LaserDisc Database
https://forum.lddb.com/

Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?
https://forum.lddb.com/viewtopic.php?f=8&t=9708
Page 1 of 1

Author:  teddanson [ 18 Mar 2021, 11:31 ]
Post subject:  Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

Just a question that's circling my noggin' for a while and thought to ask. Is the site GDPR and PCI DSS compliant? I guess in terms of pseudonymisation and PII and all the rest of it I'm asking are database entries given the salt and pepper treatment and so on.

I imagine a SAR request would yield little given we all use usernames/pseudonyms and so on. But is financial and PII data looked after and how? Understood if the answer needs to be somewhat coy in terms of protecting the integrity of the site. I'm just curious more than anything. :thumbup:

Author:  signofzeta [ 18 Mar 2021, 13:41 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

...what?

Author:  admin [ 18 Mar 2021, 16:15 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

teddanson wrote:
GDPR / PCI DSS / pseudonymisation / PII / salt / SAR


Since you seem to know what these words mean, could you enlighten us?

I have a cookie validation popup (yearly), a Privacy section, passwords are salted and hashed one-way, and accounts are deleted when someone requests it. I do not have financial information such as CC numbers or other Government IDs, etc. It's REALLY simple and minimalist.

What else is needed?

Julien

Author:  teddanson [ 18 Mar 2021, 17:26 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

admin wrote:
teddanson wrote:
GDPR / PCI DSS / pseudonymisation / PII / salt / SAR


Since you seem to know what these words mean, could you enlighten us?


No offence intended. I wasn't being pedantic, I'm just curious how it's managed with regard to the storefront, and thanks for the insight. From what you've said it's a tight ship, that was never in doubt! :thumbup:

For anyone unfamiliar with the acronyms I'm referring to, hopefully this helps:

GDPR: General Data Protection Regulation. More information here: https://gdpr.eu/

PCI DSS: Refers to data security standards around payment methods.

pseudonymisation: Is data, more specifically personal data, if any, able to be linked to a user, or is the data randomised/encrypted/pseudonymised etc.? More of a GDPR thing but also security.

PII: Personally identifiable information, e.g. name, address, date of birth etc.

salt/pepper: Refers to data that's appended to existing data, e.g. databases, and adding data to a password that has been hashed, for example.

SAR: Subject access request. Requesting your data from an organisation.
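To put the admin's "salted and hashed one-way" (above) and the salt/pepper gloss in this post into running code, here is an added example. It is not LDDB's code and the thread does not say which algorithm or record format the site uses; the scrypt parameters, the record layout "scrypt$n$r$p$salt$hash", the demo pepper value and the HMAC-with-pepper step are all assumptions made for the example.

```python
"""Added example (not LDDB's code): one-way password storage with a per-user random
salt stored next to the hash, and a server-side pepper that never touches the database.

Assumptions (not from the thread): scrypt with the cost parameters below, a 16-byte salt,
a record format "scrypt$n$r$p$salt-hex$hash-hex", and a pepper loaded from outside the DB.
"""
import hashlib
import hmac
import os

# Constructed pepper for the demo. In production it lives in the environment or a secrets
# store, so a dump of the users table (e.g. via SQL injection) does not include it.
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

N, R, P = 2 ** 14, 8, 1   # assumed scrypt cost parameters; tune to the server's hardware
SALT_BYTES = 16
DKLEN = 32


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # The pepper is applied with HMAC before the slow hash, so the KDF input depends on a
    # secret that is not in the database. The salt is per-user and random; it only has to
    # be unique so that two users with the same password get different hashes.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.scrypt(peppered, salt=salt, n=n, r=r, p=p,
                          dklen=DKLEN, maxmem=64 * 1024 * 1024)


def hash_password(password: str) -> str:
    """Return the record to store in the users table (salt and parameters travel with it)."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, N, R, P)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        # Malformed record: wrong field count, bad hex, or non-integer parameter.
        return False
    actual = _derive(password, salt, n, r, p)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong password", record))
```

Two things the block shows that the acronym list alone does not: the same password hashed twice yields two different records (that is the salt doing its job against precomputed tables), and verification never compares the plaintext to anything, only hash to hash. Storing n/r/p inside the record is what lets you raise the cost later and rehash users on their next login.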

Author:  signofzeta [ 18 Mar 2021, 17:35 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

I seriously thought you made that stuff up. Never in my life have I read a forum post with so many terms totally unknown to me. Reading it again...still looks like a gag, but there don’t seem to be any jokes.

Author:  teddanson [ 18 Mar 2021, 17:37 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

signofzeta wrote:
I seriously thought you made that stuff up. Never in my life have I read a forum post with so many terms totally unknown to me. Reading it again...still looks like a gag, but there don’t seem to be any jokes.


Ah no, not my intention at all. My explanation of each acronym is a little brief; apologies, I just knocked it up quick and dirty. Legitimate questions and no offence intended to anyone. :thumbup:

Author:  cplusplus [ 19 Mar 2021, 02:13 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

My main concern is if LDDB will be containerized so we can scale it in k8s for the day that thousands of concurrent users arrive! :ugeek:

Author:  admin [ 19 Mar 2021, 02:45 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

Extra details:

Since the website is nearly 20 years old, I had my share of learning about the "bad guys" out there.

0/ Up to date Debian 10/recent kernel
SPECTRE, MELTDOWN and ZombieLoad mitigated: The latest CPU bug headache: ZombieLoad

1/ China and Iran IPs are constantly blocked.

Too many hack attempts.

2/ TOR exit nodes are blocked.

I don't like anonymous hacking.

You can see on https://banhammer.lddb.com/ that the world spam/hack center is Brazil these days.
But we do have some good members from Brazil, can't block the whole country.

3/ I had the database crash twice in the past. One time was recoverable, the 2nd time was not.

Now I backup EVERYTHING daily in a distant storage + log every modifying SQL query in a local text file. In theory we can at most lose 24h if everything burns down -- as happened to many websites at OVH Strasbourg last week.

4/ Also had a successful SQL injection hack in... 2014? They found a way to access the passwords stored in the database but quickly realized they were hashed+salted and gave up. Then they checked my sister's eShop database and found the Credit Card table empty and completely gave up.

Another successful hack (well, more of a cache poisoning) fixed here: HACK ATTEMPT on LDDb.com

Since then, anything resembling a SQL statement in a HTTP query will get you banned for 1 month.
Trying again will block you for 12 months.

Same for trying to get SMTP or IMAP account passwords.

5/ I follow reports like https://www.openbugbounty.org/reports/1566947/
As far as I can tell, I fixed all the bugs but the website is not updating to reflect that.

6/ No more usernames with @ that are actually the account email address

7/ No more disclosing the seller's address in a buying transaction notice

8/ Accessing 2 non-existing (404) pages in a row will block you for a while. All internal links are valid, you should never click on a bad one unless you modified something manually.

9/ I have a special welcome message for script kiddies running automated attacks with popular script bundles.

If you think about something else, I'm interested!

Julien

Author:  cplusplus [ 19 Mar 2021, 03:40 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

admin wrote:
If you think about something else, I'm interested!

Keeping all of your packages up to date on Debian stable can proactively mitigate a good chunk. Keep up to date on release notes for stuff you installed outside of the package manager.

Sanitization everywhere, but still use prepared statements with user input.

Glaring logs in parts of the code where funny business can happen.
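As an added example of the "still use prepared statements with user input" point (and of the kind of lookup the 2014 injection the admin describes would have gone through), here is the same username lookup done both ways against an in-memory SQLite table. This is not LDDB's code; the table, the rows, the column names and the two payloads are constructed for the demo, and SQLite stands in for whatever database the site actually runs.

```python
"""Added example (not LDDB's code): string-concatenated SQL versus a prepared statement.

Everything here is constructed: a three-row users table with a hashed+salted password
column (as the site describes), and two classic payloads. The point is that sanitising
helps, but parameter binding is what keeps user input out of the statement's syntax.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    con.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("julien", "scrypt$demo$a1"), ("teddanson", "scrypt$demo$b2"),
         ("signofzeta", "scrypt$demo$c3")],
    )
    return con


def lookup_concat(con: sqlite3.Connection, username: str) -> list:
    # VULNERABLE on purpose: the input is spliced into the SQL text, so quotes in it
    # end the literal and the rest is parsed as SQL.
    sql = "SELECT username, pw_hash FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchall()


def lookup_prepared(con: sqlite3.Connection, username: str) -> list:
    # SAFE: the value is bound as a parameter; it can only ever be compared as data,
    # whatever quotes, keywords or comment markers it contains.
    return con.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed payloads: a tautology, and a UNION that reads the hash column outright
# (the "found a way to access the passwords" scenario from the thread).
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, pw_hash FROM users --"


def compare(con: sqlite3.Connection, payload: str) -> tuple:
    """Row counts returned by the vulnerable and the prepared lookup for one input."""
    return len(lookup_concat(con, payload)), len(lookup_prepared(con, payload))


if __name__ == "__main__":
    db = make_db()
    for p in ("julien", TAUTOLOGY, UNION_DUMP):
        concat_rows, prepared_rows = compare(db, p)
        print(f"{p!r:55} concat={concat_rows} prepared={prepared_rows}")
```

For the legitimate username both paths return one row; for either payload the concatenated query hands back all three hashes while the prepared statement returns nothing, because it is looking for a user literally named "x' OR '1'='1". Note that the sqlite3 module refuses to run two statements in one call, so a "; DROP TABLE" payload would raise rather than execute here; drivers for other databases are not all that strict, which is one more reason not to rely on the driver.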

Author:  admin [ 19 Mar 2021, 03:55 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

cplusplus wrote:
Keeping all of your packages up to date on Debian stable can proactively mitigate a good chunk. Keep up to date on release notes for stuff you installed outside of the package manager.


My only weakness is to be still running on PHP5.6 because moving to PHP7 breaks down a LOT of things.
The code base started on PHP4!

It's the next code upgrade I need to work on.

cplusplus wrote:
Sanitization everywhere, but still use prepared statements with user input.


I learnt that the hard way... Fixed a lot of issues there.
But they need to try many permutations before finding anything useful.
99.99% of the time the weird URLs will get them banned right away.

cplusplus wrote:
Glaring logs in parts of the code where funny business can happen.


Fail2ban (instant email notification to me) and Apache logs (keeping 4 weeks' worth) take care of that :-)

Julien
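As an added example of the banning rules the admin lists (SQL-looking requests: 1 month, then 12 months; two 404s in a row: blocked for a while) applied to the Apache logs that fail2ban watches, here is a small scanner over constructed combined-format log lines. It is not LDDB's or fail2ban's code; the log lines, the regexes, the "two 404s" window and the concrete ban lengths (30 days, 365 days, one hour for the 404 rule, which the post does not specify) are all assumptions made for the example. In production the same regex would sit in a fail2ban filter and the durations in its jail config.

```python
"""Added example (not LDDB's code): log tripwires in the spirit of the rules in this thread.

Constructed for the demo: the Apache combined-format lines, the SQL-looking pattern, the
30-day / 365-day escalation and the one-hour block for two consecutive 404s.
"""
import re
from collections import defaultdict
from datetime import timedelta
from urllib.parse import unquote_plus

# Apache "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# "Anything resembling a SQL statement": matched against the URL-decoded request path.
# A tripwire, not a WAF: a catalogue search for the words "select ... from" would trip it.
SQLISH_RE = re.compile(
    r"(?:\bunion\b.{0,40}\bselect\b|\bselect\b.{0,80}\bfrom\b"
    r"|\b(?:insert|update|delete|drop)\b\s+\w+"
    r"|'\s*or\s*'?\d+'?\s*=\s*'?\d+|\bsleep\s*\(|--\s*$|/\*.*\*/)",
    re.IGNORECASE | re.DOTALL,
)

FIRST_BAN = timedelta(days=30)       # "banned for 1 month" (assumed as 30 days)
REPEAT_BAN = timedelta(days=365)     # "trying again ... 12 months" (assumed as 365 days)
NOT_FOUND_BAN = timedelta(hours=1)   # "block you for a while" (length assumed)


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_like_sql(path: str) -> bool:
    return bool(SQLISH_RE.search(unquote_plus(path)))


def scan(lines):
    """Return {ip: (reason, ban_length)} for clients the rules would block."""
    bans = {}
    sql_offences = defaultdict(int)   # stands in for state fail2ban keeps between bans
    consecutive_404 = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # malformed line: skip, never crash the watcher
        ip = rec["ip"]
        if looks_like_sql(rec["path"]):
            sql_offences[ip] += 1
            bans[ip] = ("sql_in_request", REPEAT_BAN if sql_offences[ip] > 1 else FIRST_BAN)
            continue
        if rec["status"] == "404":
            consecutive_404[ip] += 1
            if consecutive_404[ip] >= 2:
                # Never downgrade an existing SQL ban to the shorter 404 one.
                bans.setdefault(ip, ("two_404s_in_a_row", NOT_FOUND_BAN))
        else:
            consecutive_404[ip] = 0   # a valid hit resets "in a row"
    return bans


# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2021:02:13:00 +0000] "GET /title/12345 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Mar/2021:02:13:05 +0000] "GET /title/12346 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Mar/2021:02:14:00 +0000] "GET /title/1%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 812 "-" "sqlmap/1.5"
198.51.100.23 - - [19/Mar/2021:02:14:01 +0000] "GET /title/1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 812 "-" "sqlmap/1.5"
192.0.2.55 - - [19/Mar/2021:02:15:00 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.25"
192.0.2.55 - - [19/Mar/2021:02:15:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.25"
203.0.113.9 - - [19/Mar/2021:02:16:00 +0000] "GET /old-link HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Mar/2021:02:16:30 +0000] "GET /title/777 HTTP/1.1" 200 5020 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Mar/2021:02:16:40 +0000] "GET /another-old-link HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, (reason, length) in scan(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:15} {reason:20} {length}")
```

On the sample, the sqlmap client trips the SQL rule twice and ends on the 365-day ban, the scanner probing for wp-login.php and phpmyadmin gets the 404 block, and the member who clicked two stale links with a good page load in between is left alone, which is the "in a row" part of rule 8. The decoding step matters: the payloads arrive percent-encoded, and a pattern applied to the raw line would miss them.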

Author:  teddanson [ 19 Mar 2021, 21:03 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

Is it possible to enable MFA on logins? Even perhaps as a voluntary setting?

Author:  cplusplus [ 19 Mar 2021, 21:59 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

admin wrote:
My only weakness is to be still running on PHP5.6 because moving to PHP7 breaks down a LOT of things.

Yeah a good chunk of the internet is still on PHP5.

I'm not sure if you have looked at something like https://github.com/sstalle/php7cc
It is deprecated, but the other go-to scanners require PHP7.

PHPStorm is nice too, but expensive. You might be able to get everything done within the 30 day trial though. I think it has a migration tool or inspector. Also helps you see stuff like "variable used but not declared" (PHP insanity, and I don't mean "variable declared but not used"!)

Author:  jlehmusk [ 20 Mar 2021, 13:46 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

In the spirit of GDPR, I would like to see an option to reject 3rd party cookies, including Google Analytics.

Author:  cplusplus [ 20 Mar 2021, 15:38 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

It is good to set that at the browser level.

Author:  jlehmusk [ 20 Mar 2021, 21:36 ]
Post subject:  Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant?

That is what I prefer to do also, but many times there is a need to access the site from new device or browser and finding the correct settings is unfeasible.
