Stiles & Bates

[Steve]

Hi Chaps,

My word - we really are getting down to it here!

Neil is absolutely correct, because we agree that the definition of 'secure' on the web means that data is encrypted and stored on an httpS server. We agree therefore that the name and address details are not secure.

What I have been labouring to explain is that in the context of the entire transaction process, from placing the order, providing details and card details, the system we designed breaks this information up and processes and stores in different places. As far as I am aware, no other woodworking sites have gone to these lengths. It is, by comparison, 'super' secure.

In designing a secure system, you have to define the process and apply appropiate levels of security to the various stages of that process.
This is precisely what we have done on the shopping system for Stiles and Bates.
The problem we have here is that my good friends on the forum are labouring under the impression that name and address details should be treated with the same level of security as card numbers.

There is no reason whatsoever to do this because these details are defined 'open' or 'PD' (Public domain).

Actually - let me refine that statement. There is only ONE reason to encrypt name and address details - to dupe the customer into a FALSE sense of security as far as name and addresses are concerned!

Many shopping systems take all the details at once and place them all on the same server at the same time. This level of security is certainly high enough. Our system takes it a couple of levels higher - it should be serving as the security benchmark for the list!

Steve

 

[Steve]

wonder why the address can't be handled as securely as the card details... I think. Maybe

Hi Alf,

That's the crucial question, and the answer is that the name and address details can't be handled as securely as the card details - it simply cannot be done.
Firstly, they are already open so it is like concreting up the stable door when the horse moved out twenty years ago, and secondly, the goods have to be picked, packed, addressed and delivered.
That entire process is open to varying degreees, with the delivery process being wide open.

To put it in stark context, a temporary hourly-paid delivery driver with no background check will know that you have taken delivery of something from Smiths Woodworking. He will know the name, the address and whether or not the house was occupied at a certain time of the day.
He will also be able to assess how easy it is to gain access to the house, garden or workshop, and whether any points of access are in view of neighbours or passers by.
He will also know whether the place was alarmed and whether or not there is a dog.
Now I'm not suggesting that every delivery driver is bent - I'm just pointing out that from a security point of view, it's a non starter!

That is the 'open' end of the transaction cycle from Stiles and Bates or indeed anyone else. My point is that your name and address have to be subject to a different security regime altogether - nothing at all to do with encryption.

I really hope that's made sense to everyone!

Steve

 

[Alf]

But Steve, that's like saying there's no point being ex-directory 'cos the BT engineer knows the number :? The total absence of double-glazing salesmen ringing my number tell me it's still worth doing. Oh never mind. Thanks for taking the time anyway.

Cheers, Alf

 

[Johnboy]

I assume those who object to their names and addresses not being encrypted are on the electoral role? If so your name and address are avilable to anybody who is interested anyway. Much easier to get them from there than from a secure server. I think the objections to Stiles and Bates system are ludicrous.

John

 

[mudman]

I assume those who object to their names and addresses not being encrypted are on the electoral role? If so your name and address are avilable to anybody who is interested anyway. Much easier to get them from there than from a secure server. I think the objections to Stiles and Bates system are ludicrous.
John

There's an old adage in the retail trade, "the customer is always right".

Steve is falling into a trap that is as old as IT, that is assuming he knows better than the customer, and that because he knows better, that he shouldn't do what the customer wants.

Generally, the IT guy putting in the system does know better. He also knows that putting in a feature that the customer may want is a waste of time and money. But, if the customer is adamant that he wants it and it won't break the system, then he should get it anyway.

You've missed the point here by quite a long way Steve. The point isn't whether or not the customer's name and address details are secure, but that the customer wants his details to be secure.

It would be interesting to know the number of people who don't buy anything from Stiles and Bates' site because they can't see that little locked padlock when they start to enter the transaction and thus go no further.

 

[Aragorn]

It would be interesting to know the number of people who don't buy anything from Stiles and Bates' site because they can't see that little locked padlock when they start to enter the transaction and thus go no further.

Just joined this topic and only read the last few posts, but if I don't see the "https" and the little padlock sign I don't ever proceed to enter sensitive info.
If I were to try to order from Stiles and Bates', they would loose my online custom just for that alone.

 

[Waka]

All

I seem to have opened a good discussion here on the whys and wherefors of odering on the web.

I read with interest all the comments but alas I'm not sure I understand all the technical stuff. The take my simple mind is that my credit card details are sure, but my address details are not as secure.

I like the bit about ex-directory which I have been for many years, do I get the phone calls from unwanted saleman, yes I do. So I guess my details are not that secure.

I will take the advise of the knowledgable and give Stiles & Bates a chance and order over the net.

Waka

 

[Martin]

Hi All,

This is a good thread, and a subject that I've discussed with Neil in the past (specifically on the subject of Stiles & Bates). For what it's worth, I've ordered from S&B on many occasions using the web site, and on several occasions have been extremely impressed with their customer service (eg. they didn't have a spalted beech turning blank of suitable quality and specified size available, so they threw in one that was slightly smaller free of charge). On another occasion they emailed personally to say that my order would not be shipped before the bank holiday weekend due to an open day they were running on the Saturday (I didn't expect them to anyway, but the fact that they emailed was top notch customer service).

All I can say is that if you choose not to use S&B based on what are IMO minor security concerns then you're missing out on a great woodworking supplier. I haven't visited them in person, but very much get the impression that they are a small, family run business that really cares about giving good service. Unfortunately you can't always say the same about some of the other larger (and in the eyes of some "more secure") retailers.

My take on the security side is just the same as Steve's - your address is in the public domain anyway. The transmission of your address across a non-secure link is a relatively minor security concern IMO, especially if separated from order details and credit card details.

Cheers,
Martin.

 

[Steve]

Hello all,

The mind positively boggles.
Despite my best efforts, the points made by Neil, Aragorn, Mudman et al have won the day. I find myself in the strange position of having to downgrade the security of a site so that people think it is more secure.

Steve

 

[ike]

I find myself in the strange position of having to downgrade the security of a site so that people think it is more secure.

A small crumb of comfort. Given some previous comments, S & B might get more orders! Alas not mine, being sadly broke

 

[mudman]

Despite my best efforts, the points made by Neil, Aragorn, Mudman et al have won the day. I find myself in the strange position of having to downgrade the security of a site so that people think it is more secure.

Steve

Actually Steve, you did reassure me that my credit card details are safe and secure on the S&B site. I was trying to point out that people (myself included) want their personal details to be secure as well, even if they can be accessed by looking at the electoral roll.
You do have to remember that lists of names and addresses along with e-mail addresses are very valuable to some people. Especially if you can say such things as 'These people actively buy over the internet', 'These people are interested in such and such'. Anything that direct marketing peolpe can take an interest in.

BTW, is it possible that both of the servers (personal details and credit card details) can handle the data securely? Surely this would enhance the security and not downgrade it (even if it doesn't make any difference in reality).

 

[Steve]

Hi Mud,

Your personal details, name, address, telephone/fax numbers, email address/es, buying habits, holiday destinations are all there for the buying anytime anybody wants them. Further, the attitudinal profile of you and anyone living at your address is also available. Likely political leanings, life insurance levels, investments, savings, number of bank and building society accounts and so on are also available, perfectly legally.
Your mortgage payments, credit card payments, borrowing levels, HP and catalogue payment history is also available, as is that of any and all living at your address and those that have lived at your address during the last ten years.
There is also 'bad' information stored about you, me and just about the entire adult population. Information compiled poorly and/or interpreted badly. Some organisations draw overall profiles from postcode data alone - downmarket insurance companies, for example.
I could go on - and on.
We live in a data and transaction-driven world. There are those who manage to function outside that world, but they are masters of the craft and know how to give the data gatherers a bum steer. It is pretty easy when you know how.

This information is gathered from a bewildering number of sources, but I can tell you for an absolute rock solid 22 carat fact that these people have got more chance of a flying beer with Elvis than they have of getting any information whatsoever about Stiles and Bates customers from Stiles and Bates. Dave Bates would not sell the information at any price.
I know my word and opinion counts for naff all on this forum, but you can certainly take my word for that.

The incredible irony is that it is that people trust the large corporations and are wary of the smaller companies. The reality is that the corporates share information extremely efficiently - often automatically - when most smaller companies regard customer information as a matter of personal trust.

BTW, is it possible that both of the servers (personal details and credit card details) can handle the data securely? You do have to remember that lists of names and addresses along with e-mail addresses are very valuable to some people.

That's it. Final straw. I surrender. I give up.
I shall find a wall, stand before it and rock my head so that my forehead makes repeated contact with said wall.

Steve

 

[Steve]

Hi Ike,

Your point is well made, and it is shared by Dave Bates who, whilst finding the situation as frustrating as I (well - almost!), realises that it is customer perceptions that count, not the realities.
In a matter of a year or two, there will be legislation insisting that card details and name and address details are handled separately and the system we are about to suspend will be rolled out once more.

The irony that I have to admit is now beginning to make me angry is that hardly ANY UK woodworking sites meet the requirements of the recent legislation, and I know of none - not a single one - that has a security regime as strong as Stiles and Bates. Further - S&B don't charge your card until they send the order.

Yet with all that, a company that observes the very highest standards of integrity can suffer because of a self-appointed arbiter of internet security. I too am a woodworker. I too order over the net. I've ordered from Rutlands, had my card charged and waited ten weeks for the goods to show up - as documented on this site. Stiles and Bates just don't do that - read Martin's posting! When Dave Bates briefed me, he stated that he wanted the absolute best he could have for his company and his customers.
That is what we provided, and we were proud to do so and very proud of the site. The site is used as an example for user dynamics and security.

The world is, indeed, a strange place and getting stranger.

I really am very pineappled off about this and I hope that Alf and colleagues will allow me to use that phrase because it is genuine and heart-felt, not malicious or abusive.

Steve

 

[Steve]

Hi Mud,

I've just read on your profile that you're an IT consultant.
Please tell me this isn't true.

Steve

 

[Aragorn]

Hi Steve
Just read the thread from the beginning because of your strong words.
Thanks for clearing this up. I feel totally reassured about ordering from S&B online.

 

[Alf]

I know my word and opinion counts for naff all on this forum

Steve, with the greatest of respect; don't be daft. :roll: I appreciate the time and trouble you've taken to try and explain it all for the likes of technology-challenged me. I'd love to say I get it, but to be honest I still don't. It's not your fault; it's mine and the very little explanation the average Joe and Josephine get on the whole subject. I'm sorry we've driven you to the stage of head meets wall; been there, done that and wouldn't wish it on you or anybody. 'Pologies, mate. When the legislation come in you can look forward to telling us "I told you so", so that's something to look forward to anyway...

Cheers, Alf

 

[Rattie]

I think much of the bother in this thread came from the assumption that address details should be transferred via the HTTPS protocol, rather than open HTTP. That's a common and understandable concern, we've been taught to entrust data vaulable to us only to the "padlocked connection".

That does make sense with data that only we know, e.g. credit card details, banking logins etc.

When we fill in a form using open HTTP, the only places that its easy to gain any intelligence on what we type are: local to us - on the company network, using a packet sniffer, local to the server - using similar techniques, or at some echelon listening station that considers our tool purchases detrimental to state security :wink:

Everywhere else on the internet, via which our form data is passed, the data is vague and useless, finding safety in numbers.

The compelling reason to send credit card details via HTTPS, is that we don't trust "Dodgy Kevin" in IT.

I hope that ramble made some sense, rather than enflamed Steve any more, he's done a great job on the site.

Cheers

Martyn

 

[Newbie_Neil]

Hi Steve

Yet with all that, a company that observes the very highest standards of integrity can suffer because of a self-appointed arbiter of internet security.

I assume that you mean me. At all times I have stressed that S&B have an excellent site. My only concern has been that the name and address details are not handled securely via an https server, it is what people demand. As mudman says, "there's an old adage in the retail trade, the customer is always right".

My intention when I started out to produce the list was to make as many sites as possible available to all woodworkers. A by-product of this was the level of security on the site.

Indeed, it was your good self that wrote the security section in The List.

The tests I have used have been very simple. 1. Are name and address etc. handled securely? 2, Are card details handled securely?

Steve, this is purely for my personal interest, is there any technical reason why the system couldn't have been designed to handle the processing of the name and address details securely via an https server whilst leaving everything else exactly as it is?

Cheers
Neil

 

[mudman]

Steve,
Sorry to have wound you up but I do know how you feel. I also think that you have missed the point.
I do believe that the credit card details on the Stiles and Bates site are secure; you have convinced me of that. I do think that there are many more and easier ways that criminals can get hold of such things anyway. But again that is beside the point.

