| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 24 Apr 2010 00:56:52 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: "Thor (Hammer of God)" <Thor@...merofgod.com>
Cc: "security-basics@...urityfocus.com" <security-basics@...urityfocus.com>,
full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Compliance Is Wasted Money, Study Finds
I just want to emphasize on a point you mentioned right now:
It means companies illustrate a *base* of practices required to handle
consumer credit card data.
So why waste resources, time and money when one would be better off with
proper security measures?
As Mr Hale said, it's a piece of cake if you had the right stuff already
going. Problem is, it's a piece of expensive cake.
I just want[ed] to make my point clear, I don't see any discussion into this
at all.
As I already said, it is not my intention to argue with the original
message.
Cheers.
On Sat, Apr 24, 2010 at 12:46 AM, Thor (Hammer of God) <Thor@...merofgod.com
> wrote:
> OK – so, when you say “to use PCI” what do you mean? I get the feeling
> that you are equating being “PCI certified” as something people just “get”
> to show other people they are “secure.” Hence your use of “marketing
> propaganda.”
>
>
>
> People don’t go through an audit and get PCI certified so that they can
> claim they are secure. It doesn’t work like that. PCI (Payment Card
> Industry) compliances is what people HAVE to do, as in FORCED to do whether
> they want to or not, in order to be able to process credit cards. If you
> process less than 1 million xactions per year, you can “self audit.” Can
> you lie? Sure. But you’ll get your ability to process payments yanked if
> they catch you. More than that requires an auditor. If that auditor finds
> you have horrible security controls in place, you will fail. If they pass
> you anyway, they can lose their certification to audit. If you fail, you
> have x time to get with the program and be audited again.
>
>
>
> It’s just a way for the CC industry to make sure the people handling card
> info follow best practices for security. That’s all it means – it is a
> certification FOR the industry BY the industry. No one ever said it mean
> people had “real security.” It means companies illustrate a base of
> practices required to handle consumer credit card data. That’s it.
>
>
>
> And I totally agree with Mike Hale’s comments about “if you are really
> secure, as in ‘already secure’ then it’s cake.” I don’t know that I would
> say “cake” as it depends on the scope of audit, but he’s right. If you
> already have a drive to secure your infrastructure, then PCI should be
> easy. My requirements for security are far more strict than PCI. Yours may
> or may not be, so you’ll have to adjust as necessary.
>
>
>
> Regarding code, I do believe that in PCI audits for dev that you have to
> illustrate an SDL, in which case things like XSS and BOs and such would be
> part of.
>
>
>
> That’s the skinny on PCI J
>
>
>
> t
>
>
>
> *From:* Christian Sciberras [mailto:uuf6429@...il.com]
> *Sent:* Friday, April 23, 2010 3:34 PM
>
> *To:* Thor (Hammer of God)
> *Cc:* Mike Hale; Stephen Mullins; full-disclosure;
> security-basics@...urityfocus.com
>
> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>
>
>
> No problem with that.
>
> 1) No.
> 2) Planning to, but no.
> 3) Heavens no.
> 4) I've looked into whether it was into our best interest to use PCI. (it
> was decided that it wasn't worth the trouble)
> At that time, I knew about PCI but not its details, at which point we got
> someone to explain in detail for us.
> The end decision wasn't mine, though.
> We do take security as a main concern, however, it is preferred to have a
> more realistic approach to security rather then restrict employees' access
> (by signing some oath..).
>
> Regards,
> Christian Sciberras.
>
>
>
> On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) <
> Thor@...merofgod.com> wrote:
>
> Marketing propaganda? I have no idea what you are talking about.
>
>
>
> Before commenting on PCI not helping at all and at the most being a false
> sense of security, let me ask:
>
> 1) Does the company you work for perform PCI audits?
>
> 2) Is the company you work for required to undergo PCI audits?
>
> 3) Are you certified to be able to perform a PCI audit?
>
> 4) Have you ever been directly involved with, as in contributing to,
> a PCI audit, and if so, in what capacity?
>
>
>
> I would like to see some truthful expansion on the answers to those
> questions before continuing dialog about if PCI contributes to security or
> not.
>
>
>
> t
>
>
>
> *From:* Christian Sciberras [mailto:uuf6429@...il.com]
> *Sent:* Friday, April 23, 2010 3:02 PM
> *To:* Mike Hale
> *Cc:* Stephen Mullins; full-disclosure; security-basics@...urityfocus.com;
> Thor (Hammer of God)
>
>
> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>
>
>
> If you strive for security, and weave that into your network,
> complying with PCI should be cake.
>
> Uhm.. No. NO. PCI is an unnecessary hassle. What makes signing a document
> any more secure then having server facing the wild of the net?
>
> Truth is, PCI doesn't help in security at all. It at most a sense of false
> security (and at least serves as a recreational exercise for auditors).
>
> Thor, I'm not arguing with the article, since I didn't read it, and I won't
> bother to. I just want to point out some hard facts about PCI/DSS which you
> call "no big deal".
