New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
Another, pardon me, not so smart argumentation. The fact that panels get hacked does by no means prove that panels can't be made reasonably secure.
But I get your point, another version of the "100% isn't feasible, so let's sh-t on it anyway and let's use cheap crap"...
How about "Not every patient can be saved in a hospital, so let's not build hospitals but let's hand out a bandage and some painkillers to ill people"? * roll eyes
THE LAW
Global internet with George W Bush II leading the ring there buddy?
@Dorkfiles
Right, the usa has pretty much worn down and bent laws. But that's not the issue here. It was them providers who love to bring up the law (where it's convenient).
Actually no, my argument is different. Using a proprietary solution (a custom panel in this case) does not make it secure, it is security by obscurity. The only way to make it more secure would be to use an open source solution, where multiple people can review it and find and fix flaws. In this regard i think WHMCS would be much more secure if the files were not encoded.
Let's ignore for a moment that "open source is (at least an unconditional requirement for) security" and "obscurity not security" are religious/political beliefs and not facts ...
(as heartbleed amply demonstrated)
No. No again.
Security, insofar as software is concerned, is achieved by technical/engineering means, an important example of which is not using C/C++ but a language that is better suited for high quality programs.
Or, more rudely, security in software is achieved by not using flawed designs, based on committee decisions (usually strongly driven by commercial interests), implemented in crap "languages" (like PHP), by not using other crap tools (like lousy DBs and lousy libraries), by not running it on crap http(s) servers, by not running it on poorly designed and even worse configured and maintained systems.
In other words: A high level medical specialist is not the only way to have a healthy dog. Not beating it with rusty iron bars and not aiming torches and throwing stones at it, might in fact improve the poor animals health very very considerably.
Not at all. I am using my real name when I do business, i.e. not a fake name on the incorporating papers. I am using a real address and real bank account, etc. Nothing is fake.
I am not using another corporation or a fake one in my relationships with another corporation. My company has my real data, my real address and my real financial data.
You do not need to know where I, as a person, live. You enter a relation with prometeus, which hires my company, which hires me to do support. On none of these links at any point there is any fake data, it is also fully available online, so the law is fully respected.
You are frustrated you do not know whom to shoot in case i delete your data? Tough luck, you will need to hire a private investigator to get you that information and a professional hitter to come to my place. Too expensive? Sorry, that wont work on 7$ a month.
Good, give me then an example of a a properly designed and implemented secure system for storing and maintaining customer data, which is accessible over the internet. I agree that WHMCS is not the best thing out there and has had security flaws in the future. So suggest me what to use instead?
@Maounique
You are getting ever more ridiculous.
Even if I knew where you live it wouldn't come to my mind to send anyone after you. And btw. I would also not think that you would delete my data (on my VPS). You must have a pretty weird mind to think otherwise.
To the matter: You are wrong. Every client doing business with Prometeus (or any other european provider) is entitled to know your real name. Not your address. But your real name.
And your construct (through a company working for Prometeus) doesn't change that at all. In fact, you might even live outside the EU and Prometeus (a EU company) were still obliged to have you communicating with clients of them using your real name.
That is nothing to do with how your internal relationship with Prometeus is. It is only to do with EU legal requirements in client and business interaction.
And btw. I personally do not even care about your real name as long as you competently and politely interact with me in your support job. You may well do that as John as far as I'm concerned.
But it's rightout ridiculous that you who publicly states that he uses fake names both as client and in your support job do at the same time postulate that everyone else is obliged to use their real name while the company can have their staff use fake names.
@bsdguy, just drop it already..
@rds100
I'm neither attacking you nor do I say that there are good alternatives to WHMCS.
What I'm saying is that when providers bring up "legal requirements" they shouldn't forget that legal requirements exist for both sides. And protecting client data and privacy is such a legal requirement.
Maybe not yours (I don't your company) but look, there are some VERY big hosting providers and if they did care they could certainly afford to have something solid built. After all that's part of the business and of the laws and I as a client am certainly not to worry about how providers meet that requirement.
Let me put it differently: Assume on day X the next big PHP hole opens up and your client data are found on some hacker site. On that day X your business will be dead meat. And what little will be left will be sue out by clients.
So maybe some providers should understand that this problem will not eternally stay a clients problem. Sooner or later it will - and very painfully - be a providers problem, too.
Maybe it'd be smarter to think about solutions.
Because? You say so? Come back when you have arguments, OK
@bsdguy i don't feel attacked
I just didn't like the "provider stores client data in WHMCS which is not secure, they should do better". I don't know what's better. As was demonstrated above, building an own custom system is not necessarily more secure. Linode, OVH and Hetzner are not small companies, they can afford to hire good programmers and have a properly engineered solution. Yet it didn't work for them.
And PHP sux and is not secure. Yes, it sux. So should we invent and implement our own programming language and then write a custom panel in this language, hoping that everything will be more secure then? I don't think so.
