Perhaps you haven't noticed, this is Full-Disclosure, which at least, is used to discuss security measures. As such, it is only natural to argue with PCI's possible security flaws.
Besides, in a democratic society (where CC do operate as well), you can't "force" someone to install an anti-virus just because _you_ think it is secure. The argument were compliance is wasted money still holds. Cheers. On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <[email protected]> wrote: > Hola, > > The problem is not weather they are educated against other standards or > policies or not, the problem is that without this compliance you can't work > with CC !!! Its something that is enforced on you ! > > BTW: why don't people discuss what is the points missing in the PCI > Compliance better than this argue ? > > Regards, > > > ------------------------------ > *From:* Christian Sciberras <[email protected]> > *To:* Shaqe Wan <[email protected]> > *Cc:* [email protected] > *Sent:* Mon, April 26, 2010 4:19:27 PM > > *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds > > OK. > > "All those in favour of PCI raises their hands." > > Kidding aside, of course it is a must, since the said companies doesn't > have any notion of security before this happens. > However, how much is this actually helpful? Now let's be honest, how much > would it stop a potential attacker from getting into a system "protected" by > PCI? > Little, if at all. > > On the other hand, a company should adopt real and complete security > practices. > > Again, my point is, these companies shouldn't be "educated" or limit their > security to this standard. Because if they do (and I'm pretty sure they do) > would make this standard pretty much useless. > > Anyway, I won't get into this argument, since no one will give a sh*t about > it anyway. > > Cheers. > > > > > On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <[email protected]> wrote: > >> Christian, >> >> Did you read my first post? >> >> ((( IMO, PCI is not that big security policy, but without it your not >> able to use the credit card companies gateway. I think its just the >> basics that any company dealing with CC must implement. Because it shall be >> nonsense to deal with CC, and not have an Anti-virus for example !! ))) >> >> I am not stating that PCI is good in no way, but I am saying that its a >> MUST for companies dealing with CC. And in a windows environment, an AV is >> important. >> >> He probably thought that I am with the rules of PCI, or that I don't have >> any idea that the world is not just WINDOWS !!! >> >> Regards, >> >> ------------------------------ >> *From:* Christian Sciberras <[email protected]> >> *To:* Shaqe Wan <[email protected]> >> *Cc:* [email protected] >> *Sent:* Mon, April 26, 2010 3:54:20 PM >> >> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >> >> Why exactly are you complying with Nick's statements? I would have thought >> you guys were arguing against said statements? >> >> >> By the way, requirement #6 is particularly funny; it sounds peculiarly >> redundant to me... >> >> Cheers. >> >> >> >> >> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <[email protected]> wrote: >> >>> >>> Nick, >>> >>> Please if you don't know what the standards are, please read: >>> >>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml >>> >>> See *Requirement #5*. Read that requirement carefully and its not bad to >>> read it twice though in case you don't figure it out from the first glance ! >>> >>> Also, I said that using an AV is some basic thing to do in any company >>> that wants to deal with CC, its a basic thing for even companies not dealing >>> with CC too !!! Or do you state that people must use a BOX with no AV >>> installed on it? If you believe in that fact? Then please request a change >>> in the PCI DSS requirements and make them force the usage of a non Windows >>> O.S, such as any *n?x system. >>> >>> Finally, the topic here is not about "default allow vs default deny" and >>> if I understand what that is or not! You can open a new discussion about >>> that, and I shall join there and discuss it further with you, in case you >>> need some clarification regarding it. >>> >>> Regards, >>> Shaqe >>> >>> >>> --- On *Sun, 4/25/10, Nick FitzGerald <[email protected]>* wrote: >>> >>> >>> From: Nick FitzGerald <[email protected]> >>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >>> To: [email protected] >>> Date: Sunday, April 25, 2010, 1:57 PM >>> >>> Shaqe Wan wrote: >>> >>> <<snip>> >>> > Because it shall be nonsense to deal with CC, and not have an >>> Anti-virus for example !! >>> >>> Well, you see, _that_ is abject nonsense on its face. >>> >>> Do you have any understanding of one of the most basic of security >>> issues -- default allow vs. default deny? >>> >>> There are many more secure ways to run systems _without_ antivirus >>> software. >>> >>> Anyone authoritatively stating that antivirus software is a necessary >>> component of a "reasonably secure" system is a fool. >>> >>> Anyone authoritatively stating that antivirus software is a necessary >>> component of a "sufficiently secure" system is one (or more) of; a >>> fool, a person with an unusually low standard of system security, or a >>> shill for an antivirus producer. >>> >>> So _if_, as you and another recent poster strongly imply, the PCI >>> standards include a specific _requirement_ for antivirus software, then >>> the standards themselves are total nonsense... >>> >>> >>> >>> Regards, >>> >>> Nick FitzGerald >>> >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >>> >>> >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> >> > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
