"Haven't had my coffee yet... ;)"

I thought so, that would explain everything. :)

Cheers,

On Tue, Apr 27, 2010 at 6:30 PM, Mike Hale <[email protected]> wrote:

> "The point is, what's PCI aiming at?"
> It's aiming for a basic level of security among companies that process credit cards. Nothing more. You have to remember that PCI didn't come about in a vacuum. It was created to solve a specific problem that the major credit cards faced in regards to the security posture of their processors.
>
> The two alternatives for the Payment Card Industry are:
> 1) The base level of security specified by PCI
> 2) No base level of security, with most companies not implementing any security whatsoever.
>
> PCI does not stop a company from enacting stricter and better security controls. If your internal security is better than what PCI specifies, but you do not meet one of the requirements, you use the compensating control mechanism to justify it.
>
> For the record, I apologize for the 'panties in a bunch' comment. I lost track of who said what, and you did not bring up the AV stuff. Haven't had my coffee yet... ;)
>
> On Tue, Apr 27, 2010 at 8:33 AM, Christian Sciberras <[email protected]> wrote:
>
>> My point isn't about a particular section, nor about the amount of experience I have in PCI DSS compliance (which is next to novice).
>> The point is, what's PCI aiming at?
>> Real security, or just a way companies can excuse their incompetence by citing full PCI compliance?
>> Which reminds me, it wasn't I that brought anti-viruses to the discussion.
>>
>> Cheers.
>>
>> On Tue, Apr 27, 2010 at 5:16 PM, Mike Hale <[email protected]> wrote:
>>
>>> Actually, you're right. You're not the one who said that, I apologize.
>>>
>>> But I maintain that you're arguing over something that you don't understand. You took one section (the anti-virus one) and got your panties in a bunch over a security standard that says you *should* run anti-virus. You completely ignored that PCI allows you to have compensating controls in place for virtually any requirement.
>>>
>>> On Tue, Apr 27, 2010 at 8:07 AM, Christian Sciberras <[email protected]> wrote:
>>>
>>>> based on your own admission
>>>>
>>>> On whose admission? Perhaps you should bother to cite sources next time?
>>>> And, how is quoting me in a different argument "your point"?
>>>>
>>>> On Tue, Apr 27, 2010 at 4:55 PM, Mike Hale <[email protected]> wrote:
>>>>
>>>>> Point is, you're arguing for the sake of arguing, as you have no understanding of what PCI is, based on your own admission.
>>>>>
>>>>> On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras <[email protected]> wrote:
>>>>>
>>>>>> Nice way of reading whatever feels right to you. Perhaps you'd have better read what I wrote a few lines before that?
>>>>>>
>>>>>> On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <[email protected]> wrote:
>>>>>>
>>>>>>> "-they are arguing for the fun of it without any real arguments (why else prove me right on my arguments and later on deny it?)"
>>>>>>>
>>>>>>> So you fall into this category?
>>>>>>>
>>>>>>> On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <[email protected]> wrote:
>>>>>>>
>>>>>>>> In short, you just said that PCI compliance _is_ a waste of time and money.
>>>>>>>>
>>>>>>>> Why else would you protect something which is bound to fail anyway?!
>>>>>>>>
>>>>>>>> This is a lost battle, as I said no one cares about the arguments because these people fall into three categories:
>>>>>>>> -they believe the illusion that PCI by itself enhances security
>>>>>>>> -they do their job and don't give a f*ck about it
>>>>>>>> -they are arguing for the fun of it without any real arguments (why else prove me right on my arguments and later on deny it?)
>>>>>>>>
>>>>>>>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> You won't know, not now, not ever. Maybe they do get a commission for your AV installation, who knows! But maybe they think it is something that everybody needs, so they force it. To get to know the true answer, we need to sit down with the guys who wrote the requirements and brainstorm those issues with them. We shall just keep running around and around in a circle here, because no one here "if no CC company guy is around" can give a definite answer. Just our simple arguments!
