Monday, March 26

We have lots of special stuff

For reasons I'd rather not go into here, I had to shift my Clan Lord accounts from one credit card from a company run by bitter, angry, hostile people, to another credit card from a company run by naive, innocent and still friendly people. This should be a pretty easy process. Clan Lord is an Internet game, so the transaction should be able to be handled online. Just go to the web site and do it, right?

Ha ha ha.

I love Delta Tao. I think pretty much all of the people involved with Clan Lord are bright, hard working, creative people. That being said, I won't hesitate to call them on things when someone's head is firmly planted up his own backside. Since this is a business and customer service aspect, that head and backside belong to Joe Williams.

Joe is many wonderful things, but sometimes he can get a little fixated on crazy notions, like Clan Lord will someday have 10,000 people online at once, and therefore we can't have story GMs because they don't scale... That type of thing. Joe ideally wants to build a product that runs with zero human intervention, other than a raft of monthly checks being produced from it. Because dealing with people, be it customers, or staff, is, well, a pain in the ass, let's be honest. It cuts into valuable family time.

A long time ago, over a year, Joe made this promise on his web site:

Note: This web site is only as secure as regular e-mail. If this panics you, contact Delta Tao for instructions. We are planning to secure this site as soon as practically possible. After that time this won't be an issue and you will be able to see the data that should be here now.

Every time this issue of changing billing information comes up for me, and it comes up often due to my clever schemes to avoid creditors, I run against this. I've transacted business with fly-by-night porno sites that had blurry screen captures from hotel soft-core smut films who could manage secure transactions. They even did secure transactions and recurring billing. They were especially good at the recurring billing part, but that's another story.

So, once again I find myself having to employ carrier pigeon subcontracted from the Brinks company to get my credit card information to Delta Tao's top secret headquarters. Along with this, I decide to send the usual nose-tweaking email to Joe to bitch about the site still not being secure after almost two years. In fairness, Joe got back to me promptly, as he almost always does in matters involving accounts and billing. He justified the current state of slipshod security with this:

Really, we are planning to secure the site, someday. It's trickier than it sounds, since we have lots of special stuff.

This leaves me scratching my head a bit. I went over to my own web hosting company, and poked around. If I wanted to secure Nosuch, I could do it tomorrow if I didn't mind changing the url so the domain matched the hosting company's security certificate. Assuming I'm anal retentive, which I am, and I am sure Joe is too, I would want it to work under my own domain, so I'd have to cough up about $300 to get a security certificate issued. Then, it would have to be installed on the web server. Then, you configure some directories of the web server to be secure.

Then you are done. It's not like there isn't a form on the insecure version of the site to gather billing information. That's already done. Maybe no one told Joe that it's there, but it is there. So all we need to do is squeeze that form through SSL after you install your security certificate. That's it. How you get that information off of the web server to Nancy who does billing stuff is your private dirty secret, but hopefully you'll do it in a secure way. I mean, for crying out loud, assuming that form just takes the data and shoves it into an email which is sent to her, just get PGP installed on the web server and encrypt the damn email. I'm sure Nancy can figure out how to decrypt it.
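As an added example (not part of the original post, and not Delta Tao's code), here is a small Python check for the point above: a form that collects card or password fields should be both served and submitted over HTTPS. The URLs, field names, and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

HINTS = ("card", "cvv", "expir", "passw")  # assumed naming conventions for sensitive fields

# Constructed sample page: a billing form, a login form, and a harmless search form.
SAMPLE = """
<form action="/cgi-bin/billing" method="post">
  <input name="account"><input name="card_number"><input name="expiry">
</form>
<form action="https://secure.example.com/login" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<form action="/search"><input name="q"></form>
"""

class FormAudit(HTMLParser):
    """Record each form's resolved submit URL and the sensitive inputs inside it."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self._cur = {"target": target, "sensitive": []}
        elif tag == "input" and self._cur is not None:
            name = (a.get("name") or "").lower()
            is_pw = (a.get("type") or "").lower() == "password"
            if is_pw or any(h in name for h in HINTS):
                self._cur["sensitive"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def insecure_forms(page_url, html):
    """Return (target, fields, served_https, posts_https) for each risky form."""
    audit = FormAudit(page_url)
    audit.feed(html)
    # A form delivered over HTTP can be altered in transit, so the page counts too.
    served = urlparse(page_url).scheme == "https"
    findings = []
    for f in audit.forms:
        posts = urlparse(f["target"]).scheme == "https"
        if f["sensitive"] and not (served and posts):
            findings.append((f["target"], f["sensitive"], served, posts))
    return findings
```

Run against the sample as if served from an `http://` page, both the billing and login forms are reported; served from `https://`, neither is.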

I know there are a dozen projects that I haven't finished that I'd like to get around to doing. But, I'm not running a business, and taking money from customers. Maybe Joe doesn't get out much, but you look like an amateur transacting credit card business in an insecure way. There are shareware companies with $10 products that have figured out this stuff.

The real horror story is probably the authentication method the web site uses when you log in as a member. God help us all if that web server is remotely located from the Clan Lord server, because I'd be willing to bet my butt plug that the account and password are sent to the Clan Lord server in plain text. And I suspect the real reason it's not secure yet is that script, which needs to communicate with the Clan Lord server, can't be made secure because the listener on the Clan Lord server side can't do SSL connections. The mind boggles if this is the case.

I'll just continue to hope that it's because Joe is lazy, and not that the insecurities in the Clan Lord web site run really deep. It's nice and quiet here with my head in the sand...

Full disclosure dictates I must state that Delta Tao handled my transaction promptly, in less than 12 hours, on a Saturday. This isn't a general pot shot at their overall customer service, which they've been good with in my experience. It's just about the insecure web site issue.


