
WineHQ database compromised

WineHQ database compromised

Posted Oct 12, 2011 0:25 UTC (Wed) by jake (editor, #205)
In reply to: WineHQ database compromised by Cyberax
Parent article: WineHQ database compromised

> On completely unrelated note, does LWN store credit card numbers?

No, we do not (thankfully) ... we transmit them to the credit card processor and are done with them at that point. For monthly subscriptions, we get back a magic cookie that can be used to charge the same account, but we don't keep credit card information.

We sleep *much* easier that way ...

jake



WineHQ database compromised

Posted Oct 12, 2011 0:51 UTC (Wed) by aaron (guest, #282) [Link] (5 responses)

Tokenized card storage is a Good Thing.

BTW, as one of many sysadmins handling PCI compliance (in addition to our usual duties), can you comment on how the process worked for you?

There's a good talk coming up in Seattle this Thursday, on audit logging on Linux for compliance. Apparently, it's not as trivial as one might hope.

PCI compliance

Posted Oct 12, 2011 1:01 UTC (Wed) by corbet (editor, #1) [Link] (4 responses)

With our previous processor, the compliance process turned out to be such a silly hassle that we eventually gave up on it. They kept screaming, for example, that our version of SSH had known vulnerabilities - even though the distributor had long since patched those vulnerabilities out. All that mattered was The Checklist, which had little to do with how secure we actually were.

The penalty for not being certified was a crushing $25/month; there came a point where we realized it just wasn't worth the trouble. $25/month also made it clear just how important the credit card system thought PCI compliance certification was.

Now we don't let credit card numbers pass through the site at all, and things are a lot easier.

PCI compliance

Posted Oct 12, 2011 9:10 UTC (Wed) by njwhite (guest, #51848) [Link]

> They kept screaming, for example, that our version of
> SSH had known vulnerabilities - even though the distributor had long since patched those
> vulnerabilities out. All that mattered was The Checklist, which had little to do with how
> secure we actually were.

Yep, that sounds about our experience, too. I ended up writing a script to scrape info of patched CVE issues from our distribution's website and emailing the PCI people a list of links to "prove" that said patches have been applied.

It's all, I think, so that the card processor can push the liability for any losses away from them.

PCI compliance

Posted Oct 12, 2011 16:44 UTC (Wed) by aaron (guest, #282) [Link]

> They kept screaming, for example, that our version of SSH had known vulnerabilities - even though the distributor had long since patched those vulnerabilities out.

I assume that was the ASV*, not the processor. Ours simply needed to be told that the CVEs were patched (which Debian & Ubuntu are good at doing, and more importantly, documenting). It was a good impetus to turn off the detailed version info on our daemons. <smirk>Information leak, y'know.</smirk>

Interestingly, an SSL cert. company that recently suffered security problems also happens to be an ASV.


* ASV: Approved Scanning Vendor - a company approved by the PCI Security Standards Council to perform very basic (Nessus-style) vulnerability scans. Scans are required quarterly. Subscriptions aren't cheap.

PCI compliance

Posted Oct 12, 2011 21:59 UTC (Wed) by rickmoen (subscriber, #6943) [Link]

FWIW: As someone who's gone through many, many rounds of proving PCI compliance, I can say that, yes, it's a hassle proving, each time, that your installed version of a security-sensitive package includes backported fixes not reflected in its publicly scannable version number. I've worked out a routine where I keep handy a canned response that I can quote to answer that objection, which I haul out each testing cycle, with only minimal use of everyone's time.

Rick Moen
rick@linuxmafia.com
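The routine njwhite and Rick describe above (proving to an ASV that a backported fix is present even though the package version string looks old) can be automated from the distribution's own changelog. The following is an added example, not code from any of the commenters: it parses a Debian-style changelog (a constructed sample is embedded; the package name, versions and CVE ids are placeholders, not real advisories) and reports which changelog entries at or below the installed version mention a given CVE.

```python
import re
from typing import Dict, List

# Constructed sample in Debian changelog format (newest entry first, as real
# changelogs are). Package name, versions and CVE ids are placeholders only.
SAMPLE_CHANGELOG = """\
examplessh (1:5.5p1-6+stable1) stable-security; urgency=high

  * Backport upstream fix for CVE-0000-0002 (placeholder id).

 -- Maintainer <maint@example.invalid>  Mon, 10 Oct 2011 12:00:00 +0000

examplessh (1:5.5p1-6) unstable; urgency=low

  * Fix CVE-0000-0001 (placeholder id).

 -- Maintainer <maint@example.invalid>  Fri, 01 Apr 2011 12:00:00 +0000
"""

# "package (version) distribution; urgency=..." entry header line.
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def fixed_cves(changelog: str) -> Dict[str, List[str]]:
    """Map each changelog version (in file order) to the CVE ids its entry mentions."""
    fixed: Dict[str, List[str]] = {}
    version = None
    for line in changelog.splitlines():
        m = HEADER_RE.match(line)
        if m:
            version = m.group(2)
            fixed.setdefault(version, [])
        elif version is not None:
            fixed[version].extend(CVE_RE.findall(line))
    return fixed


def cve_fixed_in(changelog: str, installed_version: str, cve: str) -> List[str]:
    """Versions at or below installed_version whose entry mentions cve.

    Relies on newest-first ordering instead of Debian version comparison, so
    an installed_version absent from the changelog yields [] (unknown, not fixed).
    """
    at_or_below, hits = False, []
    for version, cves in fixed_cves(changelog).items():
        at_or_below = at_or_below or version == installed_version
        if at_or_below and cve in cves:
            hits.append(version)
    return hits
```

The returned version strings are what goes into the canned reply to the scanning vendor, alongside a link to the distribution's published changelog.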

PCI compliance

Posted Oct 13, 2011 4:05 UTC (Thu) by k8to (guest, #15413) [Link]

I work for a vendor who sells software that is sometimes used as part of the PCI compliance picture.

It's all too familiar to hear from customers (from auditors) that their scan-thing found a red item. Usually these red items represent bugs in the scanners, but they don't care (neither the auditor, nor the customers).

Fortunately our software doesn't have to actually pass the test software (it doesn't touch the card stream). So I point out some of the clauses of PCI compliance that say they don't have to care, and suddenly they're happy.

Sigh.

WineHQ database compromised

Posted Oct 12, 2011 6:19 UTC (Wed) by Felix.Braun (guest, #3032) [Link]

I can certainly empathise that you feel relieved of that particular responsibility. However, I for one am not particularly sure I trust your credit card processor more than I trust you guys. This being said, I do trust you in selecting a reasonably sane credit card processor, so I don't worry too much.

WineHQ database compromised

Posted Oct 12, 2011 17:27 UTC (Wed) by quotemstr (subscriber, #45331) [Link] (1 response)

What kind of password hashing does LWN use?

WineHQ database compromised

Posted Oct 12, 2011 18:13 UTC (Wed) by jake (editor, #205) [Link]

> What kind of password hashing does LWN use?

bcrypt hashing ... see http://lwn.net/Articles/433905/ for a few more details ...

jake


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds