[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <n2kf37852831004270816t3b26a89esfe913d936bc4e15a@mail.gmail.com>
Date: Tue, 27 Apr 2010 08:16:26 -0700
From: Mike Hale <eyeronic.design@...il.com>
To: Christian Sciberras <uuf6429@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compliance Is Wasted Money, Study Finds
Actually, you're right. You're not the one who said that, I apologize.
But I maintain that you're arguing over something that you don't
understand. You took one section (the anti-virus one) and got your panties
in a bunch over a security standard that says you *should* run anti-virus.
You completely ignored that PCI allows you to have compensating controls in
place for virtually any requirement.
On Tue, Apr 27, 2010 at 8:07 AM, Christian Sciberras <uuf6429@...il.com>wrote:
> based on your own admission
>
> On who's admission? Perhaps you should bother to cite sources next time?
> And, how is quoting me in a different argument "your point"?
>
>
>
>
>
>
> On Tue, Apr 27, 2010 at 4:55 PM, Mike Hale <eyeronic.design@...il.com>wrote:
>
>> Point is, you're arguing for the sake of arguing, as you have no
>> understanding what PCI is, based on your own admission.
>>
>> On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras <uuf6429@...il.com>wrote:
>>
>>> Nice way of reading whatever feels right to you. Perhaps you'd have
>>> better read what I wrote a few lines before that?
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <eyeronic.design@...il.com>wrote:
>>>
>>>> "-they are arguing for the fun of it without any real arguments (why
>>>> else prove me right on my arguments and later on deny it?)"
>>>>
>>>> So you fall into this category?
>>>> On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <
>>>> uuf6429@...il.com> wrote:
>>>>
>>>>> In short, you just said that PCI compliance _is_ a waste of time and
>>>>> money.
>>>>>
>>>>> Why else would you protect something which is bound to fail anyway?!
>>>>>
>>>>> This is a lost battle, as I said no one cares about the arguments
>>>>> because these people fall into three categories:
>>>>> -they believe the illusion that PCI by itself enhances security
>>>>> -they do there job and don't give a f*ck about it
>>>>> -they are arguing for the fun of it without any real arguments (why
>>>>> else prove me right on my arguments and later on deny it?)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>
>>>>>> You won't know not now, not ever. Maybe they do get a commission for
>>>>>> your AV installation, who knows ! But maybe they think it is something that
>>>>>> everybody needs so the force it. To get to know the true answer, we need to
>>>>>> sit down with the guys who wrote the requirements and brainstorm with them
>>>>>> those issues. We shall keep just running around and around in a circle here,
>>>>>> because no one here "if no CC company guy is around" can give a definite
>>>>>> answer. Just our simple argues !
>>>>>>
>>>>>> As I said before, I have to use it on a windows box, because its a
>>>>>> requirement, its not my opinion at all.
>>>>>>
>>>>>> I 100% agree with you about most of the companies seek the paper work
>>>>>> and get PCI certified and don't really bother about true security measures,
>>>>>> but in the end if a breach is discovered they are the ones who shall get the
>>>>>> penalty in the face, not us :)
>>>>>>
>>>>>> NB: I don't use an AV, never did, and never will :p
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> ------------------------------
>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>> *Sent:* Tue, April 27, 2010 10:37:24 AM
>>>>>>
>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>> Finds
>>>>>>
>>>>>> Surely being forced to install an anti-virus only brings in a
>>>>>> monopoly? How do I know that PCI Standards writers are getting a nice
>>>>>> commission off me installing the anti-virus? (I know they don't, I'm just
>>>>>> hypothesizing).
>>>>>>
>>>>>> You stated it yourself, an anti-virus may not do any difference, it is
>>>>>> there as per PCI standard.....so what is it's use? Why the heck do I have to
>>>>>> install something useless?
>>>>>>
>>>>>> Lastly, that is where you are wrong, there is no "base starting point"
>>>>>> companies don't give a shit about proper security measures, they get
>>>>>> PCI-certified and all security ends there.
>>>>>> That is the freaken problem.
>>>>>>
>>>>>> NB: I do use anti-virus software, what I specified above is not in any
>>>>>> way my opinion about anti-virus vendors, etc.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I don't actually beleive there is a "democratic society". No such
>>>>>>> thing exists. If it does? Then ask the organizations who made the compliance
>>>>>>> requirements drop them and make audits based on some other measure that you
>>>>>>> believe is more secure and has less flaws in it. Finally, regarding the AV
>>>>>>> issue that I wish I end here, is that "I don't believe that an AV shall make
>>>>>>> your box secure, but its a requirement to be done - Added by PCI"
>>>>>>>
>>>>>>> And yes I have noticed that FD is for such security measures
>>>>>>> discussion, but never thought of joining it and discussing with others until
>>>>>>> a couple of days ago when I saw this topic.
>>>>>>>
>>>>>>> Finally, the compliance can be taken of as a base starting point, and
>>>>>>> then moving further, like that it shall not be a waste of money !
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------
>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>>>>>>
>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>> Finds
>>>>>>>
>>>>>>> Perhaps you haven't noticed, this is Full-Disclosure, which at least,
>>>>>>> is used to discuss security measures.
>>>>>>> As such, it is only natural to argue with PCI's possible security
>>>>>>> flaws.
>>>>>>>
>>>>>>> Besides, in a democratic society (where CC do operate as well), you
>>>>>>> can't "force" someone to install an anti-virus just because _you_ think it
>>>>>>> is secure.
>>>>>>>
>>>>>>> The argument were compliance is wasted money still holds.
>>>>>>>
>>>>>>> Cheers.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>>>
>>>>>>>> Hola,
>>>>>>>>
>>>>>>>> The problem is not weather they are educated against other standards
>>>>>>>> or policies or not, the problem is that without this compliance you can't
>>>>>>>> work with CC !!! Its something that is enforced on you !
