Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- To: Christian Sciberras <uuf6429@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- From: Shaqe Wan <sha8e@xxxxxxxxx>
- Date: Tue, 27 Apr 2010 01:52:18 -0700 (PDT)
Christian,
I said "most", not all :)
And yes, for me, I don't give a f*ck about it, as long as there is no one who
hears you. Do I have to jump from a tower so they see what I am stating?
Cheers
________________________________
From: Christian Sciberras <uuf6429@xxxxxxxxx>
To: Shaqe Wan <sha8e@xxxxxxxxx>
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Sent: Tue, April 27, 2010 11:34:22 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
"Where did I say that it's a waste of time and money?"
Here you go:
"I 100% agree with you that most of the companies seek the paperwork and get
PCI certified and don't really bother about true security measures, but in the
end, if a breach is discovered, they are the ones who shall get the penalty in
the face, not us :)"
"BTW: I argued a lot with my managers about the PCI stuff, but no one
gives you an ear, so let me be categorized in category #2 of yours :D"
Then I'm afraid this argument ends here.
Cheers.
On Tue, Apr 27, 2010 at 10:28 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
>Where did I say that it's a waste of time and money?
>
>Hmmm, strange!!!
>
>BTW: I argued a lot with my managers about the PCI stuff, but no one gives you
>an ear, so let me be categorized in category #2 of yours :D
>
>________________________________
>From: Christian Sciberras <uuf6429@xxxxxxxxx>
>To: Shaqe Wan <sha8e@xxxxxxxxx>
>Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>Sent: Tue, April 27, 2010 11:22:59 AM
>Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>
>In short, you just said that PCI compliance _is_ a waste of time and money.
>
>Why else would you protect something which is bound to fail anyway?!
>
>This is a lost battle; as I said, no one cares about the arguments because
>these people fall into three categories:
>
>-they believe the illusion that PCI by itself enhances security
>-they do their job and don't give a f*ck about it
>-they are arguing for the fun of it without any real arguments (why else prove
>me right on my arguments and later on deny it?)
>
>On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
>
>>You won't know, not now, not ever. Maybe they do get a commission for your AV
>>installation, who knows! But maybe they think it is something that everybody
>>needs, so they force it. To get to know the true answer, we need to sit down
>>with the guys who wrote the requirements and brainstorm those issues with
>>them. We shall just keep running around and around in a circle here,
>>because no one here (if no CC company guy is around) can give a definite
>>answer. Just our simple arguments!
>>
>>As I said before, I have to use it on a Windows box, because it's a
>>requirement; it's not my opinion at all.
>>
>>I 100% agree with you that most of the companies seek the paperwork and get
>>PCI certified and don't really bother about true security measures, but in
>>the end, if a breach is discovered, they are the ones who shall get the
>>penalty in the face, not us :)
>>
>>NB: I don't use an AV, never did, and never will :p
>>
>>Regards,
>>
>>________________________________
>>From: Christian Sciberras <uuf6429@xxxxxxxxx>
>>To: Shaqe Wan <sha8e@xxxxxxxxx>
>>Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>Sent: Tue, April 27, 2010 10:37:24 AM
>>Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>
>>>>Surely being forced to install an anti-virus only brings in a monopoly? How
>>>>do I know that PCI Standards writers are getting a nice commission off me
>>>>installing the anti-virus? (I know they don't, I'm just hypothesizing).
>>
>>You stated it yourself, an anti-virus may not make any difference; it is there
>>as per PCI standard.....so what is its use? Why the heck do I have to
>>install something useless?
>>
>>Lastly, that is where you are wrong: there is no "base starting point".
>>Companies don't give a shit about proper security measures; they get
>>PCI-certified and all security ends there.
>>
>>That is the freaking problem.
>>
>>NB: I do use anti-virus software; what I specified above is not in any way my
>>opinion about anti-virus vendors, etc.
>>
>>On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
>>
>>>Hi,
>>>
>>>I don't actually believe there is a "democratic society". No such thing
>>>exists. If it does, then ask the organizations who made the compliance
>>>requirements to drop them and make audits based on some other measure that
>>>you believe is more secure and has fewer flaws in it. Finally, regarding the
>>>AV issue, which I wish to end here: "I don't believe that an AV shall make
>>>your box secure, but it's a requirement to be done - Added by PCI"
>>>
>>>And yes, I have noticed that FD is for such security measures discussions,
>>>but I never thought of joining it and discussing with others until a couple
>>>of days ago when I saw this topic.
>>>
>>>Finally, compliance can be taken as a base starting point, and then moving
>>>further; like that it shall not be a waste of money!
>>>
>>>Regards,
>>>
>>>________________________________
>>>From: Christian Sciberras <uuf6429@xxxxxxxxx>
>>>To: Shaqe Wan <sha8e@xxxxxxxxx>
>>>Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>>Sent: Tue, April 27, 2010 9:59:59 AM
>>>Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>
>>>Perhaps you haven't noticed, this is Full-Disclosure, which, at least, is
>>>used to discuss security measures.
>>>As such, it is only natural to argue about PCI's possible security flaws.
>>>
>>>Besides, in a democratic society (where CC do operate as well), you can't
>>>"force" someone to install an anti-virus just because _you_ think it is
>>>secure.
>>>
>>>The argument that compliance is wasted money still holds.
>>>
>>>Cheers.
>>>
>>>On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
>>>
>>>>Hola,
>>>>
>>>>The problem is not whether they are educated against other standards or
>>>>policies or not; the problem is that without this compliance you can't work
>>>>with CC!!! It's something that is enforced on you!
