FYI, The Evolution of PCI DSS
http://www.net-security.org/secworld.php?id=9202 Guys, they are evolving, so be calm :) ________________________________ From: Christian Sciberras <[email protected]> To: Shaqe Wan <[email protected]> Cc: [email protected] Sent: Tue, April 27, 2010 11:34:22 AM Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds "Where did I say that its a waste of time and money? " Here you go: "I 100% agree with you about most of the companies seek the paper work and get PCI certified and don't really bother about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty in the face, not us :)" "BTW: I argued a lot with my managers about the PCI stuff, but no one gives you an ear, so let me be categorized in category #2 of yours :D" Then I'm afraid this argument ends here. Cheers. On Tue, Apr 27, 2010 at 10:28 AM, Shaqe Wan <[email protected]> wrote: >Where did I say that its a waste of time and money? > >Hmmm, strange !!! > >BTW: I argued a lot with my managers about the PCI stuff, but no one gives you >an ear, so let me be categorized in category #2 of yours :D > > > ________________________________ From: Christian Sciberras <[email protected]> >To: Shaqe Wan <[email protected]> >Cc: [email protected] >Sent: Tue, April 27, 2010 11:22:59 AM > >Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds > > >>In short, you just said that PCI compliance _is_ a waste of time and money. > >Why else would you protect something which is bound to fail anyway?! > >This is a lost battle, as I said no one cares about the arguments because >these people fall into three categories: >> >-they believe the illusion that PCI by itself enhances security >-they do there job and don't give a f*ck about it >-they are arguing for the fun of it without any real arguments (why else prove >me right on my arguments and later on deny it?) > > > > > > >On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <[email protected]> wrote: > >>> >>You won't know not now, not ever. Maybe they do get a commission for your AV >>installation, who knows ! But maybe they think it is something that everybody >>needs so the force it. To get to know the true answer, we need to sit down >>with the guys who wrote the requirements and brainstorm with them those >>issues. We shall keep just running around and around in a circle here, >>because no one here "if no CC company guy is around" can give a definite >>answer. Just our simple argues ! >> >>As I said before, I have to use it on a windows box, because its a >>requirement, its not my opinion at all. >> >>I 100% agree with you about most of the companies seek the paper work and get >>PCI certified and don't really bother about true >> security measures, but in the end if a breach is discovered they are the >> ones who shall get the penalty in the face, not us :) >> >>NB: I don't use an AV, never did, and never will :p >> >>Regards, >> >> >>>> ________________________________ From: Christian Sciberras <[email protected]> >>To: Shaqe Wan <[email protected]> >>Cc: [email protected] >>Sent: Tue, April 27, 2010 10:37:24 AM >>>> >> >>Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >> >> >>>>Surely being forced to install an anti-virus only brings in a monopoly? How >>>>do I know that PCI Standards writers are getting a nice commission off me >>>>installing the anti-virus? (I know they don't, I'm just hypothesizing). >> >>You stated it yourself, an anti-virus may not do any difference, it is there >>as per PCI standard.....so what is it's use? Why the heck do I have to >>install something useless? >> >>Lastly, that is where you are wrong, there is no "base starting point" >>companies don't give a shit about proper security measures, they get >>PCI-certified and all security ends there. >>>> >> >>That is the freaken problem. >> >>NB: I do use anti-virus software, what I specified above is not in any way my >>opinion about anti-virus vendors, etc. >> >> >> >> >> >> >> >> >>On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <[email