>>>>>>>>
>>>>>>>> BTW: why don't people discuss what is the points missing in the PCI
>>>>>>>> Compliance better than this argue ?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------
>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>>>>>>
>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>> Finds
>>>>>>>>
>>>>>>>> OK.
>>>>>>>>
>>>>>>>> "All those in favour of PCI raises their hands."
>>>>>>>>
>>>>>>>> Kidding aside, of course it is a must, since the said companies
>>>>>>>> doesn't have any notion of security before this happens.
>>>>>>>> However, how much is this actually helpful? Now let's be honest, how
>>>>>>>> much would it stop a potential attacker from getting into a system
>>>>>>>> "protected" by PCI?
>>>>>>>> Little, if at all.
>>>>>>>>
>>>>>>>> On the other hand, a company should adopt real and complete security
>>>>>>>> practices.
>>>>>>>>
>>>>>>>> Again, my point is, these companies shouldn't be "educated" or limit
>>>>>>>> their security to this standard. Because if they do (and I'm pretty sure
>>>>>>>> they do) would make this standard pretty much useless.
>>>>>>>>
>>>>>>>> Anyway, I won't get into this argument, since no one will give a
>>>>>>>> sh*t about it anyway.
>>>>>>>>
>>>>>>>> Cheers.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>>>>
>>>>>>>>> Christian,
>>>>>>>>>
>>>>>>>>> Did you read my first post?
>>>>>>>>>
>>>>>>>>> ((( IMO, PCI is not that big security policy, but without it your
>>>>>>>>> not able to use the credit card companies gateway. I think its
>>>>>>>>> just the basics that any company dealing with CC must implement. Because it
>>>>>>>>> shall be nonsense to deal with CC, and not have an Anti-virus for example !!)))
>>>>>>>>>
>>>>>>>>> I am not stating that PCI is good in no way, but I am saying that
>>>>>>>>> its a MUST for companies dealing with CC. And in a windows environment, an
>>>>>>>>> AV is important.
>>>>>>>>>
>>>>>>>>> He probably thought that I am with the rules of PCI, or that I
>>>>>>>>> don't have any idea that the world is not just WINDOWS !!!
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> ------------------------------
>>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>>>>>>
>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>>> Finds
>>>>>>>>>
>>>>>>>>> Why exactly are you complying with Nick's statements? I would have
>>>>>>>>> thought you guys were arguing against said statements?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> By the way, requirement #6 is particularly funny; it sounds
>>>>>>>>> peculiarly redundant to me...
>>>>>>>>>
>>>>>>>>> Cheers.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <sha8e@...oo.com>wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Nick,
>>>>>>>>>>
>>>>>>>>>> Please if you don't know what the standards are, please read:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>>>>>
>>>>>>>>>> See *Requirement #5*. Read that requirement carefully and its not
>>>>>>>>>> bad to read it twice though in case you don't figure it out from the first
>>>>>>>>>> glance !
>>>>>>>>>>
>>>>>>>>>> Also, I said that using an AV is some basic thing to do in any
>>>>>>>>>> company that wants to deal with CC, its a basic thing for even companies not
>>>>>>>>>> dealing with CC too !!! Or do you state that people must use a BOX with no
>>>>>>>>>> AV installed on it? If you believe in that fact? Then please request a
>>>>>>>>>> change in the PCI DSS requirements and make them force the usage of a non
>>>>>>>>>> Windows O.S, such as any *n?x system.
>>>>>>>>>>
>>>>>>>>>> Finally, the topic here is not about "default allow vs default
>>>>>>>>>> deny" and if I understand what that is or not! You can open a new discussion
>>>>>>>>>> about that, and I shall join there and discuss it further with you, in case
>>>>>>>>>> you need some clarification regarding it.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Shaqe
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <nick@...us-l.demon.co.uk>*wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> From: Nick FitzGerald <nick@...us-l.demon.co.uk>
>>>>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>>>> Finds
>>>>>>>>>> To: full-disclosure@...ts.grok.org.uk
>>>>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>>>>>
>>>>>>>>>> Shaqe Wan wrote:
>>>>>>>>>>
>>>>>>>>>> <<snip>>
>>>>>>>>>> > Because it shall be nonsense to deal with CC, and not have an
>>>>>>>>>> Anti-virus for example !!
>>>>>>>>>>
>>>>>>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>>>>>>
>>>>>>>>>> Do you have any understanding of one of the most basic of security
>>>>>>>>>>
>>>>>>>>>> issues -- default allow vs. default deny?
>>>>>>>>>>
>>>>>>>>>> There are many more secure ways to run systems _without_ antivirus
>>>>>>>>>>
>>>>>>>>>> software.
>>>>>>>>>>
>>>>>>>>>> Anyone authoritatively stating that antivirus software is a
>>>>>>>>>> necessary
>>>>>>>>>> component of a "reasonably secure" system is a fool.
>>>>>>>>>>
>>>>>>>>>> Anyone authoritatively stating that antivirus software is a
>>>>>>>>>> necessary
>>>>>>>>>> component of a "sufficiently secure" system is one (or more) of; a
>>>>>>>>>>
>>>>>>>>>> fool, a person with an unusually low standard of system security,
>>>>>>>>>> or a
>>>>>>>>>> shill for an antivirus producer.
>>>>>>>>>>
>>>>>>>>>> So _if_, as you and another recent poster strongly imply, the PCI
>>>>>>>>>> standards include a specific _requirement_ for antivirus software,
>>>>>>>>>> then
>>>>>>>>>> the standards themselves are total nonsense...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>> Nick FitzGerald
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>>
>>>
>>>
>>
>>
>> --
>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>
>
>
--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists