My point isn't about a particular section, nor about the amount of experience I have in PCI DSS compliance (which is next to novice). The point is, what's PCI aiming at? Real security, or just a way companies can excuse their incompetence by citing full PCI compliance? Which reminds me, it wasn't I that brought anti-viruses into the discussion.
Cheers.

On Tue, Apr 27, 2010 at 5:16 PM, Mike Hale <[email protected]> wrote:

> Actually, you're right. You're not the one who said that, I apologize.
>
> But I maintain that you're arguing over something that you don't
> understand. You took one section (the anti-virus one) and got your panties
> in a bunch over a security standard that says you *should* run anti-virus.
> You completely ignored that PCI allows you to have compensating controls in
> place for virtually any requirement.
>
> On Tue, Apr 27, 2010 at 8:07 AM, Christian Sciberras <[email protected]> wrote:
>
>> based on your own admission
>>
>> On whose admission? Perhaps you should bother to cite sources next time?
>> And, how is quoting me in a different argument "your point"?
>>
>> On Tue, Apr 27, 2010 at 4:55 PM, Mike Hale <[email protected]> wrote:
>>
>>> Point is, you're arguing for the sake of arguing, as you have no
>>> understanding of what PCI is, based on your own admission.
>>>
>>> On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras <[email protected]> wrote:
>>>
>>>> Nice way of reading whatever feels right to you. Perhaps you'd have
>>>> better read what I wrote a few lines before that?
>>>>
>>>> On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <[email protected]> wrote:
>>>>
>>>>> "-they are arguing for the fun of it without any real arguments (why
>>>>> else prove me right on my arguments and later on deny it?)"
>>>>>
>>>>> So you fall into this category?
>>>>>
>>>>> On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <[email protected]> wrote:
>>>>>
>>>>>> In short, you just said that PCI compliance _is_ a waste of time and
>>>>>> money.
>>>>>>
>>>>>> Why else would you protect something which is bound to fail anyway?!
>>>>>>
>>>>>> This is a lost battle, as I said no one cares about the arguments
>>>>>> because these people fall into three categories:
>>>>>> -they believe the illusion that PCI by itself enhances security
>>>>>> -they do their job and don't give a f*ck about it
>>>>>> -they are arguing for the fun of it without any real arguments (why
>>>>>> else prove me right on my arguments and later on deny it?)
>>>>>>
>>>>>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <[email protected]> wrote:
>>>>>>
>>>>>>> You won't know, not now, not ever. Maybe they do get a commission
>>>>>>> for your AV installation, who knows! But maybe they think it is
>>>>>>> something that everybody needs, so they force it. To get to know the
>>>>>>> true answer, we need to sit down with the guys who wrote the
>>>>>>> requirements and brainstorm those issues with them. We shall keep just
>>>>>>> running around and around in a circle here, because no one here "if no
>>>>>>> CC company guy is around" can give a definite answer. Just our simple
>>>>>>> arguments!
>>>>>>>
>>>>>>> As I said before, I have to use it on a Windows box, because it's a
>>>>>>> requirement, it's not my opinion at all.
>>>>>>>
>>>>>>> I 100% agree with you that most of the companies seek the paperwork
>>>>>>> and get PCI certified and don't really bother about true security
>>>>>>> measures, but in the end if a breach is discovered they are the ones
>>>>>>> who shall get the penalty in the face, not us :)
>>>>>>>
>>>>>>> NB: I don't use an AV, never did, and never will :p
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> ------------------------------
>>>>>>> *From:* Christian Sciberras <[email protected]>
>>>>>>> *To:* Shaqe Wan <[email protected]>
>>>>>>> *Cc:* [email protected]
>>>>>>> *Sent:* Tue, April 27, 2010 10:37:24 AM
>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>
>>>>>>> Surely being forced to install an anti-virus only brings in a
>>>>>>> monopoly? How do I know that PCI Standards writers are getting a nice
>>>>>>> commission off me installing the anti-virus? (I know they don't, I'm
>>>>>>> just hypothesizing).
>>>>>>>
>>>>>>> You stated it yourself, an anti-virus may not make any difference, it
>>>>>>> is there as per PCI standard... so what is its use? Why the heck do I
>>>>>>> have to install something useless?
>>>>>>>
>>>>>>> Lastly, that is where you are wrong, there is no "base starting
>>>>>>> point": companies don't give a shit about proper security measures, they
>>>>>>> get PCI-certified and all security ends there.
>>>>>>> That is the freaken problem.
>>>>>>>
>>>>>>> NB: I do use anti-virus software, what I specified above is not in
>>>>>>> any way my opinion about anti-virus vendors, etc.
>>>>>>>
>>>>>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I don't actually believe there is a "democratic society". No such
>>>>>>>> thing exists. If it does?
>>>>>>>> Then ask the organizations who made the compliance requirements to
>>>>>>>> drop them and make audits based on some other measure that you
>>>>>>>> believe is more secure and has fewer flaws in it. Finally, regarding
>>>>>>>> the AV issue that I wish to end here, it is that "I don't believe that
>>>>>>>> an AV shall make your box secure, but it's a requirement to be done -
>>>>>>>> Added by PCI"
>>>>>>>>
>>>>>>>> And yes, I have noticed that FD is for such security measures
>>>>>>>> discussion, but never thought of joining it and discussing with others
>>>>>>>> until a couple of days ago when I saw this topic.
>>>>>>>>
>>>>>>>> Finally, the compliance can be taken as a base starting point,
>>>>>>>> and then moving further; like that it shall not be a waste of money!
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> ------------------------------
>>>>>>>> *From:* Christian Sciberras <[email protected]>
>>>>>>>> *To:* Shaqe Wan <[email protected]>
>>>>>>>> *Cc:* [email protected]
>>>>>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>>
>>>>>>>> Perhaps you haven't noticed, this is Full-Disclosure, which at
>>>>>>>> least is used to discuss security measures.
>>>>>>>> As such, it is only natural to argue about PCI's possible security
>>>>>>>> flaws.
>>>>>>>>
>>>>>>>> Besides, in a democratic society (where CCs do operate as well), you
>>>>>>>> can't "force" someone to install an anti-virus just because _you_
>>>>>>>> think it is secure.
>>>>>>>>
>>>>>>>> The argument that compliance is wasted money still holds.
>>>>>>>>
>>>>>>>> Cheers.
>>>>>>>>
>>>>>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hola,
>>>>>>>>>
>>>>>>>>> The problem is not whether they are educated against other
>>>>>>>>> standards or policies or not, the problem is that without this
>>>>>>>>> compliance you can't work with CC!!! It's something that is enforced
>>>>>>>>> on you!
>>>>>>>>>
>>>>>>>>> BTW: why don't people discuss which points are missing in the PCI
>>>>>>>>> Compliance rather than this argument?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> ------------------------------
>>>>>>>>> *From:* Christian Sciberras <[email protected]>
>>>>>>>>> *To:* Shaqe Wan <[email protected]>
>>>>>>>>> *Cc:* [email protected]
>>>>>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>>>
>>>>>>>>> OK.
>>>>>>>>>
>>>>>>>>> "All those in favour of PCI raise their hands."
>>>>>>>>>
>>>>>>>>> Kidding aside, of course it is a must, since the said companies
>>>>>>>>> don't have any notion of security before this happens.
>>>>>>>>> However, how much is this actually helpful? Now let's be honest,
>>>>>>>>> how much would it stop a potential attacker from getting into a system
>>>>>>>>> "protected" by PCI?
>>>>>>>>> Little, if at all.
>>>>>>>>>
>>>>>>>>> On the other hand, a company should adopt real and complete
>>>>>>>>> security practices.
>>>>>>>>>
>>>>>>>>> Again, my point is, these companies shouldn't be "educated" or
>>>>>>>>> limit their security to this standard. Because if they do (and I'm
>>>>>>>>> pretty sure they do) it would make this standard pretty much useless.
>>>>>>>>>
>>>>>>>>> Anyway, I won't get into this argument, since no one will give a
>>>>>>>>> sh*t about it anyway.
>>>>>>>>>
>>>>>>>>> Cheers.
>>>>>>>>>
>>>>>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Christian,
>>>>>>>>>>
>>>>>>>>>> Did you read my first post?
>>>>>>>>>>
>>>>>>>>>> ((( IMO, PCI is not that big a security policy, but without it you're
>>>>>>>>>> not able to use the credit card companies' gateway. I think it's
>>>>>>>>>> just the basics that any company dealing with CC must implement.