protected]> wrote: >> >>Hi, >>> >>>I don't actually beleive there is a "democratic society". No such thing >>>exists. If it does? Then ask the organizations who made the compliance >>>requirements drop them and make audits based on some other measure that you >>>believe is more secure and has less flaws in it. Finally, regarding the AV >>>issue that I wish I end here, is that "I don't believe that an AV shall make >>>your box secure, but its a requirement to be done - Added by PCI" >>> >>> >>>And yes I have noticed that FD is for such security measures discussion, but >>>never thought of joining it and discussing with others until a couple of >>>days ago when I saw this topic. >>> >>>Finally, the compliance can be taken of as a base starting point, and then >>>moving further, like that it shall not be a waste of money >>> ! >>> >>>Regards, >>> >>> >>> >>> >>>>>> >>> ________________________________ From: Christian Sciberras <[email protected]> >>>To: Shaqe Wan <[email protected]> >>>Cc: [email protected] >>>Sent: Tue, April 27, 2010 9:59:59 AM >>>>>> >>> >>> >>>Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >>> >>> >>>>>>Perhaps you haven't noticed, this is Full-Disclosure, which at least, is >>>>>>used to discuss security measures. >>>As such, it is only natural to argue with PCI's possible security flaws. >>> >>>Besides, in a democratic society (where CC do operate as well), you can't >>>"force" someone to install an anti-virus just because _you_ think it is >>>secure. >>> >>>The argument were compliance is wasted money still holds. >>> >>>Cheers. >>> >>> >>> >>> >>> >>>On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <[email protected]> wrote: >>> >>>Hola, >>>> >>>>The problem is not weather they are educated against other standards or >>>>policies or not, the problem is that without this compliance you can't work >>>>with CC !!! Its something that is enforced on you ! >>>> >>>>BTW: why don't people discuss what is the points missing in the PCI >>>>Compliance better than this argue ? >>>> >>>>Regards, >>>> >>>> >>>> >>>> >>>> >>>>>>>> >>>> >>>> ________________________________ From: Christian Sciberras <[email protected]> >>>>To: Shaqe Wan <[email protected]> >>>>Cc: [email protected] >>>>Sent: Mon, April 26, 2010 4:19:27 PM >>>>>>>> >>>> >>>> >>>>Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >>>> >>>> >>>>>>>>OK. >>>> >>>>"All those in favour of PCI raises their hands." >>>> >>>>Kidding aside, of course it is a must, since the said companies doesn't >>>>have any notion of security before this happens. >>>>However, how much is this actually helpful? Now let's be honest, how much >>>>would it stop a potential attacker from getting into a system "protected" >>>>by PCI? >>>>>>>> >>>> >>>> >>>> >>>>Little, if at all. >>>> >>>>On the other hand, a company should adopt real and complete security >>>>practices. >>>> >>>>Again, my point is, these companies shouldn't be "educated" or limit their >>>>security to this standard. Because if they do (and I'm pretty sure they do) >>>>would make this standard pretty much useless. >>>> >>>>Anyway, I won't get into this argument, since no one will give a sh*t about >>>>it anyway. >>>> >>>>Cheers. >>>> >>>> >>>> >>>> >>>> >>>>On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <[email protected]> wrote: >>>> >>>>Christian, >>>>> >>>>>Did you read my first post? >>>>> >>>>>((( IMO, PCI is not that big security policy, but without it your not able >>>>>to use the credit card companies gateway. Ithink its just the basics that >>>>>any company dealing with CC must implement. Because it shall be nonsense >>>>>to deal with CC, and not have an Anti-virus for example !! ))) >>>>> >>>>> >>>>> >>>>>>>>>> >>>>> >>>>> >>>>> >>>>>I am not stating that PCI is good in no way, but I am saying that its a >>>>>MUST for companies dealing with CC. And in a windows environment, an AV is >>>>>important. >>>>> >>>>>He probably thought that I am with the rules of PCI, or that I don't have >>>>>any idea that the world is not just WINDOWS !!! >>>>> >>>>>Regards, >>>>> >>>>> >>>>> ________________________________ >>>>>From: Christian Sciberras <[email protected]> >>>>>To: Shaqe Wan <[email protected]> >>>>>Cc: [email protected] >>>>>Sent: Mon, April 26, 2010 3:54:20 PM >>>>> >>>>>Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >>>>> >>>>> >>>>>>>>>>Why exactly are you complying with Nick's statements? I would have >>>>>>>>>>thought you guys were arguing against said statements? >>>>> >>>>> >>>>>By the way, requirement #6 is particularly funny; it sounds peculiarly >>>>>redundant to me... >>>>> >>>>>Cheers. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <[email protected]> wrote: >>>>> >>>>> >>>>>> >>>>>>>>>>>> >>>>>> >>>>>> >>>>>> >>>>>>Nick, >>>>>> >>>>>>Please if you don't know what the standards are, please read: >>>>>> >>>>>>https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml >>>>>> >>>>>>See Requirement #5. Read that requirement carefully and its not bad to >>>>>>read it twice though in case you don't figure it out from the first >>>>>>glance ! >>>>>> >>>>>>Also, I said that using an AV is some basic thing to do in any company >>>>>>that wants to deal with CC, its a >>>>>> basic thing for even companies not dealing with CC too !!! Or do you >>>>>> state that people must use a BOX with no AV installed on it? If you >>>>>> believe in that fact? Then please request a change in the PCI DSS >>>>>> requirements and make them force the usage of a non Windows O.S, such as >>>>>> any *n?x system. >>>>>> >>>>>>Finally, the topic here is not about "default allow vs default deny" and >>>>>>if >>>>>> I understand what that is or not! You can open a new discussion about >>>>>> that, and I shall join there and discuss it further with you, in case >>>>>> you need some clarification regarding it. >>>>>> >>>>>>Regards, >>>>>>Shaqe >>>>>> >>>>>> >>>>>>--- On Sun, 4/25/10, Nick FitzGerald <[email protected]> wrote: >>>>>> >>>>>> >>>>>>>From: Nick FitzGerald <[email protected]> >>>>>>>>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >>>>>>>To: [email protected] >>>>>>>Date: Sunday, April 25, 2010, 1:57 PM >>>>>>> >>>>>>> >>>>>>>Shaqe Wan wrote: >>>>>>> >>>>>>><<snip>> >>>>>>>> Because it shall be nonsense to deal with CC, and not have an >>>>>>>> Anti-virus for example !! >>>>>>> >>>>>>>Well, you see, _that_ is abject nonsense on its face. >>>>>>> >>>>>>>Do you have any understanding of one of the most basic of security >>>>>>>issues -- default allow vs. >>>>>>> default deny? >>>>>>> >>>>>>>There are many more secure ways to run systems _without_ antivirus >>>>>>>software. >>>>>>> >>>>>>> >>>>>>>Anyone authoritatively stating that antivirus software is a necessary >>>>>>>component of a "reasonably secure" system is a fool. >>>>>>> >>>>>>>Anyone authoritatively stating that antivirus software is a necessary >>>>>>> >>>>>>>component of a "sufficiently secure" system is one (or more) of; a >>>>>>>fool, a person with an unusually low standard of system security, or a >>>>>>>>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>shill for an antivirus producer. >>>>>>> >>>>>>> >>>>>>>So _if_, as you and another recent poster strongly imply, the PCI >>>>>>>standards include a specific _requirement_ for antivirus software, then >>>>>>>the standards themselves are total nonsense... >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>Regards, >>>>>>> >>>>>>>Nick FitzGerald >>>>>>> >>>>>>> >>>>>>>_______________________________________________ >>>>>>>Full-Disclosure - We believe in it. >>>>>>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>>>Hosted and sponsored by Secunia - http://secunia.com/ >>>>>>> >>>>>> >>>>>> >>>>>>_______________________________________________ >>>>>>>>>>>>Full-Disclosure - We believe in it. >>>>>>>>>>>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>>>>>>>>Hosted and sponsored by Secunia - http://secunia.com/ >>>>>> >>>>> >>>>> >>>> >>>> >>> >>> >> >> > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
