Open Source and information security mailing list archives
 
Message-ID: <i2of37852831004252208qb0ba9787lba5ae19c37e55525@mail.gmail.com>
Date: Sun, 25 Apr 2010 22:08:19 -0700
From: Mike Hale <eyeronic.design@...il.com>
To: nick@...us-l.demon.co.uk
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compliance Is Wasted Money, Study Finds

"Then, as I said, the PCI requirements are total nonsense..."
You say this based on absolutely zero understanding of what the
requirements are, by your own admission?

On Sun, Apr 25, 2010 at 8:40 PM, Nick FitzGerald
<nick@...us-l.demon.co.uk> wrote:
> Tracy Reed to me:
>
>> > Anyone authoritatively stating that antivirus software is a necessary
>> > component of a "reasonably secure" system is a fool.
>>
>> No, they just think all the world is Windows.
>
> My comments were, and still are, OS agnostic.
>
> It matters not what the OS -- anyone authoritatively stating that
> antivirus software is a necessary component of a "reasonably secure"
> system is a fool.
>
> Ditto my second comment...
>
>> > So _if_, as you and another recent poster strongly imply, the PCI
>> > standards include a specific _requirement_ for antivirus software, then
>> > the standards themselves are total nonsense...
>>
>> PCI only requires antivirus for systems commonly affected by
>> viruses.  ...
>
> Then, as I said, the PCI requirements are total nonsense...
>
>> ...  This means Windows. PCI security council has said that UN*X
>> OSs etc. are not required to have antivirus.
>
> So what system and application integrity requirements do they require
> for those OSes (presumably "instead of antivirus")?
>
> Your response strengthens my belief that PCI is dangerous because it
> enshrines small-minded ignorance as "best practice" (or, at least, as
> "minimally acceptable practice") without recognizing the possibility
> that there may be better options that have not been so, ummm "over
> sold" as to become perceived as necessary.
>
>
>
> Regards,
>
> Nick FitzGerald
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
