[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <q2o3af3d47c1004271038x9d05a8f8z308a835a148b529b@mail.gmail.com>
Date: Tue, 27 Apr 2010 19:38:42 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Mike Hale <eyeronic.design@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compliance Is Wasted Money, Study Finds
Haven't had my coffee yet... ;)
I thought so, that would explain everything. :)
Cheers,
On Tue, Apr 27, 2010 at 6:30 PM, Mike Hale <eyeronic.design@...il.com>wrote:
> "The point is, what s PCI aiming at?"
> It's aiming for a basic level of security among companies that process
> credit cards. Nothing more. You have to remember that PCI didn't come
> about in a vacuum. It was created to solve a specific problem that the
> major credit cards faced in regards to the security posture of their
> processors.
>
> The two alternatives for the Payment Card Industry are:
> 1) The base level of security specified by PCI
> 2) No base level of security, with most companies not implementing any
> security whatsoever.
>
> PCI does not stop a company from enacting stricter and better security
> controls. If your internal security is better than what PCI specifies, but
> you do not meet one of the requirements, you use the compensating control
> mechanism to justify it.
>
> For the record, I apologize for the 'panties in a bunch' comment. I lost
> track of who said what, and you did not bring up the AV stuff. Haven't had
> my coffee yet... ;)
>
> On Tue, Apr 27, 2010 at 8:33 AM, Christian Sciberras <uuf6429@...il.com>wrote:
>
>> My point isn't about a particular section, nor whether the amount of
>> experience I have in PCI DSS compliance (which is next to novice).
>> The point is, what s PCI aiming at?
>> Real security, or just a way companies can excuse their incompetence by
>> citing full PCI compliance?
>> Which reminds me, it wasn't I that brought anti-viruses to the discussion.
>>
>> Cheers.
>>
>>
>>
>>
>>
>> On Tue, Apr 27, 2010 at 5:16 PM, Mike Hale <eyeronic.design@...il.com>wrote:
>>
>>> Actually, you're right. You're not the one who said that, I apologize.
>>>
>>> But I maintain that you're arguing over something that you don't
>>> understand. You took one section (the anti-virus one) and got your panties
>>> in a bunch over a security standard that says you *should* run anti-virus.
>>> You completely ignored that PCI allows you to have compensating controls in
>>> place for virtually any requirement.
>>>
>>> On Tue, Apr 27, 2010 at 8:07 AM, Christian Sciberras <
>>> uuf6429@...il.com> wrote:
>>>
>>>> based on your own admission
>>>>
>>>> On who's admission? Perhaps you should bother to cite sources next time?
>>>> And, how is quoting me in a different argument "your point"?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Apr 27, 2010 at 4:55 PM, Mike Hale <eyeronic.design@...il.com>wrote:
>>>>
>>>>> Point is, you're arguing for the sake of arguing, as you have no
>>>>> understanding what PCI is, based on your own admission.
>>>>>
>>>>> On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras <
>>>>> uuf6429@...il.com> wrote:
>>>>>
>>>>>> Nice way of reading whatever feels right to you. Perhaps you'd have
>>>>>> better read what I wrote a few lines before that?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <eyeronic.design@...il.com
>>>>>> > wrote:
>>>>>>
>>>>>>> "-they are arguing for the fun of it without any real arguments
>>>>>>> (why else prove me right on my arguments and later on deny it?)"
>>>>>>>
>>>>>>> So you fall into this category?
>>>>>>> On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <
>>>>>>> uuf6429@...il.com> wrote:
>>>>>>>
>>>>>>>> In short, you just said that PCI compliance _is_ a waste of time and
>>>>>>>> money.
>>>>>>>>
>>>>>>>> Why else would you protect something which is bound to fail anyway?!
>>>>>>>>
>>>>>>>> This is a lost battle, as I said no one cares about the arguments
>>>>>>>> because these people fall into three categories:
>>>>>>>> -they believe the illusion that PCI by itself enhances security
>>>>>>>> -they do there job and don't give a f*ck about it
>>>>>>>> -they are arguing for the fun of it without any real arguments (why
>>>>>>>> else prove me right on my arguments and later on deny it?)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <sha8e@...oo.com>wrote:
>>>>>>>>
>>>>>>>>> You won't know not now, not ever. Maybe they do get a commission
>>>>>>>>> for your AV installation, who knows ! But maybe they think it is something
>>>>>>>>> that everybody needs so the force it. To get to know the true answer, we
>>>>>>>>> need to sit down with the guys who wrote the requirements and brainstorm
>>>>>>>>> with them those issues. We shall keep just running around and around in a
>>>>>>>>> circle here, because no one here "if no CC company guy is around" can give a
>>>>>>>>> definite answer. Just our simple argues !
>>>>>>>>>
>>>>>>>>> As I said before, I have to use it on a windows box, because its a
>>>>>>>>> requirement, its not my opinion at all.
>>>>>>>>>
>>>>>>>>> I 100% agree with you about most of the companies seek the paper
>>>>>>>>> work and get PCI certified and don't really bother about true security
>>>>>>>>> measures, but in the end if a breach is discovered they are the ones who
>>>>>>>>> shall get the penalty in the face, not us :)
>>>>>>>>>
>>>>>>>>> NB: I don't use an AV, never did, and never will :p
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> ------------------------------
>>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>>> *Sent:* Tue, April 27, 2010 10:37:24 AM
>>>>>>>>>
>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>>> Finds
>>>>>>>>>
>>>>>>>>> Surely being forced to install an anti-virus only brings in a
>>>>>>>>> monopoly? How do I know that PCI Standards writers are getting a nice
>>>>>>>>> commission off me installing the anti-virus? (I know they don't, I'm just
>>>>>>>>> hypothesizing).
>>>>>>>>>
>>>>>>>>> You stated it yourself, an anti-virus may not do any difference, it
>>>>>>>>> is there as per PCI standard.....so what is it's use? Why the heck do I have
>>>>>>>>> to install something useless?
>>>>>>>>>
>>>>>>>>> Lastly, that is where you are wrong, there is no "base starting
>>>>>>>>> point" companies don't give a shit about proper security measures, they get
>>>>>>>>> PCI-certified and all security ends there.
>>>>>>>>> That is the freaken problem.
>>>>>>>>>
>>>>>>>>> NB: I do use anti-virus software, what I specified above is not in
>>>>>>>>> any way my opinion about anti-virus vendors, etc.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <sha8e@...oo.com>wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I don't actually beleive there is a "democratic society". No such
>>>>>>>>>> thing exists. If it does? Then ask the organizations who made the compliance
>>>>>>>>>> requirements drop them and make audits based on some other measure that you
>>>>>>>>>> believe is more secure and has less flaws in it. Finally, regarding the AV
>>>>>>>>>> issue that I wish I end here, is that "I don't believe that an AV shall make
>>>>>>>>>> your box secure, but its a requirement to be done - Added by PCI"
>>>>>>>>>>
>>>>>>>>>> And yes I have noticed that FD is for such security measures
>>>>>>>>>> discussion, but never thought of joining it and discussing with others until
>>>>>>>>>> a couple of days ago when I saw this topic.
>>>>>>>>>>
>>>>>>>>>> Finally, the compliance can be taken of as a base starting point,
>>>>>>>>>> and then moving further, like that it shall not be a waste of money !
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------------------------------
>>>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>>>>>>>>>
>>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money,
>>>>>>>>>> Study Finds
>>>>>>>>>>
>>>>>>>>>> Perhaps you haven't noticed, this is Full-Disclosure, which at
>>>>>>>>>> least, is used to discuss security measures.
>>>>>>>>>> As such, it is only natural to argue with PCI's possible security
>>>>>>>>>> flaws.
>>>>>>>>>>
>>>>>>>>>> Besides, in a democratic society (where CC do operate as well),
>>>>>>>>>> you can't "force" someone to install an anti-virus just because _you_ think
>>>>>>>>>> it is secure.
>>>>>>>>>>
>>>>>>>>>> The argument were compliance is wasted money still holds.
>>>>>>>>>>
>>>>>>>>>> Cheers.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <sha8e@...oo.com>wrote:
>>>>>>>>>>
>>>>>>>>>>> Hola,
>>>>>>>>>>>
>>>>>>>>>>> The problem is not weather they are educated against other
>>>>>>>>>>> standards or policies or not, the problem is that without this compliance
>>>>>>>>>>> you can't work with CC !!! Its something that is enforced on you !
>>>>>>>>>>>
>>>>>>>>>>> BTW: why don't people discuss what is the points missing in the
>>>>>>>>>>> PCI Compliance better than this argue ?
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ------------------------------
>>>>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>>>>>>>>>
>>>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money,
>>>>>>>>>>> Study Finds
>>>>>>>>>>>
>>>>>>>>>>> OK.
>>>>>>>>>>>
>>>>>>>>>>> "All those in favour of PCI raises their hands."
>>>>>>>>>>>
>>>>>>>>>>> Kidding aside, of course it is a must, since the said companies
>>>>>>>>>>> doesn't have any notion of security before this happens.
>>>>>>>>>>> However, how much is this actually helpful? Now let's be honest,
>>>>>>>>>>> how much would it stop a potential attacker from getting into a system
>>>>>>>>>>> "protected" by PCI?
>>>>>>>>>>> Little, if at all.
>>>>>>>>>>>
>>>>>>>>>>> On the other hand, a company should adopt real and complete
>>>>>>>>>>> security practices.
>>>>>>>>>>>
>>>>>>>>>>> Again, my point is, these companies shouldn't be "educated" or
>>>>>>>>>>> limit their security to this standard. Because if they do (and I'm pretty
>>>>>>>>>>> sure they do) would make this standard pretty much useless.