>>>>>>>>>
>>>>>>>>> As I said before, I have to use it on a Windows box, because it's a requirement, it's not my opinion at all.
>>>>>>>>>
>>>>>>>>> I 100% agree with you that most of the companies seek the paperwork and get PCI certified and don't really bother about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty in the face, not us :)
>>>>>>>>>
>>>>>>>>> NB: I don't use an AV, never did, and never will :p
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> ------------------------------
>>>>>>>>> *From:* Christian Sciberras <[email protected]>
>>>>>>>>> *To:* Shaqe Wan <[email protected]>
>>>>>>>>> *Cc:* [email protected]
>>>>>>>>> *Sent:* Tue, April 27, 2010 10:37:24 AM
>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>>>
>>>>>>>>> Surely being forced to install an anti-virus only brings in a monopoly? How do I know that PCI Standards writers are getting a nice commission off me installing the anti-virus? (I know they don't, I'm just hypothesizing).
>>>>>>>>>
>>>>>>>>> You stated it yourself, an anti-virus may not make any difference, it is there as per PCI standard.....so what is its use? Why the heck do I have to install something useless?
>>>>>>>>>
>>>>>>>>> Lastly, that is where you are wrong, there is no "base starting point"; companies don't give a shit about proper security measures, they get PCI-certified and all security ends there.
>>>>>>>>> That is the freaken problem.
>>>>>>>>>
>>>>>>>>> NB: I do use anti-virus software, what I specified above is not in any way my opinion about anti-virus vendors, etc.
>>>>>>>>>
>>>>>>>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I don't actually believe there is a "democratic society". No such thing exists. If it does? Then ask the organizations who made the compliance requirements to drop them and make audits based on some other measure that you believe is more secure and has fewer flaws in it. Finally, regarding the AV issue that I wish to end here: "I don't believe that an AV shall make your box secure, but it's a requirement to be done - Added by PCI"
>>>>>>>>>>
>>>>>>>>>> And yes, I have noticed that FD is for such security measures discussion, but never thought of joining it and discussing with others until a couple of days ago when I saw this topic.
>>>>>>>>>>
>>>>>>>>>> Finally, the compliance can be taken as a base starting point, and then moving further; like that it shall not be a waste of money!
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>> ------------------------------
>>>>>>>>>> *From:* Christian Sciberras <[email protected]>
>>>>>>>>>> *To:* Shaqe Wan <[email protected]>
>>>>>>>>>> *Cc:* [email protected]
>>>>>>>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>>>>
>>>>>>>>>> Perhaps you haven't noticed, this is Full-Disclosure, which, at least, is used to discuss security measures.
>>>>>>>>>> As such, it is only natural to argue with PCI's possible security flaws.
>>>>>>>>>>
>>>>>>>>>> Besides, in a democratic society (where CC do operate as well), you can't "force" someone to install an anti-virus just because _you_ think it is secure.
>>>>>>>>>>
>>>>>>>>>> The argument where compliance is wasted money still holds.
>>>>>>>>>>
>>>>>>>>>> Cheers.
>>>>>>>>>>
>>>>>>>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hola,
>>>>>>>>>>>
>>>>>>>>>>> The problem is not whether they are educated against other standards or policies or not, the problem is that without this compliance you can't work with CC!!! It's something that is enforced on you!
>>>>>>>>>>>
>>>>>>>>>>> BTW: why don't people discuss what the points missing in the PCI Compliance are, rather than this argument?
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>> ------------------------------
>>>>>>>>>>> *From:* Christian Sciberras <[email protected]>
>>>>>>>>>>> *To:* Shaqe Wan <[email protected]>
>>>>>>>>>>> *Cc:* [email protected]
>>>>>>>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>>>>>
>>>>>>>>>>> OK.
>>>>>>>>>>>
>>>>>>>>>>> "All those in favour of PCI raise their hands."
>>>>>>>>>>>
>>>>>>>>>>> Kidding aside, of course it is a must, since the said companies don't have any notion of security before this happens.
