Nice way of reading whatever feels right to you. Perhaps you'd have better read what I wrote a few lines before that?
On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <[email protected]> wrote:
> "-they are arguing for the fun of it without any real arguments (why else
> prove me right on my arguments and later on deny it?)"
>
> So you fall into this category?
>
> On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <[email protected]> wrote:
>
>> In short, you just said that PCI compliance _is_ a waste of time and
>> money.
>>
>> Why else would you protect something which is bound to fail anyway?!
>>
>> This is a lost battle, as I said no one cares about the arguments because
>> these people fall into three categories:
>> -they believe the illusion that PCI by itself enhances security
>> -they do their job and don't give a f*ck about it
>> -they are arguing for the fun of it without any real arguments (why else
>> prove me right on my arguments and later on deny it?)
>>
>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <[email protected]> wrote:
>>
>>> You won't know, not now, not ever. Maybe they do get a commission for
>>> your AV installation, who knows! But maybe they think it is something that
>>> everybody needs so they force it. To get to know the true answer, we need to
>>> sit down with the guys who wrote the requirements and brainstorm with them
>>> those issues. We shall keep just running around and around in a circle here,
>>> because no one here "if no CC company guy is around" can give a definite
>>> answer. Just our simple arguments!
>>>
>>> As I said before, I have to use it on a windows box, because it's a
>>> requirement, it's not my opinion at all.
>>>
>>> I 100% agree with you that most of the companies seek the paper work and
>>> get PCI certified and don't really bother about true security measures, but
>>> in the end if a breach is discovered they are the ones who shall get the
>>> penalty in the face, not us :)
>>>
>>> NB: I don't use an AV, never did, and never will :p
>>>
>>> Regards,
>>>
>>> ------------------------------
>>> *From:* Christian Sciberras <[email protected]>
>>> *To:* Shaqe Wan <[email protected]>
>>> *Cc:* [email protected]
>>> *Sent:* Tue, April 27, 2010 10:37:24 AM
>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>
>>> Surely being forced to install an anti-virus only brings in a monopoly?
>>> How do I know that PCI Standards writers are getting a nice commission off
>>> me installing the anti-virus? (I know they don't, I'm just hypothesizing).
>>>
>>> You stated it yourself, an anti-virus may not make any difference, it is
>>> there as per PCI standard..... so what is its use? Why the heck do I have to
>>> install something useless?
>>>
>>> Lastly, that is where you are wrong, there is no "base starting point";
>>> companies don't give a shit about proper security measures, they get
>>> PCI-certified and all security ends there.
>>> That is the freaken problem.
>>>
>>> NB: I do use anti-virus software, what I specified above is not in any
>>> way my opinion about anti-virus vendors, etc.
>>>
>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I don't actually believe there is a "democratic society". No such thing
>>>> exists. If it does? Then ask the organizations who made the compliance
>>>> requirements to drop them and make audits based on some other measure that you
>>>> believe is more secure and has fewer flaws in it. Finally, regarding the AV
>>>> issue that I wish to end here, it is that "I don't believe that an AV shall
>>>> make your box secure, but it's a requirement to be done - Added by PCI"
>>>>
>>>> And yes I have noticed that FD is for such security measures discussion,
>>>> but never thought of joining it and discussing with others until a couple of
>>>> days ago when I saw this topic.
>>>>
>>>> Finally, the compliance can be taken as a base starting point, and
>>>> then moving further; like that it shall not be a waste of money!
>>>>
>>>> Regards,
>>>>
>>>> ------------------------------
>>>> *From:* Christian Sciberras <[email protected]>
>>>> *To:* Shaqe Wan <[email protected]>
>>>> *Cc:* [email protected]
>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>
>>>> Perhaps you haven't noticed, this is Full-Disclosure, which at least is
>>>> used to discuss security measures.
>>>> As such, it is only natural to argue with PCI's possible security flaws.
>>>>
>>>> Besides, in a democratic society (where CC do operate as well), you
>>>> can't "force" someone to install an anti-virus just because _you_ think it
>>>> is secure.
>>>>
>>>> The argument where compliance is wasted money still holds.
>>>>
>>>> Cheers.
>>>>
>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <[email protected]> wrote:
>>>>
>>>>> Hola,
>>>>>
>>>>> The problem is not whether they are educated against other standards or
>>>>> policies or not, the problem is that without this compliance you can't work
>>>>> with CC!!! It's something that is enforced on you!
>>>>>
>>>>> BTW: why don't people discuss what points are missing in the PCI
>>>>> Compliance rather than this argument?
