lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 27 Apr 2010 08:59:59 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Shaqe Wan <sha8e@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compliance Is Wasted Money, Study Finds

Perhaps you haven't noticed, this is Full-Disclosure, which at least, is
used to discuss security measures.
As such, it is only natural to argue with PCI's possible security flaws.

Besides, in a democratic society (where CC do operate as well), you can't
"force" someone to install an anti-virus just because _you_ think it is
secure.

The argument were compliance is wasted money still holds.

Cheers.




On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <sha8e@...oo.com> wrote:

> Hola,
>
> The problem is not weather they are educated against other standards or
> policies or not, the problem is that without this compliance you can't work
> with CC !!! Its something that is enforced on you !
>
> BTW: why don't people discuss what is the points missing in the PCI
> Compliance better than this argue ?
>
> Regards,
>
>
> ------------------------------
> *From:* Christian Sciberras <uuf6429@...il.com>
> *To:* Shaqe Wan <sha8e@...oo.com>
> *Cc:* full-disclosure@...ts.grok.org.uk
> *Sent:* Mon, April 26, 2010 4:19:27 PM
>
> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>
> OK.
>
> "All those in favour of PCI raises their hands."
>
> Kidding aside, of course it is a must, since the said companies doesn't
> have any notion of security before this happens.
> However, how much is this actually helpful? Now let's be honest, how much
> would it stop a potential attacker from getting into a system "protected" by
> PCI?
> Little, if at all.
>
> On the other hand, a company should adopt real and complete security
> practices.
>
> Again, my point is, these companies shouldn't be "educated" or limit their
> security to this standard. Because if they do (and I'm pretty sure they do)
> would make this standard pretty much useless.
>
> Anyway, I won't get into this argument, since no one will give a sh*t about
> it anyway.
>
> Cheers.
>
>
>
>
> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <sha8e@...oo.com> wrote:
>
>> Christian,
>>
>> Did you read my first post?
>>
>> ((( IMO, PCI is not that big security policy, but without it your not
>> able to use the credit card companies gateway. I think its just the
>> basics that any company dealing with CC must implement. Because it shall be
>> nonsense to deal with CC, and not have an Anti-virus for example !! )))
>>
>> I am not stating that PCI is good in no way, but I am saying that its a
>> MUST for companies dealing with CC. And in a windows environment, an AV is
>> important.
>>
>> He probably thought that I am with the rules of PCI, or that I don't have
>> any idea that the world is not just WINDOWS !!!
>>
>> Regards,
>>
>> ------------------------------
>> *From:* Christian Sciberras <uuf6429@...il.com>
>> *To:* Shaqe Wan <sha8e@...oo.com>
>> *Cc:* full-disclosure@...ts.grok.org.uk
>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>
>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>
>> Why exactly are you complying with Nick's statements? I would have thought
>> you guys were arguing against said statements?
>>
>>
>> By the way, requirement #6 is particularly funny; it sounds peculiarly
>> redundant to me...
>>
>> Cheers.
>>
>>
>>
>>
>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>
>>>
>>>  Nick,
>>>
>>> Please if you don't know what the standards are, please read:
>>>
>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>
>>> See *Requirement #5*. Read that requirement carefully and its not bad to
>>> read it twice though in case you don't figure it out from the first glance !
>>>
>>> Also, I said that using an AV is some basic thing to do in any company
>>> that wants to deal with CC, its a basic thing for even companies not dealing
>>> with CC too !!! Or do you state that people must use a BOX with no AV
>>> installed on it? If you believe in that fact? Then please request a change
>>> in the PCI DSS requirements and make them force the usage of a non Windows
>>> O.S, such as any *n?x system.
>>>
>>> Finally, the topic here is not about "default allow vs default deny" and
>>> if I understand what that is or not! You can open a new discussion about
>>> that, and I shall join there and discuss it further with you, in case you
>>> need some clarification regarding it.
>>>
>>> Regards,
>>> Shaqe
>>>
>>>
>>> --- On *Sun, 4/25/10, Nick FitzGerald <nick@...us-l.demon.co.uk>* wrote:
>>>
>>>
>>> From: Nick FitzGerald <nick@...us-l.demon.co.uk>
>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>> To: full-disclosure@...ts.grok.org.uk
>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>
>>> Shaqe Wan wrote:
>>>
>>> <<snip>>
>>> > Because it shall be nonsense to deal with CC, and not have an
>>> Anti-virus for example !!
>>>
>>> Well, you see, _that_ is abject nonsense on its face.
>>>
>>> Do you have any understanding of one of the most basic of security
>>> issues -- default allow vs. default deny?
>>>
>>> There are many more secure ways to run systems _without_ antivirus
>>> software.
>>>
>>> Anyone authoritatively stating that antivirus software is a necessary
>>> component of a "reasonably secure" system is a fool.
>>>
>>> Anyone authoritatively stating that antivirus software is a necessary
>>> component of a "sufficiently secure" system is one (or more) of; a
>>> fool, a person with an unusually low standard of system security, or a
>>> shill for an antivirus producer.
>>>
>>> So _if_, as you and another recent poster strongly imply, the PCI
>>> standards include a specific _requirement_ for antivirus software, then
>>> the standards themselves are total nonsense...
>>>
>>>
>>>
>>> Regards,
>>>
>>> Nick FitzGerald
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>>
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists