[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <v2i3af3d47c1004270833hde4b4c17hcde94f4135c776f5@mail.gmail.com>
Date: Tue, 27 Apr 2010 17:33:32 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Mike Hale <eyeronic.design@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compliance Is Wasted Money, Study Finds
My point isn't about a particular section, nor whether the amount of
experience I have in PCI DSS compliance (which is next to novice).
The point is, what s PCI aiming at?
Real security, or just a way companies can excuse their incompetence by
citing full PCI compliance?
Which reminds me, it wasn't I that brought anti-viruses to the discussion.
Cheers.
On Tue, Apr 27, 2010 at 5:16 PM, Mike Hale <eyeronic.design@...il.com>wrote:
> Actually, you're right. You're not the one who said that, I apologize.
>
> But I maintain that you're arguing over something that you don't
> understand. You took one section (the anti-virus one) and got your panties
> in a bunch over a security standard that says you *should* run anti-virus.
> You completely ignored that PCI allows you to have compensating controls in
> place for virtually any requirement.
>
> On Tue, Apr 27, 2010 at 8:07 AM, Christian Sciberras <uuf6429@...il.com>wrote:
>
>> based on your own admission
>>
>> On who's admission? Perhaps you should bother to cite sources next time?
>> And, how is quoting me in a different argument "your point"?
>>
>>
>>
>>
>>
>>
>> On Tue, Apr 27, 2010 at 4:55 PM, Mike Hale <eyeronic.design@...il.com>wrote:
>>
>>> Point is, you're arguing for the sake of arguing, as you have no
>>> understanding what PCI is, based on your own admission.
>>>
>>> On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras <uuf6429@...il.com>wrote:
>>>
>>>> Nice way of reading whatever feels right to you. Perhaps you'd have
>>>> better read what I wrote a few lines before that?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <eyeronic.design@...il.com>wrote:
>>>>
>>>>> "-they are arguing for the fun of it without any real arguments (why
>>>>> else prove me right on my arguments and later on deny it?)"
>>>>>
>>>>> So you fall into this category?
>>>>> On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <
>>>>> uuf6429@...il.com> wrote:
>>>>>
>>>>>> In short, you just said that PCI compliance _is_ a waste of time and
>>>>>> money.
>>>>>>
>>>>>> Why else would you protect something which is bound to fail anyway?!
>>>>>>
>>>>>> This is a lost battle, as I said no one cares about the arguments
>>>>>> because these people fall into three categories:
>>>>>> -they believe the illusion that PCI by itself enhances security
>>>>>> -they do there job and don't give a f*ck about it
>>>>>> -they are arguing for the fun of it without any real arguments (why
>>>>>> else prove me right on my arguments and later on deny it?)
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>>
>>>>>>> You won't know not now, not ever. Maybe they do get a commission
>>>>>>> for your AV installation, who knows ! But maybe they think it is something
>>>>>>> that everybody needs so the force it. To get to know the true answer, we
>>>>>>> need to sit down with the guys who wrote the requirements and brainstorm
>>>>>>> with them those issues. We shall keep just running around and around in a
>>>>>>> circle here, because no one here "if no CC company guy is around" can give a
>>>>>>> definite answer. Just our simple argues !
>>>>>>>
>>>>>>> As I said before, I have to use it on a windows box, because its a
>>>>>>> requirement, its not my opinion at all.
>>>>>>>
>>>>>>> I 100% agree with you about most of the companies seek the paper work
>>>>>>> and get PCI certified and don't really bother about true security measures,
>>>>>>> but in the end if a breach is discovered they are the ones who shall get the
>>>>>>> penalty in the face, not us :)
>>>>>>>
>>>>>>> NB: I don't use an AV, never did, and never will :p
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> ------------------------------
>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>> *Sent:* Tue, April 27, 2010 10:37:24 AM
>>>>>>>
>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>> Finds
>>>>>>>
>>>>>>> Surely being forced to install an anti-virus only brings in a
>>>>>>> monopoly? How do I know that PCI Standards writers are getting a nice
>>>>>>> commission off me installing the anti-virus? (I know they don't, I'm just
>>>>>>> hypothesizing).
>>>>>>>
>>>>>>> You stated it yourself, an anti-virus may not do any difference, it
>>>>>>> is there as per PCI standard.....so what is it's use? Why the heck do I have
>>>>>>> to install something useless?
>>>>>>>
>>>>>>> Lastly, that is where you are wrong, there is no "base starting
>>>>>>> point" companies don't give a shit about proper security measures, they get
>>>>>>> PCI-certified and all security ends there.
>>>>>>> That is the freaken problem.
>>>>>>>
>>>>>>> NB: I do use anti-virus software, what I specified above is not in
>>>>>>> any way my opinion about anti-virus vendors, etc.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I don't actually beleive there is a "democratic society". No such
>>>>>>>> thing exists. If it does? Then ask the organizations who made the compliance
>>>>>>>> requirements drop them and make audits based on some other measure that you
>>>>>>>> believe is more secure and has less flaws in it. Finally, regarding the AV
>>>>>>>> issue that I wish I end here, is that "I don't believe that an AV shall make
>>>>>>>> your box secure, but its a requirement to be done - Added by PCI"
>>>>>>>>
>>>>>>>> And yes I have noticed that FD is for such security measures
>>>>>>>> discussion, but never thought of joining it and discussing with others until
>>>>>>>> a couple of days ago when I saw this topic.
>>>>>>>>
>>>>>>>> Finally, the compliance can be taken of as a base starting point,
>>>>>>>> and then moving further, like that it shall not be a waste of money !
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------
>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>>>>>>>
>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>> Finds
>>>>>>>>
>>>>>>>> Perhaps you haven't noticed, this is Full-Disclosure, which at
>>>>>>>> least, is used to discuss security measures.
>>>>>>>> As such, it is only natural to argue with PCI's possible security
>>>>>>>> flaws.
>>>>>>>>
>>>>>>>> Besides, in a democratic society (where CC do operate as well), you
>>>>>>>> can't "force" someone to install an anti-virus just because _you_ think it
>>>>>>>> is secure.
>>>>>>>>
>>>>>>>> The argument were compliance is wasted money still holds.
>>>>>>>>
>>>>>>>> Cheers.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>>>>
>>>>>>>>> Hola,
>>>>>>>>>
>>>>>>>>> The problem is not weather they are educated against other
>>>>>>>>> standards or policies or not, the problem is that without this compliance
>>>>>>>>> you can't work with CC !!! Its something that is enforced on you !
>>>>>>>>>
>>>>>>>>> BTW: why don't people discuss what is the points missing in the PCI
>>>>>>>>> Compliance better than this argue ?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ------------------------------
>>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>>>>>>>
>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>>> Finds
>>>>>>>>>
>>>>>>>>> OK.
>>>>>>>>>
>>>>>>>>> "All those in favour of PCI raises their hands."
>>>>>>>>>
>>>>>>>>> Kidding aside, of course it is a must, since the said companies
>>>>>>>>> doesn't have any notion of security before this happens.
>>>>>>>>> However, how much is this actually helpful? Now let's be honest,
>>>>>>>>> how much would it stop a potential attacker from getting into a system
>>>>>>>>> "protected" by PCI?
>>>>>>>>> Little, if at all.
>>>>>>>>>
>>>>>>>>> On the other hand, a company should adopt real and complete
>>>>>>>>> security practices.
>>>>>>>>>
>>>>>>>>> Again, my point is, these companies shouldn't be "educated" or
>>>>>>>>> limit their security to this standard. Because if they do (and I'm pretty
>>>>>>>>> sure they do) would make this standard pretty much useless.
>>>>>>>>>
>>>>>>>>> Anyway, I won't get into this argument, since no one will give a
>>>>>>>>> sh*t about it anyway.
>>>>>>>>>
>>>>>>>>> Cheers.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <sha8e@...oo.com>wrote:
>>>>>>>>>
>>>>>>>>>> Christian,
>>>>>>>>>>
>>>>>>>>>> Did you read my first post?
>>>>>>>>>>
>>>>>>>>>> ((( IMO, PCI is not that big security policy, but without it your
>>>>>>>>>> not able to use the credit card companies gateway. I think its
>>>>>>>>>> just the basics that any company dealing with CC must implement. Because it
>>>>>>>>>> shall be nonsense to deal with CC, and not have an Anti-virus for example !!)))
