Surely being forced to install an anti-virus only brings in a monopoly? How do I know that PCI Standards writers are getting a nice commission off me installing the anti-virus? (I know they don't, I'm just hypothesizing).
You stated it yourself, an anti-virus may not do any difference, it is there as per PCI standard.....so what is it's use? Why the heck do I have to install something useless? Lastly, that is where you are wrong, there is no "base starting point" companies don't give a shit about proper security measures, they get PCI-certified and all security ends there. That is the freaken problem. NB: I do use anti-virus software, what I specified above is not in any way my opinion about anti-virus vendors, etc. On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <[email protected]> wrote: > Hi, > > I don't actually beleive there is a "democratic society". No such thing > exists. If it does? Then ask the organizations who made the compliance > requirements drop them and make audits based on some other measure that you > believe is more secure and has less flaws in it. Finally, regarding the AV > issue that I wish I end here, is that "I don't believe that an AV shall make > your box secure, but its a requirement to be done - Added by PCI" > > And yes I have noticed that FD is for such security measures discussion, > but never thought of joining it and discussing with others until a couple of > days ago when I saw this topic. > > Finally, the compliance can be taken of as a base starting point, and then > moving further, like that it shall not be a waste of money ! > > Regards, > > > ------------------------------ > *From:* Christian Sciberras <[email protected]> > *To:* Shaqe Wan <[email protected]> > *Cc:* [email protected] > *Sent:* Tue, April 27, 2010 9:59:59 AM > > *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds > > Perhaps you haven't noticed, this is Full-Disclosure, which at least, is > used to discuss security measures. > As such, it is only natural to argue with PCI's possible security flaws. > > Besides, in a democratic society (where CC do operate as well), you can't > "force" someone to install an anti-virus just because _you_ think it is > secure. > > The argument were compliance is wasted money still holds. > > Cheers. > > > > > On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <[email protected]> wrote: > >> Hola, >> >> The problem is not weather they are educated against other standards or >> policies or not, the problem is that without this compliance you can't work >> with CC !!! Its something that is enforced on you ! >> >> BTW: why don't people discuss what is the points missing in the PCI >> Compliance better than this argue ? >> >> Regards, >> >> >> ------------------------------ >> *From:* Christian Sciberras <[email protected]> >> *To:* Shaqe Wan <[email protected]> >> *Cc:* [email protected] >> *Sent:* Mon, April 26, 2010 4:19:27 PM >> >> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >> >> OK. >> >> "All those in favour of PCI raises their hands." >> >> Kidding aside, of course it is a must, since the said companies doesn't >> have any notion of security before this happens. >> However, how much is this actually helpful? Now let's be honest, how much >> would it stop a potential attacker from getting into a system "protected" by >> PCI? >> Little, if at all. >> >> On the other hand, a company should adopt real and complete security >> practices. >> >> Again, my point is, these companies shouldn't be "educated" or limit their >> security to this standard. Because if they do (and I'm pretty sure they do) >> would make this standard pretty much useless. >> >> Anyway, I won't get into this argument, since no one will give a sh*t >> about it anyway. >> >> Cheers. >> >> >> >> >> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <[email protected]> wrote: >> >>> Christian, >>> >>> Did you read my first post? >>> >>> ((( IMO, PCI is not that big security policy, but without it your not >>> able to use the credit card companies gateway. I think its just the >>> basics that any company dealing with CC must implement. Because it shall be >>> nonsense to deal with CC, and not have an Anti-virus for example !! ))) >>> >>> I am not stating that PCI is good in no way, but I am saying that its a >>> MUST for companies dealing with CC. And in a windows environment, an AV is >>> important. >>> >>> He probably thought that I am with the rules of PCI, or that I don't have >>> any idea that the world is not just WINDOWS !!! >>> >>> Regards, >>> >>> ------------------------------ >>> *From:* Christian Sciberras <[email protected]> >>> *To:* Shaqe Wan <[email protected]> >>> *Cc:* [email protected] >>> *Sent:* Mon, April 26, 2010 3:54:20 PM >>> >>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >>> >>> Why exactly are you complying with Nick's statements? I would have >>> thought you guys were arguing against said statements? >>> >>> >>> By the way, requirement #6 is particularly funny; it sounds peculiarly >>> redundant to me... >>> >>> Cheers. >>> >>> >>> >>> >>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <[email protected]> wrote: >>> >>>> >>>> Nick, >>>> >>>> Please if you don't know what the standards are, please read: >>>> >>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml >>>> >>>> See *Requirement #5*. Read that requirement carefully and its not bad >>>> to read it twice though in case you don't figure it out from the first >>>> glance ! >>>> >>>> Also, I said that using an AV is some basic thing to do in any company >>>> that wants to deal with CC, its a basic thing for even companies not >>>> dealing >>>> with CC too !!! Or do you state that people must use a BOX with no AV >>>> installed on it? If you believe in that fact? Then please request a change >>>> in the PCI DSS requirements and make them force the usage of a non Windows >>>> O.S, such as any *n?x system. >>>> >>>> Finally, the topic here is not about "default allow vs default deny" and >>>> if I understand what that is or not! You can open a new discussion about >>>> that, and I shall join there and discuss it further with you, in case you >>>> need some clarification regarding it. >>>> >>>> Regards, >>>> Shaqe >>>> >>>> >>>> --- On *Sun, 4/25/10, Nick FitzGerald <[email protected]>*wrote: >>>> >>>> >>>> From: Nick FitzGerald <[email protected]> >>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >>>> To: [email protected] >>>> Date: Sunday, April 25, 2010, 1:57 PM >>>> >>>> Shaqe Wan wrote: >>>> >>>> <<snip>> >>>> > Because it shall be nonsense to deal with CC, and not have an >>>> Anti-virus for example !! >>>> >>>> Well, you see, _that_ is abject nonsense on its face. >>>> >>>> Do you have any understanding of one of the most basic of security >>>> issues -- default allow vs. default deny? >>>> >>>> There are many more secure ways to run systems _without_ antivirus >>>> software. >>>> >>>> Anyone authoritatively stating that antivirus software is a necessary >>>> component of a "reasonably secure" system is a fool. >>>> >>>> Anyone authoritatively stating that antivirus software is a necessary >>>> component of a "sufficiently secure" system is one (or more) of; a >>>> fool, a person with an unusually low standard of system security, or a >>>> shill for an antivirus producer. >>>> >>>> So _if_, as you and another recent poster strongly imply, the PCI >>>> standards include a specific _requirement_ for antivirus software, then >>>> the standards themselves are total nonsense... >>>> >>>> >>>> >>>> Regards, >>>> >>>> Nick FitzGerald >>>> >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>> >>> >>> >>> >> >> > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