> I surely agree with that, but what is not a big deal for you doesn't mean
> it ain't for the rest of the world.
> What stops an uninformed programmer from complying with PCI/DSS (or at
> least, think to) and leave RFI/XSS/whatever holes everywhere?
> That said, security flaws are just about everywhere so no need to get
> critical about it. For now at least.
>
> The point isn't "who" should be using credit cards or not, it's a matter of
> security.
>
> I find it strange that you're excusing marketing propaganda.
>
> Sincere regards,
> Christian Sciberras.
>
> On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale <eyeronic.design@...il.com>
> wrote:
>
> Look at the PCI requirements.
>
> What's unreasonable about them? Which portions are *NOT* part of
> having a secure network?
>
> If you strive for security, and weave that into your network,
> complying with PCI should be cake.
>
>
> On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins
> <steve.mullins.work@...il.com> wrote:
> >>I don't see what the hubbub is
> >
> > Some people in the information security industry actually care about
> > securing systems and the information they contain rather than filling
> > in check boxes. Compliance may ensure a minimum standard is met, but
> > it does not ensure or imply that real security is being maintained at
> > an organization.
> >
> > As you say, PCI has become a cost of doing business whereas having a
> > secure network is apparently not a cost of doing business. This is a
> > problem.
> >
> > Crazy notion, I know.
> >
> > On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God)
> > <Thor@...merofgod.com> wrote:
> >> How can you say it is “wasted”? It doesn’t matter if you are a “fan” of
> it
> >> or not, in the same way that it doesn’t matter if you are a “fan” of the
> 4%
> >> surcharge retail establishments pay to accept the credit card as
> payment.
> >> Using your logic, you would way it is “wasted money,” and might bring
> into
> >> question the “value” of the surcharge, etc. It is simply a cost of
> doing
> >> business.
> >>
> >>
> >>
> >> If you choose to offload processing to a payment gateway, then that will
> >> also incur a cost. Depending on your volume, that cost may or may not
> be
> >> higher than you processing them yourself while complying to standards.
> The
> >> implementation of actual security measures will be different. But you
> can’t
> >> “handle” credit cards in the classic sense of the word without complying
> >> with PCI. If you pass along the transaction to a gateway, you are not
> >> handling it. If you DO handle it, then you have to comply with PCI. If
> you
> >> process less than 1 million transactions a year, you can “self audit.”
> If
> >> you process more, you have to be audit by a PCI auditor.
> >>
> >>
> >>
> >> None of this MEANS you are secure, it means you comply. If you don’t
> like
> >> PCI, then don’t process credit cards, or come up with your own. I still
> >> don’t really see what all the hubbub is about here.
> >>
> >>
> >>
> >> t
> >>
> >>
> >>
> >> From: Christian Sciberras [mailto:uuf6429@...il.com]
> >> Sent: Friday, April 23, 2010 9:29 AM
> >> To: Thor (Hammer of God)
> >> Cc: Christopher Gilbert; Mike Hale; full-disclosure;
> >> security-basics@...urityfocus.com
> >> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> >>
> >>
> >>
> >> it is simply part of the cost of doing business in that market.
> >> A.k.a. wasted money. Truth be told, I'm no fan of PCI.
> >> Other companies get the same functionality (accept the storage of credit
> >> cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
> >> In the end, as a service, what do I want, an inventory of credit cards,
> or a
> >> stable payment system? The later I guess.
> >> As to security, it totally depends on implementation; one can handle
> credit
> >> cards without the need of standards compliance.
> >>
> >> My two cents.
> >>
> >> Regards,
> >> Christian Sciberras.
> >>
> >>
> >> On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) <
> Thor@...merofgod.com>
> >> wrote:
> >>
> >> Another thing that I think people fail to keep in mind is that when it
> comes
> >> to PCI, it is part of a contractual agreement between the entity and
> card
> >> facility they are working with. If a business wants to accept credit
> cards
> >> as a means of payment (based on volume) then part of their agreement is
> that
> >> they must undergo compliance to a standard implemented by the industry.
> I
> >> don’t know why people get all emotional about it and throw up their
> hands
> >> with all the “this is wasted money” positioning – it’s not wasted at
> all; it
> >> is simply part of the cost of doing business in that market.
> >>
> >>
> >>
> >> t
> >>
> >>
> >>
> >> From: full-disclosure-bounces@...ts.grok.org.uk
> >> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
> Christopher
> >> Gilbert
> >> Sent: Thursday, April 22, 2010 4:48 PM
> >> To: Mike Hale
> >> Cc: full-disclosure; security-basics@...urityfocus.com
> >> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> >>
> >>
> >>
> >> The paper concludes that companies are underinvesting in--or improperly
> >> prioritizing--the protection of their secrets. Nowhere does it state
> that
> >> the money spent on compliance is money wasted.
> >>
> >> On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale <eyeronic.design@...il.com>
> >> wrote:
> >>
> >> I find the findings completely flawed. Am I missing something?
> >>
> >>
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >>
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
> _______________________________________________
>
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists