[Full-disclosure] 2010 Nmap/SecTools.org survey

2010-04-27 Thread Henri Doreau
Hello FD, the Nmap project is currently conducting a survey to improve Nmap and its companion tools and to update the http://sectools.org website. You can help Nmap by filling out the survey at http://nmap.org/survey Regards -- Henri

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Christian Sciberras
Perhaps you haven't noticed, this is Full-Disclosure, which at least, is used to discuss security measures. As such, it is only natural to argue with PCI's possible security flaws. Besides, in a democratic society (where CC do operate as well), you can't force someone to install an anti-virus

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Christian Sciberras
Surely being forced to install an anti-virus only brings in a monopoly? How do I know that PCI Standards writers are getting a nice commission off me installing the anti-virus? (I know they don't, I'm just hypothesizing). You stated it yourself, an anti-virus may not make any difference, it is

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Lyal Collins
Lastly, that is where you are wrong, there is no base starting point companies don't give a shit about proper security measures, they get PCI-certified and all security ends there. That is the freaken problem. Well, when this occurs, they are not compliant = Epic FAIL = wasted dollars. i.e. they

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Christian Sciberras
Why are you saying wasted money? They didn't waste it, they allocated that sum to cater for PCI compliance and they are still PCI compliant. I.e., it is not wasted in the sense that they obtained what they wanted. The point in question is, does PCI obtain what it should be? However, as many already

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Christian Sciberras
In short, you just said that PCI compliance _is_ a waste of time and money. Why else would you protect something which is bound to fail anyway?! This is a lost battle, as I said no one cares about the arguments because these people fall into three categories: -they believe the illusion that PCI

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Christian Sciberras
Where did I say that it's a waste of time and money? Here you go: I 100% agree with you about most of the companies seek the paper work and get PCI certified and don't really bother about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread wilder_jeff Wilder
There is a big difference between being secure and being compliant. If it's a company's desire to be compliant, they may never be secure. However, if they strive to be secure, they will always be compliant no matter what framework they are chasing. I agree... money spent on compliance is

[Full-disclosure] Last Mile || InfoWare 2010 [ICCGI, ICWMC, INTERNET, ACCESS] September 20-25, 2010 - Valencia, Spain

2010-04-27 Thread Sandra Sendra
INVITATION Note that we are entering the last few days to submit work to one of the InfoWare 2010 events. Please consider contributing and encourage your team members and fellow scientists to contribute to the following federated events. The submission deadline is April 30, 2010.

[Full-disclosure] [SECURITY] [DSA 2021-2] New spamass-milter packages fix regression

2010-04-27 Thread Giuseppe Iuculano
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - Debian Security Advisory DSA-2021-2 secur...@debian.org http://www.debian.org/security/ Giuseppe Iuculano April 26, 2010

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Mike Hale
Your comparison doesn't work. It's not A versus B, it's A versus C, with C being Company does nothing because it can't afford a thorough security program. On Mon, Apr 26, 2010 at 2:07 PM, Michel Messerschmidt li...@michel-messerschmidt.de wrote: On Mon, Apr 26, 2010 at 06:02:48AM -0700, Shaqe

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Lyal Collins
Has everyone on this list read the PCI DSS requirements? They are freely available, at www.pcisecuritystandards.org. AV is about 4 requirements out of over 230 requirements, covering secure coding/development, patching, network security, hardening systems, least privilege, robust authentication,

[Full-disclosure] PoC for ZDI-10-078

2010-04-27 Thread tu canal amigo
# Exploit Title: ZDI-10-078: Novell ZENworks Configuration Management UploadServlet Remote Code Execution Vulnerability # Date: 2009-04-26 # Author: tucanalamigo http://tucanalamigo.blogspot.com # Software Link: http://www.novell.com/products/zenworks/configurationmanagement/ # Version: 10.2 #

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Shaqe Wan
Pieter, I somehow agree with you that using an AV is not always necessary if you have implemented a good protection for your environment, but I mean in my previous comments that using an AV is a requirement of PCI, it is forced on us. If you deal with CC then you need to get compliant and

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Shaqe Wan
Hola, The problem is not whether they are educated against other standards or policies or not, the problem is that without this compliance you can't work with CC !!! It's something that is enforced on you ! BTW: why don't people discuss what is the points missing in the PCI Compliance better

