Skip to main content

Posts

Showing posts from November, 2010

Using AWS for larger business

Netflix is one of those really secretive companies, there have beens some interesting articles how they run the operations for the disc delivery, but not much on the way the deliver digital content. I came across this really cool article on how they use AWS:

http://www.readwriteweb.com/cloud/2010/11/why-netflix-switched-its-api-a.php

Pretty interesting read. Not sure I agree with some of the statements about less system admin and less database folks when they use AWS. I can understand less datacenter staff, but managing virtual or cloud infrastructure is just as much work. Obviously this is only the case when its running customized software and databases built internally (such as netflix). You still need to release software, manage the databases, and handle the same problems you would if you were doing it all in house.

The only items you don't need to worry about would be the following:

Backups
Provisioning new hardware (which is pretty simple if you run your own vmware in …

PCI compliance and SSLv2

So I am doing a PCI audit, and one of the requirements is that there must not be weak cipher support enabled on systems which collect credit cards from the web. I started doing some testing around some of the larger ecommerce sites out there, and it had some pretty startling findings. SSLv3 has been in Browsers since 1996 (think mozilla 2.0... way before we had firefox).

http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html

From my testing these sites to have SSLv2 disabled: google, paypal, delta, etrade

These sites don’t have SSLv2 disabled, this is strictly against PCI: Home depot, bank of America, Scottrade, Microsoft, Amazon, QVC, Dell, Orbitz

Really concerning that these big commerce sites allow something like that to slip by the auditors. Time to hire me to fix your compliance :)