> based on your own admission

On whose admission? Perhaps you should bother to cite sources next time? And how is quoting me in a different argument "your point"?
On Tue, Apr 27, 2010 at 4:55 PM, Mike Hale <[email protected]> wrote:
> Point is, you're arguing for the sake of arguing, as you have no
> understanding what PCI is, based on your own admission.
>
> On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras <[email protected]> wrote:
>> Nice way of reading whatever feels right to you. Perhaps you'd have better
>> read what I wrote a few lines before that?
>>
>> On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <[email protected]> wrote:
>>> "-they are arguing for the fun of it without any real arguments (why
>>> else prove me right on my arguments and later on deny it?)"
>>>
>>> So you fall into this category?
>>>
>>> On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <[email protected]> wrote:
>>>> In short, you just said that PCI compliance _is_ a waste of time and money.
>>>>
>>>> Why else would you protect something which is bound to fail anyway?!
>>>>
>>>> This is a lost battle, as I said no one cares about the arguments
>>>> because these people fall into three categories:
>>>> - they believe the illusion that PCI by itself enhances security
>>>> - they do their job and don't give a f*ck about it
>>>> - they are arguing for the fun of it without any real arguments (why else
>>>>   prove me right on my arguments and later on deny it?)
>>>>
>>>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <[email protected]> wrote:
>>>>> You won't know, not now, not ever. Maybe they do get a commission for
>>>>> your AV installation, who knows! But maybe they think it is something that
>>>>> everybody needs so they force it. To get to know the true answer, we need to
>>>>> sit down with the guys who wrote the requirements and brainstorm those
>>>>> issues with them. We shall keep just running around and around in a circle
>>>>> here, because no one here (if no CC company guy is around) can give a
>>>>> definite answer. Just our simple arguments!
>>>>>
>>>>> As I said before, I have to use it on a Windows box, because it's a
>>>>> requirement, it's not my opinion at all.
>>>>>
>>>>> I 100% agree with you that most of the companies seek the paperwork
>>>>> and get PCI certified and don't really bother about true security measures,
>>>>> but in the end if a breach is discovered they are the ones who shall get
>>>>> the penalty in the face, not us :)
>>>>>
>>>>> NB: I don't use an AV, never did, and never will :p
>>>>>
>>>>> Regards,
>>>>>
>>>>> ------------------------------
>>>>> *From:* Christian Sciberras <[email protected]>
>>>>> *To:* Shaqe Wan <[email protected]>
>>>>> *Cc:* [email protected]
>>>>> *Sent:* Tue, April 27, 2010 10:37:24 AM
>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>
>>>>> Surely being forced to install an anti-virus only brings in a monopoly?
>>>>> How do I know that PCI Standards writers are getting a nice commission off
>>>>> me installing the anti-virus? (I know they don't, I'm just hypothesizing.)
>>>>>
>>>>> You stated it yourself, an anti-virus may not make any difference, it is
>>>>> there as per PCI standard... so what is its use? Why the heck do I have to
>>>>> install something useless?
>>>>>
>>>>> Lastly, that is where you are wrong, there is no "base starting point";
>>>>> companies don't give a shit about proper security measures, they get
>>>>> PCI-certified and all security ends there.
>>>>> That is the freaking problem.
>>>>>
>>>>> NB: I do use anti-virus software, what I specified above is not in any
>>>>> way my opinion about anti-virus vendors, etc.
>>>>>
>>>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <[email protected]> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I don't actually believe there is a "democratic society". No such
>>>>>> thing exists. If it does? Then ask the organizations who made the
>>>>>> compliance requirements to drop them and make audits based on some other
>>>>>> measure that you believe is more secure and has fewer flaws in it. Finally,
>>>>>> regarding the AV issue that I wish to end here: "I don't believe that an AV
>>>>>> shall make your box secure, but it's a requirement to be done - Added by PCI"
>>>>>>
>>>>>> And yes I have noticed that FD is for such security measures
>>>>>> discussion, but never thought of joining it and discussing with others
>>>>>> until a couple of days ago when I saw this topic.
>>>>>>
>>>>>> Finally, the compliance can be taken as a base starting point, and
>>>>>> then moving further; like that it shall not be a waste of money!
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> ------------------------------
>>>>>> *From:* Christian Sciberras <[email protected]>
>>>>>> *To:* Shaqe Wan <[email protected]>
>>>>>> *Cc:* [email protected]
>>>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>
>>>>>> Perhaps you haven't noticed, this is Full-Disclosure, which at least
>>>>>> is used to discuss security measures.
>>>>>> As such, it is only natural to argue about PCI's possible security flaws.
>>>>>>
>>>>>> Besides, in a democratic society (where CC do operate as well), you
>>>>>> can't "force" someone to install an anti-virus just because _you_ think
>>>>>> it is secure.
>>>>>>
>>>>>> The argument that compliance is wasted money still holds.
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <[email protected]> wrote:
>>>>>>> Hola,
>>>>>>>
>>>>>>> The problem is not whether they are educated against other standards
>>>>>>> or policies or not, the problem is that without this compliance you
>>>>>>> can't work with CC!!! It's something that is enforced on you!
>>>>>>>
>>>>>>> BTW: why don't people discuss what points are missing in the PCI
>>>>>>> Compliance rather than this argument?
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> ------------------------------
>>>>>>> *From:* Christian Sciberras <[email protected]>
>>>>>>> *To:* Shaqe Wan <[email protected]>
>>>>>>> *Cc:* [email protected]
>>>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>
>>>>>>> OK.
>>>>>>>
>>>>>>> "All those in favour of PCI raise their hands."
>>>>>>>
>>>>>>> Kidding aside, of course it is a must, since the said companies
>>>>>>> don't have any notion of security before this happens.
>>>>>>> However, how much is this actually helpful? Now let's be honest, how
>>>>>>> much would it stop a potential attacker from getting into a system
>>>>>>> "protected" by PCI?
>>>>>>> Little, if at all.
>>>>>>>
>>>>>>> On the other hand, a company should adopt real and complete security
>>>>>>> practices.
>>>>>>>
>>>>>>> Again, my point is, these companies shouldn't be "educated" or limit
>>>>>>> their security to this standard. Because if they do (and I'm pretty sure
>>>>>>> they do) it would make this standard pretty much useless.
>>>>>>>
>>>>>>> Anyway, I won't get into this argument, since no one will give a sh*t
>>>>>>> about it anyway.
>>>>>>>
>>>>>>> Cheers.
>>>>>>>
>>>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <[email protected]> wrote:
>>>>>>>> Christian,
>>>>>>>>
>>>>>>>> Did you read my first post?
>>>>>>>>
>>>>>>>> ((( IMO, PCI is not that big a security policy, but without it you're
>>>>>>>> not able to use the credit card companies' gateway. I think it's just
>>>>>>>> the basics that any company dealing with CC must implement. Because it
>>>>>>>> shall be nonsense to deal with CC, and not have an Anti-virus for
>>>>>>>> example!! )))
>>>>>>>>
>>>>>>>> I am not stating that PCI is good in no way, but I am saying that
>>>>>>>> it's a MUST for companies dealing with CC. And in a Windows
>>>>>>>> environment, an AV is important.
>>>>>>>>
>>>>>>>> He probably thought that I am with the rules of PCI, or that I don't
>>>>>>>> have any idea that the world is not just WINDOWS!!!
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> ------------------------------
>>>>>>>> *From:* Christian Sciberras <[email protected]>
>>>>>>>> *To:* Shaqe Wan <[email protected]>
>>>>>>>> *Cc:* [email protected]
>>>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>>
>>>>>>>> Why exactly are you complying with Nick's statements? I would have
>>>>>>>> thought you guys were arguing against said statements?
>>>>>>>>
>>>>>>>> By the way, requirement #6 is particularly funny; it sounds
>>>>>>>> peculiarly redundant to me...
>>>>>>>>
>>>>>>>> Cheers.
>>>>>>>>
>>>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <[email protected]> wrote:
>>>>>>>>> Nick,
>>>>>>>>>
>>>>>>>>> Please, if you don't know what the standards are, read:
>>>>>>>>>
>>>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>>>>
>>>>>>>>> See *Requirement #5*. Read that requirement carefully, and it's not
>>>>>>>>> bad to read it twice in case you don't figure it out from the first
>>>>>>>>> glance!
>>>>>>>>>
>>>>>>>>> Also, I said that using an AV is some basic thing to do in any
>>>>>>>>> company that wants to deal with CC; it's a basic thing for even
>>>>>>>>> companies not dealing with CC too!!! Or do you state that people must
>>>>>>>>> use a BOX with no AV installed on it? If you believe in that fact? Then
>>>>>>>>> please request a change in the PCI DSS requirements and make them force
>>>>>>>>> the usage of a non-Windows O.S., such as any *n?x system.
>>>>>>>>>
>>>>>>>>> Finally, the topic here is not about "default allow vs default
>>>>>>>>> deny" and whether I understand what that is or not! You can open a new
>>>>>>>>> discussion about that, and I shall join there and discuss it further
>>>>>>>>> with you, in case you need some clarification regarding it.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Shaqe
>>>>>>>>>
>>>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <[email protected]>* wrote:
>>>>>>>>>
>>>>>>>>> From: Nick FitzGerald <[email protected]>
>>>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>>> To: [email protected]
>>>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>>>>
>>>>>>>>> Shaqe Wan wrote:
>>>>>>>>>
>>>>>>>>> <<snip>>
>>>>>>>>> > Because it shall be nonsense to deal with CC, and not have an
>>>>>>>>> > Anti-virus for example !!
>>>>>>>>>
>>>>>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>>>>>
>>>>>>>>> Do you have any understanding of one of the most basic of security
>>>>>>>>> issues -- default allow vs. default deny?
>>>>>>>>>
>>>>>>>>> There are many more secure ways to run systems _without_ antivirus
>>>>>>>>> software.
>>>>>>>>>
>>>>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>>>>> component of a "reasonably secure" system is a fool.
>>>>>>>>>
>>>>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>>>>> component of a "sufficiently secure" system is one (or more) of; a
>>>>>>>>> fool, a person with an unusually low standard of system security, or a
>>>>>>>>> shill for an antivirus producer.
>>>>>>>>>
>>>>>>>>> So _if_, as you and another recent poster strongly imply, the PCI
>>>>>>>>> standards include a specific _requirement_ for antivirus software, then
>>>>>>>>> the standards themselves are total nonsense...
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> Nick FitzGerald
>>>
>>> --
>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
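The "default allow vs. default deny" distinction Nick FitzGerald raises in the quoted thread, shown as an added Python example that is not part of the mailing-list discussion. It evaluates the same constructed list of process-launch events under a default-allow policy (a signature blocklist, the antivirus model) and a default-deny policy (an allowlist of known-good path/hash pairs). The paths, hashes and policy tables are all constructed for the example; the point it makes is that an unknown or tampered binary passes the blocklist but fails the allowlist, while the allowlist has to be maintained for every legitimate update.

```python
"""Default allow (blocklist) vs. default deny (allowlist) for program execution.

Constructed example: none of the paths, hashes or policy entries below come
from a real system; they exist only to show how the two decision models
differ on the same inputs.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class LaunchEvent:
    """One attempted program execution, as an execution-control hook would see it."""
    path: str
    sha256: str  # hash of the file image being executed


def fake_sha256(label: str) -> str:
    """Stand-in for hashing a real file: derive a stable hash from a label."""
    return hashlib.sha256(label.encode("utf-8")).hexdigest()


# Constructed sample events (hypothetical paths; hashes derived from labels).
EVENTS = [
    LaunchEvent("/usr/sbin/sshd", fake_sha256("sshd-approved-build")),
    LaunchEvent("/opt/pos/bin/posd", fake_sha256("posd-approved-build")),
    LaunchEvent("/tmp/update.exe", fake_sha256("sample-with-known-signature")),
    LaunchEvent("/tmp/dropper", fake_sha256("never-seen-before")),
    LaunchEvent("/opt/pos/bin/posd", fake_sha256("posd-modified-on-disk")),
]

# Default allow: run everything unless the hash matches a known-bad signature.
KNOWN_BAD = {fake_sha256("sample-with-known-signature")}

# Default deny: run nothing unless (path, hash) is explicitly approved.
ALLOWLIST = {
    "/usr/sbin/sshd": fake_sha256("sshd-approved-build"),
    "/opt/pos/bin/posd": fake_sha256("posd-approved-build"),
}


def default_allow(event: LaunchEvent) -> bool:
    """Blocklist model: anything not already known as bad is permitted."""
    return event.sha256 not in KNOWN_BAD


def default_deny(event: LaunchEvent) -> bool:
    """Allowlist model: only an exact, pre-approved path/hash pair is permitted.
    A modified file at an approved path has a different hash and is refused."""
    return ALLOWLIST.get(event.path) == event.sha256


def compare(events) -> list:
    """Evaluate every event under both policies.
    Returns (path, allowed_by_default_allow, allowed_by_default_deny) per event."""
    return [(e.path, default_allow(e), default_deny(e)) for e in events]


def disagreements(events) -> list:
    """Paths where the two models reach different decisions: these are exactly
    the unknown and modified binaries a signature-only control cannot see."""
    return [path for path, allow, deny in compare(events) if allow != deny]


if __name__ == "__main__":
    print(f"{'path':<22} {'default-allow':<14} default-deny")
    for path, allow, deny in compare(EVENTS):
        print(f"{path:<22} {str(allow):<14} {deny}")
    print("decisions differ for:", disagreements(EVENTS))
```

Under the allowlist every deployment of a new sshd or posd build needs its hash added before it will run, which is the operational cost the thread's participants are trading off against the blocklist's blind spot for anything without a signature.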
