An important lesson from childhood, sharing, could help keep you out of
jail.
According to the following (dated) Wired article,
http://www.wired.com/threatlevel/2009/12/stephen-watt/ Stephen Watt got
screwed because he supplied his friend with a software tool he wrote and his
friend used it to com
Discovered a security flaw in a production system you had no authority or
permission to audit? Afraid to disclose the information for fear of
prosecution? Don't stress too much, you have some protection if you redefine
yourself as a "vulnerability journalist"
According to a recent Wired article on
On Tuesday, April 27, 2010 13:37:39 -0700 J Roger wrote:
>
> Is PCI Compliance a giant bluff from VISA? Have any large companies ever been
> forced to stop processing CCs because they failed to be PCI compliant?
>
They don't force you to stop processing. They fine you. VISA assessed $3.3
mi
>
> If a business wants to accept credit cards as a means of payment (based on
> volume) then part of their agreement is that they must undergo compliance to
> a standard implemented by the industry
>
PCI (Payment Card Industry) compliance is what people HAVE to do, as in
FORCED to do whether t
On Tue, 27 Apr 2010 13:48:11 EDT, Michael Holstein said:
> You've already stated in a prior email that you have no involvement with
> PCI implementation on either side of the fence ("hell no", was your
> answer, I believe) .. so I don't see where you're really qualified to
> make a categorical sta
You need admin privileges for it. It's not a vulnerability, it's a
feature.
-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Justin
C. Klein Keane
Sent: Tuesday, April 27, 2010 3:07 PM
To: full-disclosure@lis
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello,
I did not apply for a CVE identifier because there are folks who would
argue that the conditions described below do not qualify as a
"vulnerability." I must confess I'm ignorant of the CVE guidelines
surrounding such a situation. Any furthe
I wanted to share a neat little trick I discovered while playing with
gcc's FORTIFY_SOURCE feature. For those who don't know, this feature
attempts to prevent exploitation of a subset of buffer overflows by
inserting a set of checks at compile-time, including stack canaries
for some functions. It
> My point isn't about a particular section, nor whether the amount of
> experience I have in PCI DSS compliance (which is next to novice).
>
So we can agree that you're arguing about something with which you have
no experience?
> The point is, what's PCI aiming at?
>
It's on the first su
> Besides, in a democratic society (where CC do operate as well), you can't
> "force" someone to install an anti-virus just because _you_ think it is
> secure.
>
>
This isn't a democracy .. it's a business.
You want to process credit cards in-house, you need to comply with the
PCI standards.
Haven't had my coffee yet... ;)
I thought so, that would explain everything. :)
Cheers,
On Tue, Apr 27, 2010 at 6:30 PM, Mike Hale wrote:
> "The point is, what's PCI aiming at?"
> It's aiming for a basic level of security among companies that process
> credit cards. Nothing more. You have t
On Tue, 27 Apr 2010 12:07:17 -0400 "Justin C. Klein Keane" wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Description of Vulnerability:
> - -
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL. The Drupal
"The point is, what's PCI aiming at?"
It's aiming for a basic level of security among companies that process
credit cards. Nothing more. You have to remember that PCI didn't come
about in a vacuum. It was created to solve a specific problem that the
major credit cards faced in regards to the sec
Actually, you're right. You're not the one who said that, I apologize.
But I maintain that you're arguing over something that you don't
understand. You took one section (the anti-virus one) and got your panties
in a bunch over a security standard that says you *should* run anti-virus.
You comple
Point is, you're arguing for the sake of arguing, as you have no
understanding what PCI is, based on your own admission.
On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras wrote:
> Nice way of reading whatever feels right to you. Perhaps you'd have better
> read what I wrote a few lines before
"-they are arguing for the fun of it without any real arguments (why else
prove me right on my arguments and later on deny it?)"
So you fall into this category?
On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras wrote:
> In short, you just said that PCI compliance _is_ a waste of time and money
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Description of Vulnerability:
- -
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL. The Drupal Better Formats module
(http://drupal.org/project/better_formats) contains a cross
My point isn't about a particular section, nor whether the amount of
experience I have in PCI DSS compliance (which is next to novice).
The point is, what's PCI aiming at?
Real security, or just a way companies can excuse their incompetence by
citing full PCI compliance?
Which reminds me, it wasn't
based on your own admission
On whose admission? Perhaps you should bother to cite sources next time?
And, how is quoting me in a different argument "your point"?
On Tue, Apr 27, 2010 at 4:55 PM, Mike Hale wrote:
> Point is, you're arguing for the sake of arguing, as you have no
> understandi
Nice way of reading whatever feels right to you. Perhaps you'd have better
read what I wrote a few lines before that?
On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale wrote:
> "-they are arguing for the fun of it without any real arguments (why else
> prove me right on my arguments and later on den
Has everyone on this list read the PCI DSS requirements?
They are freely available, at www.pcisecuritystandards.org.
Were you even following the thread? There's been at least 4 times where
different people cited different parts of the standard.
But I would suppose that there's always the possibilit
Christian,
I said "most" not all :)
And yes for me I don't give the f*ck about it, as long as there is no one that
hears you. Do I have to jump from a tower so they see what I am stating?
Cheers
From: Christian Sciberras
To: Shaqe Wan
Cc: full-disclosure
Where did I say that it's a waste of time and money?
Hmmm, strange !!!
BTW: I argued a lot with my managers about the PCI stuff, but no one gives you
an ear, so let me be categorized in category #2 of yours :D
From: Christian Sciberras
To: Shaqe Wan
Cc: full
> What's your choice:
> Company A installs an anti-virus and updates it regularly (BTW regularly
> includes once a year).
> Company B has a recovery concept, incident response team, vulnerability
> monitoring, patch management, NIDS, security training but no anti-virus.
You do realize that PCI sa
FYI,
The Evolution of PCI DSS
http://www.net-security.org/secworld.php?id=9202
Guys, they are evolving, so be calm :)
From: Christian Sciberras
To: Shaqe Wan
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 11:34:22 AM
Subject: Re: [Full-dis
You won't know, not now, not ever. Maybe they do get a commission for your AV
installation, who knows! But maybe they think it is something that everybody
needs so they force it. To get to know the true answer, we need to sit down with
the guys who wrote the requirements and brainstorm with them
Hi,
I don't actually believe there is a "democratic society". No such thing exists.
If it does? Then ask the organizations who made the compliance requirements
drop them and make audits based on some other measure that you believe is more
secure and has less flaws in it. Finally, regarding the
Great survey enjoyed filling it :)
With you good luck.
Regards,
From: Henri Doreau
To: Full disclosure
Sent: Tue, April 27, 2010 9:32:00 AM
Subject: [Full-disclosure] 2010 Nmap/SecTools.org survey
Hello FD,
the Nmap project is currently conducting a survey
Yep, you're right. The auditors nowadays even ask for an AV on a *n?x OS (what a
shame)!!!
From: Digital X
To: Tracy Reed ; Nick FitzGerald
Cc: Full-disclosure
Sent: Mon, April 26, 2010 3:48:05 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Stu
Michel,
Sorry, I didn't understand your first question!
Regarding your 2nd question. You won't get compliant if you update your AV on an
annual basis. You shall fail the quarterly check done by the QSA(s). So first
check is not available. For me if the company's staff is well educated and a we
h
Pieter,
I somehow agree with you that using an AV is not
always necessary if you have implemented a good protection for your
environment, but I mean in my previous comments that using an AV is a
requirement of PCI, it is forced on us. If you deal with CC then you
need to get compliant and that mea
Hola,
The problem is not whether they are educated against other standards or
policies or not, the problem is that without this compliance you can't work
with CC!!! It's something that is enforced on you!
BTW: why don't people discuss what is the points missing in the PCI Compliance
better th
Pieter,
I somehow agree with you that using an AV is not always necessary if you have
implemented a good protection for your environment, but I mean in my previous
comments that using an AV is a requirement of PCI, it is forced on us. If you
deal with CC then you need to get compliant and tha
# Exploit Title: ZDI-10-078: NovellZENworks Configuration Management
UploadServlet Remote Code Execution Vulnerability
# Date: 2009-04-26
# Author: tucanalamigo http://tucanalamigo.blogspot.com
# Software Link:
http://www.novell.com/products/zenworks/configurationmanagement/
# Version: 10.2
# Tes
Has everyone on this list read the PCI DSS requirements?
They are freely available, at www.pcisecuritystandards.org.
AV is about 4 requirements out of over 230 requirements, covering secure
coding/development, patching, network security, hardening systems, least
privilege, robust authentication, s
Your comparison doesn't work.
It's not A versus B, it's A versus C, with C being "Company does
nothing because it can't afford a thorough security program."
On Mon, Apr 26, 2010 at 2:07 PM, Michel Messerschmidt wrote:
> On Mon, Apr 26, 2010 at 06:02:48AM -0700, Shaqe Wan wrote:
>> I am not stati
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Debian Security Advisory DSA-2021-2 secur...@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
April 26, 2010
INVITATION
Note that we are entering the last few days to submit work to one of the
InfoWare 2010 events. Please consider to contribute and encourage your
team members and fellow scientists to contribute to the following
federated events.
The submission deadline is April 30, 2010.
Publisher:
There is a big difference between being secure and being compliant. If it's a
company's desire to be compliant, they may never be secure. However, if they
strive to be secure, they will always be compliant no matter what framework they
are chasing.
I agree... money spent on compliance is us
"Where did I say that it's a waste of time and money?"
Here you go:
"I 100% agree with you about most of the companies seek the paper work and
get PCI certified and don't really bother about true security measures, but
in the end if a breach is discovered they are the ones who shall get the
penalty
In short, you just said that PCI compliance _is_ a waste of time and money.
Why else would you protect something which is bound to fail anyway?!
This is a lost battle, as I said no one cares about the arguments because
these people fall into three categories:
-they believe the illusion that PCI b
Why are you saying "wasted money"? They didn't waste it, they allocated that
sum to cater for PCI compliance and they are still PCI compliant.
I.e., it is not wasted in the sense that they obtained what they wanted. The
point in question is, does PCI obtain what it should be?
However, as many alread
"Lastly, that is where you are wrong, there is no "base starting point"
companies don't give a shit about proper security measures, they get
PCI-certified and all security ends there.
That is the freaken problem."
Well, when this occurs, they are not compliant = Epic FAIL = wasted dollars.
i.e. t
Surely being forced to install an anti-virus only brings in a monopoly? How
do I know that PCI Standards writers are getting a nice commission off me
installing the anti-virus? (I know they don't, I'm just hypothesizing).
You stated it yourself, an anti-virus may not make any difference, it is there
Perhaps you haven't noticed, this is Full-Disclosure, which at least, is
used to discuss security measures.
As such, it is only natural to argue with PCI's possible security flaws.
Besides, in a democratic society (where CC do operate as well), you can't
"force" someone to install an anti-virus ju