[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <m2o3af3d47c1004231539o64a120e9w77ae8a5c251153d0@mail.gmail.com>
Date: Sat, 24 Apr 2010 00:39:19 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: "Thor (Hammer of God)" <Thor@...merofgod.com>
Cc: "security-basics@...urityfocus.com" <security-basics@...urityfocus.com>,
full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Compliance Is Wasted Money, Study Finds
Sorry, forgot to reply to your quoting me about false sense of security. Let
me explain myself.
It is relatively easier to forget real security concerns (such as [really]
bad coding) when one follows a checklist for "high security" (quoting
pcisecuritystandards.org).
Unless I missed something (which I don't think I did) PCI/DSS doesn't help
at all since it is putting security methodologies over your project
manager's desk, rather then get a IT Security specialist do the job.
Cheers.
On Sat, Apr 24, 2010 at 12:33 AM, Christian Sciberras <uuf6429@...il.com>wrote:
> No problem with that.
>
> 1) No.
> 2) Planning to, but no.
> 3) Heavens no.
> 4) I've looked into whether it was into our best interest to use PCI. (it
> was decided that it wasn't worth the trouble)
> At that time, I knew about PCI but not its details, at which point we got
> someone to explain in detail for us.
> The end decision wasn't mine, though.
> We do take security as a main concern, however, it is preferred to have a
> more realistic approach to security rather then restrict employees' access
> (by signing some oath..).
>
> Regards,
> Christian Sciberras.
>
>
>
>
>
> On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) <
> Thor@...merofgod.com> wrote:
>
>> Marketing propaganda? I have no idea what you are talking about.
>>
>>
>>
>> Before commenting on PCI not helping at all and at the most being a false
>> sense of security, let me ask:
>>
>> 1) Does the company you work for perform PCI audits?
>>
>> 2) Is the company you work for required to undergo PCI audits?
>>
>> 3) Are you certified to be able to perform a PCI audit?
>>
>> 4) Have you ever been directly involved with, as in contributing to,
>> a PCI audit, and if so, in what capacity?
>>
>>
>>
>> I would like to see some truthful expansion on the answers to those
>> questions before continuing dialog about if PCI contributes to security or
>> not.
>>
>>
>>
>> t
>>
>>
>>
>> *From:* Christian Sciberras [mailto:uuf6429@...il.com]
>> *Sent:* Friday, April 23, 2010 3:02 PM
>> *To:* Mike Hale
>> *Cc:* Stephen Mullins; full-disclosure; security-basics@...urityfocus.com;
>> Thor (Hammer of God)
>>
>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>
>>
>>
>> If you strive for security, and weave that into your network,
>> complying with PCI should be cake.
>>
>> Uhm.. No. NO. PCI is an unnecessary hassle. What makes signing a document
>> any more secure then having server facing the wild of the net?
>>
>> Truth is, PCI doesn't help in security at all. It at most a sense of false
>> security (and at least serves as a recreational exercise for auditors).
>>
>> Thor, I'm not arguing with the article, since I didn't read it, and I
>> won't bother to. I just want to point out some hard facts about PCI/DSS
>> which you call "no big deal".
>> I surely agree with that, but what is not a big deal for you doesn't mean
>> it ain't for the rest of the world.
>> What stops an uninformed programmer from complying with PCI/DSS (or at
>> least, think to) and leave RFI/XSS/whatever holes everywhere?
>> That said, security flaws are just about everywhere so no need to get
>> critical about it. For now at least.
>>
>> The point isn't "who" should be using credit cards or not, it's a matter
>> of security.
>>
>> I find it strange that you're excusing marketing propaganda.
>>
>> Sincere regards,
>> Christian Sciberras.
>>
>>
>> On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale <eyeronic.design@...il.com>
>> wrote:
>>
>> Look at the PCI requirements.
>>
>> What's unreasonable about them? Which portions are *NOT* part of
>> having a secure network?
>>
>> If you strive for security, and weave that into your network,
>> complying with PCI should be cake.
>>
>>
>> On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins
>> <steve.mullins.work@...il.com> wrote:
>> >>I don't see what the hubbub is
>> >
>> > Some people in the information security industry actually care about
>> > securing systems and the information they contain rather than filling
>> > in check boxes. Compliance may ensure a minimum standard is met, but
>> > it does not ensure or imply that real security is being maintained at
>> > an organization.