To my knowledge WHMCS is currently the best known industry practice for storing customer details for hosting companies. Blesta might be better in time, because most of it is not encoded, but for now it's still too new to be 100% usable.
Because he is perfectly capable of repeating the same non-sense over and over until this is 10+ pages long and finally locked. So yea, be smarter and drop it, we all get the point
I dont personally mind fake details, as long as country is correct so proper VAT can be accounted. You cant ask 1000s people for identity card.
Haha, you're just enjoying this.
Or maybe it did - depending on their priorities (of which security could well be a lowly one)
No need. There are better suited programming languages available. And, you see, it's not even about protecting a panel from nsa's tao team. Protecting it against script kiddies and low to mid level hackers would be a major progress.
Again, the point isn't about high level security. It's about not-lousy security or even about security not being a total non-concern.
Whoever you mean with "he" (Maounique, myself, ...), you might want to have some arguments ready if you care about being taken seriously.
Nope. Not at all. But I hate hypocrisy, lies, gross lack of fairness, and ignorance of valid concerns.
"You just have to give me everything, name, address, phone, email, payment details - and I give you a fake name" is just an untenable position.
Prometeus is registered company in Italy, their business details are published on their website. You're giving Prometeus your personal details (name, address, phone, email; not sure what you mean by payment details, did you want to get service for free?), not some random support person. If the support representative leaks some data, then you can sue the company. And keep in mind there's probably a bunch of technicians in the background whose name you also don't know, and who may have more access than some random support person (probably not the case with Maounique, but yeah).
Link. I think you remember wrong or some other legislation.
Really. On what criteria? You need to know the name of the trashman working for the company which clears the thrash from your bank? Or only the people which have access to your data from the audit company or the other banks to which you make payments? What is the criteria on which you can go to a company you are a customer of and demand the list of names on the payroll of the companies that are selling them various services? Perhaps you need to know the real name of the people which sold Prometeus the servers? Or the names of the ones which negotiated from the carriers or datacenter? Where are we drawing the line?
Can I pay you with monopoly money?
Well, I meant things like a credit card number or a banking account.
And yes, of course I could sue them if they leaked my info. The problem though is that whenever one interacts with persons from a company that person must be identifiable, which usually happens by telling their name. This is btw. also in the interest of the company because a) in the end they will be liable and b) knowingly or intentionally providing false information is generally considered as an indicator of fraudulent intention.
With background personel it's different because they do not interact with clients.
And this is perfectly done by giving everyone a unique account in whmcs and other panels. The company knows exactly who screwed up and everyone will be able to do that by checking the logs even forensically.
Will my real name given to you prevent screw-ups? Reduce them? Will it help the already 100% case of positive identification in case it is one needed? No.
So, why do you exactly need to know my name? Which law requires it?
Probably quite a few, since using fake details is fraud, and you need your details to be attributable to you to have an enforceable contract. A legal beagle could probably go on and on about it.
I'm neutral about what details you choose to put in for low end providers, generally I'd say use your real credentials if you trust the company.
Again a completely bent interpretation. It's about persons interacting with the client, not the cleaning man.
It's not my job to educate you but I can give you a hint: legal interaction.
As a support person you have access to information (and to VPSs) that trashmen do not have and you interact with the client, speaking and acting for the company (within the limits of your job).
Frankly, it's evident that you don't care shit for the matter. Again and again you bend things, introduce extremes, etc. only to stick to your position, no matter how untenable it is.
just everybody be friendly and nice to each other, than there will be no need to use any fake blabla in the world for anything. amen.
Will my real name given to you prevent screw-ups? Reduce them? Will it help the already 100% case of positive identification in case it is one needed? No.
So, why do you exactly need to know my name? Which law requires it?
I'm not even interested in your real name (and I already said that before).
I'm interested in you not bending everything the way it suits you. You can't cite the law where it's convenient and ignore (or pretend to not know) it where it doesn't suit you.
And again: You have my full name and address and more; I have never abused any VPS or created trouble; I have payed - short, I'm a customer and a good one. Don't forget that.
You however have publicly stated that you used a fake name as a client and it's also known that you use a fake name now in support. Not exactly the best position in this discussion.
Yes. And, way worse, in court it's considered a strong indicator of fraudulent intention.
Well, I already told you that nothing is fake. My company name, my name to them, the contract between prometeus and my company, all are recorded as the law requires. If you know of a law that requires a company to disclose the name of their contractor's employees to any customer which asks, please link it.
You both have strong, opposing positions and neither is going to convince the other that their own viewport is wrong, clearly. I'm not sure why either of you are wasting life on this anymore. You've both made yourselves very clear.
@Zen this is general business conduct. Failure to do so, depending on your region, can result in business licensing being revoked.
I would like to know this as well. As far as I know using an alias or pseudonym is perfectly fine. No, the answer "the law says it's not allowed" is not acceptable. If you can't quote the exact law at least try to back up you claim with some reputable source.