
eCommerce Hosting Manager Denver Prophit Shares Inaccurate Information

February 9, 2010 in SSL Certificates by CEO/Founder, Supreme Center Hosting  |  Comments Off

In a recent post on his blog, Denver Prophit made some insinuations that I felt needed to be addressed. Like many of those who are, or have been, associated with CRE Loaded, Denver feels that the lack of truth is the best way to profit off those who are Internet illiterate.

Denver Prophit said: “If you request identity information such as billing address, name and telephone number, you need a secure encrypted channel to send it. You also need good P3P in place.”

Fact is, CRE Loaded, osCommerce and most other open source eCommerce applications treated SSL as an afterthought until a couple of years ago. Furthermore, an article on the InformationWeek website, “Black Hat: Security Pro Shows How To Bypass SSL,” shows that man-in-the-middle (MITM) attacks on HTTPS sessions are not just theoretical:

…Marlinspike explained that he obtained such data by placing proxy software he’d written, called ‘sslstrip,’ on a node of a Tor network, to conduct what’s known as a man-in-the-middle attack. The proxy software intercepts HTTPS traffic, generates and signs security certificates, and mediates data passing between the client and server, capturing everything in the process.

Marlinspike captured 16 credit card numbers, seven PayPal logins, and 300 other miscellaneous secure login sessions in only 24 hours.

Marlinspike went on to say that:

Lots of times the security of HTTPS comes down to the security of HTTP, and HTTP is not secure…

It pays to read what sslstrip actually does. It does not break the encryption. It sits between the browser and the site, rewrites the plain HTTP pages that link to an HTTPS login so the browser never makes an HTTPS request at all, and talks HTTPS to the real server itself. Every one of those captured sessions began with a page fetched over plain HTTP. That is the sense of Marlinspike's remark: a site that is only partly HTTPS inherits the weakness of its HTTP half. Read that way, the excerpt is a point about how SSL gets deployed, not a reason to skip it.

Denver Prophit said: “The PCI standard requires Internet retailers to complete a 12-step security audit that must be certified annually and checked every three months.”

That is true if cardholder data passes through your website. If payment is fully outsourced to a processor such as Authorize.net, Google Checkout or PayPal, so that the card number is entered on the processor's pages and never touches your server, most of the twelve requirements fall out of your scope. Merchants in that position validate with the short Self-Assessment Questionnaire A rather than a full audit. The obligation does not disappear, but it shrinks to a few pages of self-attestation, and the heavy lifting is the processor's. One caveat: this only holds when the card form is the gateway's. An integration that collects the card number on your own page and forwards it to the gateway (Authorize.Net's AIM method, for example) puts your server squarely back in scope.

I emailed PCI Security Standards and received this reply:

“As described in PCI Data Security Standard Requirements and Security Assessment Procedures (available at https://www.pcisecuritystandards.org) the PCI Data Security Standard is intended to protect cardholder data and sensitive authentication data. As described on page 4 of that document cardholder data includes the primary account number, cardholder name, service code and expiration date, while sensitive authentication data includes full magnetic stripe data, CAV2/CVC2/CVV2/CID, and the PIN/PIN Block.”

You’ll notice that although cardholder name is mentioned, billing address and telephone number are not. Why? PCI is narrow by design: it protects the data the card brands need to protect, and nothing else. So PCI, by itself, does not require a small business owner who accepts no cards on the site to run a “secure encrypted channel.” Whether that owner should still encrypt customer addresses and, above all, their own admin logins is a separate question that PCI simply does not answer.

Denver Prophit mentioned RSA in his post: “The point I stress, here, is * Encrypting transmission of cardholder data and sensitive information across public networks. your admin pages HAVE to be encrypted because it stores sensitive information and is required by federal law. See RSA.com 2005 A Corporate Minefield: FTC Demands “Reasonable & Appropriate” Measures to Protect Digital Assets (August 04) http://www.rsa.com/press_release.aspx?id=5991 (accessed January 14, 2009)”

I am glad you mentioned RSA. Taking the time to read that press release, one would find that Art Coviello, president and CEO at RSA Security Inc., stated: “The question that many organizations are now asking is ‘what constitutes reasonable and appropriate action?’ In an increasingly complex regulatory environment, finding a comprehensive answer to that question can be a laborious task.”

Who decides what is “reasonable & appropriate?” One definition of reasonable is “Not excessive or extreme; fair.” The legal definition of reasonable is “Suitable; just; proper; ordinary; fair; usual. The term reasonable is a generic and relative one and applies to that which is appropriate for a particular situation.” (West’s Encyclopedia of American Law, edition 2. Copyright 2008 The Gale Group, Inc. All rights reserved.)

Based on Denver’s analysis, a small business owner, which would account for some 90% of EOS Online Merchant’s user base, would be unable to do business on the Internet if all that Denver claims were absolute. And it is not.

Do the developers of CRE Loaded understand PCI Compliance?

August 19, 2009 in eCommerce by CEO/Founder, Supreme Center Hosting  |  2 Comments

The CRE developers recently released their CRE Loaded 6.4 PCI edition, touting full compliance with the Payment Card Industry (PCI) security rules. I won’t discuss the fact that v6.4 was released unfinished, with bugs and, in fact, security issues. I do, however, want to focus on their lack of knowledge of the PCI security rules, or their inability to properly educate their customers on compliance.

A customer recently spoke with Michael Miller, head of CRE Development, and was told that she needed to be PCI compliant and that she should use CRE Secure. He also stated that she needed to use a host that was also PCI compliant and recommended their PCI compliant hosting partner, at a cost of $500/month. This customer explained to Mr. Miller that she does not collect cardholder data on her site and uses the third-party payment gateway Authorize.Net to process payments. Mr. Miller stated that Authorize.Net is Not PCI compliant. Six days later, CRE made an about face and released a newsletter titled “CRE Loaded Announces PCI Compliance Connection to Authorize.Net.” Within the newsletter, CRE writes:

“CRE now connects directly to Chase Orbital and Authorize.Net. If your current gateway is not listed above, ask your current merchant bank provider how you can easily make the switch over to Authorize.Net.”

I’m confused. CRE is creating a “PCI Compliance Connection” with, according to Michael Miller of CRE, a third-party payment gateway that is Not PCI Compliant? It is clear to me that Mr. Miller wanted my customer to use their CRE Secure for credit card processing. Suggesting that Authorize.Net is not PCI Compliant is a disingenuous way of drumming up business for the “Evil Overlord.” Fact is, Authorize.Net is PCI Compliant:

“Authorize.Net also complies with payment industry-specific requirements known as the Payment Card Industry Data Security Standard (PCI DSS v1.1). Our Qualified Security Assessor is Trustwave and we completed our most recent audit in May 2008.”

Visiting the Authorize.Net website and verifying their compliance is so easy, even a monkey can do it.

PCI Compliance Myths

One myth about PCI Compliance is that every merchant needs a full on-site audit and an expensive assessor. Fact is, if you use a third-party payment gateway such as Authorize.Net or PayPal in a way that keeps the card number off your servers entirely (the customer types it on the gateway’s page, not yours), your obligation drops to the short Self-Assessment Questionnaire A. You still attest that you are compliant, but the twelve requirements as applied to stored and transmitted card data are the gateway’s problem, not yours. The check that matters is which integration you run: a hosted or redirect method keeps you out of scope, a method that posts the card number through your own server does not.

Another myth is that, not only are you required to be PCI compliant, but you must also use a PCI compliant hosting provider. Again, if the card number never touches the web server, there is no cardholder data on that server for the hosting provider to protect, and the provider’s own PCI status has no bearing on your validation.

What is required?

As described in PCI Data Security Standard Requirements and Security Assessment Procedures (available at https://www.pcisecuritystandards.org), the PCI Data Security Standard is intended to protect cardholder data and sensitive authentication data. As described on page 4 of that document, cardholder data includes the primary account number, cardholder name, service code and expiration date, while sensitive authentication data includes full magnetic stripe data, CAV2/CVC2/CVV2/CID, and the PIN/PIN Block.

In short, if you or your hosting provider collect, store, process or transmit cardholder data or sensitive authentication data, then you and your hosting provider must be PCI compliant for those systems.

PCI Compliance does not mean breach-free. “It’s a mistake for anyone to equate compliant with impossible to breach,” says David Taylor, CISSP and founder of the PCI Knowledge Base. “There is no way that a committee that has to consider what is ‘reasonable’ and ‘affordable’ to its members and the industry as a whole can possibly design a set of standards that can prevent one clever hacker from figuring out a way to break in, then sharing his/her hack with millions via the Internet,” Taylor says.

If neither a hosting provider nor a merchant using that hosting provider collects, stores, processes or transmits any data that falls under PCI, then neither host nor merchant has anything for the bulk of the PCI Data Security Standard Requirements and Security Assessment Procedures to apply to. What remains for the merchant is the short SAQ A attestation.

Don’t let anyone sell you a “PCI compliant hosting” package you do not need. If you use a third-party payment gateway with a hosted payment page, and are happy with the service it provides, the questionnaire is all that is left to do. That being said, there is no reason why you should not ask your hosting provider whether they collect, store, process or transmit any data that falls under PCI, and if they do, whether they are PCI compliant. There is always the chance that a hacker breaks in and steals credit card data. If card data was sitting on a non-compliant host, the fines and breach costs land on whoever was holding it, and a provider that folds under them leaves you and your business in limbo.

The majority of our customers prefer to use PayPal as their payment processor. Therefore, we do not collect, store, process, or transmit cardholder data or sensitive authentication data. All merchants using our shared hosting services also use third-party payment gateways. What does this mean? Our shared hosting services will continue to be affordable. Within the next 30 days or so, we will start offering PCI compliant dedicated solutions. However, we will continue to offer affordable dedicated solutions to those customers who prefer to use a third-party payment gateway. Hosting your eCommerce website does not have to be an expensive process. Shelling out $500/month for a PCI compliant hosting provider is unnecessary if no card data ever reaches your server.

Eos Online Merchant – First Look, Maybe The Last

January 16, 2009 in Open Source, SSL Certificates by CEO/Founder, Supreme Center Hosting  |  Comments Off

I stumbled on Eos Online Merchant [another osCommerce fork based off CRE Loaded] back in November when The Evil Greedy Overlord [Sal Iozzia of Chain Reaction Web] sprang the new pricing structure on the CRE community. David Graham, former employee of Chain Reaction and Dean of the osCommerce University, is part of the Eos Online Merchant collaboration led by StrikeHawk eCommerce. Knowing David, and what kind of person he is, I was optimistic that this application would end up beating CRE like a rented mule… now I am not so sure.

I downloaded and installed Eos in November. The installer, outside of a few cosmetic changes, was what I would have expected. Once I completed the installation, I loaded the backend and attempted to log in… it took me a couple of tries before I realized that the URL was https, not http. I went right to the config file[s] and set SSL to false and tried again. Doh. These guys are forcing SSL! I could not figure out why they would consider forcing SSL, so I headed to osC U and sent David a private message:

“Hey David ~

Why is Eos forcing SSL? By default, SSL is set to true in the config files and setting it to false does no bit of good – it always wants to load the admin panel using HTTPS. I don’t know, not many people are going to go out and buy an SSL cert to test an application.”

David’s response:

“Security. Traffic on development and other frequently unsecured sites can give valuable clues to the structure of a live site. There is also the common practice of setting up a site before installing a certificate without changing all passwords at the time the site is taken live. Sucks to give your access codes away without even knowing it.

Any (ecommerce) host (or webmaster) should know how to generate a free cert usable for testing, and a test which does not include observation of correct behavior of the code and any templates applied under SSL conditions is not a valid test.”

Hmmm… okay. He then went on to say:

“I think we all should be aware that PCI and other standards are going to have a heavy impact on the industry. This is one of them. While some planning needs to be done to deal with these issues yet, one thing we intend to do with EOS is to force SSL out of the box. It covers a frequently overlooked security hole to which no one should have to fall prey.”

Wait a minute… shouldn’t the SSL part of the application be my choice and responsibility? And since when is SSL the Only way to secure a website? So, I asked that and other questions in the thread “ESO 0.52 Alpha SSL Management.” Both David and inetbiz harped on credit cards. My position is that not all websites accept credit cards, and many that do use a third-party processor such as PayPal or 2Checkout, which carries the card data over its own SSL. Both kept pointing to standards such as those of the PCI Security Standards Council, or Federal Trade Commission guidelines [suggestions]. None of these is a statute: PCI binds you through your merchant agreement, and if card numbers never touch your site, nearly all of it falls out of scope. The FTC, for its part, has gone after companies for “unreasonable” security under its general consumer-protection powers, which is what the RSA press release in the other post is about, so “not a law” is not quite the same as “never applies.”

I could not figure out why they believe SSL is necessary enough to:

A.) Force it on the end user and,
B.) Treat the end user as if they are not capable of making their own decisions.

Is it that they are trying to create a new standard hoping it will catch on like bell bottoms in the 70’s?

I don’t find the need to force SSL necessary and said so in the thread:

“I still think forcing SSL is a bad idea. Again, an unsuspecting user will not be a happy camper after taking the time to download and install the application only to find out they can’t use it without an SSL cert – like I did. SSL is not necessary on many sites using an application such as EOS, CRE or osC unless you plan on accepting CCs directly on your site. Many are using other payment gateways and payment processors [e.g. PayPal] which already have SSL in place.

As far as security goes, there are other ways to secure a site without the need for an SSL cert. There are not too many cases of someone hijacking usernames and passwords during transmission – there is more to it than that. If that were the case, all sites would be using SSL. Anyone with good knowledge of .htaccess, or those willing to take the time to learn, can secure their sites without the cost of a cert. One of the biggest issues is failure to use the correct permissions on configuration files and not using or improperly using .htaccess – not theft of passwords from the zeros and ones.

I think it would be better to STRESS the use of SSL on an ecommerce site – not forcing its use.”

David said:

“I think you are right, there is more to security than securing the transmission stream. However, being a little insecure is like being a little bit pregnant.”

Then he went on about credit cards again…

Fact is, most of the reasons they gave for forcing SSL come back to credit cards, which many of these sites never touch. The one that does hold water is David’s first point: an admin password sent over plain HTTP can be read by anyone on the path, on a coffee-shop wireless network or at the ISP, and that is true whether or not the shop takes cards. Sure, SSL is a good thing, and SSL certificates should be used on ALL sites that accept and process credit cards. However, by David’s and inetbiz’s standards, even the lowly hobby HTML site needs SSL. What really stuck out was when inetbiz said:

“We sell and so do many others a very inexpensive $14.95 RapidSSL certificate good for one year.”

That sounds way too much like a sales pitch, doesn’t it? So, Eos was created to sell products and services? That’s CRE loaded, isn’t it?

So my conclusion is that you don’t need Eos Online Merchant. I don’t think it’s worth all the hassle. There are plenty of free alternatives around that won’t force you to purchase and install other products or services in order to use it. It may be an open source application, but it’s obvious that it’s a closed community and the “developers” don’t take kindly to anything that questions their ideas – have a look at the thread, specifically page 2, and decide for yourself.
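For the host or webmaster who wants the admin panel encrypted without waiting for the application to force it, the enforcement can live in the web server rather than in the shop’s config files. The following .htaccess is an added example for this post and for the sslstrip excerpt quoted in the Denver Prophit post above; it is not Eos, CRE or osCommerce code. It assumes Apache with mod_rewrite and mod_headers enabled and a certificate already installed for the host (self-signed is fine for a test install, as David notes). The path names are the stock osCommerce layout; the Strict-Transport-Security header (HSTS, RFC 6797) postdates these posts and is the piece that closes the plain-HTTP first request that sslstrip depends on.

```apache
# .htaccess in the shop's document root (added example, not the project's own).
# Assumes Apache 2.2 with mod_rewrite and mod_headers; see the note on 2.4 below.

RewriteEngine On

# 1. Send any plain-HTTP request for the admin panel, login, account or checkout
#    pages to the HTTPS copy of the same URL, regardless of what ENABLE_SSL in
#    the application's configure.php says. This protects people who already have
#    the https:// address bookmarked; it does not, on its own, protect the very
#    first http:// request, which is exactly where sslstrip sits.
RewriteCond %{HTTPS} !=on
RewriteRule ^(admin/|login\.php|account|checkout) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Once a browser has seen the site over HTTPS, tell it never to use plain
#    HTTP for this host again (one year). Emitted only on HTTPS responses: a
#    browser ignores the header on http:// anyway. Use a small max-age such as
#    300 while testing; a wrong certificate with a year-long HSTS locks users out.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

# 3. The database credentials live in includes/configure.php and
#    admin/includes/configure.php. PHP include()s them; nothing should ever fetch
#    them over HTTP, so refuse to serve them at all (defence in depth alongside
#    chmod 444 on both files after installation).
<FilesMatch "^configure\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

On Apache 2.4 the access block is written `Require all denied` instead of the `Order`/`Deny` pair. The redirect covers the URL prefixes osCommerce forks use for account and checkout pages (`account*.php`, `checkout_*.php`); extend the alternation for a template that renames them. Together the three stanzas address the points raised in the thread: admin credentials no longer cross the wire in clear text, a browser that has been to the site once cannot be downgraded to HTTP by a proxy in the middle, and the configuration files are unreachable from the web even if their permissions slip.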

CRE tells community to get Fucked

October 26, 2008 in CRE Loaded by CEO/Founder, Supreme Center Hosting  |  Comments Off

Not long after posting my previous message, Sal the “Evil Greedy Overlord” banned me from the forums once again [the truth must hurt]. This was after he acted like a child and replaced my forum avatar with a picture of a troll with purple hair just because I had the temerity to tell the truth. Just today, a new forum member contacted me via our website’s contact form and brought my attention to CRE’s new business model… telling the community, their client base, to get F@#$ed.

You would think that considering the downward spiral that CRE is in, they would refrain from treating those who are using the application [and any potential users] disrespectfully. Below you will find two recent posts by CRE employees.

The following was posted by maestro:

I find it completely disheartening that so many outside the CRE “CoRE” can so easily get into such pissing contests, no matter who started it, and then have the balls to use the very forum they seem to detest to tout “Their New Cart”. I don’t mind it being done of course, everyone is entitled to it. Just seems to me if you want your own cart version you should start your own forums too and stop bashing the very foundation that so many of us have not only helped to create, but have profited from over the years! If you don’t like the way CRE is handled/run/managed then apply for a job and DO BETTER! or get F@#$ed! It would also be respectable to completely 100% cease and desist using, developing for, and profiting from any CRE based code, especially if you insist on “slamming” that very code! Just my two cents worth on all the flaming content of this post. maestro (Gerald Bullard Jr, Jacksonville, FL)

Another CRE employee, datazen, was just as unprofessional:

htimmes,

You are correct, I find it hard to believe that you alone fixed over 750 bugs. Perhaps in your 10 year old mind you counted to 750 but I still find it hard to believe that you alone have made a better version of CRE.

You assume we only use FireFox but in fact we test with the top 90% of all used browsers.

Safari and Chrome are not one of those yet but of course your 10 year old mind already knows this so I am simply repeating myself.

I have noticed by most of your 25 posts that you are not contributing to the better cause here – you are doing nothing more than trying to cause breaks in the community floor. This is simply not needed.

If you did in fact fix valid bugs, donate them to the community as we all did and still do. Help CRE become a better product. If you want to get paid for your work, apply for a job with CRE (minimum age is 16).

Quote::
Sal, During our discussion, you said you will put an end to having your staff criticize me?

Oh, but it’s ok for you to continue??? WHAAAAAAAAAAAAAAAAAAAA!!!!!

What a fraking baby!! Go cry again to Sal – perhaps he will fire me and hire you in my place!

_________________
Scott Logsdon
Software Development Manager
Chain Reaction eCommerce, Inc.

I was not surprised to see that Sal Iozzia never mentioned the fact that his employees [datazen & maestro] were acting the fool by making fun of forum members and telling people to get F@#$ed. No apology for the position someone in his employ took, or for how these employees treated customers and forum members. The “Evil Greedy Overlord’s” only response was:

As much as I would love to never ban a forum user – it just is not possible.

I stated that I would not CENSOR anyone. And I have not. I have taken action to police the community from those that want to harm it.

I did not say I would never ban anyone again, read the post again. We are here as a community to make CRE great. To make a great open source product that is powerful and meets our needs. And to do that we need order and stability. Not chaos and flame wars.

As for censorship, you can read every word of every passionate or flame baiting post of recent days. None have been censored. We do reserve the right to edit a post and remove links to websites that are essentially spam advertisements.

Also the work is underway to reinstate forum signatures. More on that in another post.

Our problem on the forums now is a good problem to have. Sparks will fly, I have been challenged both by the community and internally within the development team, quality of our product is important to everyone. I believe that CRE Team and CRE Community will be better for this energy, this passion. As long as we always come back to respecting one another.

If you’re reading this far into this thread and still wondering if CRE is the right place for you. Well I can tell you this. CRE Loaded is hard at work making our product great. And the community is hard at work adding value and helping each other out. The volume of energy you find here is directly proportional to the value and potential everyone perceives to be in the product and in the community.

Thanks for your support of CRE Loaded!

_________________
Regards,

Salvatore Iozzia
Founder and Chief Visionary Officer (Evil Overlord)
Chain Reaction Ecommerce Inc.
Makers of CRE Loaded

What, nothing to say about maestro telling the community to get F@#$ed? Nothing about datazen calling a forum member a ten-year-old? I dare ask:

1. Where is the professionalism?
2. Who does the hiring at CRE?
3. Who is running the show?

Personally, I don’t find any of this hard to believe. If I were a naive person I might not have believed it had I not read it all for myself. Is it any wonder why things are so bad at CRE that end users are desperately trying to find something to replace CRE with? Can the entire CRE crew be that oblivious to what is going on that they compound the issue by continuing to treat what customers they do have left as though they did not need them?

CRE Loaded just got worse

October 20, 2008 in CRE Loaded by CEO/Founder, Supreme Center Hosting  |  Comments Off

I could all out flame CRE Loaded and Salvatore Iozzia here today, but what good would it do? I doubt very highly that it would make any real difference to the current CRE Loaded open source model. Fact is, I had plenty to say in the “Sal’s Message to the Community” thread at the CRE Loaded forums regarding past and current issues, and it seems Sal is oblivious to the opinions that were offered. He somehow managed to muster up enough backbone to create the post, while flip-flopping on the entire issue. The entire post looks like it was pulled out of a page from the past, with many of the more well-known forum members taking a whack at Sal’s pride.

By now it is probably obvious that I am not new to CRE Loaded. I started using it back in 2003-2004 when it was still in [bug filled] version v6.15. I even did work for Sal [installations, contribution additions] while I was starting up my hosting business. That was until he screwed me out of $500 for work I performed, and about the time that David Graham, of the osCommerce University, suggested that Sal start selling CRE Loaded. I remember having a chat conversation with David regarding sale of the open source application but was never aware that he suggested it [or I am getting too old to remember]. I gently poked David in the aforementioned thread by saying “If you’re suggesting that you persuaded Sal to sell CRE then, Shame on you! It was you sir who created the Ugly Monster!” His response clearly showed that he was as pissed as I… “Yeah, well, I never intended anyone to mislead the public about the GPL and its implications either. Which is why EOS itself is free and will remain so.” What? Is it possible that Salvatore Iozzia could mislead the end user? Sure it is. I read posts by Sal, and his now world famous moderator Gerald, regarding the GPL license. It was clear to me that what they were trying to do was mislead the lesser informed end user that they really were not permitted to do anything with CRE… but pay for it.

Now this brings up a new question… what exactly was the end user paying for? That ultimately is a very good question. At this point, I have no idea. David Graham recently blogged about this in his post “CRE Launches New Open Source Model” and stated that “My original concept when proposing CRE Loaded commercialization was to charge a standard fee per copy distributed with a 30 to 90 day support window, following which support could be obtained on a contract basis.” Okay, so the end user was paying for support? Hmmm… having had conversations with owners of other companies that were using, or had clients using CRE Loaded, this was clearly not the case. Apparently, support was one thing that was missing from the $200 price tag for Pro and $300 price tag for B2B.

Okay, so what do I think about all of this? What was missing from the launch of the new model and CRE 6.2 was Value-Added Services. By definition, it would be the term for non-core services… services that add value to a standard service offering. This could be any number of things. Using CRE as an example, the value-added services could be Support, plugins, templates, etc. As an active supporter of Open Source applications since 2003, we offer web site hosting and hosting services for a variety of open source applications and provide value-added services such as free professional installation and free support for a variety of issues that a customer may experience while using the application. We also provide web site programming services for these applications at a nominal [and below industry standard] fee.

So my question is… why is it that Sal thought it a good idea to sell CRE when he could have offered additional value-added services at reasonable rates? These services could have been any or all of those mentioned above. Support/Maintenance contracts could have been offered to those who either do not have the experience necessary to modify code or just did not want to. Plugins, that could not be found for free at osCommerce.com, could have been developed in-house and sold in the CRE store. Same goes for custom templates. Any service or a combination of services could have been offered to the CRE end user, whom I might add would have been more than happy to pay for. However, the “Evil Greedy Overlord” could not help himself. He not only put unreasonable price tags on the open source application, he charged 2 arms and a leg for additional services that really should have been part of the “support” the end user was supposed to get.

So what have we learned from all this? Never, and I mean never, pay for open source applications. The whole idea behind open source is that the source code should be free. This does not mean that everything should be free [contributions, support, templates, hosting, etc], but that the application itself should be free. Granted, the GPL license states that you can sell the code. That is correct, sir. Let’s use Linux as an example. Linus Torvalds wrote and released Linux as open source and it can be found everywhere for $0. Why is it that Red Hat is selling it then? Well, they are not selling the Linux source code. What they are selling is value-added services in the form of features that cannot be found in the original source, support, and improved & robust versions.

Finally, we have also learned that you can’t trust anyone who calls themselves the “Evil Overlord.”