>>>>>>>>>>> However, how much is this actually helpful? Now let's be honest, how much would it stop a potential attacker from getting into a system "protected" by PCI?
>>>>>>>>>>> Little, if at all.
>>>>>>>>>>>
>>>>>>>>>>> On the other hand, a company should adopt real and complete security practices.
>>>>>>>>>>>
>>>>>>>>>>> Again, my point is, these companies shouldn't be "educated" or limit their security to this standard. Because if they do (and I'm pretty sure they do) it would make this standard pretty much useless.
>>>>>>>>>>>
>>>>>>>>>>> Anyway, I won't get into this argument, since no one will give a sh*t about it anyway.
>>>>>>>>>>>
>>>>>>>>>>> Cheers.
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Christian,
>>>>>>>>>>>>
>>>>>>>>>>>> Did you read my first post?
>>>>>>>>>>>>
>>>>>>>>>>>> ((( IMO, PCI is not that big a security policy, but without it you're not able to use the credit card companies' gateway. I think it's just the basics that any company dealing with CC must implement. Because it shall be nonsense to deal with CC, and not have an Anti-virus for example!! )))
>>>>>>>>>>>>
>>>>>>>>>>>> I am not stating that PCI is good in every way, but I am saying that it's a MUST for companies dealing with CC. And in a Windows environment, an AV is important.
>>>>>>>>>>>>
>>>>>>>>>>>> He probably thought that I am with the rules of PCI, or that I don't have any idea that the world is not just WINDOWS!!!
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------------
>>>>>>>>>>>> *From:* Christian Sciberras <[email protected]>
>>>>>>>>>>>> *To:* Shaqe Wan <[email protected]>
>>>>>>>>>>>> *Cc:* [email protected]
>>>>>>>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>>>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>>>>>>
>>>>>>>>>>>> Why exactly are you complying with Nick's statements? I would have thought you guys were arguing against said statements?
>>>>>>>>>>>>
>>>>>>>>>>>> By the way, requirement #6 is particularly funny; it sounds peculiarly redundant to me...
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers.
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Nick,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Please, if you don't know what the standards are, please read:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>>>>>>>>
>>>>>>>>>>>>> See *Requirement #5*. Read that requirement carefully, and it's not bad to read it twice in case you don't figure it out from the first glance!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Also, I said that using an AV is some basic thing to do in any company that wants to deal with CC; it's a basic thing even for companies not dealing with CC too!!! Or do you state that people must use a BOX with no AV installed on it? If you believe in that fact? Then please request a change in the PCI DSS requirements and make them force the usage of a non-Windows O.S., such as any *n?x system.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Finally, the topic here is not about "default allow vs default deny" and whether I understand what that is or not! You can open a new discussion about that, and I shall join there and discuss it further with you, in case you need some clarification regarding it.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Shaqe
>>>>>>>>>>>>>
>>>>>>>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <[email protected]>* wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: Nick FitzGerald <[email protected]>
>>>>>>>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>>>>>>> To: [email protected]
>>>>>>>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>>>>>>>>
>>>>>>>>>>>>> Shaqe Wan wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> <<snip>>
>>>>>>>>>>>>> > Because it shall be nonsense to deal with CC, and not have an Anti-virus for example !!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Do you have any understanding of one of the most basic of security issues -- default allow vs. default deny?
>>>>>>>>>>>>>
>>>>>>>>>>>>> There are many more secure ways to run systems _without_ antivirus software.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Anyone authoritatively stating that antivirus software is a necessary component of a "reasonably secure" system is a fool.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Anyone authoritatively stating that antivirus software is a necessary component of a "sufficiently secure" system is one (or more) of: a fool, a person with an unusually low standard of system security, or a shill for an antivirus producer.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So _if_, as you and another recent poster strongly imply, the PCI standards include a specific _requirement_ for antivirus software, then the standards themselves are total nonsense...
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Nick FitzGerald
>>>>>>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>>>>>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
