Advice for ebook site

Visuddhi · 03-07-2011, 09:46 PM

Hi Mobilread people

Firstly thanks for the forum, I’ve found lots of useful stuff.

I’m looking for some advice on running an ebook website. The site will be for free books for a very specific audience. I’ve tried googleing but it keeps coming up with stuff about drm and other unrelated material.

The first thing I’m trying for understand is security.
Is there a way I make sure that uploaded epub (etc) files are safe (both for server and for downloaders)

My concerns are that someone could rename a file with epub extension, or that there can be some extra code in it.

I’m not in a hurry but any pointers would be very much appreciated

Thanks

Worldwalker · 03-07-2011, 11:11 PM

This section is for feedback about MobileRead, not questions about how to run a website.

HarryT · 03-08-2011, 04:25 AM

Moved to the "General Discussions" forum.

queentess · 03-08-2011, 08:45 AM

Quote:

Originally Posted by Visuddhi

Hi Mobilread people
The first thing I’m trying for understand is security.
Is there a way I make sure that uploaded epub (etc) files are safe (both for server and for downloaders)

My concerns are that someone could rename a file with epub extension, or that there can be some extra code in it.

If you're having random people upload files, first you need to be able to verify that the files are legal to redistribute.

PeterT · 03-08-2011, 09:14 AM

If you want to ensure that files are technically ePub maybe ensure that each and every upload is accepted by epubCheck --> http://code.google.com/p/epubcheck/

I am not going to even attempt an answer on the redistributable issue...

jbcohen · 03-08-2011, 09:33 AM

In the real world one of the hats I wear is a US Federal Government Security Officer and as such my coworkers are often in charge of keeping your IRS tax data private and making sure that your Social Security information does not get out so yes I know quite a bit about the matter.

First, lets talk to secrutiy. This is generally handled by a user name and password combination that the user assigns him or herself. Here are some general points that may not be obvious: 1) There needs to be a sunset of the password, meaning that the password must be changed after a period of time, typically two months less for more security but more bother to your customers and longer for less security but less bother for your customers; 2) Password Reuse - Customers can't reuse passwords within a set number of password changes, typically eight, meaning that the customer must change his/her password eight times before being able to reuse a password; 3) Password * - The password should never be visible on the screen as your customer types it in and instead * are subsitituted; 4) Brute Force - This is when a hacker attacks your servers by randomly trying every possible combination of characters, letters and numbers, you defeat this by limiting the number of retries typically three then the account locks out and the customer needs to call in when the tech verifiys that this is the customer not a hacker; 5) Mirroring - This is when a hacker creates a site that is idential to yours but has nothing to do with yours and is an attempt to get your customers to order your products through him and get his/her credit card information, you defeat this by use of a special image, at signup you assign a image to the customer, such as a image of a book and tell him/her that its not me unless you see this image, which will change on ocasion, T Rowe Price does this, doesn't prevent the hacker from mirroring your site makes their job harder; 6) Advertising - not just for maketing, you send out an email advertisment on a random basis and the customer needs to acknowledge it by a simple action such as clicking on the add, this ensures that the customer is indeed talking to you not a hacker, again does not stop a hacker but makes the job harder.

The way that you ensure that files are safe is a security check on the files on your servers periodically. If the customer is talking to you and not a mirrored site they can be assured that there is no virus on the files. The customer needs to be logged in to download anything even the free ones that way you can control the security of the files and ensure that there are no viruses.

I know what I am talking about is very time consuming but its what the IRS does. The way you get around your concern is there are two types of accounts: admin and customer. Customers can not alter the files while they are on the servers, the only thing they can do to them is download, they can not rename, they can not alter the files while they are on the server in any way unless they have an admin account and only you have that and your password changes every month or so. Thus if there is any problem with the files there is one and only one person holding the smoking gun and that's you. And you do checks on the files ocasionally, the IRS does you should see what they do when they check the integrity of your four year old tax return, they check the activity on the return and if its anything but you, the one who filed the return security officers get very scared.