>>>>>>>>>>
>>>>>>>>>> I am not stating that PCI is good in no way, but I am saying that
>>>>>>>>>> its a MUST for companies dealing with CC. And in a windows environment, an
>>>>>>>>>> AV is important.
>>>>>>>>>>
>>>>>>>>>> He probably thought that I am with the rules of PCI, or that I
>>>>>>>>>> don't have any idea that the world is not just WINDOWS !!!
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>> ------------------------------
>>>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>>>>>>>
>>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money,
>>>>>>>>>> Study Finds
>>>>>>>>>>
>>>>>>>>>> Why exactly are you complying with Nick's statements? I would have
>>>>>>>>>> thought you guys were arguing against said statements?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> By the way, requirement #6 is particularly funny; it sounds
>>>>>>>>>> peculiarly redundant to me...
>>>>>>>>>>
>>>>>>>>>> Cheers.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <sha8e@...oo.com>wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Nick,
>>>>>>>>>>>
>>>>>>>>>>> Please if you don't know what the standards are, please read:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>>>>>>
>>>>>>>>>>> See *Requirement #5*. Read that requirement carefully and its
>>>>>>>>>>> not bad to read it twice though in case you don't figure it out from the
>>>>>>>>>>> first glance !
>>>>>>>>>>>
>>>>>>>>>>> Also, I said that using an AV is some basic thing to do in any
>>>>>>>>>>> company that wants to deal with CC, its a basic thing for even companies not
>>>>>>>>>>> dealing with CC too !!! Or do you state that people must use a BOX with no
>>>>>>>>>>> AV installed on it? If you believe in that fact? Then please request a
>>>>>>>>>>> change in the PCI DSS requirements and make them force the usage of a non
>>>>>>>>>>> Windows O.S, such as any *n?x system.
>>>>>>>>>>>
>>>>>>>>>>> Finally, the topic here is not about "default allow vs default
>>>>>>>>>>> deny" and if I understand what that is or not! You can open a new discussion
>>>>>>>>>>> about that, and I shall join there and discuss it further with you, in case
>>>>>>>>>>> you need some clarification regarding it.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Shaqe
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <nick@...us-l.demon.co.uk>
>>>>>>>>>>> * wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> From: Nick FitzGerald <nick@...us-l.demon.co.uk>
>>>>>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>>>>> Finds
>>>>>>>>>>> To: full-disclosure@...ts.grok.org.uk
>>>>>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>>>>>>
>>>>>>>>>>> Shaqe Wan wrote:
>>>>>>>>>>>
>>>>>>>>>>> <<snip>>
>>>>>>>>>>> > Because it shall be nonsense to deal with CC, and not have an
>>>>>>>>>>> Anti-virus for example !!
>>>>>>>>>>>
>>>>>>>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>>>>>>>
>>>>>>>>>>> Do you have any understanding of one of the most basic of
>>>>>>>>>>> security
>>>>>>>>>>> issues -- default allow vs. default deny?
>>>>>>>>>>>
>>>>>>>>>>> There are many more secure ways to run systems _without_
>>>>>>>>>>> antivirus
>>>>>>>>>>> software.
>>>>>>>>>>>
>>>>>>>>>>> Anyone authoritatively stating that antivirus software is a
>>>>>>>>>>> necessary
>>>>>>>>>>> component of a "reasonably secure" system is a fool.
>>>>>>>>>>>
>>>>>>>>>>> Anyone authoritatively stating that antivirus software is a
>>>>>>>>>>> necessary
>>>>>>>>>>> component of a "sufficiently secure" system is one (or more)
>>>>>>>>>>> of; a
>>>>>>>>>>> fool, a person with an unusually low standard of system security,
>>>>>>>>>>> or a
>>>>>>>>>>> shill for an antivirus producer.
>>>>>>>>>>>
>>>>>>>>>>> So _if_, as you and another recent poster strongly imply, the PCI
>>>>>>>>>>>
>>>>>>>>>>> standards include a specific _requirement_ for antivirus
>>>>>>>>>>> software, then
>>>>>>>>>>> the standards themselves are total nonsense...
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>> Nick FitzGerald
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>
>>
>>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists