PlumberSurplus.com Ecommerce and Entrepreneurship Blog

Updated PCI Data Security Standards (DSS) Requirements

Posted on July 1, 2008 by Josh

Effective June 30, 2008, the PCI Security Standards Council (SSC) has mandated that merchants must comply with Requirement 6.6. You know the one. It's the final requirement listed in Requirement 6: Develop and Maintain Secure Systems and Applications. It says:

6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

  • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
  • Installing an application layer firewall in front of web-facing applications.
    • Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.

Changes in eCommerce 

What does this mean for us in eCommerce? Well, it means that you have a decision to make about how to secure your web-facing applications. Do you perform a manual code review or install an application layer firewall? How about both? Both are considered best practices for eCommerce security at this point and the PCI DSS standard will only grow to become more stringent, more specific, and likely extend beyond minimal security standards. So you may as well start now. There are four options for application code review, as outlined by the PCI SSC:

  • Manual review of application source code
  • Proper use of automated source code analyzer (scanning) tools
  • Manual web application security vulnerability assessments
  • Proper use of automated web application security vulnerability assessment (scanning)

If you don't have control over your source, make sure you're working with software packages/vendors that meet the new requirements.


Increased Vulnerability 

That's not all! I also received an email from McAfee, our Approved Scanning Vendor (ASV), letting us know that also effective June 30, 2008, the PCI SSC is requiring ASVs to change from version 1 to version 2 of the Common Vulnerability Scoring System (CVSS). What does the change mean for you? Well, it changes the way certain vulnerabilities are scored. Consequently, some low priority vulnerabilities from version 1 will now be scored as higher risk vulnerabilities and could cause a failing PCI network scan score, resulting in non-compliance until you can fix the issue. They pointed out that the top 5 vulnerabilities, statistically, are as follows:

  • SSL Protocol Version 2 Detection -- Don't use SSLv2.
  • Weak Supported SSL Cipher Suites -- Don't use ciphers with less than 128-bit encryption.
  • Default Microsoft IIS Files and/or Frontpage Extensions Found -- Don't.
  • OpenSSL Multiple Vulnerabilities < 0.9.8d -- Don't use OpenSSL below 0.9.8d; it's got a number of serious vulnerabilities.
  • OpenSSL PKCS Padding RSA Signature Forgery Vulnerability -- Could allow an attacker to forge an RSA signature and pose as a trusted party.

You should work directly with your ASV if a vulnerability risk is uncovered. 
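The switch from CVSS v1 to v2 changes the number a finding is scored with, and with it whether the scan fails. As an added example (not part of this post, and not McAfee's code), here is a CVSS v2 base-score calculator with a simple pass/fail triage over a few constructed findings. The weights and equations are the published CVSS v2 base metrics; the 4.0 failing cut-off and the vector strings attached to the sample findings are assumptions for illustration.

```python
"""CVSS v2 base-score calculator with ASV-style pass/fail triage (added example).

The metric weights and the base equation are the published CVSS v2 ones.
FAIL_THRESHOLD and SAMPLE_FINDINGS are assumptions made for this example.
"""

# CVSS v2 base-metric weights
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # AV: Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # AC: High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # Au: Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}              # C/I/A: None / Partial / Complete

FAIL_THRESHOLD = 4.0  # assumed ASV failing cut-off on the v2 base score


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {metric: value}, rejecting incomplete vectors."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        metrics[key] = value
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"vector {vector!r} lacks {sorted(missing)}")
    return metrics


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    if impact == 0:
        return 0.0  # f(Impact) = 0 when there is no impact at all
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


# Constructed findings: names and vectors are illustrative, not from a real scan.
SAMPLE_FINDINGS = {
    "Information disclosure, unauthenticated, medium complexity": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
    "Remote, partial loss of C/I/A": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
    "Local, multiple authentication, no impact": "AV:L/AC:H/Au:M/C:N/I:N/A:N",
}


def triage(findings, threshold=FAIL_THRESHOLD):
    """Return [(name, score, 'FAIL' or 'PASS')] sorted with the highest score first."""
    rows = []
    for name, vector in findings.items():
        score = base_score(vector)
        rows.append((name, score, "FAIL" if score >= threshold else "PASS"))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, score, verdict in triage(SAMPLE_FINDINGS):
        print(f"{verdict}  {score:4.1f}  {name}")
```

A plain information leak with no authentication scores 4.3 under these equations, which is above the assumed 4.0 cut-off: that is the kind of finding the post describes moving from "low priority" to a failing scan.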
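The first two findings in the list above are web-server configuration problems rather than software bugs. As an added example, not from this post, here is a small audit of Apache mod_ssl directives that flags an SSLProtocol still admitting SSLv2 and an SSLCipherSuite that admits suites under 128 bits, run over a weak and a hardened config fragment. The two fragments and the cipher table are constructed (the table is a small subset of OpenSSL suite names), and the cipher-string handling is deliberately approximate: it treats '-' like '!', and it assumes any suite name it does not know is 128 bits or stronger.

```python
"""Audit Apache mod_ssl directives for SSLv2 and sub-128-bit cipher suites (added example)."""

# Constructed subset: OpenSSL cipher-suite name -> symmetric key bits.
CIPHER_BITS = {
    "NULL-MD5": 0, "NULL-SHA": 0,
    "EXP-RC4-MD5": 40, "EXP-DES-CBC-SHA": 40,
    "DES-CBC-SHA": 56,
    "RC4-MD5": 128, "RC4-SHA": 128, "AES128-SHA": 128,
    "DES-CBC3-SHA": 168, "AES256-SHA": 256, "DHE-RSA-AES256-SHA": 256,
}
# OpenSSL keyword groups that only expand to weak or unauthenticated suites.
WEAK_GROUPS = {"NULL", "eNULL", "aNULL", "ADH", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
               "LOW", "DES", "COMPLEMENTOFALL"}
# Keywords that expand to every suite, including export/low ones unless those are killed.
EVERYTHING = {"ALL", "DEFAULT"}

# Constructed fragments: the first is the old Apache 2.2-era default, the second a hardened one.
WEAK_CONFIG = """
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""
HARDENED_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW:!MD5
"""


def parse_directives(config_text):
    """Return {directive: [args]} for SSLProtocol/SSLCipherSuite lines; the last occurrence wins."""
    found = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if parts and parts[0] in ("SSLProtocol", "SSLCipherSuite"):
            found[parts[0]] = parts[1:]
    return found


def sslv2_enabled(protocol_args):
    """Apache semantics: 'all' enables every version, '-SSLv2' removes it, 'SSLv2'/'+SSLv2' adds it.
    A missing SSLProtocol means the server default, which in Apache 2.2 was 'all'."""
    if protocol_args is None:
        return True
    enabled = False
    for tok in protocol_args:
        name = tok.lstrip("+-").lower()
        if tok.startswith("-"):
            if name in ("all", "sslv2"):
                enabled = False
        elif name in ("all", "sslv2"):
            enabled = True
    return enabled


def weak_ciphers(cipher_args):
    """List tokens of an SSLCipherSuite string that admit suites below 128 bits.
    '!' and '-' are both treated as removing a token for the whole string (approximation)."""
    if not cipher_args:
        return ["no SSLCipherSuite set: server default may include export/low suites"]
    tokens = [t for t in cipher_args[0].split(":") if t]
    killed = {t.lstrip("!-") for t in tokens if t[0] in "!-"}
    weak = []
    for tok in tokens:
        if tok[0] in "!-@":          # kills and '@STRENGTH'-style modifiers
            continue
        tok = tok.lstrip("+")        # '+' only reorders
        if tok in killed:
            continue
        if tok in EVERYTHING:
            if not (({"EXP", "EXPORT"} & killed) and "LOW" in killed):
                weak.append(f"{tok} (expands to EXPORT/LOW suites unless !EXPORT:!LOW follows)")
        elif tok in WEAK_GROUPS or CIPHER_BITS.get(tok, 128) < 128:
            weak.append(tok)
    return weak


def audit(config_text):
    """Return a list of finding strings; an empty list means both checks passed."""
    directives = parse_directives(config_text)
    findings = []
    if sslv2_enabled(directives.get("SSLProtocol")):
        findings.append("SSLv2 enabled: add -SSLv2 to SSLProtocol")
    for token in weak_ciphers(directives.get("SSLCipherSuite")):
        findings.append(f"cipher suite below 128 bits or unauthenticated: {token}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit(cfg) or ["OK"])
```

The audit reads the configuration rather than probing the server, so it can run in a pre-deployment check; the ASV scan remains the authoritative result, since it sees what the server actually negotiates.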


PCI Keeps us on our Toes 

Don't get comfortable once you've knocked these new requirements out. By October 2008, the PCI SSC will have released/required version 1.2 of the PCI DSS. The same 12 core requirements will apply. Supposedly, however, the newer version will "enhance the clarity of its technical requirements, offer improved flexibility..." (Thank God).

One last note: The PCI SSC website is www.pcisecuritystandards.org. Does anyone else think it's funny that when you visit http://pcisecuritystandards.org/ (sans "www"), that you get a security error? It's such an easy fix...
Screenshot: http://pcisecuritystandards.org/ security error

PayPal Error on PayPal.com's Home Page: Page Not Found

Posted on June 16, 2008 by Tim

On the heels of Google Docs giving me a 404 Error that doesn't follow Google's own guidelines and Amazon going down to the tune of $2.3 million, the largest alternative payment method provider couldn't just sit on the sidelines.  PayPal, not to be outdone by Google and Amazon, has now joined the ranks of mega sites dealing with recent errors and outages.

This last Wednesday, I went to PayPal's homepage, paypal.com, by typing the URL directly into my browser.  The page only partially loaded, showing lots of empty whitespace, noticeably absent formatting, and little navigation.  A big, almost empty, rectangle included two links in the lower left.  The first link read "Click here to retry".  The second link ironically read "Return to the homepage".  The title of the page read "Page Not Found - PayPal".  Several refreshes didn't clear up the issue.  Neither did clearing my cookies, cache and temporary files, restarting my browser, and retyping the URL.  Several minutes later, PayPal.com loaded fine.

Here is a screen shot of PayPal's home page giving me the Page Not Found error.


Man, what's in the internet water and who will drink it next?


Excel Plug-in: Merge Cell Wizard

Posted on June 12, 2008 by Elizabeth

As I am slowly working my way up to “Excel Guru” around the office, I have been asked about formulas and Excel functions that I never even knew existed. I remember the sense of accomplishment I felt when I wrote my first nested if-then function (that worked), ran my first advanced filter and created my first macro, all without having to ask for help. I felt like I could do anything in Excel! The day I learned how to create a macro that would run several advanced filters for me, at two keystrokes, I danced around the office!

One day my manager came to me with a large Excel file. He had all of his fields separated out into highly specific, individual cells that spanned across many, many columns. He needed the data from several columns and rows to be combined and shown in one cell. So, I needed a way to merge together several cells. The standard Merge Cell feature in Excel is helpful, but limiting. I searched the internet for a few minutes before I found the Merge Cell Wizard. This feature allows you to merge cells row by row as well as column by column.  What is great about the Merge Cells Wizard is that you can specify what separator to use: comma, tab, return, etc.

Needless to say, I was thrilled that I was able to complete the task. Using this plug-in saved hours, if not days worth of work. You can get the plug-in for a fee through www.ablebits.com, or search for a free download that will offer a 30 day trial. If it is a tool that you will utilize often, it is worth every penny! 


Google's 404 Error Page: Not Good, Not Effective, and Not Google Friendly (According to Google's Guidelines)

Posted on June 3, 2008 by Tim

Sometimes Google creates guidelines for webmasters that Google doesn't follow itself.  Let me elaborate.  Last night, I went to Google Docs and was pleasantly surprised with a 404 error.  It was only pleasant because it's nice to know that even Google can't always satisfy Google standards, so I'm in good company.

For our non-nerds, in general, a 404 error is what users receive when they attempt to access a non existent page on a website.  This can happen for several reasons: the user may have incorrectly typed a URL, the page may no longer exist because it has been deleted, the page may have been moved to another location, the page may have been renamed, the link they followed may be broken or outdated, or a URL redirect, such as a 301 or 302, may have problems.

Google's 404 Error Page

I triggered the error by typing in the URL www.google.com/docs which redirected to http://docs.google.com/.  By the way, don't worry mankind, one browser refresh led me to a working Google Docs home page.  Earth's productivity as we know it will have to halt another day.

Here is a screen shot of Google's 404 error, as presented to me:

Now, although I was surprised to have seen a 404 error from Google at all, this isn't what really surprised me.  Even Google's army of data centers can't get it right all of the time.  Also, I don't know of any uptime guarantees that come with Google Docs or any of Google's free services for that matter.  Some of Google's paid products or services do offer uptime guarantees, such as Google Apps Premier Edition, which includes a 99.9% uptime guarantee for Gmail.

What really surprised me, what really "pleasantly" surprised me, was the 404 error's presentation.

The text on the error page was extraordinarily simple, stating "Not Found Error 404".  The text was black on a white background.  Similarly, the title tag read "Not Found".  Also, the Google Docs favicon appeared in the Firefox browser tab.

However, Google's 404 page was not customized to provide help to Google's users.  Now, a non-helpful 404 page is no epiphany.  Plenty of sites have 404 error pages as unwelcoming and unhelpful as Google's, and plenty of great, free custom 404 error page recommendations are out there just waiting to be implemented.

Based on Google's definition of a "good custom 404 page", Google does not have a good custom 404 page

The irony in this example is that Google Webmaster Help Center provides Guidelines for creating useful custom 404 pages which recommends that webmasters create a custom 404 page.  The guidelines state "If you have access to your server, we recommend that you create a custom 404 page. A good custom 404 page will help people find the information they're looking for, as well as providing other helpful content and encouraging them to explore your site further."
Google's 404 page didn't do any of these things.  It didn't help people find the information they were looking for (Google Docs), was not customized to provide other helpful content (no other content was provided) and did not encourage them to explore their site further (no exploration opportunities existed).

So, based on Google's definition of a "good custom 404 page", Google does not have a good custom 404 page.

Based on Google's definition of an "effective 404 page", Google does not have an effective 404 page

Google's guidelines go on to describe how to create an "effective 404 page".  The guidelines state:

"Because a 404 page can also be a standard HTML page, you can customize it any way you want. Here are some suggestions for creating an effective 404 page that can help keep visitors on your site and help them find the information they're looking for:"

Then, the guidelines provide a bulleted list of suggestions.  Let's see how well Google does, in implementing their suggestions:

  • Tell visitors clearly that the page they're looking for can't be found. Use language that is friendly and inviting.

Well, although the text doesn't say "what" isn't found, the page certainly presents the text "Not Found" loud and clear.  Obviously, the text "Not Found Error 404" is neither friendly nor inviting.

  • Make sure your 404 page uses the same look and feel (including navigation) as the rest of your site.

Google's 404 page doesn't use any look and feel, or navigation, let alone a look and feel that is the same as the rest of Google.

  • Consider adding links to your most popular articles or posts, as well as a link to your site's home page.

Google's 404 page doesn't contain any links to anywhere.

  • Think about providing a way for users to report a broken link.

Google's 404 page doesn't provide a way for users to report anything.

  • No matter how beautiful and useful your custom 404 page, you probably don't want it to appear in Google search results. In order to prevent 404 pages from being indexed by Google and other search engines, make sure that your webserver returns an actual 404 HTTP status code when a missing page is requested."

I didn't check the HTTP status code on Google's 404 page to see if Google's webserver returned an actual 404 or not.  Currently, it doesn't look like the 404 page appears in Google search results.
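The last guideline is the one that is easy to get wrong in code: a friendly "not found" page that is served with a 200 status is a "soft 404", which crawlers index and which status-code monitoring never notices. As an added example (not from this post and not Google's code), here is a minimal WSGI application that serves a custom 404 page following the guidelines above with a real 404 status, next to a switch that reproduces the soft-404 anti-pattern, plus an in-process request helper to compare the two. The routes and page text are constructed. Because the requested path is reflected into the error page, it is HTML-escaped in the text and percent-encoded in the link; a 404 page that echoes the URL unescaped is a classic reflected cross-site-scripting sink.

```python
"""Custom 404 page with a real 404 status versus a soft 404 (added example)."""
from html import escape
from urllib.parse import quote

# Constructed routes standing in for a real site; any other path is a missing page.
PAGES = {
    "/": "<h1>Docs home</h1>",
    "/about": "<h1>About this site</h1>",
}
HOME_URL = "/"
HTML_HEADERS = [("Content-Type", "text/html; charset=utf-8")]


def not_found_body(path):
    """A 404 page per the guidelines: says what was not found, keeps a shared header,
    links to the home page and offers a way to report the broken link.
    The path is user-controlled, so it is escaped for HTML text and quoted for the URL."""
    return (
        "<html><head><title>Page not found</title></head><body>"
        "<div id='site-header'>Docs</div>"
        f"<h1>Sorry, we couldn't find {escape(path)}</h1>"
        f'<p>Try the <a href="{HOME_URL}">home page</a>, or '
        f'<a href="/report?path={quote(path)}">tell us this link is broken</a>.</p>'
        "</body></html>"
    )


def make_app(soft_404=False):
    """Build a WSGI app. soft_404=True serves the same page with '200 OK', the
    anti-pattern the guidelines warn about; the default returns a real 404 status."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO") or "/"
        body = PAGES.get(path)
        if body is None:
            status = "200 OK" if soft_404 else "404 Not Found"
            start_response(status, HTML_HEADERS)
            return [not_found_body(path).encode("utf-8")]
        start_response("200 OK", HTML_HEADERS)
        return [body.encode("utf-8")]
    return app


def request(path, soft_404=False):
    """Call the app in-process and return (status line, body) as a client would see them."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    app = make_app(soft_404)
    chunks = app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response)
    return captured["status"], b"".join(chunks).decode("utf-8")


if __name__ == "__main__":
    for p in ("/", "/missing", "/<script>alert(1)</script>"):
        status, _ = request(p)
        print(f"{p} -> {status}")
    print("/missing as soft 404 ->", request("/missing", soft_404=True)[0])
```

Checking the status line from a client, as `request()` does here, is the same check the last guideline asks for: the body can be as friendly as you like, but the status line is what search engines and monitors act on.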

So, based on Google's definition of an "effective 404 page", Google does not have an effective 404 page.

Is Google a Google-friendly site?

What's really funny is that Google's "Guidelines for creating useful custom 404 pages" are found under Google's "Creating a Google-friendly site", which naturally begs the (very long) question:

If Google does not have a "good custom 404" page based on Google's definition of a good custom 404 page, and if Google does not have an "effective 404 page" based on Google's definition of an effective 404 page, which means that Google does not have a "useful custom 404 page" based on Google's "Guidelines for creating useful custom 404 page", and these guidelines are an element of "Creating a Google-friendly site" then...

Is Google a Google-friendly site?


Vanessa’s Variety for the Week of May 16th, 2008

Posted on May 15, 2008 by Vanessa

Welcome to this week in eCommerce and Entrepreneurship.  Take a look, because the world of eCommerce is getting more interesting by the week.

  • Brainstorming for keywords can be tough, especially if you or your search marketer has hit their own form of writer's block.  Search Engine Journal put out a list of tools to help with keyword generation. 
  • “The Churchill Club of Silicon Valley just wrapped up one of its most anticipated events: the Annual Top Ten Tech Trends Debate. Five well-known and opinionated venture capitalists weighed in on what trends will take flight and what trends will fizzle out in the months ahead.” …more 
  • I am not a fan of the Dallas Mavericks nor am I really a fan of Mark Cuban, not for any particular reason other than the fact that I am a Laker fan.  As a fan of the competition, one tends to feel a little sour towards the Mavericks owner.  As you may know though, he is one of us, an ecommerce nerd.  This week he pondered about how to beat Google, and what he came up with may interest you. 
  • It is no secret that companies have discovered that employee health and well-being cuts down on the number of sick days used, which cuts costs and increases productivity.  What about the employees that just plain play hooky?  Well, a new technology has surfaced that can detect when an employee is lying over the phone.  From the article: “The technology means someone phoning in for a sickie will speak not to a sympathetic secretary but to a computer set up to check whether their voice is steady and reliable.” 
  • In response to New York tax laws, Overstock.com has cancelled all relationships with affiliates in New York.


Cisco 7960 and Trixbox Problems in our VOIP Implementation

Posted on May 8, 2008 by Josh

If you didn't already read Challenges of an Internet Retailer’s VOIP Implementation, then you may want to take a quick glance at that post to catch up on our previous issues.

Our decision to use the Grandstream GXP-2000 phones for our VOIP users had been haunting us for some time when a friend of mine recently “donated” a spare Cisco 7960 and a few Polycom IP phones to use. I was naturally excited to plug in phones that I knew were renowned for quality and performance. Both phones were well documented in the TrixBox community and I fully expected to be up and running in minutes. So I gave the Polycoms a whirl: plugged them in, checked the IP address, logged in to each phone through a web interface and updated all of the settings that I expected to make them work with our TrixBox (version 2.5) implementation. Easy. They worked well. Done.

Then, excited like a kid at Christmas, I jumped over to the Cisco 7960, plugged it in, checked the IP address, opened a browser… “cannot display the webpage”. Oh. OK. So Cisco doesn’t have a user friendly web interface for the 7960. No problem. So I dove into settings on the phone. Cisco makes a great product and from the granularity and variety of options, it’s clear that this phone can be customized to work well with our system. So I manually plugged away on settings using the phone’s dial pad and rebooted the phone. Now, the phone won’t register with the TrixBox host. Hmmm. Everything seems correct. Maybe I missed a period somewhere… nope. So I tried changing a few settings and rebooting… nope. So I tried changing settings a half dozen or so more times…nope. OK, going to the TrixBox forums. A search for 7960 yields 469 results. OK, no problem. So I dig away, reading through numerous setup walkthroughs.

Finally, I come across a forum where a user posts a setup question relating to the same issue that I am having. He posted on 12/22/2006. The first reply to his post is a “bumped” response that was posted on 3/24/2008 with a very simple solution.

Seriously? It took 15 months to find the solution? Wow.

So, since I didn’t want anyone else to have to go through the trouble of digging, here’s what got my Cisco 7960 to work with my implementation of TrixBox:


  1. From the TrixBox command line, type “setup-cisco” 
  2. Open http://trixboxhostname/maint 
  3. In the Asterisk menu, select Endpoint Manager 
  4. Click Cisco phones then click Add Phone 
  5. Select the appropriate extension, phone type, and enter the phone’s MAC address 
  6. In the Asterisk menu, select Config Edit 
  7. Click /tftpboot then click SIPDefault.cnf 
  8. In the edit window, find:
       # NAT/Firewall Traversal
       nat_enable: "0"
     and change the “0” to “1” (this is the step I was missing)
  9. Manually configure your 7960 to point to your TrixBox host’s IP for tftpboot
  10. Reboot your 7960


Tada!  It should work.
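The step that was missing is a one-line change in SIPDefault.cnf. As an added example, not the post's own procedure or any TrixBox code, here is a small Python helper that makes the same edit from a script and reports whether anything changed, so the setting can be applied and re-checked on every rebuild without opening Config Edit by hand. The config excerpt is constructed: only the nat_enable key and the "# NAT/Firewall Traversal" comment come from the post; the other keys are illustrative.

```python
"""Set nat_enable in a 7960 SIPDefault.cnf idempotently (added example)."""
import re

# Constructed excerpt of a SIPDefault.cnf; only nat_enable is taken from the post.
SAMPLE_CNF = """# Image Version
image_version: P0S3-08-6-00
# NAT/Firewall Traversal
nat_enable: "0"
nat_address: ""
# Proxy server (TEST-NET address, constructed)
proxy1_address: "192.0.2.10"
"""

# key: value   (value may or may not be quoted; comments start with '#')
LINE_RE = re.compile(r'^(\s*)([A-Za-z0-9_]+)\s*:\s*(.*)$')


def parse_cnf(text):
    """Return {key: value} with surrounding quotes stripped; comments and blanks ignored."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            values[m.group(2)] = m.group(3).strip().strip('"')
    return values


def set_value(text, key, value):
    """Rewrite key's line in place (quoted, keeping its indentation), or append it if absent.
    Returns (new_text, changed) so a caller can tell a no-op from a real edit."""
    out, changed, seen = [], False, False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == key:
            seen = True
            new_line = f'{m.group(1)}{key}: "{value}"'
            changed = changed or new_line != line
            out.append(new_line)
        else:
            out.append(line)  # comments and other keys pass through untouched
    if not seen:
        out.append(f'{key}: "{value}"')
        changed = True
    return "\n".join(out) + "\n", changed


def enable_nat_traversal(text):
    """The fix from step 8: nat_enable "0" -> "1"."""
    return set_value(text, "nat_enable", "1")


if __name__ == "__main__":
    updated, changed = enable_nat_traversal(SAMPLE_CNF)
    print("changed:", changed)
    print(updated)
```

Running the helper twice leaves the file untouched the second time, which makes it safe to call from a provisioning script; run `setup-cisco` and the Endpoint Manager steps first, since they generate the file the helper edits.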
