Point is, you're arguing for the sake of arguing, as you have no understanding what PCI is, based on your own admission.
On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras <[email protected]>wrote: > Nice way of reading whatever feels right to you. Perhaps you'd have better > read what I wrote a few lines before that? > > > > > > > On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <[email protected]>wrote: > >> "-they are arguing for the fun of it without any real arguments (why >> else prove me right on my arguments and later on deny it?)" >> >> So you fall into this category? >> On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <[email protected] >> > wrote: >> >>> In short, you just said that PCI compliance _is_ a waste of time and >>> money. >>> >>> Why else would you protect something which is bound to fail anyway?! >>> >>> This is a lost battle, as I said no one cares about the arguments because >>> these people fall into three categories: >>> -they believe the illusion that PCI by itself enhances security >>> -they do there job and don't give a f*ck about it >>> -they are arguing for the fun of it without any real arguments (why else >>> prove me right on my arguments and later on deny it?) >>> >>> >>> >>> >>> >>> >>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <[email protected]> wrote: >>> >>>> You won't know not now, not ever. Maybe they do get a commission for >>>> your AV installation, who knows ! But maybe they think it is something that >>>> everybody needs so the force it. To get to know the true answer, we need to >>>> sit down with the guys who wrote the requirements and brainstorm with them >>>> those issues. We shall keep just running around and around in a circle >>>> here, >>>> because no one here "if no CC company guy is around" can give a definite >>>> answer. Just our simple argues ! >>>> >>>> As I said before, I have to use it on a windows box, because its a >>>> requirement, its not my opinion at all. >>>> >>>> I 100% agree with you about most of the companies seek the paper work >>>> and get PCI certified and don't really bother about true security measures, >>>> but in the end if a breach is discovered they are the ones who shall get >>>> the >>>> penalty in the face, not us :) >>>> >>>> NB: I don't use an AV, never did, and never will :p >>>> >>>> Regards, >>>> >>>> ------------------------------ >>>> *From:* Christian Sciberras <[email protected]> >>>> *To:* Shaqe Wan <[email protected]> >>>> *Cc:* [email protected] >>>> *Sent:* Tue, April 27, 2010 10:37:24 AM >>>> >>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study >>>> Finds >>>> >>>> Surely being forced to install an anti-virus only brings in a monopoly? >>>> How do I know that PCI Standards writers are getting a nice commission off >>>> me installing the anti-virus? (I know they don't, I'm just hypothesizing). >>>> >>>> You stated it yourself, an anti-virus may not do any difference, it is >>>> there as per PCI standard.....so what is it's use? Why the heck do I have >>>> to >>>> install something useless? >>>> >>>> Lastly, that is where you are wrong, there is no "base starting point" >>>> companies don't give a shit about proper security measures, they get >>>> PCI-certified and all security ends there. >>>> That is the freaken problem. >>>> >>>> NB: I do use anti-virus software, what I specified above is not in any >>>> way my opinion about anti-virus vendors, etc. >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <[email protected]> wrote: >>>> >>>>> Hi, >>>>> >>>>> I don't actually beleive there is a "democratic society". No such thing >>>>> exists. If it does? Then ask the organizations who made the compliance >>>>> requirements drop them and make audits based on some other measure that >>>>> you >>>>> believe is more secure and has less flaws in it. Finally, regarding the AV >>>>> issue that I wish I end here, is that "I don't believe that an AV shall >>>>> make >>>>> your box secure, but its a requirement to be done - Added by PCI" >>>>> >>>>> And yes I have noticed that FD is for such security measures >>>>> discussion, but never thought of joining it and discussing with others >>>>> until >>>>> a couple of days ago when I saw this topic. >>>>> >>>>> Finally, the compliance can be taken of as a base starting point, and >>>>> then moving further, like that it shall not be a waste of money ! >>>>> >>>>> Regards, >>>>> >>>>> >>>>> ------------------------------ >>>>> *From:* Christian Sciberras <[email protected]> >>>>> *To:* Shaqe Wan <[email protected]> >>>>> *Cc:* [email protected] >>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM >>>>> >>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study >>>>> Finds >>>>> >>>>> Perhaps you haven't noticed, this is Full-Disclosure, which at least, >>>>> is used to discuss security measures. >>>>> As such, it is only natural to argue with PCI's possible security >>>>> flaws. >>>>> >>>>> Besides, in a democratic society (where CC do operate as well), you >>>>> can't "force" someone to install an anti-virus just because _you_ think it >>>>> is secure. >>>>> >>>>> The argument were compliance is wasted money still holds. >>>>> >>>>> Cheers. >>>>> >>>>> >>>>> >>>>> >>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <[email protected]> wrote: >>>>> >>>>>> Hola, >>>>>> >>>>>> The problem is not weather they are educated against other standards >>>>>> or policies or not, the problem is that without this compliance you can't >>>>>> work with CC !!! Its something that is enforced on you ! >>>>>> >>>>>> BTW: why don't people discuss what is the points missing in the PCI >>>>>> Compliance better than this argue ? >>>>>> >>>>>> Regards, >>>>>> >>>>>> >>>>>> ------------------------------ >>>>>> *From:* Christian Sciberras <[email protected]> >>>>>> *To:* Shaqe Wan <[email protected]> >>>>>> *Cc:* [email protected] >>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM >>>>>> >>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study >>>>>> Finds >>>>>> >>>>>> OK. >>>>>> >>>>>> "All those in favour of PCI raises their hands." >>>>>> >>>>>> Kidding aside, of course it is a must, since the said companies >>>>>> doesn't have any notion of security before this happens. >>>>>> However, how much is this actually helpful? Now let's be honest, how >>>>>> much would it stop a potential attacker from getting into a system >>>>>> "protected" by PCI? >>>>>> Little, if at all. >>>>>> >>>>>> On the other hand, a company should adopt real and complete security >>>>>> practices. >>>>>> >>>>>> Again, my point is, these companies shouldn't be "educated" or limit >>>>>> their security to this standard. Because if they do (and I'm pretty sure >>>>>> they do) would make this standard pretty much useless. >>>>>> >>>>>> Anyway, I won't get into this argument, since no one will give a sh*t >>>>>> about it anyway. >>>>>> >>>>>> Cheers. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <[email protected]> wrote: >>>>>> >>>>>>> Christian, >>>>>>> >>>>>>> Did you read my first post? >>>>>>> >>>>>>> ((( IMO, PCI is not that big security policy, but without it your >>>>>>> not able to use the credit card companies gateway. I think its just >>>>>>> the basics that any company dealing with CC must implement. Because it >>>>>>> shall >>>>>>> be nonsense to deal with CC, and not have an Anti-virus for example >>>>>>> !!))) >>>>>>> >>>>>>> I am not stating that PCI is good in no way, but I am saying that its >>>>>>> a MUST for companies dealing with CC. And in a windows environment, an >>>>>>> AV is >>>>>>> important. >>>>>>> >>>>>>> He probably thought that I am with the rules of PCI, or that I don't >>>>>>> have any idea that the world is not just WINDOWS !!! >>>>>>> >>>>>>> Regards, >>>>>>> >>>>>>> ------------------------------ >>>>>>> *From:* Christian Sciberras <[email protected]> >>>>>>> *To:* Shaqe Wan <[email protected]> >>>>>>> *Cc:* [email protected] >>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM >>>>>>> >>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study >>>>>>> Finds >>>>>>> >>>>>>> Why exactly are you complying with Nick's statements? I would have >>>>>>> thought you guys were arguing against said statements? >>>>>>> >>>>>>> >>>>>>> By the way, requirement #6 is particularly funny; it sounds >>>>>>> peculiarly redundant to me... >>>>>>> >>>>>>> Cheers. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <[email protected]> wrote: >>>>>>> >>>>>>>> >>>>>>>> Nick, >>>>>>>> >>>>>>>> Please if you don't know what the standards are, please read: >>>>>>>> >>>>>>>> >>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml >>>>>>>> >>>>>>>> See *Requirement #5*. Read that requirement carefully and its not >>>>>>>> bad to read it twice though in case you don't figure it out from the >>>>>>>> first >>>>>>>> glance ! >>>>>>>> >>>>>>>> Also, I said that using an AV is some basic thing to do in any >>>>>>>> company that wants to deal with CC, its a basic thing for even >>>>>>>> companies not >>>>>>>> dealing with CC too !!! Or do you state that people must use a BOX >>>>>>>> with no >>>>>>>> AV installed on it? If you believe in that fact? Then please request a >>>>>>>> change in the PCI DSS requirements and make them force the usage of a >>>>>>>> non >>>>>>>> Windows O.S, such as any *n?x system. >>>>>>>> >>>>>>>> Finally, the topic here is not about "default allow vs default deny" >>>>>>>> and if I understand what that is or not! You can open a new discussion >>>>>>>> about >>>>>>>> that, and I shall join there and discuss it further with you, in case >>>>>>>> you >>>>>>>> need some clarification regarding it. >>>>>>>> >>>>>>>> Regards, >>>>>>>> Shaqe >>>>>>>> >>>>>>>> >>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <[email protected]>*wrote: >>>>>>>> >>>>>>>> >>>>>>>> From: Nick FitzGerald <[email protected]> >>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study >>>>>>>> Finds >>>>>>>> To: [email protected] >>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM >>>>>>>> >>>>>>>> Shaqe Wan wrote: >>>>>>>> >>>>>>>> <<snip>> >>>>>>>> > Because it shall be nonsense to deal with CC, and not have an >>>>>>>> Anti-virus for example !! >>>>>>>> >>>>>>>> Well, you see, _that_ is abject nonsense on its face. >>>>>>>> >>>>>>>> Do you have any understanding of one of the most basic of security >>>>>>>> issues -- default allow vs. default deny? >>>>>>>> >>>>>>>> There are many more secure ways to run systems _without_ antivirus >>>>>>>> software. >>>>>>>> >>>>>>>> Anyone authoritatively stating that antivirus software is a >>>>>>>> necessary >>>>>>>> component of a "reasonably secure" system is a fool. >>>>>>>> >>>>>>>> Anyone authoritatively stating that antivirus software is a >>>>>>>> necessary >>>>>>>> component of a "sufficiently secure" system is one (or more) of; a >>>>>>>> fool, a person with an unusually low standard of system security, or >>>>>>>> a >>>>>>>> shill for an antivirus producer. >>>>>>>> >>>>>>>> So _if_, as you and another recent poster strongly imply, the PCI >>>>>>>> standards include a specific _requirement_ for antivirus software, >>>>>>>> then >>>>>>>> the standards themselves are total nonsense... >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Regards, >>>>>>>> >>>>>>>> Nick FitzGerald >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> Full-Disclosure - We believe in it. >>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> Full-Disclosure - We believe in it. >>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>> >>>> >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> >> >> -- >> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 >> > > -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
