just curious more than anything. :thumbup:
_________________
Blog: The Coterie / L'boxd: Diary
Pioneer CLD-R7G, CLD-D925 | Yamaha APD-2 | DVDO Edge, VP50 Pro
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 18 Mar 2021, 13:41
Jedi Knight (signofzeta; Joined: 14 Jan 2010, 09:44; Posts: 5968; Location: Ann Arbor)
...what?
_________________
All about LD care, inner sleeves, shrink wrap, etc.

https://youtu.be/b3O-vHpHRpM
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 18 Mar 2021, 16:15
Site Admin (admin, Julien; Joined: 07 Aug 2002, 23:37; Posts: 4540; Location: Tokyo)
teddanson wrote:
GDPR / PCI DSS / pseudonymisation / PII / salt / SAR

Since you seem to know what these words mean, could you enlighten us?

I have a cookie validation popup (yearly), a Privacy section, passwords are salted and hashed one-way, and accounts are deleted when someone requests it. I do not have financial information such as CC numbers or other Government IDs, etc. It's REALLY simple and minimalist.

What else is needed?

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
LDD-1 MSC-4000 R2144 PONTUS II C45 MC257
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 18 Mar 2021, 17:26
Absolute fan (teddanson; Joined: 16 Nov 2018, 14:21; Posts: 1570; Location: New Delaware)
admin wrote:
teddanson wrote:
GDPR / PCI DSS / pseudonymisation / PII / salt / SAR

Since you seem to know what these words mean, could you enlighten us?

No offence intended. I wasn't being pedantic, I'm just curious how it's managed with regard to the storefront, and thanks for the insight. From what you've said it's a tight ship, that was never in doubt! :thumbup:

For anyone unfamiliar with the acronyms I'm referring to, hopefully this helps:

GDPR: General Data Protection Regulation. More information here: https://gdpr.eu/

PCI DSS: Refers to data security standards around payment methods.

pseudonymisation: Is data, more specifically personal data, if any, able to be linked to a user, or is the data randomised/encrypted/pseudonymised etc.? More of a GDPR thing but also security.

PII: Personally identifiable information, e.g. name, address, date of birth etc.

salt/pepper: Refers to data that's appended to existing data, e.g. in databases, such as adding data to a password before it is hashed, for example.

SAR: Subject access request. Requesting your data from an organisation.
_________________
Blog: The Coterie / L'boxd: Diary
Pioneer CLD-R7G, CLD-D925 | Yamaha APD-2 | DVDO Edge, VP50 Pro
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 18 Mar 2021, 17:35
Jedi Knight (signofzeta; Joined: 14 Jan 2010, 09:44; Posts: 5968; Location: Ann Arbor)
I seriously thought you made that stuff up. Never in my life have I read a forum post with so many terms totally unknown to me. Reading it again...still looks like a gag, but there don’t seem to be any jokes.
_________________
All about LD care, inner sleeves, shrink wrap, etc.

https://youtu.be/b3O-vHpHRpM
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 18 Mar 2021, 17:37
Absolute fan (teddanson; Joined: 16 Nov 2018, 14:21; Posts: 1570; Location: New Delaware)
signofzeta wrote:
I seriously thought you made that stuff up. Never in my life have I read a forum post with so many terms totally unknown to me. Reading it again...still looks like a gag, but there don’t seem to be any jokes.

Ah no, not my intention at all. My explanation of each acronym is a little brief, apologies, I just knocked it up quick and dirty. Legitimate questions and no offence intended to anyone. :thumbup:
_________________
Blog: The Coterie / L'boxd: Diary
Pioneer CLD-R7G, CLD-D925 | Yamaha APD-2 | DVDO Edge, VP50 Pro
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 19 Mar 2021, 02:13
Hardcore fan (cplusplus; Joined: 13 Aug 2018, 03:18; Posts: 1512)
My main concern is if LDDB will be containerized so we can scale it in k8s for the day that thousands of concurrent users arrive! :ugeek:
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 19 Mar 2021, 02:45
Site Admin (admin, Julien; Joined: 07 Aug 2002, 23:37; Posts: 4540; Location: Tokyo)
Extra details:

Since the website is nearly 20 years old, I've had my share of learning about the "bad guys" out there.

0/ Up-to-date Debian 10 / recent kernel
SPECTRE, MELTDOWN and ZombieLoad mitigated: The latest CPU bug headache: ZombieLoad

1/ China and Iran IPs are constantly blocked.

Too many hack attempts.

2/ TOR exit nodes are blocked.

I don't like anonymous hacking.

You can see on https://banhammer.lddb.com/ that the world spam/hack center is Brazil these days.
But we do have some good members from Brazil, can't block the whole country.

3/ I had the database crash twice in the past. One time was recoverable, the 2nd time was not.

Now I backup EVERYTHING daily in a distant storage + log every modifying SQL query in a local text file. In theory we can at most lose 24h if everything burns down -- like it happened to many websites at OVH Strasbourg last week.

4/ Also had a successful SQL injection hack in... 2014? They found a way to access the passwords stored in the database but quickly realized they were hashed+salted and gave up. Then they checked my sister's eShop database and found the Credit Card table empty and completely gave up.

Another successful hack (well, more of a cache poisoning) fixed here: HACK ATTEMPT on LDDb.com

Since then, anything resembling a SQL statement in an HTTP query will get you banned for 1 month.
Trying again will block you for 12 months.

Same for trying to get SMTP or IMAP account passwords.

5/ I follow reports like https://www.openbugbounty.org/reports/1566947/
As far as I can tell, I fixed all the bugs but the website is not updating to reflect that.

6/ No more usernames with @ that are actually the account email address

7/ No more disclosing the seller's address in a buying transaction notice

8/ Accessing 2 non-existing (404) pages in a row will block you for a while. All internal links are valid, you should never click on a bad one unless you modified something manually.

9/ I have a special welcome message for script kiddies running automated attacks with popular script bundles.

If you think about something else, I'm interested!

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
LDD-1 MSC-4000 R2144 PONTUS II C45 MC257
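Two of the rules Julien lists above (a SQL-looking request earns a 1-month ban, a repeat 12 months; two 404s in a row earn a temporary block) can be checked straight from the Apache access log. The following scanner is an added example, not LDDb's own code: the log lines, the documentation-range IPs and the SQL signature list are all constructed assumptions, and the "two consecutive 404s" rule is deliberately reset by any successful hit so an ordinary member who follows one stale link is never caught.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample traffic in Apache "combined" format; documentation-range IPs, not real visitors.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2021:02:10:01 +0900] "GET /list.php?id=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Mar/2021:02:10:03 +0900] "GET /list.php?id=123%27%20UNION%20SELECT%20password%20FROM%20users-- HTTP/1.1" 200 812 "-" "scanner/1.0"
203.0.113.5 - - [19/Mar/2021:02:10:04 +0900] "GET /list.php?id=1%20or%201%3D1 HTTP/1.1" 200 812 "-" "scanner/1.0"
198.51.100.7 - - [19/Mar/2021:02:11:10 +0900] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Mar/2021:02:11:11 +0900] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Mar/2021:02:12:05 +0900] "GET /oldlink HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Mar/2021:02:12:09 +0900] "GET /title/1235 HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, request path and status code are all we need here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumed signature list: fragments that look like a SQL statement smuggled into a URL.
SQL_RE = re.compile(r"union\s+(all\s+)?select|information_schema|\bor\s+1\s*=\s*1\b|sleep\s*\(|benchmark\s*\(", re.IGNORECASE)

def looks_like_sql(path):
    """Percent-decode first, so UNION%20SELECT is inspected as 'UNION SELECT'."""
    return bool(SQL_RE.search(unquote_plus(path)))

def ban_length(strikes):
    """Escalation as described in the thread: first offence 1 month, any repeat 12 months."""
    return "1 month" if strikes == 1 else "12 months"

def scan(log_text):
    """Return (ip, reason, action) tuples; a normal user's single bad link never triggers anything."""
    sql_strikes = defaultdict(int)      # per-IP count of SQL-looking requests
    consecutive_404 = defaultdict(int)  # per-IP run of 404s, reset by any non-404 hit
    verdicts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m["ip"], m["path"], m["status"]
        if looks_like_sql(path):
            sql_strikes[ip] += 1
            verdicts.append((ip, "sql", ban_length(sql_strikes[ip])))
        if status == "404":
            consecutive_404[ip] += 1
            if consecutive_404[ip] >= 2:
                verdicts.append((ip, "404x2", "temporary block"))
                consecutive_404[ip] = 0
        else:
            consecutive_404[ip] = 0
    return verdicts
```

Calling scan(SAMPLE_LOG) flags 203.0.113.5 twice (1 month, then 12 months) and 198.51.100.7 once for the 404 pair, while 192.0.2.9 is left alone.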
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 19 Mar 2021, 03:40
Hardcore fan (cplusplus; Joined: 13 Aug 2018, 03:18; Posts: 1512)
admin wrote:
If you think about something else, I'm interested!

Keeping all of your packages up to date on Debian stable can proactively mitigate a good chunk. Keep up to date on release notes for stuff you installed outside of the package manager.

Sanitization everywhere, but still use prepared statements with user input.

Glaring logs in parts of the code where funny business can happen.
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 19 Mar 2021, 03:55
Site Admin (admin, Julien; Joined: 07 Aug 2002, 23:37; Posts: 4540; Location: Tokyo)
cplusplus wrote:
Keeping all of your packages up to date on Debian stable can proactively mitigate a good chunk. Keep up to date on release notes for stuff you installed outside of the package manager.

My only weakness is still running on PHP 5.6, because moving to PHP 7 breaks down a LOT of things.
The code base started on PHP 4!

It's the next code upgrade I need to work on.

cplusplus wrote:
Sanitization everywhere, but still use prepared statements with user input.

I learnt that the hard way... Fixed a lot of issues there.
But they need to try many permutations before finding anything useful.
99.99% of the time the weird URLs will get them banned right away.

cplusplus wrote:
Glaring logs in parts of the code where funny business can happen.

Fail2ban (instant email notification to me) and Apache logs (keeping 4 weeks' worth) take care of that :-)

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
LDD-1 MSC-4000 R2144 PONTUS II C45 MC257
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 19 Mar 2021, 21:03
Absolute fan (teddanson; Joined: 16 Nov 2018, 14:21; Posts: 1570; Location: New Delaware)
Is it possible to enable MFA on logins? Even perhaps as a voluntary setting?
_________________
Blog: The Coterie / L'boxd: Diary
Pioneer CLD-R7G, CLD-D925 | Yamaha APD-2 | DVDO Edge, VP50 Pro
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 19 Mar 2021, 21:59
Hardcore fan (cplusplus; Joined: 13 Aug 2018, 03:18; Posts: 1512)
admin wrote:
My only weakness is still running on PHP 5.6, because moving to PHP 7 breaks down a LOT of things.

Yeah, a good chunk of the internet is still on PHP 5.

I'm not sure if you have looked at something like https://github.com/sstalle/php7cc
It is deprecated, but the other go-to scanners require PHP 7.

PhpStorm is nice too, but expensive. You might be able to get everything done within the 30-day trial, though. I think it has a migration tool or inspector. It also helps you see stuff like "variable used but not declared" (PHP insanity, and I don't mean "variable declared but not used"!)
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 20 Mar 2021, 13:46
Shows curiosity (Joined: 02 Aug 2011, 14:37; Posts: 21; Location: Finland)
In the spirit of GDPR, I would like to see an option to reject third-party cookies, including Google Analytics.
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 20 Mar 2021, 15:38
Hardcore fan (cplusplus; Joined: 13 Aug 2018, 03:18; Posts: 1512)
It is good to set that at the browser level.
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
PostPosted: 20 Mar 2021, 21:36
Shows curiosity (Joined: 02 Aug 2011, 14:37; Posts: 21; Location: Finland)
That is what I prefer to do also, but many times there is a need to access the site from a new device or browser, and finding the correct settings is unfeasible.