funsec mailing list archives
Re: The PCI sky *isn't* falling!
From: Drsolly <drsollyp () drsolly com>
Date: Tue, 24 Mar 2009 02:27:34 +0000 (GMT)
On Mon, 23 Mar 2009, Alex Eckelberry wrote:
I agree, PCI is a stupid, idiotic standard but it does force some basic best practices.
But it doesn't. A) you can choose which level of security you want to be under, and at least some banks are happy if you choose the lowest, even if it's plainly wrong. At the lowest level of security, you're required to do bugger-all. B) you get compliant by self-certification, and if you decide that any of the requirements are not applicable, you can avoid them. C) you choose which of your IP addresses are tested by the outside auto-tester.
But to think it's a fix is "whistling past the graveyard".

Alex

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Anton Chuvakin
Sent: Monday, March 23, 2009 8:01 PM
To: funsec () linuxbox org
Subject: Re: [funsec] The PCI sky *isn't* falling!

same answer: "I don't participate in security theater." I think this

First, I am amazed how people so intelligent can hold opinions so shortsighted :-) I'd say that PCI DSS did more for information security than *anything else* since Windows added automated updates. Now, I've said it :-)

But if you are looking for a proof of this, it is actually elsewhere: that mentioned "security theater" actually made people who were COMPLETELY ignoring security look at security - and then screw it up. And you know what? I think such motion from total ignorance to doing "a piss-poor job" of security represents huge progress for such, mostly small, organizations.

Now, some might say that my argument is of the type "Why do 99% of lawyers give the rest a bad name?", but it is not. I am pretty sure that even companies that "do it just for the auditor" or, worse, deceive their PCI assessor still gain a tiny fraction of risk reduction, both for themselves - and for the rest of us.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- The PCI sky *isn't* falling! Rob, grandpa of Ryan, Trevor, Devon & Hannah (Mar 23)
- Re: The PCI sky *isn't* falling! Todd Parker (Mar 23)
- Re: The PCI sky *isn't* falling! Jon Kibler (Mar 23)
- Re: The PCI sky *isn't* falling! Jon Kibler (Mar 23)
- Re: The PCI sky *isn't* falling! Anton Chuvakin (Mar 23)
- Re: The PCI sky *isn't* falling! Alex Eckelberry (Mar 23)
- Re: The PCI sky *isn't* falling! Drsolly (Mar 23)
- Re: The PCI sky *isn't* falling! security curmudgeon (Mar 23)
- Re: The PCI sky *isn't* falling! Anton Chuvakin (Mar 23)
- Re: The PCI sky *isn't* falling! Amrit Williams (Mar 23)
- Re: The PCI sky *isn't* falling! Paul Ferguson (Mar 23)
- Re: The PCI sky *isn't* falling! Anton Chuvakin (Mar 23)
- Re: The PCI sky *isn't* falling! security curmudgeon (Mar 23)
- Re: The PCI sky *isn't* falling! Drsolly (Mar 24)
- Re: The PCI sky *isn't* falling! Anton Chuvakin (Mar 24)
- Re: The PCI sky *isn't* falling! Todd Parker (Mar 23)
- Re: The PCI sky *isn't* falling! Justin D. Scott (Mar 23)
- Re: The PCI sky *isn't* falling! Drsolly (Mar 24)
- Re: The PCI sky *isn't* falling! Justin Scott (Mar 24)