Archive for the ‘General’ Category

What is Ogg Vorbis?

Wednesday, May 5th, 2010

Ogg Vorbis is an open source, royalty-free audio codec used for compressing and decompressing audio. It is an alternative to MP3, whose patents are held by Fraunhofer IIS, AT&T-Bell Labs, Thomson-Brandt, CCETT and others. Its video counterpart, Ogg Theora, is the open source alternative to H.264, whose patent pool is administered by MPEG LA.

In 2001 the person who is now director of the Xiph.org Foundation worked for Green Witch, an online music company that competed with Music Match. Fraunhofer, which holds the MP3 patents together with Thomson, bought a stake in Music Match and charged Green Witch $60m to license MP3 for the year. Green Witch couldn't pay and was sold to a company that owned another web radio provider, iCAST. Ogg Vorbis was created to escape the MP3 noose and avoid a repeat of that history.

Several software vendors use Ogg Theora as their video codec; Opera 10.5, which supports HTML5 video, is one of them. The codec's popularity is growing because the MP3 licence fees are controlled by a group of companies, and for many businesses an open source codec makes better business sense.

If you want MP3 you have to pay Thomson, which helped create MP3 along with three other companies. A decoder costs $0.75 per unit for the patent and software licence, but if you want to encode media, which of course you have to, that is priced at up to $5.00 per unit.

PCI compliance

Wednesday, February 10th, 2010

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). It was created to help organizations that process card payments prevent card fraud through tighter controls around cardholder data and its exposure to compromise. The standard applies to every organization that stores, processes or transmits cardholder data for any card carrying the logo of one of the participating card brands.

If you are a host who sells business-critical web environments that process credit card data, you need to know how to help your customers achieve compliance. LogicSupport helps its customers achieve PCI compliance by working directly with their data centers and with Approved Scanning Vendors (ASVs). Only ASVs certified by the PCI SSC can perform the quarterly external vulnerability scans that PCI DSS requires; note that an ASV scan is not the same as an on-site audit, which, where one is required, is carried out by a Qualified Security Assessor (QSA).

The current list of ASVs is published by the PCI SSC here:

https://www.pcisecuritystandards.org/pdfs/asv_report.html

Most ASVs provide a report to work from, or help you clear the findings by providing technical assistance. If at any point you need a security expert, you can approach us and we will guide you with our experience; we can also provide engineers who are experienced at clearing the failing findings.

An ASV bases the scan result on the Common Vulnerability Scoring System (CVSS) version 2 base score calculated for every vulnerability found. Scores range from 0.0 to 10.0, with 10.0 representing the greatest risk; any vulnerability scoring 4.0 or higher is a failing finding under the ASV Program Guide.

Any in-scope asset (host, IP address or domain) with at least one vulnerability scoring 4.0 or higher is non-compliant, and if at least one asset is non-compliant the scan as a whole, and therefore the organization, fails.

In addition, some classes of vulnerability fail the scan regardless of their CVSS score. Any finding that exposes an asset to cross-site scripting (XSS) or SQL injection is an automatic failure, whatever score the scanner assigns to it (the ASV Program Guide lists further automatic failures beyond these two).

A moderate vulnerability (0.0 to 3.9; "Low" in the ASV Program Guide, and a passing finding) can typically only be exploited locally and requires authentication. A successful attacker has little or no access to unrestricted information, cannot destroy or corrupt information, and cannot cause outages on any system. Examples include default or guessable SNMP community names and the OpenSSL PRNG internal state discovery vulnerability.

A severe vulnerability (4.0 to 6.9; "Medium" in the ASV Program Guide) can be exploited with a moderate level of hacking experience and may or may not require authentication. A successful attacker has partial access to restricted information, can destroy some information, and can disable individual target systems on a network. Examples include a writeable anonymous FTP server and weak LAN Manager hashing being permitted.

A critical vulnerability (7.0 to 10.0; "High" in the ASV Program Guide) can be exploited with easy access and requires little or no authentication. A successful attacker has access to confidential information, can corrupt or delete data, and can cause a system outage. An example is anonymous users being able to obtain the Windows password policy.

Though compliance is not the final word in web security, it goes a long way towards keeping payments and card data secure on the web.

Choose your customers

Sunday, January 31st, 2010

I've always had people asking me what the secret is behind retaining customers long term. LogicSupport has been in business for over 6 years now and has serviced several customers since its inception. I am so glad to mention here that some of our very first customers are still in business with us. It is an amazing achievement for our team, because this trust is something we have earned over the years, and there were certainly no shortcuts to achieving it.

As a web host, or any business for that matter, choosing your customers can have a profound effect on running your business. If done right it can do a world of good for your future business, and if done wrong there is no worse mistake you can possibly make: the wrong customers try to hack your data, gain illegal entry and even sabotage your entire business. I know that being able to choose your customers is a luxury these days, when you are trying your best to stay ahead of the competition. I also know that choosing alone does not win long-term clients; it takes a lot of hard work and follow-up.

Retrospection in this regard is the order of the day in the wake of a customer who tried to ruin our business not long ago, after a series of threats and a blackmailing incident. Vladimir from prelovac.com signed up as a regular customer through our server management promotion program. He came to us with one big bargain, promising a review if we did our job well. Little did I know that he was going to use this as a tool to blackmail us and get the work done without making payment.

His server security was tightened, with all the updates sent to him along with the relevant details. He went through the server security list and spotted that a feature listed on the website did not appear in the security report. It is well known that certain security features are incompatible with certain server environments; in such cases we only install what is relevant to the prevailing server environment. He immediately opened a ticket in our support queue demanding that the missing module be installed. The tech on duty explained to him that the installations had been carried out after checking compatibility, but he demanded that the changes be made immediately.

Since he needed to see the change anyway, the admin went ahead with changing the settings of the web server. The admin performed the installation and completed it with the changed settings. The client then saw that the conflicting settings made some of his existing sites not load as desired. All those changes had to be reverted, and we did it as quickly as we could. As anyone in hosting security management knows, web server recompilations involve some downtime, and once the customer had approved this reset there was very little we could do. I tried to call him several times and keep in touch with him all through the matter, but he either never picked up the call or it went to his voicemail. I even sent him an apology on behalf of the admin, just to make sure the client understood why the admin had carried out the re-installation of the web server, only to learn that it was misinterpreted.

He demanded that he be issued a refund since he wasn't happy with the service. We issued a 100% refund as per our customer satisfaction guarantee policy, though we know the server underwent all the required security setup.

I got an email the next day asking me to compensate him further for the downtime, with $2000 worth of damages and one year of free service, failing which he would write a public review and wreck our business. Why would he ask for one year of free service if he doubted our abilities? I tried to call him again, trying my best to make sure things remained cordial. He never picked up my calls.

I sensed the matter was out of hand, that he was really trying to get free work done and was resorting to blackmail. I refused to give free service or any further servicing of his server and offered to cancel immediately, to which no response arrived.

When he went public, a reputed forum pulled down his thread after they realized he was trying to drive traffic to his personal blog, prelovac.com. I gave my reply in one of the forums about his intentions, but he never came up with a response to the community members; instead he decided to post the review on his personal blog with comments disabled.

Let this story be a lesson for anyone who is signing up customers in a frenzy. Please know your customer before you take them on. It is best to cross-check your customer's history, especially for those who sign up for your smallest plans. They may simply be seeking an entry into your business process, but their intentions may be different. I have seen hackers who sign up for start-up plans and eventually screw up the entire server and the hosting owner's business. Please try to stay away from them…