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Shaqe Wan
Pieter, I somehow agree with you that using an AV is not always necessary if you have implemented a good protection for your environment, but I mean in my previous comments that using an AV is a requirement of PCI, it is forced on us. If you deal with CC then you need to get compliant and that

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Shaqe Wan
Michel, Sorry, I didn't understand your first question! Regarding your 2nd question. You won't get compliant if you update your AV on an annual basis. You shall fail the quarter check done by a QSA. So first check is not available. For me if the companies staff is well educated and a we

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Shaqe Wan
Yep, you're right. The auditors nowadays even ask for an AV on a *n?x OS (what a shame) !!! From: Digital X digital...@gmail.com To: Tracy Reed tr...@ultraviolet.org; Nick FitzGerald n...@virus-l.demon.co.uk Cc: Full-disclosure full-disclosure@lists.grok.org.uk

Re: [Full-disclosure] 2010 Nmap/SecTools.org survey

2010-04-27 Thread Shaqe Wan
Great survey, enjoyed filling it :) Wish you good luck. Regards, From: Henri Doreau henri.dor...@gmail.com To: Full disclosure full-disclosure@lists.grok.org.uk Sent: Tue, April 27, 2010 9:32:00 AM Subject: [Full-disclosure] 2010 Nmap/SecTools.org survey

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Shaqe Wan
Hi, I don't actually believe there is a democratic society. No such thing exists. If it does? Then ask the organizations who made the compliance requirements drop them and make audits based on some other measure that you believe is more secure and has less flaws in it. Finally, regarding the

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Shaqe Wan
You won't know, not now, not ever. Maybe they do get a commission for your AV installation, who knows ! But maybe they think it is something that everybody needs so they force it. To get to know the true answer, we need to sit down with the guys who wrote the requirements and brainstorm with them

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Shaqe Wan
FYI, The Evolution of PCI DSS http://www.net-security.org/secworld.php?id=9202 Guys, they are evolving, so be calm :) From: Christian Sciberras uuf6...@gmail.com To: Shaqe Wan sh...@yahoo.com Cc: full-disclosure@lists.grok.org.uk Sent: Tue, April 27, 2010

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Honer, Lance
What's your choice: Company A installs an anti-virus and updates it regularly (BTW regularly includes once a year). Company B has a recovery concept, incident response team, vulnerability monitoring, patch management, NIDS, security training but no anti-virus. You do realize that PCI says

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Shaqe Wan
Where did I say that it's a waste of time and money? Hmmm, strange !!! BTW: I argued a lot with my managers about the PCI stuff, but no one gives you an ear, so let me be categorized in category #2 of yours :D From: Christian Sciberras uuf6...@gmail.com To:

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Shaqe Wan
Christian, I said most not all :) And yes for me I don't give the f*ck about it, as long as there is no one that hears you. Do I have to jump from a tower so they see what I am stating? Cheers From: Christian Sciberras uuf6...@gmail.com To: Shaqe Wan

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Christian Sciberras
Has everyone on this list read the PCI DSS requirements? They are freely available, at www.pcisecuritystandards.org. Were you even following the thread? There's been at least 4 times where different people cited different parts of the standard. But I would suppose that there's always the

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Christian Sciberras
Nice way of reading whatever feels right to you. Perhaps you'd have better read what I wrote a few lines before that? On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale eyeronic.des...@gmail.comwrote: -they are arguing for the fun of it without any real arguments (why else prove me right on my

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Christian Sciberras
based on your own admission On whose admission? Perhaps you should bother to cite sources next time? And, how is quoting me in a different argument your point? On Tue, Apr 27, 2010 at 4:55 PM, Mike Hale eyeronic.des...@gmail.com wrote: Point is, you're arguing for the sake of arguing, as

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Christian Sciberras
My point isn't about a particular section, nor whether the amount of experience I have in PCI DSS compliance (which is next to novice). The point is, what's PCI aiming at? Real security, or just a way companies can excuse their incompetence by citing full PCI compliance? Which reminds me, it

[Full-disclosure] XSS in Drupal Better Formats Module

2010-04-27 Thread Justin C. Klein Keane
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Description of Vulnerability: - - Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Better Formats module (http://drupal.org/project/better_formats) contains a

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Mike Hale
-they are arguing for the fun of it without any real arguments (why else prove me right on my arguments and later on deny it?) So you fall into this category? On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras uuf6...@gmail.comwrote: In short, you just said that PCI compliance _is_ a waste of