>>>>>>>>>>>
>>>>>>>>>>> Anyway, I won't get into this argument, since no one will give a
>>>>>>>>>>> sh*t about it anyway.
>>>>>>>>>>>
>>>>>>>>>>> Cheers.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <sha8e@...oo.com>wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Christian,
>>>>>>>>>>>>
>>>>>>>>>>>> Did you read my first post?
>>>>>>>>>>>>
>>>>>>>>>>>> ((( IMO, PCI is not that big security policy, but without it
>>>>>>>>>>>> your not able to use the credit card companies gateway. I think
>>>>>>>>>>>> its just the basics that any company dealing with CC must implement. Because
>>>>>>>>>>>> it shall be nonsense to deal with CC, and not have an Anti-virus for example
>>>>>>>>>>>> !! )))
>>>>>>>>>>>>
>>>>>>>>>>>> I am not stating that PCI is good in no way, but I am saying
>>>>>>>>>>>> that its a MUST for companies dealing with CC. And in a windows environment,
>>>>>>>>>>>> an AV is important.
>>>>>>>>>>>>
>>>>>>>>>>>> He probably thought that I am with the rules of PCI, or that I
>>>>>>>>>>>> don't have any idea that the world is not just WINDOWS !!!
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------------
>>>>>>>>>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>>>>>>>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>>>>>>>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>>>>>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>>>>>>>>>
>>>>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money,
>>>>>>>>>>>> Study Finds
>>>>>>>>>>>>
>>>>>>>>>>>> Why exactly are you complying with Nick's statements? I would
>>>>>>>>>>>> have thought you guys were arguing against said statements?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> By the way, requirement #6 is particularly funny; it sounds
>>>>>>>>>>>> peculiarly redundant to me...
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <sha8e@...oo.com>wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Nick,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Please if you don't know what the standards are, please read:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>>>>>>>>
>>>>>>>>>>>>> See *Requirement #5*. Read that requirement carefully and its
>>>>>>>>>>>>> not bad to read it twice though in case you don't figure it out from the
>>>>>>>>>>>>> first glance !
>>>>>>>>>>>>>
>>>>>>>>>>>>> Also, I said that using an AV is some basic thing to do in any
>>>>>>>>>>>>> company that wants to deal with CC, its a basic thing for even companies not
>>>>>>>>>>>>> dealing with CC too !!! Or do you state that people must use a BOX with no
>>>>>>>>>>>>> AV installed on it? If you believe in that fact? Then please request a
>>>>>>>>>>>>> change in the PCI DSS requirements and make them force the usage of a non
>>>>>>>>>>>>> Windows O.S, such as any *n?x system.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Finally, the topic here is not about "default allow vs default
>>>>>>>>>>>>> deny" and if I understand what that is or not! You can open a new discussion
>>>>>>>>>>>>> about that, and I shall join there and discuss it further with you, in case
>>>>>>>>>>>>> you need some clarification regarding it.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Shaqe
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <
>>>>>>>>>>>>> nick@...us-l.demon.co.uk>* wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: Nick FitzGerald <nick@...us-l.demon.co.uk>
>>>>>>>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money,
>>>>>>>>>>>>> Study Finds
>>>>>>>>>>>>> To: full-disclosure@...ts.grok.org.uk
>>>>>>>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>>>>>>>>
>>>>>>>>>>>>> Shaqe Wan wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> <<snip>>
>>>>>>>>>>>>> > Because it shall be nonsense to deal with CC, and not have an
>>>>>>>>>>>>> Anti-virus for example !!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Do you have any understanding of one of the most basic of
>>>>>>>>>>>>> security
>>>>>>>>>>>>> issues -- default allow vs. default deny?
>>>>>>>>>>>>>
>>>>>>>>>>>>> There are many more secure ways to run systems _without_
>>>>>>>>>>>>> antivirus
>>>>>>>>>>>>> software.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Anyone authoritatively stating that antivirus software is a
>>>>>>>>>>>>> necessary
>>>>>>>>>>>>> component of a "reasonably secure" system is a fool.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Anyone authoritatively stating that antivirus software is a
>>>>>>>>>>>>> necessary
>>>>>>>>>>>>> component of a "sufficiently secure" system is one (or more)
>>>>>>>>>>>>> of; a
>>>>>>>>>>>>> fool, a person with an unusually low standard of system
>>>>>>>>>>>>> security, or a
>>>>>>>>>>>>> shill for an antivirus producer.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So _if_, as you and another recent poster strongly imply, the
>>>>>>>>>>>>> PCI
>>>>>>>>>>>>> standards include a specific _requirement_ for antivirus
>>>>>>>>>>>>> software, then
>>>>>>>>>>>>> the standards themselves are total nonsense...
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Nick FitzGerald
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>
>>
>>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists