Actually, you're right. You're not the one who said that, I apologize. But I maintain that you're arguing over something that you don't understand. You took one section (the anti-virus one) and got your panties in a bunch over a security standard that says you *should* run anti-virus. You completely ignored that PCI allows you to have compensating controls in place for virtually any requirement.
On Tue, Apr 27, 2010 at 8:07 AM, Christian Sciberras <[email protected]>wrote: > based on your own admission > > On who's admission? Perhaps you should bother to cite sources next time? > And, how is quoting me in a different argument "your point"? > > > > > > > On Tue, Apr 27, 2010 at 4:55 PM, Mike Hale <[email protected]>wrote: > >> Point is, you're arguing for the sake of arguing, as you have no >> understanding what PCI is, based on your own admission. >> >> On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras >> <[email protected]>wrote: >> >>> Nice way of reading whatever feels right to you. Perhaps you'd have >>> better read what I wrote a few lines before that? >>> >>> >>> >>> >>> >>> >>> On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <[email protected]>wrote: >>> >>>> "-they are arguing for the fun of it without any real arguments (why >>>> else prove me right on my arguments and later on deny it?)" >>>> >>>> So you fall into this category? >>>> On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras < >>>> [email protected]> wrote: >>>> >>>>> In short, you just said that PCI compliance _is_ a waste of time and >>>>> money. >>>>> >>>>> Why else would you protect something which is bound to fail anyway?! >>>>> >>>>> This is a lost battle, as I said no one cares about the arguments >>>>> because these people fall into three categories: >>>>> -they believe the illusion that PCI by itself enhances security >>>>> -they do there job and don't give a f*ck about it >>>>> -they are arguing for the fun of it without any real arguments (why >>>>> else prove me right on my arguments and later on deny it?) >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <[email protected]> wrote: >>>>> >>>>>> You won't know not now, not ever. Maybe they do get a commission for >>>>>> your AV installation, who knows ! But maybe they think it is something >>>>>> that >>>>>> everybody needs so the force it. To get to know the true answer, we need >>>>>> to >>>>>> sit down with the guys who wrote the requirements and brainstorm with >>>>>> them >>>>>> those issues. We shall keep just running around and around in a circle >>>>>> here, >>>>>> because no one here "if no CC company guy is around" can give a definite >>>>>> answer. Just our simple argues ! >>>>>> >>>>>> As I said before, I have to use it on a windows box, because its a >>>>>> requirement, its not my opinion at all. >>>>>> >>>>>> I 100% agree with you about most of the companies seek the paper work >>>>>> and get PCI certified and don't really bother about true security >>>>>> measures, >>>>>> but in the end if a breach is discovered they are the ones who shall get >>>>>> the >>>>>> penalty in the face, not us :) >>>>>> >>>>>> NB: I don't use an AV, never did, and never will :p >>>>>> >>>>>> Regards, >>>>>> >>>>>> ------------------------------ >>>>>> *From:* Christian Sciberras <[email protected]> >>>>>> *To:* Shaqe Wan <[email protected]> >>>>>> *Cc:* [email protected] >>>>>> *Sent:* Tue, April 27, 2010 10:37:24 AM >>>>>> >>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study >>>>>> Finds >>>>>> >>>>>> Surely being forced to install an anti-virus only brings in a >>>>>> monopoly? How do I know that PCI Standards writers are getting a nice >>>>>> commission off me installing the anti-virus? (I know they don't, I'm just >>>>>> hypothesizing). >>>>>> >>>>>> You stated it yourself, an anti-virus may not do any difference, it is >>>>>> there as per PCI standard.....so what is it's use? Why the heck do I >>>>>> have to >>>>>> install something useless? >>>>>> >>>>>> Lastly, that is where you are wrong, there is no "base starting point" >>>>>> companies don't give a shit about proper security measures, they get >>>>>> PCI-certified and all security ends there. >>>>>> That is the freaken problem. >>>>>> >>>>>> NB: I do use anti-virus software, what I specified above is not in any >>>>>> way my opinion about anti-virus vendors, etc. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <[email protected]> wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> I don't actually beleive there is a "democratic society". No such >>>>>>> thing exists. If it does? Then ask the organizations who made the >>>>>>> compliance >>>>>>> requirements drop them and make audits based on some other measure that >>>>>>> you >>>>>>> believe is more secure and has less flaws in it. Finally, regarding the >>>>>>> AV >>>>>>> issue that I wish I end here, is that "I don't believe that an AV shall >>>>>>> make >>>>>>> your box secure, but its a requirement to be done - Added by PCI" >>>>>>> >>>>>>> And yes I have noticed that FD is for such security measures >>>>>>> discussion, but never thought of joining it and discussing with others >>>>>>> until >>>>>>> a couple of days ago when I saw this topic. >>>>>>> >>>>>>> Finally, the compliance can be taken of as a base starting point, and >>>>>>> then moving further, like that it shall not be a waste of money ! >>>>>>> >>>>>>> Regards, >>>>>>> >>>>>>> >>>>>>> ------------------------------ >>>>>>> *From:* Christian Sciberras <[email protected]> >>>>>>> *To:* Shaqe Wan <[email protected]> >>>>>>> *Cc:* [email protected] >>>>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM >>>>>>> >>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study >>>>>>> Finds >>>>>>> >>>>>>> Perhaps you haven't noticed, this is Full-Disclosure, which at least, >>>>>>> is used to discuss security measures. >>>>>>> As such, it is only natural to argue with PCI's possible security >>>>>>> flaws. >>>>>>> >>>>>>> Besides, in a democratic society (where CC do operate as well), you >>>>>>> can't "force" someone to install an anti-virus just because _you_ think >>>>>>> it >>>>>>> is secure. >>>>>>> >>>>>>> The argument were compliance is wasted money still holds. >>>>>>> >>>>>>> Cheers. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <[email protected]> wrote: >>>>>>> >>>>>>>> Hola, >>>>>>>> >>>>>>>> The problem is not weather they are educated against other standards >>>>>>>> or policies or not, the problem is that without this compliance you >>>>>>>> can't >>>>>>>> work with CC !!! Its something that is enforced on you ! >>>>>>>> >>>>>>>> BTW: why don't people discuss what is the points missing in the PCI >>>>>>>> Compliance better than this argue ? >>>>>>>> >>>>>>>> Regards, >>>>>>>> >>>>>>>> >>>>>>>> ------------------------------ >>>>>>>> *From:* Christian Sciberras <[email protected]> >>>>>>>> *To:* Shaqe Wan <[email protected]> >>>>>>>> *Cc:* [email protected] >>>>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM >>>>>>>> >>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study >>>>>>>> Finds >>>>>>>> >>>>>>>> OK. >>>>>>>> >>>>>>>> "All those in favour of PCI raises their hands." >>>>>>>> >>>>>>>> Kidding aside, of course it is a must, since the said companies >>>>>>>> doesn't have any notion of security before this happens. >>>>>>>> However, how much is this actually helpful? Now let's be honest, how >>>>>>>> much would it stop a potential attacker from getting into a system >>>>>>>> "protected" by PCI? >>>>>>>> Little, if at all. >>>>>>>> >>>>>>>> On the other hand, a company should adopt real and complete security >>>>>>>> practices. >>>>>>>> >>>>>>>> Again, my point is, these companies shouldn't be "educated" or limit >>>>>>>> their security to this standard. Because if they do (and I'm pretty >>>>>>>> sure >>>>>>>> they do) would make this standard pretty much useless. >>>>>>>> >>>>>>>> Anyway, I won't get into this argument, since no one will give a >>>>>>>> sh*t about it anyway. >>>>>>>> >>>>>>>> Cheers. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <[email protected]> wrote: >>>>>>>> >>>>>>>>> Christian, >>>>>>>>> >>>>>>>>> Did you read my first post? >>>>>>>>> >>>>>>>>> ((( IMO, PCI is not that big security policy, but without it your >>>>>>>>> not able to use the credit card companies gateway. I think its >>>>>>>>> just the basics that any company dealing with CC must implement. >>>>>>>>> Because it >>>>>>>>> shall be nonsense to deal with CC, and not have an Anti-virus for >>>>>>>>> example !!))) >>>>>>>>> >>>>>>>>> I am not stating that PCI is good in no way, but I am saying that >>>>>>>>> its a MUST for companies dealing with CC. And in a windows >>>>>>>>> environment, an >>>>>>>>> AV is important. >>>>>>>>> >>>>>>>>> He probably thought that I am with the rules of PCI, or that I >>>>>>>>> don't have any idea that the world is not just WINDOWS !!! >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> >>>>>>>>> ------------------------------ >>>>>>>>> *From:* Christian Sciberras <[email protected]> >>>>>>>>> *To:* Shaqe Wan <[email protected]> >>>>>>>>> *Cc:* [email protected] >>>>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM >>>>>>>>> >>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study >>>>>>>>> Finds >>>>>>>>> >>>>>>>>> Why exactly are you complying with Nick's statements? I would have >>>>>>>>> thought you guys were arguing against said statements? >>>>>>>>> >>>>>>>>> >>>>>>>>> By the way, requirement #6 is particularly funny; it sounds >>>>>>>>> peculiarly redundant to me... >>>>>>>>> >>>>>>>>> Cheers. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <[email protected]>wrote: >>>>>>>>> >>>>>>>>>> >>>>>>>>>> Nick, >>>>>>>>>> >>>>>>>>>> Please if you don't know what the standards are, please read: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml >>>>>>>>>> >>>>>>>>>> See *Requirement #5*. Read that requirement carefully and its not >>>>>>>>>> bad to read it twice though in case you don't figure it out from the >>>>>>>>>> first >>>>>>>>>> glance ! >>>>>>>>>> >>>>>>>>>> Also, I said that using an AV is some basic thing to do in any >>>>>>>>>> company that wants to deal with CC, its a basic thing for even >>>>>>>>>> companies not >>>>>>>>>> dealing with CC too !!! Or do you state that people must use a BOX >>>>>>>>>> with no >>>>>>>>>> AV installed on it? If you believe in that fact? Then please request >>>>>>>>>> a >>>>>>>>>> change in the PCI DSS requirements and make them force the usage of >>>>>>>>>> a non >>>>>>>>>> Windows O.S, such as any *n?x system. >>>>>>>>>> >>>>>>>>>> Finally, the topic here is not about "default allow vs default >>>>>>>>>> deny" and if I understand what that is or not! You can open a new >>>>>>>>>> discussion >>>>>>>>>> about that, and I shall join there and discuss it further with you, >>>>>>>>>> in case >>>>>>>>>> you need some clarification regarding it. >>>>>>>>>> >>>>>>>>>> Regards, >>>>>>>>>> Shaqe >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald >>>>>>>>>> <[email protected]>*wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> From: Nick FitzGerald <[email protected]> >>>>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study >>>>>>>>>> Finds >>>>>>>>>> To: [email protected] >>>>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM >>>>>>>>>> >>>>>>>>>> Shaqe Wan wrote: >>>>>>>>>> >>>>>>>>>> <<snip>> >>>>>>>>>> > Because it shall be nonsense to deal with CC, and not have an >>>>>>>>>> Anti-virus for example !! >>>>>>>>>> >>>>>>>>>> Well, you see, _that_ is abject nonsense on its face. >>>>>>>>>> >>>>>>>>>> Do you have any understanding of one of the most basic of security >>>>>>>>>> >>>>>>>>>> issues -- default allow vs. default deny? >>>>>>>>>> >>>>>>>>>> There are many more secure ways to run systems _without_ antivirus >>>>>>>>>> >>>>>>>>>> software. >>>>>>>>>> >>>>>>>>>> Anyone authoritatively stating that antivirus software is a >>>>>>>>>> necessary >>>>>>>>>> component of a "reasonably secure" system is a fool. >>>>>>>>>> >>>>>>>>>> Anyone authoritatively stating that antivirus software is a >>>>>>>>>> necessary >>>>>>>>>> component of a "sufficiently secure" system is one (or more) of; a >>>>>>>>>> >>>>>>>>>> fool, a person with an unusually low standard of system security, >>>>>>>>>> or a >>>>>>>>>> shill for an antivirus producer. >>>>>>>>>> >>>>>>>>>> So _if_, as you and another recent poster strongly imply, the PCI >>>>>>>>>> standards include a specific _requirement_ for antivirus software, >>>>>>>>>> then >>>>>>>>>> the standards themselves are total nonsense... >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Regards, >>>>>>>>>> >>>>>>>>>> Nick FitzGerald >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> Full-Disclosure - We believe in it. >>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> Full-Disclosure - We believe in it. >>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>> >>>>> _______________________________________________ >>>>> Full-Disclosure - We believe in it. >>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>> >>>> >>>> >>>> >>>> -- >>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 >>>> >>> >>> >> >> >> -- >> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 >> > > -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