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Mike Hale
Point is, you're arguing for the sake of arguing, as you have no understanding what PCI is, based on your own admission. On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras uuf6...@gmail.comwrote: Nice way of reading whatever feels right to you. Perhaps you'd have better read what I wrote a

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Mike Hale
Actually, you're right. You're not the one who said that, I apologize. But I maintain that you're arguing over something that you don't understand. You took one section (the anti-virus one) and got your panties in a bunch over a security standard that says you *should* run anti-virus. You

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Mike Hale
The point is, what's PCI aiming at? It's aiming for a basic level of security among companies that process credit cards. Nothing more. You have to remember that PCI didn't come about in a vacuum. It was created to solve a specific problem that the major credit cards faced in regards to the

Re: [Full-disclosure] XSS in Drupal Better Formats Module

2010-04-27 Thread Henri Salo
On Tue, 27 Apr 2010 12:07:17 -0400 Justin C. Klein Keane jus...@madirish.net wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Description of Vulnerability: - - Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL.

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Christian Sciberras
Haven't had my coffee yet... ;) I thought so, that would explain everything. :) Cheers, On Tue, Apr 27, 2010 at 6:30 PM, Mike Hale eyeronic.des...@gmail.com wrote: The point is, what's PCI aiming at? It's aiming for a basic level of security among companies that process credit cards.

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Michael Holstein
Besides, in a democratic society (where CC do operate as well), you can't force someone to install an anti-virus just because _you_ think it is secure. This isn't a democracy .. it's a business. You want to process credit cards in-house, you need to comply with the PCI standards. It

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Michael Holstein
My point isn't about a particular section, nor whether the amount of experience I have in PCI DSS compliance (which is next to novice). So we can agree that you're arguing about something with which you have no experience? The point is, what's PCI aiming at? It's on the first

[Full-disclosure] Fun with FORTIFY_SOURCE

2010-04-27 Thread Dan Rosenberg
I wanted to share a neat little trick I discovered while playing with gcc's FORTIFY_SOURCE feature. For those who don't know, this feature attempts to prevent exploitation of a subset of buffer overflows by inserting a set of checks at compile-time, including stack canaries for some functions.

Re: [Full-disclosure] XSS in Drupal Better Formats Module

2010-04-27 Thread Justin C. Klein Keane
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I did not apply for a CVE identifier because there are folks who would argue that the conditions described below do not qualify as a vulnerability. I must confess I'm ignorant of the CVE guidelines surrounding such a situation. Any further

Re: [Full-disclosure] XSS in Drupal Better Formats Module

2010-04-27 Thread Larry Seltzer
You need admin privileges for it. It's not a vulnerability, it's a feature. -Original Message- From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Justin C. Klein Keane Sent: Tuesday, April 27, 2010 3:07 PM To:

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Valdis Kletnieks
On Tue, 27 Apr 2010 13:48:11 EDT, Michael Holstein said: You've already stated in a prior email that you have no involvement with PCI implementation on either side of the fence (hell no, was your answer, I believe) .. so I don't see where you're really qualified to make a categorical

[Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread J Roger
If a business wants to accept credit cards as a means of payment (based on volume) then part of their agreement is that they must undergo compliance to a standard implemented by the industry. PCI (Payment Card Industry) compliance is what people HAVE to do, as in FORCED to do whether they

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread J Roger
If a business wants to accept credit cards as a means of payment (based on volume) then part of their agreement is that they must undergo compliance to a standard implemented by the industry. PCI (Payment Card Industry) compliance is what people HAVE to do, as in FORCED to do whether they

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Paul Schmehl
--On Tuesday, April 27, 2010 13:37:39 -0700 J Roger securityho...@gmail.com wrote: Is PCI Compliance a giant bluff from VISA? Have any large companies ever been forced to stop processing CCs because they failed to be PCI compliant? They don't force you to stop processing. They fine you.

[Full-disclosure] redefining research: vulnerability journalism

2010-04-27 Thread J Roger
Discovered a security flaw in a production system you had no authority or permission to audit? Afraid to disclose the information for fear of prosecution? Don't stress too much, you have some protection if you redefine yourself as a vulnerability journalist. According to a recent Wired article on

[Full-disclosure] go public to avoid jail

2010-04-27 Thread J Roger
An important lesson from childhood, sharing, could help keep you out of jail. According to the following (dated) Wired article, http://www.wired.com/threatlevel/2009/12/stephen-watt/ Stephen Watt got screwed because he supplied his friend with a software tool he wrote and his friend used it to