| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Apr 2010 16:51:21 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Mike Hale <eyeronic.design@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compliance Is Wasted Money, Study Finds
Nice way of reading whatever feels right to you. Perhaps you'd have better
read what I wrote a few lines before that?
On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <eyeronic.design@...il.com>wrote:
> "-they are arguing for the fun of it without any real arguments (why else
> prove me right on my arguments and later on deny it?)"
>
> So you fall into this category?
> On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <uuf6429@...il.com>wrote:
>
>> In short, you just said that PCI compliance _is_ a waste of time and
>> money.
>>
>> Why else would you protect something which is bound to fail anyway?!
>>
>> This is a lost battle, as I said no one cares about the arguments because
>> these people fall into three categories:
>> -they believe the illusion that PCI by itself enhances security
>> -they do there job and don't give a f*ck about it
>> -they are arguing for the fun of it without any real arguments (why else
>> prove me right on my arguments and later on deny it?)
>>
>>
>>
>>
>>
>>
>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>
>>> You won't know not now, not ever. Maybe they do get a commission for
>>> your AV installation, who knows ! But maybe they think it is something that
>>> everybody needs so the force it. To get to know the true answer, we need to
>>> sit down with the guys who wrote the requirements and brainstorm with them
>>> those issues. We shall keep just running around and around in a circle here,
>>> because no one here "if no CC company guy is around" can give a definite
>>> answer. Just our simple argues !
>>>
>>> As I said before, I have to use it on a windows box, because its a
>>> requirement, its not my opinion at all.
>>>
>>> I 100% agree with you about most of the companies seek the paper work and
>>> get PCI certified and don't really bother about true security measures, but
>>> in the end if a breach is discovered they are the ones who shall get the
>>> penalty in the face, not us :)
>>>
>>> NB: I don't use an AV, never did, and never will :p
>>>
>>> Regards,
>>>
>>> ------------------------------
>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>> *Sent:* Tue, April 27, 2010 10:37:24 AM
>>>
>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>
>>> Surely being forced to install an anti-virus only brings in a monopoly?
>>> How do I know that PCI Standards writers are getting a nice commission off
>>> me installing the anti-virus? (I know they don't, I'm just hypothesizing).
>>>
>>> You stated it yourself, an anti-virus may not do any difference, it is
>>> there as per PCI standard.....so what is it's use? Why the heck do I have to
>>> install something useless?
>>>
>>> Lastly, that is where you are wrong, there is no "base starting point"
>>> companies don't give a shit about proper security measures, they get
>>> PCI-certified and all security ends there.
>>> That is the freaken problem.
>>>
>>> NB: I do use anti-virus software, what I specified above is not in any
>>> way my opinion about anti-virus vendors, etc.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I don't actually beleive there is a "democratic society". No such thing
>>>> exists. If it does? Then ask the organizations who made the compliance
>>>> requirements drop them and make audits based on some other measure that you
>>>> believe is more secure and has less flaws in it. Finally, regarding the AV
>>>> issue that I wish I end here, is that "I don't believe that an AV shall make
>>>> your box secure, but its a requirement to be done - Added by PCI"
>>>>
>>>> And yes I have noticed that FD is for such security measures discussion,
>>>> but never thought of joining it and discussing with others until a couple of
>>>> days ago when I saw this topic.
>>>>
>>>> Finally, the compliance can be taken of as a base starting point, and
>>>> then moving further, like that it shall not be a waste of money !
>>>>
>>>> Regards,
>>>>
>>>>
>>>> ------------------------------
>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>>>
>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>> Finds
>>>>
>>>> Perhaps you haven't noticed, this is Full-Disclosure, which at least, is
>>>> used to discuss security measures.
>>>> As such, it is only natural to argue with PCI's possible security flaws.
>>>>
>>>> Besides, in a democratic society (where CC do operate as well), you
>>>> can't "force" someone to install an anti-virus just because _you_ think it
>>>> is secure.
>>>>
>>>> The argument were compliance is wasted money still holds.
>>>>
>>>> Cheers.
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>
>>>>> Hola,
>>>>>
>>>>> The problem is not weather they are educated against other standards or
>>>>> policies or not, the problem is that without this compliance you can't work
>>>>> with CC !!! Its something that is enforced on you !
>>>>>
>>>>> BTW: why don't people discuss what is the points missing in the PCI
>>>>> Compliance better than this argue ?
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>> ------------------------------
>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>>>
>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>> Finds
>>>>>
>>>>> OK.
>>>>>
>>>>> "All those in favour of PCI raises their hands."
>>>>>
>>>>> Kidding aside, of course it is a must, since the said companies doesn't
>>>>> have any notion of security before this happens.
>>>>> However, how much is this actually helpful? Now let's be honest, how
>>>>> much would it stop a potential attacker from getting into a system
>>>>> "protected" by PCI?
>>>>> Little, if at all.
>>>>>
>>>>> On the other hand, a company should adopt real and complete security
>>>>> practices.
>>>>>
>>>>> Again, my point is, these companies shouldn't be "educated" or limit
>>>>> their security to this standard. Because if they do (and I'm pretty sure
>>>>> they do) would make this standard pretty much useless.
>>>>>
>>>>> Anyway, I won't get into this argument, since no one will give a sh*t
>>>>> about it anyway.
>>>>>
>>>>> Cheers.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>
>>>>>> Christian,
>>>>>>
>>>>>> Did you read my first post?
>>>>>>
>>>>>> ((( IMO, PCI is not that big security policy, but without it your not
>>>>>> able to use the credit card companies gateway. I think its just the
>>>>>> basics that any company dealing with CC must implement. Because it shall be
>>>>>> nonsense to deal with CC, and not have an Anti-virus for example !!)))
>>>>>>
>>>>>> I am not stating that PCI is good in no way, but I am saying that its
>>>>>> a MUST for companies dealing with CC. And in a windows environment, an AV is
>>>>>> important.
>>>>>>
>>>>>> He probably thought that I am with the rules of PCI, or that I don't
>>>>>> have any idea that the world is not just WINDOWS !!!
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> ------------------------------
>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>>>
>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>> Finds
>>>>>>
>>>>>> Why exactly are you complying with Nick's statements? I would have
>>>>>> thought you guys were arguing against said statements?
>>>>>>
>>>>>>
>>>>>> By the way, requirement #6 is particularly funny; it sounds peculiarly
>>>>>> redundant to me...
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>>
>>>>>>>
>>>>>>> Nick,
>>>>>>>
>>>>>>> Please if you don't know what the standards are, please read:
>>>>>>>
>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>>
>>>>>>> See *Requirement #5*. Read that requirement carefully and its not
>>>>>>> bad to read it twice though in case you don't figure it out from the first
>>>>>>> glance !
>>>>>>>
>>>>>>> Also, I said that using an AV is some basic thing to do in any
>>>>>>> company that wants to deal with CC, its a basic thing for even companies not
>>>>>>> dealing with CC too !!! Or do you state that people must use a BOX with no
>>>>>>> AV installed on it? If you believe in that fact? Then please request a
>>>>>>> change in the PCI DSS requirements and make them force the usage of a non
>>>>>>> Windows O.S, such as any *n?x system.
>>>>>>>
>>>>>>> Finally, the topic here is not about "default allow vs default deny"
>>>>>>> and if I understand what that is or not! You can open a new discussion about
>>>>>>> that, and I shall join there and discuss it further with you, in case you
>>>>>>> need some clarification regarding it.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Shaqe
>>>>>>>
>>>>>>>
>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <nick@...us-l.demon.co.uk>*wrote:
>>>>>>>
>>>>>>>
>>>>>>> From: Nick FitzGerald <nick@...us-l.demon.co.uk>
>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>> Finds
>>>>>>> To: full-disclosure@...ts.grok.org.uk
>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>>
>>>>>>> Shaqe Wan wrote:
>>>>>>>
>>>>>>> <<snip>>
>>>>>>> > Because it shall be nonsense to deal with CC, and not have an
>>>>>>> Anti-virus for example !!
>>>>>>>
>>>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>>>
>>>>>>> Do you have any understanding of one of the most basic of security
>>>>>>> issues -- default allow vs. default deny?
>>>>>>>
>>>>>>> There are many more secure ways to run systems _without_ antivirus
>>>>>>> software.
>>>>>>>
>>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>>>
>>>>>>> component of a "reasonably secure" system is a fool.
>>>>>>>
>>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>>>
>>>>>>> component of a "sufficiently secure" system is one (or more) of; a
>>>>>>> fool, a person with an unusually low standard of system security, or
>>>>>>> a
>>>>>>> shill for an antivirus producer.
>>>>>>>
>>>>>>> So _if_, as you and another recent poster strongly imply, the PCI
>>>>>>> standards include a specific _requirement_ for antivirus software,
>>>>>>> then
>>>>>>> the standards themselves are total nonsense...
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Nick FitzGerald
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists