In the real world, one of the hats I wear is a US Federal Government Security Officer, and as such my coworkers are often in charge of keeping your IRS tax data private and making sure that your Social Security information does not get out, so yes, I know quite a bit about the matter.
First, let's talk to security. This is generally handled by a user name and password combination that the user assigns him or herself. Here are some general points that may not be obvious:
1) There needs to be a sunset of the password, meaning that the password must be changed after a period of time, typically two months; less for more security but more bother to your customers, and longer for less security but less bother for your customers.
2) Password Reuse - Customers can't reuse passwords within a set number of password changes, typically eight, meaning that the customer must change his/her password eight times before being able to reuse a password.
3) Password * - The password should never be visible on the screen as your customer types it in, and instead * are substituted.
4) Brute Force - This is when a hacker attacks your servers by randomly trying every possible combination of characters, letters and numbers. You defeat this by limiting the number of retries, typically three, then the account locks out and the customer needs to call in, when the tech verifies that this is the customer, not a hacker.
5) Mirroring - This is when a hacker creates a site that is identical to yours but has nothing to do with yours, and is an attempt to get your customers to order your products through him and get his/her credit card information. You defeat this by use of a special image: at signup you assign an image to the customer, such as an image of a book, and tell him/her that it's not me unless you see this image, which will change on occasion. T Rowe Price does this. It doesn't prevent the hacker from mirroring your site but makes their job harder.
6) Advertising - Not just for marketing. You send out an email advertisement on a random basis and the customer needs to acknowledge it by a simple action such as clicking on the ad. This ensures that the customer is indeed talking to you, not a hacker. Again, it does not stop a hacker but makes the job harder.
The way that you ensure that files are safe is a security check on the files on your servers periodically. If the customer is talking to you and not a mirrored site, they can be assured that there is no virus on the files. The customer needs to be logged in to download anything, even the free ones; that way you can control the security of the files and ensure that there are no viruses.
I know what I am talking about is very time consuming, but it's what the IRS does. The way you get around your concern is there are two types of accounts: admin and customer. Customers cannot alter the files while they are on the servers; the only thing they can do to them is download. They cannot rename, they cannot alter the files while they are on the server in any way unless they have an admin account, and only you have that, and your password changes every month or so. Thus if there is any problem with the files, there is one and only one person holding the smoking gun, and that's you. And you do checks on the files occasionally. The IRS does; you should see what they do when they check the integrity of your four year old tax return. They check the activity on the return, and if it's anything but you, the one who filed the return, security officers get very scared.
The only other two pieces of advice that I can offer non-security are:
1) Take your books and categorize them into small categories. Fiction and non-fiction doesn't cut it; try many sub-categories such as presidential, spy, thriller novels (these are thriller novels about spies where a national president is involved in some way; doesn't have to be US, can be British prime minister or Pakistani).
2) Offer a free sample, such as the first paragraph or two, then charge for the rest.