>>>>
>>>>BTW: why don't people discuss what points are missing in the PCI
>>>>Compliance rather than this argument?
>>>>
>>>>Regards,
>>>>
>>>>________________________________
>>>>From: Christian Sciberras <uuf6429@xxxxxxxxx>
>>>>To: Shaqe Wan <sha8e@xxxxxxxxx>
>>>>Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>Sent: Mon, April 26, 2010 4:19:27 PM
>>>>Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>
>>>>OK.
>>>>
>>>>"All those in favour of PCI raise their hands."
>>>>
>>>>Kidding aside, of course it is a must, since the said companies don't
>>>>have any notion of security before this happens.
>>>>However, how much is this actually helpful? Now let's be honest, how much
>>>>would it stop a potential attacker from getting into a system "protected"
>>>>by PCI?
>>>>
>>>>Little, if at all.
>>>>
>>>>On the other hand, a company should adopt real and complete security
>>>>practices.
>>>>
>>>>Again, my point is, these companies shouldn't be "educated" or limit their
>>>>security to this standard. Because if they do (and I'm pretty sure they do),
>>>>it would make this standard pretty much useless.
>>>>
>>>>Anyway, I won't get into this argument, since no one will give a sh*t about
>>>>it anyway.
>>>>
>>>>Cheers.
>>>>
>>>>On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
>>>>
>>>>>Christian,
>>>>>
>>>>>Did you read my first post?
>>>>>
>>>>>((( IMO, PCI is not that big a security policy, but without it you're not
>>>>>able to use the credit card companies' gateway. I think it's just the basics
>>>>>that any company dealing with CC must implement. Because it shall be
>>>>>nonsense to deal with CC and not have an anti-virus, for example!! )))
>>>>>
>>>>>I am not stating that PCI is in no way good, but I am saying that it's a
>>>>>MUST for companies dealing with CC. And in a Windows environment, an AV is
>>>>>important.
>>>>>
>>>>>He probably thought that I am with the rules of PCI, or that I don't have
>>>>>any idea that the world is not just WINDOWS!!!
>>>>>
>>>>>Regards,
>>>>>
>>>>>________________________________
>>>>>From: Christian Sciberras <uuf6429@xxxxxxxxx>
>>>>>To: Shaqe Wan <sha8e@xxxxxxxxx>
>>>>>Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>Sent: Mon, April 26, 2010 3:54:20 PM
>>>>>Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>
>>>>>Why exactly are you complying with Nick's statements? I would have
>>>>>thought you guys were arguing against said statements?
>>>>>
>>>>>By the way, requirement #6 is particularly funny; it sounds peculiarly
>>>>>redundant to me...
>>>>>
>>>>>Cheers.
>>>>>
>>>>>On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
>>>>>
>>>>>>Nick,
>>>>>>
>>>>>>Please, if you don't know what the standards are, read:
>>>>>>
>>>>>>https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>
>>>>>>See Requirement #5. Read that requirement carefully, and it's not bad to
>>>>>>read it twice, in case you don't figure it out at first glance!
>>>>>>
>>>>>>Also, I said that using an AV is some basic thing to do in any company
>>>>>>that wants to deal with CC; it's a basic thing even for companies not
>>>>>>dealing with CC too!!! Or do you state that people must use a BOX with no
>>>>>>AV installed on it? If you believe that, then please request a change in
>>>>>>the PCI DSS requirements and make them force the usage of a non-Windows OS,
>>>>>>such as any *n?x system.
>>>>>>
>>>>>>Finally, the topic here is not about "default allow vs default deny" and
>>>>>>whether I understand what that is or not! You can open a new discussion
>>>>>>about that, and I shall join there and discuss it further with you, in case
>>>>>>you need some clarification regarding it.
>>>>>>
>>>>>>Regards,
>>>>>>Shaqe
>>>>>>
>>>>>>--- On Sun, 4/25/10, Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx> wrote:
>>>>>>
>>>>>>>From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
>>>>>>>Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>>>>To: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>>>Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>>
>>>>>>>Shaqe Wan wrote:
>>>>>>>
>>>>>>><<snip>>
>>>>>>>> Because it shall be nonsense to deal with CC, and not have an
>>>>>>>> Anti-virus for example!!
>>>>>>>
>>>>>>>Well, you see, _that_ is abject nonsense on its face.
>>>>>>>
>>>>>>>Do you have any understanding of one of the most basic of security
>>>>>>>issues -- default allow vs. default deny?
>>>>>>>
>>>>>>>There are many more secure ways to run systems _without_ antivirus
>>>>>>>software.
>>>>>>>
>>>>>>>Anyone authoritatively stating that antivirus software is a necessary
>>>>>>>component of a "reasonably secure" system is a fool.
>>>>>>>
>>>>>>>Anyone authoritatively stating that antivirus software is a necessary
>>>>>>>component of a "sufficiently secure" system is one (or more) of: a
>>>>>>>fool, a person with an unusually low standard of system security, or a
>>>>>>>shill for an antivirus producer.
>>>>>>>
>>>>>>>So _if_, as you and another recent poster strongly imply, the PCI
>>>>>>>standards include a specific _requirement_ for antivirus software, then
>>>>>>>the standards themselves are total nonsense...
>>>>>>>
>>>>>>>Regards,
>>>>>>>
>>>>>>>Nick FitzGerald
>>>>>>>
>>>>>>>_______________________________________________
>>>>>>>Full-Disclosure - We believe in it.
>>>>>>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>Hosted and sponsored by Secunia - http://secunia.com/