The only other two pieces of advice that I can offer non-security is:

1) Take your books and catagorize them into small catagories, fiction and non fiction doesn't cut it, try many sub catagories such as presidential, spy, thriller novels (these are thriller novels about spies where a national president is involved in some way, doesn't have to be US can be brittish prime minister or Panastani).

2) Offer a free sample, such as the first paragrpah or two then charge for the rest.

Visuddhi · 03-08-2011, 10:11 PM

I’m not too concerned with the redistribution issue at the moment, I think i’ll be able to handle it if there are any problems, the books should only be free for distribution. I will probably have an admin group who will have permissions to add ‘official’ files to the site, but people with a login account can add ‘work in progress files’ to a forum or some other db.

At this stage it is still only an idea and second or third project in line so I’m just planning.

Actually one of the main reasons I want to set up the site is because of the category issue.
What I want to do is somehow use the metadata to for the categories. I want to have the books with complete metadata (The epub3 spec seems to be trying to address most of the deficiencies in the metadata) and make a browsable and searchable library based on this.

I need to figure out a way to extract the metadata from the epub file and put it into a sql db and then make a nice way to display it. (Now that I write it down it seems to be a bit of a calibre reinvention.)

I’m thinking that it will probably be easiest to work with epub version and then create other formats from these. Epub is now fairly easy to edit for most people.

Are the results of epubcheck trustworthy? From reading other threads I get the impression that it seems to be not so reliable, or have they done something to improve it?

@jbcohen thank you for spending the time to write that. I hadn’t thought about the mirror sites at all. Perhaps later if you don’t mind I might ask you for some more specific advice.

03-07-2011, 09:46 PM	#1
Visuddhi Member Posts: 20 Karma: 1204 Join Date: Jan 2011 Device: kindle 3	Advice for ebook site Hi Mobilread people Firstly thanks for the forum, I’ve found lots of useful stuff. I’m looking for some advice on running an ebook website. The site will be for free books for a very specific audience. I’ve tried googleing but it keeps coming up with stuff about drm and other unrelated material. The first thing I’m trying for understand is security. Is there a way I make sure that uploaded epub (etc) files are safe (both for server and for downloaders) My concerns are that someone could rename a file with epub extension, or that there can be some extra code in it. I’m not in a hurry but any pointers would be very much appreciated Thanks

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Ebook advice and guidance	Radioteacher	Workshop	2	01-17-2010 04:43 PM
Need advice for new ebook site	suelange	News	26	03-19-2009 01:41 PM
Hi All - New to site - Advice on Sony PRS700 please	vally	Introduce Yourself	6	01-31-2009 12:13 PM
Advice on first eBook - Conan	Spellbot 5000	Upload Help	5	05-29-2008 04:04 PM

03-07-2011, 11:11 PM	#2
Worldwalker Curmudgeon Posts: 3,085 Karma: 722357 Join Date: Feb 2010 Device: PRS-505	This section is for feedback about MobileRead, not questions about how to run a website.

03-08-2011, 04:25 AM	#3
HarryT eBook Enthusiast Posts: 85,544 Karma: 93383043 Join Date: Nov 2006 Location: UK Device: Kindle Oasis 2, iPad Pro 10.5", iPhone 6	Moved to the "General Discussions" forum.

03-08-2011, 09:14 AM	#5
PeterT Grand Sorcerer Posts: 12,177 Karma: 73448616 Join Date: Nov 2007 Location: Toronto Device: Nexus 7, Clara, Touch, Tolino EPOS	If you want to ensure that files are technically ePub maybe ensure that each and every upload is accepted by epubCheck --> http://code.google.com/p/epubcheck/ I am not going to even attempt an answer on the redistributable issue...