>>>>>
>>>>> Regards,
>>>>>
>>>>> ------------------------------
>>>>> *From:* Christian Sciberras <[email protected]>
>>>>> *To:* Shaqe Wan <[email protected]>
>>>>> *Cc:* [email protected]
>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>
>>>>> OK.
>>>>>
>>>>> "All those in favour of PCI raise their hands."
>>>>>
>>>>> Kidding aside, of course it is a must, since the said companies don't
>>>>> have any notion of security before this happens.
>>>>> However, how much is this actually helpful? Now let's be honest, how
>>>>> much would it stop a potential attacker from getting into a system
>>>>> "protected" by PCI?
>>>>> Little, if at all.
>>>>>
>>>>> On the other hand, a company should adopt real and complete security
>>>>> practices.
>>>>>
>>>>> Again, my point is, these companies shouldn't be "educated" or limit
>>>>> their security to this standard. Because if they do (and I'm pretty sure
>>>>> they do) it would make this standard pretty much useless.
>>>>>
>>>>> Anyway, I won't get into this argument, since no one will give a sh*t
>>>>> about it anyway.
>>>>>
>>>>> Cheers.
>>>>>
>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <[email protected]> wrote:
>>>>>
>>>>>> Christian,
>>>>>>
>>>>>> Did you read my first post?
>>>>>>
>>>>>> ((( IMO, PCI is not that big a security policy, but without it you're not
>>>>>> able to use the credit card companies' gateway. I think it's just the
>>>>>> basics that any company dealing with CC must implement. Because it shall be
>>>>>> nonsense to deal with CC, and not have an Anti-virus for example!! )))
>>>>>>
>>>>>> I am not stating that PCI is good in no way, but I am saying that it's
>>>>>> a MUST for companies dealing with CC. And in a windows environment, an AV is
>>>>>> important.
>>>>>>
>>>>>> He probably thought that I am with the rules of PCI, or that I don't
>>>>>> have any idea that the world is not just WINDOWS!!!
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> ------------------------------
>>>>>> *From:* Christian Sciberras <[email protected]>
>>>>>> *To:* Shaqe Wan <[email protected]>
>>>>>> *Cc:* [email protected]
>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>
>>>>>> Why exactly are you complying with Nick's statements? I would have
>>>>>> thought you guys were arguing against said statements?
>>>>>>
>>>>>> By the way, requirement #6 is particularly funny; it sounds peculiarly
>>>>>> redundant to me...
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <[email protected]> wrote:
>>>>>>
>>>>>>> Nick,
>>>>>>>
>>>>>>> Please if you don't know what the standards are, please read:
>>>>>>>
>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>>
>>>>>>> See *Requirement #5*. Read that requirement carefully and it's not
>>>>>>> bad to read it twice though in case you don't figure it out from the first
>>>>>>> glance!
>>>>>>>
>>>>>>> Also, I said that using an AV is some basic thing to do in any
>>>>>>> company that wants to deal with CC, it's a basic thing for even companies not
>>>>>>> dealing with CC too!!! Or do you state that people must use a BOX with no
>>>>>>> AV installed on it? If you believe in that fact? Then please request a
>>>>>>> change in the PCI DSS requirements and make them force the usage of a non
>>>>>>> Windows O.S, such as any *n?x system.
>>>>>>>
>>>>>>> Finally, the topic here is not about "default allow vs default deny"
>>>>>>> and if I understand what that is or not! You can open a new discussion about
>>>>>>> that, and I shall join there and discuss it further with you, in case you
>>>>>>> need some clarification regarding it.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Shaqe
>>>>>>>
>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <[email protected]>* wrote:
>>>>>>>
>>>>>>> From: Nick FitzGerald <[email protected]>
>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>> To: [email protected]
>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>>
>>>>>>> Shaqe Wan wrote:
>>>>>>>
>>>>>>> <<snip>>
>>>>>>> > Because it shall be nonsense to deal with CC, and not have an
>>>>>>> > Anti-virus for example !!
>>>>>>>
>>>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>>>
>>>>>>> Do you have any understanding of one of the most basic of security
>>>>>>> issues -- default allow vs. default deny?
>>>>>>>
>>>>>>> There are many more secure ways to run systems _without_ antivirus
>>>>>>> software.
>>>>>>>
>>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>>> component of a "reasonably secure" system is a fool.
>>>>>>>
>>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>>> component of a "sufficiently secure" system is one (or more) of; a
>>>>>>> fool, a person with an unusually low standard of system security, or a
>>>>>>> shill for an antivirus producer.
>>>>>>>
>>>>>>> So _if_, as you and another recent poster strongly imply, the PCI
>>>>>>> standards include a specific _requirement_ for antivirus software, then
>>>>>>> the standards themselves are total nonsense...
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Nick FitzGerald
>>>>>>>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
