lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <x2rf37852831004270930tb5a446e0m88c3d68ea64dc7c8@mail.gmail.com>
Date: Tue, 27 Apr 2010 09:30:54 -0700
From: Mike Hale <eyeronic.design@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compliance Is Wasted Money, Study Finds

"The point is, what s PCI aiming at?"
It's aiming for a basic level of security among companies that process
credit cards.  Nothing more.  You have to remember that PCI didn't come
about in a vacuum.  It was created to solve a specific problem that the
major credit cards faced in regards to the security posture of their
processors.

The two alternatives for the Payment Card Industry are:
1)  The base level of security specified by PCI
2)  No base level of security, with most companies not implementing any
security whatsoever.

PCI does not stop a company from enacting stricter and better security
controls.  If your internal security is better than what PCI specifies, but
you do not meet one of the requirements, you use the compensating control
mechanism to justify it.

For the record, I apologize for the 'panties in a bunch' comment.  I lost
track of who said what, and you did not bring up the AV stuff.  Haven't had
my coffee yet...  ;)

On Tue, Apr 27, 2010 at 8:33 AM, Christian Sciberras <uuf6429@...il.com>wrote:

> My point isn't about a particular section, nor whether the amount of
> experience I have in PCI DSS compliance (which is next to novice).
> The point is, what s PCI aiming at?
> Real security, or just a way companies can excuse their incompetence by
> citing full PCI compliance?
> Which reminds me, it wasn't I that brought anti-viruses to the discussion.
>
> Cheers.
>
>
>
>
>
> On Tue, Apr 27, 2010 at 5:16 PM, Mike Hale <eyeronic.design@...il.com>wrote:
>
>> Actually, you're right.  You're not the one who said that, I apologize.
>>
>> But I maintain that you're arguing over something that you don't
>> understand.  You took one section (the anti-virus one) and got your panties
>> in a bunch over a security standard that says you *should* run anti-virus.
>> You completely ignored that PCI allows you to have compensating controls in
>> place for virtually any requirement.
>>
>>   On Tue, Apr 27, 2010 at 8:07 AM, Christian Sciberras <uuf6429@...il.com
>> > wrote:
>>
>>> based on your own admission
>>>
>>> On who's admission? Perhaps you should bother to cite sources next time?
>>> And, how is quoting me in a different argument "your point"?
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Apr 27, 2010 at 4:55 PM, Mike Hale <eyeronic.design@...il.com>wrote:
>>>
>>>> Point is, you're arguing for the sake of arguing, as you have no
>>>> understanding what PCI is, based on your own admission.
>>>>
>>>> On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras <uuf6429@...il.com
>>>> > wrote:
>>>>
>>>>> Nice way of reading whatever feels right to you. Perhaps you'd have
>>>>> better read what I wrote a few lines before that?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <eyeronic.design@...il.com>wrote:
>>>>>
>>>>>>  "-they are arguing for the fun of it without any real arguments (why
>>>>>> else prove me right on my arguments and later on deny it?)"
>>>>>>
>>>>>> So you fall into this category?
>>>>>>   On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <
>>>>>> uuf6429@...il.com> wrote:
>>>>>>
>>>>>>> In short, you just said that PCI compliance _is_ a waste of time and
>>>>>>> money.
>>>>>>>
>>>>>>> Why else would you protect something which is bound to fail anyway?!
>>>>>>>
>>>>>>> This is a lost battle, as I said no one cares about the arguments
>>>>>>> because these people fall into three categories:
>>>>>>> -they believe the illusion that PCI by itself enhances security
>>>>>>> -they do there job and don't give a f*ck about it
>>>>>>> -they are arguing for the fun of it without any real arguments (why
>>>>>>> else prove me right on my arguments and later on deny it?)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>>>
>>>>>>>>  You won't know not now, not ever. Maybe they do get a commission
>>>>>>>> for your AV installation, who knows ! But maybe they think it is something
>>>>>>>> that everybody needs so the force it. To get to know the true answer, we
>>>>>>>> need to sit down with the guys who wrote the requirements and brainstorm
>>>>>>>> with them those issues. We shall keep just running around and around in a
>>>>>>>> circle here, because no one here "if no CC company guy is around" can give a
>>>>>>>> definite answer. Just our simple argues !
>>>>>>>>
>>>>>>>> As I said before, I have to use it on a windows box, because its a
>>>>>>>> requirement, its not my opinion at all.
>>>>>>>>
>>>>>>>> I 100% agree with you about most of the companies seek the paper
>>>>>>>> work and get PCI certified and don't really bother about true security
>>>>>>>> measures, but in the end if a breach is discovered they are the ones who
>>>>>>>> shall get the penalty in the face, not us :)
>>>>>>>>
>>>>>>>> NB: I don't use an AV, never did, and never will :p
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>>  ------------------------------
>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>> *Sent:* Tue, April 27, 2010 10:37:24 AM
>>>>>>>>
>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>> Finds
>>>>>>>>
>>>>>>>> Surely being forced to install an anti-virus only brings in a
>>>>>>>> monopoly? How do I know that PCI Standards writers are getting a nice
>>>>>>>> commission off me installing the anti-virus? (I know they don't, I'm just
>>>>>>>> hypothesizing).
>>>>>>>>
>>>>>>>> You stated it yourself, an anti-virus may not do any difference, it
>>>>>>>> is there as per PCI standard.....so what is it's use? Why the heck do I have
>>>>>>>> to install something useless?
>>>>>>>>
>>>>>>>> Lastly, that is where you are wrong, there is no "base starting
>>>>>>>> point" companies don't give a shit about proper security measures, they get
>>>>>>>> PCI-certified and all security ends there.
>>>>>>>> That is the freaken problem.
>>>>>>>>
>>>>>>>> NB: I do use anti-virus software, what I specified above is not in
>>>>>>>> any way my opinion about anti-virus vendors, etc.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>>>>>
>>>>>>>>>  Hi,
>>>>>>>>>
>>>>>>>>> I don't actually beleive there is a "democratic society". No such
>>>>>>>>> thing exists. If it does? Then ask the organizations who made the compliance
>>>>>>>>> requirements drop them and make audits based on some other measure that you
>>>>>>>>> believe is more secure and has less flaws in it. Finally, regarding the AV
>>>>>>>>> issue that I wish I end here, is that "I don't believe that an AV shall make
>>>>>>>>> your box secure, but its a requirement to be done - Added by PCI"
>>>>>>>>>
>>>>>>>>> And yes I have noticed that FD is for such security measures
>>>>>>>>> discussion, but never thought of joining it and discussing with others until
>>>>>>>>> a couple of days ago when I saw this topic.
>>>>>>>>>
>>>>>>>>> Finally, the compliance can be taken of as a base starting point,
>>>>>>>>> and then moving further, like that it shall not be a waste of money !
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>  ------------------------------
>>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>>>>>>>>
>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>>> Finds
>>>>>>>>>
>>>>>>>>> Perhaps you haven't noticed, this is Full-Disclosure, which at
>>>>>>>>> least, is used to discuss security measures.
>>>>>>>>> As such, it is only natural to argue with PCI's possible security
>>>>>>>>> flaws.
>>>>>>>>>
>>>>>>>>> Besides, in a democratic society (where CC do operate as well), you
>>>>>>>>> can't "force" someone to install an anti-virus just because _you_ think it
>>>>>>>>> is secure.
>>>>>>>>>
>>>>>>>>> The argument were compliance is wasted money still holds.
>>>>>>>>>
>>>>>>>>> Cheers.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <sha8e@...oo.com>wrote:
>>>>>>>>>
>>>>>>>>>>  Hola,
>>>>>>>>>>
>>>>>>>>>> The problem is not weather they are educated against other
>>>>>>>>>> standards or policies or not, the problem is that without this compliance
>>>>>>>>>> you can't work with CC !!! Its something that is enforced on you !
>>>>>>>>>>
>>>>>>>>>> BTW: why don't people discuss what is the points missing in the
>>>>>>>>>> PCI Compliance better than this argue ?
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>  ------------------------------
>>>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>>>>>>>>
>>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money,
>>>>>>>>>> Study Finds
>>>>>>>>>>
>>>>>>>>>> OK.
>>>>>>>>>>
>>>>>>>>>> "All those in favour of PCI raises their hands."
>>>>>>>>>>
>>>>>>>>>> Kidding aside, of course it is a must, since the said companies
>>>>>>>>>> doesn't have any notion of security before this happens.
>>>>>>>>>> However, how much is this actually helpful? Now let's be honest,
>>>>>>>>>> how much would it stop a potential attacker from getting into a system
>>>>>>>>>> "protected" by PCI?
>>>>>>>>>> Little, if at all.
>>>>>>>>>>
>>>>>>>>>> On the other hand, a company should adopt real and complete
>>>>>>>>>> security practices.
>>>>>>>>>>
>>>>>>>>>> Again, my point is, these companies shouldn't be "educated" or
>>>>>>>>>> limit their security to this standard. Because if they do (and I'm pretty
>>>>>>>>>> sure they do) would make this standard pretty much useless.
>>>>>>>>>>
>>>>>>>>>> Anyway, I won't get into this argument, since no one will give a
>>>>>>>>>> sh*t about it anyway.
>>>>>>>>>>
>>>>>>>>>> Cheers.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <sha8e@...oo.com>wrote:
>>>>>>>>>>
>>>>>>>>>>>  Christian,
>>>>>>>>>>>
>>>>>>>>>>> Did you read my first post?
>>>>>>>>>>>
>>>>>>>>>>> ((( IMO, PCI is not that big security policy, but without it
>>>>>>>>>>> your not able to use the credit card companies gateway. I think
>>>>>>>>>>> its just the basics that any company dealing with CC must implement. Because
>>>>>>>>>>> it shall be nonsense to deal with CC, and not have an Anti-virus for example
>>>>>>>>>>> !! )))
>>>>>>>>>>>
>>>>>>>>>>> I am not stating that PCI is good in no way, but I am saying that
>>>>>>>>>>> its a MUST for companies dealing with CC. And in a windows environment, an
>>>>>>>>>>> AV is important.
>>>>>>>>>>>
>>>>>>>>>>> He probably thought that I am with the rules of PCI, or that I
>>>>>>>>>>> don't have any idea that the world is not just WINDOWS !!!
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>>  ------------------------------
>>>>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>>>>>>>>
>>>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money,
>>>>>>>>>>> Study Finds
>>>>>>>>>>>
>>>>>>>>>>> Why exactly are you complying with Nick's statements? I would
>>>>>>>>>>> have thought you guys were arguing against said statements?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> By the way, requirement #6 is particularly funny; it sounds
>>>>>>>>>>> peculiarly redundant to me...
>>>>>>>>>>>
>>>>>>>>>>> Cheers.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <sha8e@...oo.com>wrote:
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>    Nick,
>>>>>>>>>>>>
>>>>>>>>>>>> Please if you don't know what the standards are, please read:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>>>>>>>
>>>>>>>>>>>> See *Requirement #5*. Read that requirement carefully and its
>>>>>>>>>>>> not bad to read it twice though in case you don't figure it out from the
>>>>>>>>>>>> first glance !
>>>>>>>>>>>>
>>>>>>>>>>>> Also, I said that using an AV is some basic thing to do in any
>>>>>>>>>>>> company that wants to deal with CC, its a basic thing for even companies not
>>>>>>>>>>>> dealing with CC too !!! Or do you state that people must use a BOX with no
>>>>>>>>>>>> AV installed on it? If you believe in that fact? Then please request a
>>>>>>>>>>>> change in the PCI DSS requirements and make them force the usage of a non
>>>>>>>>>>>> Windows O.S, such as any *n?x system.
>>>>>>>>>>>>
>>>>>>>>>>>> Finally, the topic here is not about "default allow vs default
>>>>>>>>>>>> deny" and if I understand what that is or not! You can open a new discussion
>>>>>>>>>>>> about that, and I shall join there and discuss it further with you, in case
>>>>>>>>>>>> you need some clarification regarding it.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Shaqe
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <nick@...us-l.demon.co.uk
>>>>>>>>>>>> >* wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> From: Nick FitzGerald <nick@...us-l.demon.co.uk>
>>>>>>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>>>>>> Finds
>>>>>>>>>>>> To: full-disclosure@...ts.grok.org.uk
>>>>>>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>>>>>>>
>>>>>>>>>>>>  Shaqe Wan wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> <<snip>>
>>>>>>>>>>>> > Because it shall be nonsense to deal with CC, and not have an
>>>>>>>>>>>> Anti-virus for example !!
>>>>>>>>>>>>
>>>>>>>>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>>>>>>>>
>>>>>>>>>>>> Do you have any understanding of one of the most basic of
>>>>>>>>>>>> security
>>>>>>>>>>>> issues -- default allow vs. default deny?
>>>>>>>>>>>>
>>>>>>>>>>>> There are many more secure ways to run systems _without_
>>>>>>>>>>>> antivirus
>>>>>>>>>>>> software.
>>>>>>>>>>>>
>>>>>>>>>>>> Anyone authoritatively stating that antivirus software is a
>>>>>>>>>>>> necessary
>>>>>>>>>>>> component of a "reasonably secure" system is a fool.
>>>>>>>>>>>>
>>>>>>>>>>>> Anyone authoritatively stating that antivirus software is a
>>>>>>>>>>>> necessary
>>>>>>>>>>>> component of a "sufficiently secure" system is one (or more) of;
>>>>>>>>>>>> a
>>>>>>>>>>>> fool, a person with an unusually low standard of system
>>>>>>>>>>>> security, or a
>>>>>>>>>>>> shill for an antivirus producer.
>>>>>>>>>>>>
>>>>>>>>>>>> So _if_, as you and another recent poster strongly imply, the
>>>>>>>>>>>> PCI
>>>>>>>>>>>> standards include a specific _requirement_ for antivirus
>>>>>>>>>>>> software, then
>>>>>>>>>>>> the standards themselves are total nonsense...
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>>
>>>>>>>>>>>> Nick FitzGerald
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>  --
>>>>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>>
>>>
>>>
>>
>>
>> --
>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>
>
>


-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