03-08-2011, 09:33 AM	#6
jbcohen Wizard Posts: 3,025 Karma: 11196738 Join Date: Oct 2010 Location: Piper College Device: Samsung A21	In the real world one of the hats I wear is a US Federal Government Security Officer and as such my coworkers are often in charge of keeping your IRS tax data private and making sure that your Social Security information does not get out so yes I know quite a bit about the matter. First, lets talk to secrutiy. This is generally handled by a user name and password combination that the user assigns him or herself. Here are some general points that may not be obvious: 1) There needs to be a sunset of the password, meaning that the password must be changed after a period of time, typically two months less for more security but more bother to your customers and longer for less security but less bother for your customers; 2) Password Reuse - Customers can't reuse passwords within a set number of password changes, typically eight, meaning that the customer must change his/her password eight times before being able to reuse a password; 3) Password * - The password should never be visible on the screen as your customer types it in and instead * are subsitituted; 4) Brute Force - This is when a hacker attacks your servers by randomly trying every possible combination of characters, letters and numbers, you defeat this by limiting the number of retries typically three then the account locks out and the customer needs to call in when the tech verifiys that this is the customer not a hacker; 5) Mirroring - This is when a hacker creates a site that is idential to yours but has nothing to do with yours and is an attempt to get your customers to order your products through him and get his/her credit card information, you defeat this by use of a special image, at signup you assign a image to the customer, such as a image of a book and tell him/her that its not me unless you see this image, which will change on ocasion, T Rowe Price does this, doesn't prevent the hacker from mirroring your site makes their job harder; 6) Advertising - not just for maketing, you send out an email advertisment on a random basis and the customer needs to acknowledge it by a simple action such as clicking on the add, this ensures that the customer is indeed talking to you not a hacker, again does not stop a hacker but makes the job harder. The way that you ensure that files are safe is a security check on the files on your servers periodically. If the customer is talking to you and not a mirrored site they can be assured that there is no virus on the files. The customer needs to be logged in to download anything even the free ones that way you can control the security of the files and ensure that there are no viruses. I know what I am talking about is very time consuming but its what the IRS does. The way you get around your concern is there are two types of accounts: admin and customer. Customers can not alter the files while they are on the servers, the only thing they can do to them is download, they can not rename, they can not alter the files while they are on the server in any way unless they have an admin account and only you have that and your password changes every month or so. Thus if there is any problem with the files there is one and only one person holding the smoking gun and that's you. And you do checks on the files ocasionally, the IRS does you should see what they do when they check the integrity of your four year old tax return, they check the activity on the return and if its anything but you, the one who filed the return security officers get very scared. The only other two pieces of advice that I can offer non-security is: 1) Take your books and catagorize them into small catagories, fiction and non fiction doesn't cut it, try many sub catagories such as presidential, spy, thriller novels (these are thriller novels about spies where a national president is involved in some way, doesn't have to be US can be brittish prime minister or Panastani). 2) Offer a free sample, such as the first paragrpah or two then charge for the rest.

03-08-2011, 10:11 PM	#7
Visuddhi Member Posts: 20 Karma: 1204 Join Date: Jan 2011 Device: kindle 3	I’m not too concerned with the redistribution issue at the moment, I think i’ll be able to handle it if there are any problems, the books should only be free for distribution. I will probably have an admin group who will have permissions to add ‘official’ files to the site, but people with a login account can add ‘work in progress files’ to a forum or some other db. At this stage it is still only an idea and second or third project in line so I’m just planning. Actually one of the main reasons I want to set up the site is because of the category issue. What I want to do is somehow use the metadata to for the categories. I want to have the books with complete metadata (The epub3 spec seems to be trying to address most of the deficiencies in the metadata) and make a browsable and searchable library based on this. I need to figure out a way to extract the metadata from the epub file and put it into a sql db and then make a nice way to display it. (Now that I write it down it seems to be a bit of a calibre reinvention.) I’m thinking that it will probably be easiest to work with epub version and then create other formats from these. Epub is now fairly easy to edit for most people. Are the results of epubcheck trustworthy? From reading other threads I get the impression that it seems to be not so reliable, or have they done something to improve it? @jbcohen thank you for spending the time to write that. I hadn’t thought about the mirror sites at all. Perhaps later if you don’t mind I might ask you for some more specific advice.

Advert

Advert