|
Full Disclosure
mailing list archives
Re: Compliance Is Wasted Money, Study Finds
From: Christian Sciberras <uuf6429 () gmail com>
Date: Mon, 26 Apr 2010 14:54:20 +0200
Why exactly are you complying with Nick's statements? I would have thought
you guys were arguing against said statements?
By the way, requirement #6 is particularly funny; it sounds peculiarly
redundant to me...
Cheers.
On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <sha8e () yahoo com> wrote:
Nick,
Please if you don't know what the standards are, please read:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
See *Requirement #5*. Read that requirement carefully and its not bad to
read it twice though in case you don't figure it out from the first glance !
Also, I said that using an AV is some basic thing to do in any company that
wants to deal with CC, its a basic thing for even companies not dealing with
CC too !!! Or do you state that people must use a BOX with no AV installed
on it? If you believe in that fact? Then please request a change in the PCI
DSS requirements and make them force the usage of a non Windows O.S, such as
any *n?x system.
Finally, the topic here is not about "default allow vs default deny" and if
I understand what that is or not! You can open a new discussion about that,
and I shall join there and discuss it further with you, in case you need
some clarification regarding it.
Regards,
Shaqe
--- On *Sun, 4/25/10, Nick FitzGerald <nick () virus-l demon co uk>* wrote:
From: Nick FitzGerald <nick () virus-l demon co uk>
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
To: full-disclosure () lists grok org uk
Date: Sunday, April 25, 2010, 1:57 PM
Shaqe Wan wrote:
<<snip>>
Because it shall be nonsense to deal with CC, and not have an Anti-virus
for example !!
Well, you see, _that_ is abject nonsense on its face.
Do you have any understanding of one of the most basic of security
issues -- default allow vs. default deny?
There are many more secure ways to run systems _without_ antivirus
software.
Anyone authoritatively stating that antivirus software is a necessary
component of a "reasonably secure" system is a fool.
Anyone authoritatively stating that antivirus software is a necessary
component of a "sufficiently secure" system is one (or more) of; a
fool, a person with an unusually low standard of system security, or a
shill for an antivirus producer.
So _if_, as you and another recent poster strongly imply, the PCI
standards include a specific _requirement_ for antivirus software, then
the standards themselves are total nonsense...
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
Re: Compliance Is Wasted Money, Study Finds Shaqe Wan (Apr 26)
(Thread continues...)
|