What is the point is the customer's perception of what is secure. Your average Joe Punter doesn't know that his personal details are readily available to all and sundry. What he knows is that all the authorities tell him that he mustn't ever put personal details into a website order form unless the little padlock is at the bottom of the screen. In today's world of paranoia about the security of the Internet, more and more on-line shoppers will be aware of this.

When people proceed to checkout and realise that the entry of name and address details are not secure, then they will very likely not proceed any further because they will assume that the rest will not be secure either. They won't even get to the next secure part of the checkout and see that it is secure because they will make the assumption that it is all like that from the start. Sale lost.

You seem to be saying that this is going to mean that you will have to downgrade the security of the site and that this is all terrible because you will have to put it all back in again when the law says so. Sorry, but I really can't understand that attitude.
Now I may be wrong, but I assume that it is possible to place both the personal details and the credit card details on separate secure servers. If this isn't possible, then tell me so and I'll shut up now.
So, you implement that change so that even if it isn't necessary from a process point of view the personal details are handled securely. This means that Joe Punter sees the little padlock from the start and is happy to continue. Then, when the law changes and everything has to be handled separately, Stiles and Bates have the systems in place to take advantage of the fact that it is very unlikely that other sites will have the necessary security in place to satisfy the law, (will they have to stop trading until they do?).

Remember that this entire thread came about because the perception is that S&B's site is not secure because the personal details aren't handled securely. This is obviously wrong with respect to credit card processing but you need to address this perception and you won't do that by explaining in detail at the start of each transaction just how things work behind the scenes.

And yes, I am an IT consultant but not in your area. I work principally within the IBM mainframe environment so can be counted as an average user who knows nothing about how these things work on the Internet. What I do know about though is designing large complex systems, listening to customers, determining the requirements and then implementing what they want not what I think they need.

 

[Shady]

Careful there mudman: at the risk of entering a potential flamefest while still new to the site ( ), You said:

What I do know about though is designing large complex systems, listening to customers, determining the requirements and then implementing what they want not what I think they need.

That would explain IBM's fall from world domination then: it is a given that no customer in the market for a large information system actually knows what they want. The process of systems analysis and design is a mutual process of exploration/dialogue/education between the user/customer and the systems house, in which both sides' understanding evolves toward achieving improvement - or at least, it should be if you actually want to provide a useable solution, as opposed to 'take the fees and run' or 'lock them in to our service provision for ever'... :wink: (Yup - guess what I do for a living...)

And - I work in the military/government security environment... Trust me, I have to say, I read the list of websites and stopped after the first 10 or so reputable firms were rubbished - it is simply an unreasonably harsh assessment, based on a 'total security' approach which is inappropriate. As an example, are all those of you who want your name and address encrypted on these sites also people who have never, ever, ever let a restaurant employee take your credit card out of sight to return and present you the bill? You may be, but I doubt it. And to read that you won't use a websystem, but will give your card details to an individual over the phone...

I should also add that, if you're really paranoid about all this, the last thing you should ever do is encrypt information like your name and address alongside your card details... Why? because that's exactly how we broke the German's 'enigma' code in the war, and remains the best way of cracking any encryption - it's called a 'crib', and is based on the fact that because your name/address is inherently available through a raft of other sources, I (or 'Bob, Ted or Alice', to use the classic cryptologist's notional 'hackers') can then compare the coded gobbledegook with the known name/address and work out the key: then I can apply that key to your encrypted credit card details - and hey presto! you just bought me a new Lie Neilsen...So the entire argument in favour of encrypting names/addresses is based on a misunderstanding of what secure actually means...

There is, as Steve said, far more chance of malicious use of those personal details that are on paper than there is a transient name and address that is 'floating through the ether' unconnected to any other information. As an aside, if you want to scare yourselves, search for 'Spybot S&D' on the web (it's freeware). This programme will show you how many data collecting webcrawlers have been installed on your machine without your knowledge... (and yes, they'll get through firewalls because they are not 'virus' code..)

Yes the customer is always right, but if the particular customer is displaying an inflexible reaction to perfectly sensible technology that helps a service organisation increase its profitability, then option 1 is to attempt to discuss the issue with them, as has been done by Steve here. Option 2 is to let them go elsewhere and concentrate on the customers who generate a reasonable return for the amount of effort that has to be invested in attracting their custom. (This is in no way trying to be rude or anything - just to point out that S&B's business is making money, not reassuring that proportion of their potential customers who does not wish to be reassured unless the answer is the one they want to hear.)