>> >
>> > As you say, PCI has become a cost of doing business whereas having a
>> > secure network is apparently not a cost of doing business. This is a
>> > problem.
>> >
>> > Crazy notion, I know.
>> >
>> > On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God)
>> > <Thor@...merofgod.com> wrote:
>> >> How can you say it is “wasted”? It doesn’t matter if you are a “fan” of
>> it
>> >> or not, in the same way that it doesn’t matter if you are a “fan” of
>> the 4%
>> >> surcharge retail establishments pay to accept the credit card as
>> payment.
>> >> Using your logic, you would way it is “wasted money,” and might bring
>> into
>> >> question the “value” of the surcharge, etc. It is simply a cost of
>> doing
>> >> business.
>> >>
>> >>
>> >>
>> >> If you choose to offload processing to a payment gateway, then that
>> will
>> >> also incur a cost. Depending on your volume, that cost may or may not
>> be
>> >> higher than you processing them yourself while complying to standards.
>> The
>> >> implementation of actual security measures will be different. But you
>> can’t
>> >> “handle” credit cards in the classic sense of the word without
>> complying
>> >> with PCI. If you pass along the transaction to a gateway, you are not
>> >> handling it. If you DO handle it, then you have to comply with PCI.
>> If you
>> >> process less than 1 million transactions a year, you can “self audit.”
>> If
>> >> you process more, you have to be audit by a PCI auditor.
>> >>
>> >>
>> >>
>> >> None of this MEANS you are secure, it means you comply. If you don’t
>> like
>> >> PCI, then don’t process credit cards, or come up with your own. I
>> still
>> >> don’t really see what all the hubbub is about here.
>> >>
>> >>
>> >>
>> >> t
>> >>
>> >>
>> >>
>> >> From: Christian Sciberras [mailto:uuf6429@...il.com]
>> >> Sent: Friday, April 23, 2010 9:29 AM
>> >> To: Thor (Hammer of God)
>> >> Cc: Christopher Gilbert; Mike Hale; full-disclosure;
>> >> security-basics@...urityfocus.com
>> >> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>> >>
>> >>
>> >>
>> >> it is simply part of the cost of doing business in that market.
>> >> A.k.a. wasted money. Truth be told, I'm no fan of PCI.
>> >> Other companies get the same functionality (accept the storage of
>> credit
>> >> cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
>> >> In the end, as a service, what do I want, an inventory of credit cards,
>> or a
>> >> stable payment system? The later I guess.
>> >> As to security, it totally depends on implementation; one can handle
>> credit
>> >> cards without the need of standards compliance.
>> >>
>> >> My two cents.
>> >>
>> >> Regards,
>> >> Christian Sciberras.
>> >>
>> >>
>> >> On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) <
>> Thor@...merofgod.com>
>> >> wrote:
>> >>
>> >> Another thing that I think people fail to keep in mind is that when it
>> comes
>> >> to PCI, it is part of a contractual agreement between the entity and
>> card
>> >> facility they are working with. If a business wants to accept credit
>> cards
>> >> as a means of payment (based on volume) then part of their agreement is
>> that
>> >> they must undergo compliance to a standard implemented by the
>> industry. I
>> >> don’t know why people get all emotional about it and throw up their
>> hands
>> >> with all the “this is wasted money” positioning – it’s not wasted at
>> all; it
>> >> is simply part of the cost of doing business in that market.
>> >>
>> >>
>> >>
>> >> t
>> >>
>> >>
>> >>
>> >> From: full-disclosure-bounces@...ts.grok.org.uk
>> >> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
>> Christopher
>> >> Gilbert
>> >> Sent: Thursday, April 22, 2010 4:48 PM
>> >> To: Mike Hale
>> >> Cc: full-disclosure; security-basics@...urityfocus.com
>> >> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>> >>
>> >>
>> >>
>> >> The paper concludes that companies are underinvesting in--or improperly
>> >> prioritizing--the protection of their secrets. Nowhere does it state
>> that
>> >> the money spent on compliance is money wasted.
>> >>
>> >> On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale <eyeronic.design@...il.com>
>> >> wrote:
>> >>
>> >> I find the findings completely flawed. Am I missing something?
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >>
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>>
>>
>> --
>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>
>> _______________________________________________
>>
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists