Re: The PCI sky *isn't* falling!

["Alex Eckelberry" <AlexE () sunbelt-software com>]

I agree, PCI is a stupid, idiotic standard but it does force some basic
best practices.  

But to think it's a fix is "whistling past the graveyard". 

Alex
 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Anton Chuvakin
Sent: Monday, March 23, 2009 8:01 PM
To: funsec () linuxbox org
Subject: Re: [funsec] The PCI sky *isn't* falling!

> same answer: "I don't participate in security theater." I think this

First, I am amazed how people so intelligent can hold opinions so
shortsighted :-)

I'd say that PCI DSS did more to information security than *anything
else* since Windows added automated updates.

Now, I've said it :-)

But if you are looking for a proof of this,  it is actually elsewhere:
that mentioned "security theater" actually made people who were
COMPLETELY ignoring security look at security - and then screw it up.
And you know what? I think such motion from total ignorance to doing "a
piss-poor job" of security represents a huge progress for such, mostly
small, organizations.

Now, some might say that my argument is of the type "Why do 99% of
lawyers give the rest a bad name?", but it is not. I am pretty sure that
even companies that "do it just the auditor" or, worse, deceive their
PCI assessor still gain a tiny fraction of risk reduction, both for
themselves - and for the rest of us.

-- 
    Anton Chuvakin, Ph.D
   http://www.chuvakin.org
http://chuvakin.blogspot.com
  http://www.info-secure.org
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.