>>>>>>>>>> Because it shall be nonsense to deal with CC and not have an
>>>>>>>>>> anti-virus, for example!! )))
>>>>>>>>>>
>>>>>>>>>> I am not stating that PCI is good in no way, but I am saying that
>>>>>>>>>> it's a MUST for companies dealing with CC. And in a Windows
>>>>>>>>>> environment, an AV is important.
>>>>>>>>>>
>>>>>>>>>> He probably thought that I am with the rules of PCI, or that I
>>>>>>>>>> don't have any idea that the world is not just WINDOWS!!!
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>> ------------------------------
>>>>>>>>>> *From:* Christian Sciberras <[email protected]>
>>>>>>>>>> *To:* Shaqe Wan <[email protected]>
>>>>>>>>>> *Cc:* [email protected]
>>>>>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>>>>
>>>>>>>>>> Why exactly are you complying with Nick's statements? I would have
>>>>>>>>>> thought you guys were arguing against said statements?
>>>>>>>>>>
>>>>>>>>>> By the way, requirement #6 is particularly funny; it sounds
>>>>>>>>>> peculiarly redundant to me...
>>>>>>>>>>
>>>>>>>>>> Cheers.
>>>>>>>>>>
>>>>>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Nick,
>>>>>>>>>>>
>>>>>>>>>>> Please, if you don't know what the standards are, please read:
>>>>>>>>>>>
>>>>>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>>>>>>
>>>>>>>>>>> See *Requirement #5*. Read that requirement carefully, and it's
>>>>>>>>>>> not bad to read it twice though, in case you don't figure it out
>>>>>>>>>>> from the first glance!
>>>>>>>>>>>
>>>>>>>>>>> Also, I said that using an AV is some basic thing to do in any
>>>>>>>>>>> company that wants to deal with CC; it's a basic thing for even
>>>>>>>>>>> companies not dealing with CC too!!! Or do you state that people
>>>>>>>>>>> must use a BOX with no AV installed on it? If you believe in that
>>>>>>>>>>> fact? Then please request a change in the PCI DSS requirements and
>>>>>>>>>>> make them force the usage of a non-Windows O.S., such as any *n?x
>>>>>>>>>>> system.
>>>>>>>>>>>
>>>>>>>>>>> Finally, the topic here is not about "default allow vs default
>>>>>>>>>>> deny" and whether I understand what that is or not! You can open a
>>>>>>>>>>> new discussion about that, and I shall join there and discuss it
>>>>>>>>>>> further with you, in case you need some clarification regarding it.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Shaqe
>>>>>>>>>>>
>>>>>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <[email protected]>* wrote:
>>>>>>>>>>>
>>>>>>>>>>> From: Nick FitzGerald <[email protected]>
>>>>>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>>>>> To: [email protected]
>>>>>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>>>>>>
>>>>>>>>>>> Shaqe Wan wrote:
>>>>>>>>>>>
>>>>>>>>>>> <<snip>>
>>>>>>>>>>> > Because it shall be nonsense to deal with CC, and not have an
>>>>>>>>>>> > Anti-virus for example !!
>>>>>>>>>>>
>>>>>>>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>>>>>>>
>>>>>>>>>>> Do you have any understanding of one of the most basic of security
>>>>>>>>>>> issues -- default allow vs. default deny?
>>>>>>>>>>>
>>>>>>>>>>> There are many more secure ways to run systems _without_ antivirus
>>>>>>>>>>> software.
>>>>>>>>>>>
>>>>>>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>>>>>>> component of a "reasonably secure" system is a fool.
>>>>>>>>>>>
>>>>>>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>>>>>>> component of a "sufficiently secure" system is one (or more) of; a
>>>>>>>>>>> fool, a person with an unusually low standard of system security, or a
>>>>>>>>>>> shill for an antivirus producer.
>>>>>>>>>>>
>>>>>>>>>>> So _if_, as you and another recent poster strongly imply, the PCI
>>>>>>>>>>> standards include a specific _requirement_ for antivirus software, then
>>>>>>>>>>> the standards themselves are total nonsense...
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>> Nick FitzGerald
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>> --
>>>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>
>>> --
>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
