Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- To: Christian Sciberras <uuf6429@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- From: Mike Hale <eyeronic.design@xxxxxxxxx>
- Date: Tue, 27 Apr 2010 07:55:19 -0700
Point is, you're arguing for the sake of arguing, as you have no
understanding of what PCI is, based on your own admission.
On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras <uuf6429@xxxxxxxxx> wrote:
> Nice way of reading whatever feels right to you. Perhaps you'd have better
> read what I wrote a few lines before that?
>
> On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale <eyeronic.design@xxxxxxxxx> wrote:
>
>> "-they are arguing for the fun of it without any real arguments (why
>> else prove me right on my arguments and later on deny it?)"
>>
>> So you fall into this category?
>> On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <uuf6429@xxxxxxxxx> wrote:
>>
>>> In short, you just said that PCI compliance _is_ a waste of time and
>>> money.
>>>
>>> Why else would you protect something which is bound to fail anyway?!
>>>
>>> This is a lost battle, as I said no one cares about the arguments because
>>> these people fall into three categories:
>>> -they believe the illusion that PCI by itself enhances security
>>> -they do their job and don't give a f*ck about it
>>> -they are arguing for the fun of it without any real arguments (why else
>>> prove me right on my arguments and later on deny it?)
>>>
>>> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
>>>
>>>> You won't know, not now, not ever. Maybe they do get a commission for
>>>> your AV installation, who knows! But maybe they think it is something that
>>>> everybody needs, so they force it. To get to know the true answer, we need to
>>>> sit down with the guys who wrote the requirements and brainstorm those
>>>> issues with them. We shall keep running around and around in a circle here,
>>>> because no one here "if no CC company guy is around" can give a definite
>>>> answer. Just our simple arguments!
>>>>
>>>> As I said before, I have to use it on a Windows box, because it's a
>>>> requirement; it's not my opinion at all.
>>>>
>>>> I 100% agree with you that most of the companies seek the paperwork
>>>> and get PCI certified and don't really bother about true security measures,
>>>> but in the end if a breach is discovered they are the ones who shall get the
>>>> penalty in the face, not us :)
>>>>
>>>> NB: I don't use an AV, never did, and never will :p
>>>>
>>>> Regards,
>>>>
>>>> ------------------------------
>>>> *From:* Christian Sciberras <uuf6429@xxxxxxxxx>
>>>> *To:* Shaqe Wan <sha8e@xxxxxxxxx>
>>>> *Cc:* full-disclosure@xxxxxxxxxxxxxxxxx
>>>> *Sent:* Tue, April 27, 2010 10:37:24 AM
>>>>
>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>> Finds
>>>>
>>>> Surely being forced to install an anti-virus only brings in a monopoly?
>>>> How do I know that PCI Standards writers are getting a nice commission off
>>>> me installing the anti-virus? (I know they don't, I'm just hypothesizing).
>>>>
>>>> You stated it yourself, an anti-virus may not make any difference, it is
>>>> there as per PCI standard.....so what is its use? Why the heck do I have to
>>>> install something useless?
>>>>
>>>> Lastly, that is where you are wrong, there is no "base starting point";
>>>> companies don't give a shit about proper security measures, they get
>>>> PCI-certified and all security ends there.
>>>> That is the freaking problem.
>>>>
>>>> NB: I do use anti-virus software, what I specified above is not in any
>>>> way my opinion about anti-virus vendors, etc.
>>>>
>>>>
>>>> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I don't actually believe there is a "democratic society". No such thing
>>>>> exists. If it does? Then ask the organizations who made the compliance
>>>>> requirements to drop them and make audits based on some other measure that you
>>>>> believe is more secure and has fewer flaws in it. Finally, regarding the AV
>>>>> issue, which I wish to end here, it is that "I don't believe that an AV shall make
>>>>> your box secure, but it's a requirement to be done - Added by PCI"
>>>>>
>>>>> And yes, I have noticed that FD is for such security measures
>>>>> discussion, but never thought of joining it and discussing with others until
>>>>> a couple of days ago when I saw this topic.
>>>>>
>>>>> Finally, the compliance can be taken as a base starting point, and
>>>>> then moving further; like that it shall not be a waste of money!
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>> ------------------------------
>>>>> *From:* Christian Sciberras <uuf6429@xxxxxxxxx>
>>>>> *To:* Shaqe Wan <sha8e@xxxxxxxxx>
>>>>> *Cc:* full-disclosure@xxxxxxxxxxxxxxxxx
>>>>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>>>>
>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>> Finds
>>>>>
>>>>> Perhaps you haven't noticed, this is Full-Disclosure, which at least
>>>>> is used to discuss security measures.
>>>>> As such, it is only natural to argue about PCI's possible security
>>>>> flaws.
>>>>>
>>>>> Besides, in a democratic society (where CC do operate as well), you
>>>>> can't "force" someone to install an anti-virus just because _you_ think it
>>>>> is secure.
>>>>>
>>>>> The argument that compliance is wasted money still holds.
>>>>>
>>>>> Cheers.
>>>>>
>>>>>
>>>>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
>>>>>
>>>>>> Hola,
>>>>>>
>>>>>> The problem is not whether they are educated against other standards
>>>>>> or policies or not, the problem is that without this compliance you can't
>>>>>> work with CC!!! It's something that is enforced on you!
>>>>>>
>>>>>> BTW: why don't people discuss what points are missing in the PCI
>>>>>> Compliance rather than this argument?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>>
>>>>>> ------------------------------
>>>>>> *From:* Christian Sciberras <uuf6429@xxxxxxxxx>
>>>>>> *To:* Shaqe Wan <sha8e@xxxxxxxxx>
>>>>>> *Cc:* full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>>>>
>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>> Finds
>>>>>>
>>>>>> OK.
>>>>>>
>>>>>> "All those in favour of PCI raise their hands."
>>>>>>
>>>>>> Kidding aside, of course it is a must, since the said companies
>>>>>> don't have any notion of security before this happens.
>>>>>> However, how much is this actually helpful? Now let's be honest, how
>>>>>> much would it stop a potential attacker from getting into a system
>>>>>> "protected" by PCI?
>>>>>> Little, if at all.
>>>>>>
>>>>>> On the other hand, a company should adopt real and complete security
>>>>>> practices.
>>>>>>
>>>>>> Again, my point is, these companies shouldn't be "educated" or limit
>>>>>> their security to this standard. Because if they do (and I'm pretty sure
>>>>>> they do) it would make this standard pretty much useless.
>>>>>>
>>>>>> Anyway, I won't get into this argument, since no one will give a sh*t
>>>>>> about it anyway.
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>>
>>>>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
>>>>>>
>>>>>>> Christian,
>>>>>>>
>>>>>>> Did you read my first post?
>>>>>>>
>>>>>>> ((( IMO, PCI is not that big a security policy, but without it you're
>>>>>>> not able to use the credit card companies' gateway. I think it's just
>>>>>>> the basics that any company dealing with CC must implement. Because it shall
>>>>>>> be nonsense to deal with CC, and not have an Anti-virus for example
>>>>>>> !!)))
>>>>>>>
>>>>>>> I am not stating that PCI is good in no way, but I am saying that it's
>>>>>>> a MUST for companies dealing with CC. And in a Windows environment, an AV is
>>>>>>> important.
>>>>>>>
>>>>>>> He probably thought that I am with the rules of PCI, or that I don't
>>>>>>> have any idea that the world is not just WINDOWS !!!
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> ------------------------------
>>>>>>> *From:* Christian Sciberras <uuf6429@xxxxxxxxx>
>>>>>>> *To:* Shaqe Wan <sha8e@xxxxxxxxx>
>>>>>>> *Cc:* full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>>>>
>>>>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>> Finds
>>>>>>>
>>>>>>> Why exactly are you complying with Nick's statements? I would have
>>>>>>> thought you guys were arguing against said statements?
>>>>>>>
>>>>>>>
>>>>>>> By the way, requirement #6 is particularly funny; it sounds
>>>>>>> peculiarly redundant to me...
>>>>>>>
>>>>>>> Cheers.
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> Nick,
>>>>>>>>
>>>>>>>> Please if you don't know what the standards are, please read:
>>>>>>>>
>>>>>>>>
>>>>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>>>>
>>>>>>>> See *Requirement #5*. Read that requirement carefully, and it's not
>>>>>>>> bad to read it twice though, in case you don't figure it out from the first
>>>>>>>> glance!
>>>>>>>>
>>>>>>>> Also, I said that using an AV is some basic thing to do in any
>>>>>>>> company that wants to deal with CC; it's a basic thing for even companies not
>>>>>>>> dealing with CC too!!! Or do you state that people must use a BOX with no
>>>>>>>> AV installed on it? If you believe in that fact? Then please request a
>>>>>>>> change in the PCI DSS requirements and make them force the usage of a
>>>>>>>> non-Windows O.S., such as any *n?x system.
>>>>>>>>
>>>>>>>> Finally, the topic here is not about "default allow vs default deny"
>>>>>>>> and if I understand what that is or not! You can open a new discussion about
>>>>>>>> that, and I shall join there and discuss it further with you, in case you
>>>>>>>> need some clarification regarding it.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Shaqe
>>>>>>>>
>>>>>>>>
>>>>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>* wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
>>>>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study
>>>>>>>> Finds
>>>>>>>> To: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>>>>
>>>>>>>> Shaqe Wan wrote:
>>>>>>>>
>>>>>>>> <<snip>>
>>>>>>>> > Because it shall be nonsense to deal with CC, and not have an
>>>>>>>> Anti-virus for example !!
>>>>>>>>
>>>>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>>>>
>>>>>>>> Do you have any understanding of one of the most basic of security
>>>>>>>> issues -- default allow vs. default deny?
>>>>>>>>
>>>>>>>> There are many more secure ways to run systems _without_ antivirus
>>>>>>>> software.
>>>>>>>>
>>>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>>>> component of a "reasonably secure" system is a fool.
>>>>>>>>
>>>>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>>>>> component of a "sufficiently secure" system is one (or more) of; a
>>>>>>>> fool, a person with an unusually low standard of system security, or a
>>>>>>>> shill for an antivirus producer.
>>>>>>>>
>>>>>>>> So _if_, as you and another recent poster strongly imply, the PCI
>>>>>>>> standards include a specific _requirement_ for antivirus software, then
>>>>>>>> the standards themselves are total nonsense...
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Nick FitzGerald
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>> --
>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0