"Where did I say that it's a waste of time and money? "

Here you go:

"I 100% agree with you about most of the companies seek the paper work and get PCI certified and don't really bother about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty in the face, not us :)"

"BTW: I argued a lot with my managers about the PCI stuff, but no one gives you an ear, so let me be categorized in category #2 of yours :D"

Then I'm afraid this argument ends here.

Cheers.

On Tue, Apr 27, 2010 at 10:28 AM, Shaqe Wan <[email protected]> wrote:
> Where did I say that it's a waste of time and money?
>
> Hmmm, strange !!!
>
> BTW: I argued a lot with my managers about the PCI stuff, but no one gives
> you an ear, so let me be categorized in category #2 of yours :D
>
> ------------------------------
> *From:* Christian Sciberras <[email protected]>
> *To:* Shaqe Wan <[email protected]>
> *Cc:* [email protected]
> *Sent:* Tue, April 27, 2010 11:22:59 AM
> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>
> In short, you just said that PCI compliance _is_ a waste of time and money.
>
> Why else would you protect something which is bound to fail anyway?!
>
> This is a lost battle, as I said no one cares about the arguments because
> these people fall into three categories:
> -they believe the illusion that PCI by itself enhances security
> -they do their job and don't give a f*ck about it
> -they are arguing for the fun of it without any real arguments (why else
> prove me right on my arguments and later on deny it?)
>
> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <[email protected]> wrote:
>> You won't know not now, not ever. Maybe they do get a commission for your
>> AV installation, who knows ! But maybe they think it is something that
>> everybody needs so they force it. To get to know the true answer, we need to
>> sit down with the guys who wrote the requirements and brainstorm with them
>> those issues. We shall keep just running around and around in a circle here,
>> because no one here "if no CC company guy is around" can give a definite
>> answer. Just our simple arguments !
>>
>> As I said before, I have to use it on a windows box, because it's a
>> requirement, it's not my opinion at all.
>>
>> I 100% agree with you about most of the companies seek the paper work and
>> get PCI certified and don't really bother about true security measures, but
>> in the end if a breach is discovered they are the ones who shall get the
>> penalty in the face, not us :)
>>
>> NB: I don't use an AV, never did, and never will :p
>>
>> Regards,
>>
>> ------------------------------
>> *From:* Christian Sciberras <[email protected]>
>> *To:* Shaqe Wan <[email protected]>
>> *Cc:* [email protected]
>> *Sent:* Tue, April 27, 2010 10:37:24 AM
>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>
>> Surely being forced to install an anti-virus only brings in a monopoly?
>> How do I know that PCI Standards writers are getting a nice commission off
>> me installing the anti-virus? (I know they don't, I'm just hypothesizing).
>>
>> You stated it yourself, an anti-virus may not make any difference, it is
>> there as per PCI standard.....so what is its use? Why the heck do I have to
>> install something useless?
>>
>> Lastly, that is where you are wrong, there is no "base starting point"
>> companies don't give a shit about proper security measures, they get
>> PCI-certified and all security ends there.
>> That is the freaken problem.
>>
>> NB: I do use anti-virus software, what I specified above is not in any way
>> my opinion about anti-virus vendors, etc.
>>
>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <[email protected]> wrote:
>>> Hi,
>>>
>>> I don't actually believe there is a "democratic society". No such thing
>>> exists. If it does? Then ask the organizations who made the compliance
>>> requirements drop them and make audits based on some other measure that you
>>> believe is more secure and has less flaws in it. Finally, regarding the AV
>>> issue that I wish I end here, is that "I don't believe that an AV shall make
>>> your box secure, but it's a requirement to be done - Added by PCI"
>>>
>>> And yes I have noticed that FD is for such security measures discussion,
>>> but never thought of joining it and discussing with others until a couple of
>>> days ago when I saw this topic.
>>>
>>> Finally, the compliance can be taken as a base starting point, and
>>> then moving further, like that it shall not be a waste of money !
>>>
>>> Regards,
>>>
>>> ------------------------------
>>> *From:* Christian Sciberras <[email protected]>
>>> *To:* Shaqe Wan <[email protected]>
>>> *Cc:* [email protected]
>>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>
>>> Perhaps you haven't noticed, this is Full-Disclosure, which at least, is
>>> used to discuss security measures.
>>> As such, it is only natural to argue with PCI's possible security flaws.
>>>
>>> Besides, in a democratic society (where CC do operate as well), you can't
>>> "force" someone to install an anti-virus just because _you_ think it is
>>> secure.
>>>
>>> The argument where compliance is wasted money still holds.
>>>
>>> Cheers.
>>>
>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <[email protected]> wrote:
>>>> Hola,
>>>>
>>>> The problem is not whether they are educated against other standards or
>>>> policies or not, the problem is that without this compliance you can't work
>>>> with CC !!! It's something that is enforced on you !
>>>>
>>>> BTW: why don't people discuss what is the points missing in the PCI
>>>> Compliance better than this argument ?
>>>>
>>>> Regards,
>>>>
>>>> ------------------------------
>>>> *From:* Christian Sciberras <[email protected]>
>>>> *To:* Shaqe Wan <[email protected]>
>>>> *Cc:* [email protected]
>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>
>>>> OK.
>>>>
>>>> "All those in favour of PCI raise their hands."
>>>>
>>>> Kidding aside, of course it is a must, since the said companies don't
>>>> have any notion of security before this happens.
>>>> However, how much is this actually helpful? Now let's be honest, how
>>>> much would it stop a potential attacker from getting into a system
>>>> "protected" by PCI?
>>>> Little, if at all.
>>>>
>>>> On the other hand, a company should adopt real and complete security
>>>> practices.
>>>>
>>>> Again, my point is, these companies shouldn't be "educated" or limit
>>>> their security to this standard. Because if they do (and I'm pretty sure
>>>> they do) it would make this standard pretty much useless.
>>>>
>>>> Anyway, I won't get into this argument, since no one will give a sh*t
>>>> about it anyway.
>>>>
>>>> Cheers.
>>>>
>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <[email protected]> wrote:
>>>>> Christian,
>>>>>
>>>>> Did you read my first post?
>>>>>
>>>>> ((( IMO, PCI is not that big security policy, but without it you're not
>>>>> able to use the credit card companies' gateway. I think it's just the
>>>>> basics that any company dealing with CC must implement. Because it shall be
>>>>> nonsense to deal with CC, and not have an Anti-virus for example !!)))
>>>>>
>>>>> I am not stating that PCI is good in no way, but I am saying that it's a
>>>>> MUST for companies dealing with CC. And in a windows environment, an AV is
>>>>> important.
>>>>>
>>>>> He probably thought that I am with the rules of PCI, or that I don't
>>>>> have any idea that the world is not just WINDOWS !!!
>>>>>
>>>>> Regards,
>>>>>
>>>>> ------------------------------
>>>>> *From:* Christian Sciberras <[email protected]>
>>>>> *To:* Shaqe Wan <[email protected]>
>>>>> *Cc:* [email protected]
>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>
>>>>> Why exactly are you complying with Nick's statements? I would have
>>>>> thought you guys were arguing against said statements?
>>>>>
>>>>> By the way, requirement #6 is particularly funny; it sounds peculiarly
>>>>> redundant to me...
>>>>>
>>>>> Cheers.
>>>>>
>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <[email protected]> wrote:
>>>>>> Nick,
>>>>>>
>>>>>> Please if you don't know what the standards are, please read:
>>>>>>
>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>
>>>>>> See *Requirement #5*. Read that requirement carefully and it's not bad
>>>>>> to read it twice though in case you don't figure it out from the first
>>>>>> glance !
>>>>>>
>>>>>> Also, I said that using an AV is some basic thing to do in any company
>>>>>> that wants to deal with CC, it's a basic thing for even companies not
>>>>>> dealing with CC too !!! Or do you state that people must use a BOX with no
>>>>>> AV installed on it? If you believe in that fact? Then please request a
>>>>>> change in the PCI DSS requirements and make them force the usage of a non
>>>>>> Windows O.S, such as any *n?x system.
>>>>>>
>>>>>> Finally, the topic here is not about "default allow vs default deny"
>>>>>> and if I understand what that is or not! You can open a new discussion
>>>>>> about that, and I shall join there and discuss it further with you, in
>>>>>> case you need some clarification regarding it.
>>>>>>
>>>>>> Regards,
>>>>>> Shaqe
>>>>>>
>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <[email protected]>* wrote:
>>>>>>
>>>>>> From: Nick FitzGerald <[email protected]>
>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>> To: [email protected]
>>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>
>>>>>> Shaqe Wan wrote:
>>>>>>
>>>>>> <<snip>>
>>>>>> > Because it shall be nonsense to deal with CC, and not have an
>>>>>> > Anti-virus for example !!
>>>>>>
>>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>>
>>>>>> Do you have any understanding of one of the most basic of security
>>>>>> issues -- default allow vs. default deny?
>>>>>>
>>>>>> There are many more secure ways to run systems _without_ antivirus
>>>>>> software.
>>>>>>
>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>> component of a "reasonably secure" system is a fool.
>>>>>>
>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>> component of a "sufficiently secure" system is one (or more) of; a
>>>>>> fool, a person with an unusually low standard of system security, or a
>>>>>> shill for an antivirus producer.
>>>>>>
>>>>>> So _if_, as you and another recent poster strongly imply, the PCI
>>>>>> standards include a specific _requirement_ for antivirus software, then
>>>>>> the standards themselves are total nonsense...
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Nick FitzGerald
>>>>>>
>>>>>> _______________________________________________
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
