Date: Tue, 27 Apr 2010 17:07:31 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Mike Hale <eyeronic.design@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compliance Is Wasted Money, Study Finds

based on your own admission

On whose admission? Perhaps you should bother to cite sources next time?
And, how is quoting me in a different argument "your point"?

On Tue, Apr 27, 2010 at 4:55 PM, Mike Hale <eyeronic.design@...il.com> wrote:

> Point is, you're arguing for the sake of arguing, as you have no
> understanding what PCI is, based on your own admission.
>
> On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras <uuf6429@...il.com> wrote:
>
>> Nice way of reading whatever feels right to you. Perhaps you'd have better
>> read what I wrote a few lines before that?
>>
>> On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <eyeronic.design@...il.com> wrote:
>>
>>>  "-they are arguing for the fun of it without any real arguments (why
>>> else prove me right on my arguments and later on deny it?)"
>>>
>>> So you fall into this category?
>>> On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <uuf6429@...il.com> wrote:
>>>
>>>> In short, you just said that PCI compliance _is_ a waste of time and
>>>> money.
>>>>
>>>> Why else would you protect something which is bound to fail anyway?!
>>>>
>>>> This is a lost battle, as I said no one cares about the arguments
>>>> because these people fall into three categories:
>>>> -they believe the illusion that PCI by itself enhances security
>>>> -they do their job and don't give a f*ck about it
>>>> -they are arguing for the fun of it without any real arguments (why else
>>>> prove me right on my arguments and later on deny it?)
>>>>
>>>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>
>>>>> You won't know, not now, not ever. Maybe they do get a commission for
>>>>> your AV installation, who knows! But maybe they think it is something that
>>>>> everybody needs so they force it. To get to know the true answer, we need to
>>>>> sit down with the guys who wrote the requirements and brainstorm with them
>>>>> those issues. We shall keep just running around and around in a circle here,
>>>>> because no one here "if no CC company guy is around" can give a definite
>>>>> answer. Just our simple arguments!
>>>>>
>>>>> As I said before, I have to use it on a windows box, because it's a
>>>>> requirement, it's not my opinion at all.
>>>>>
>>>>> I 100% agree with you that most of the companies seek the paperwork
>>>>> and get PCI certified and don't really bother about true security measures,
>>>>> but in the end if a breach is discovered they are the ones who shall get the
>>>>> penalty in the face, not us :)
>>>>>
>>>>> NB: I don't use an AV, never did, and never will :p
>>>>>
>>>>> Regards,
>>>>>
>>>>>  ------------------------------
>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>> *Sent:* Tue, April 27, 2010 10:37:24 AM
>>>>>
>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>> Finds
>>>>>
>>>>> Surely being forced to install an anti-virus only brings in a monopoly?
>>>>> How do I know that PCI Standards writers are getting a nice commission off
>>>>> me installing the anti-virus? (I know they don't, I'm just hypothesizing).
>>>>>
>>>>> You stated it yourself, an anti-virus may not make any difference, it is
>>>>> there as per PCI standard.....so what is its use? Why the heck do I have to
>>>>> install something useless?
>>>>>
>>>>> Lastly, that is where you are wrong, there is no "base starting point";
>>>>> companies don't give a shit about proper security measures, they get
>>>>> PCI-certified and all security ends there.
>>>>> That is the freaken problem.
>>>>>
>>>>> NB: I do use anti-virus software, what I specified above is not in any
>>>>> way my opinion about anti-virus vendors, etc.
>>>>>
>>>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I don't actually believe there is a "democratic society". No such
>>>>>> thing exists. If it does? Then ask the organizations who made the compliance
>>>>>> requirements drop them and make audits based on some other measure that you
>>>>>> believe is more secure and has less flaws in it. Finally, regarding the AV
>>>>>> issue that I wish I end here, is that "I don't believe that an AV shall make
>>>>>> your box secure, but it's a requirement to be done - Added by PCI"
>>>>>>
>>>>>> And yes I have noticed that FD is for such security measures
>>>>>> discussion, but never thought of joining it and discussing with others until
>>>>>> a couple of days ago when I saw this topic.
>>>>>>
>>>>>> Finally, the compliance can be taken as a base starting point, and
>>>>>> then moving further; like that it shall not be a waste of money!
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>>
>>>>>>  ------------------------------
>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>>>>>
>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>> Finds
>>>>>>
>>>>>> Perhaps you haven't noticed, this is Full-Disclosure, which at least,
>>>>>> is used to discuss security measures.
>>>>>> As such, it is only natural to argue with PCI's possible security
>>>>>> flaws.
>>>>>>
>>>>>> Besides, in a democratic society (where CC do operate as well), you
>>>>>> can't "force" someone to install an anti-virus just because _you_ think it
>>>>>> is secure.
>>>>>>
>>>>>> The argument where compliance is wasted money still holds.
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>>
>>>>>>> Hola,
>>>>>>>
>>>>>>> The problem is not whether they are educated against other standards
>>>>>>> or policies or not, the problem is that without this compliance you can't
>>>>>>> work with CC!!! It's something that is enforced on you!
>>>>>>>
>>>>>>> BTW: why don't people discuss what are the points missing in the PCI
>>>>>>> Compliance rather than this argument?
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>>
>>>>>>>  ------------------------------
>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>>>>>
>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>> Finds
>>>>>>>
>>>>>>> OK.
>>>>>>>
>>>>>>> "All those in favour of PCI raises their hands."
>>>>>>>
>>>>>>> Kidding aside, of course it is a must, since the said companies
>>>>>>> don't have any notion of security before this happens.
>>>>>>> However, how much is this actually helpful? Now let's be honest, how
>>>>>>> much would it stop a potential attacker from getting into a system
>>>>>>> "protected" by PCI?
>>>>>>> Little, if at all.
>>>>>>>
>>>>>>> On the other hand, a company should adopt real and complete security
>>>>>>> practices.
>>>>>>>
>>>>>>> Again, my point is, these companies shouldn't be "educated" or limit
>>>>>>> their security to this standard. Because if they do (and I'm pretty sure
>>>>>>> they do) it would make this standard pretty much useless.
>>>>>>>
>>>>>>> Anyway, I won't get into this argument, since no one will give a sh*t
>>>>>>> about it anyway.
>>>>>>>
>>>>>>> Cheers.
>>>>>>>
>>>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>>>
>>>>>>>> Christian,
>>>>>>>>
>>>>>>>> Did you read my first post?
>>>>>>>>
>>>>>>>> ((( IMO, PCI is not that big security policy, but without it you're
>>>>>>>> not able to use the credit card companies' gateway. I think it's just
>>>>>>>> the basics that any company dealing with CC must implement. Because it shall
>>>>>>>> be nonsense to deal with CC, and not have an Anti-virus for example !!)))
>>>>>>>>
>>>>>>>> I am not stating that PCI is good in no way, but I am saying that
>>>>>>>> it's a MUST for companies dealing with CC. And in a windows environment, an
>>>>>>>> AV is important.
>>>>>>>>
>>>>>>>> He probably thought that I am with the rules of PCI, or that I don't
>>>>>>>> have any idea that the world is not just WINDOWS !!!
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>>  ------------------------------
>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>>>>>
>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>> Finds
>>>>>>>>
>>>>>>>> Why exactly are you complying with Nick's statements? I would have
>>>>>>>> thought you guys were arguing against said statements?
>>>>>>>>
>>>>>>>>
>>>>>>>> By the way, requirement #6 is particularly funny; it sounds
>>>>>>>> peculiarly redundant to me...
>>>>>>>>
>>>>>>>> Cheers.
>>>>>>>>
>>>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>>>>
>>>>>>>>> Nick,
>>>>>>>>>
>>>>>>>>> Please if you don't know what the standards are, please read:
>>>>>>>>>
>>>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>>>>
>>>>>>>>> See *Requirement #5*. Read that requirement carefully and it's not
>>>>>>>>> bad to read it twice though in case you don't figure it out from the first
>>>>>>>>> glance!
>>>>>>>>>
>>>>>>>>> Also, I said that using an AV is some basic thing to do in any
>>>>>>>>> company that wants to deal with CC, it's a basic thing for even companies not
>>>>>>>>> dealing with CC too!!! Or do you state that people must use a BOX with no
>>>>>>>>> AV installed on it? If you believe in that fact? Then please request a
>>>>>>>>> change in the PCI DSS requirements and make them force the usage of a non-
>>>>>>>>> Windows O.S, such as any *n?x system.
>>>>>>>>>
>>>>>>>>> Finally, the topic here is not about "default allow vs default
>>>>>>>>> deny" and if I understand what that is or not! You can open a new discussion
>>>>>>>>> about that, and I shall join there and discuss it further with you, in case
>>>>>>>>> you need some clarification regarding it.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Shaqe
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <nick@...us-l.demon.co.uk>* wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> From: Nick FitzGerald <nick@...us-l.demon.co.uk>
>>>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>>> Finds
>>>>>>>>> To: full-disclosure@...ts.grok.org.uk
>>>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>>>>
>>>>>>>>> Shaqe Wan wrote:
>>>>>>>>>
>>>>>>>>> <<snip>>
>>>>>>>>> > Because it shall be nonsense to deal with CC, and not have an
>>>>>>>>> > Anti-virus for example !!
>>>>>>>>>
>>>>>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>>>>>
>>>>>>>>> Do you have any understanding of one of the most basic of security
>>>>>>>>> issues -- default allow vs. default deny?
>>>>>>>>>
>>>>>>>>> There are many more secure ways to run systems _without_ antivirus
>>>>>>>>> software.
>>>>>>>>>
>>>>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>>>>> component of a "reasonably secure" system is a fool.
>>>>>>>>>
>>>>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>>>>> component of a "sufficiently secure" system is one (or more) of; a
>>>>>>>>> fool, a person with an unusually low standard of system security, or a
>>>>>>>>> shill for an antivirus producer.
>>>>>>>>>
>>>>>>>>> So _if_, as you and another recent poster strongly imply, the PCI
>>>>>>>>> standards include a specific _requirement_ for antivirus software, then
>>>>>>>>> the standards themselves are total nonsense...
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> Nick FitzGerald
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>
>>>>
>>>  --
>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>


