[CentOS] security compliance vs. old software versions

Tue Jul 6 21:44:41 UTC 2010
John Hinton <webmaster at ew3d.com>

On 7/6/2010 5:34 PM, Whit Blauvelt wrote:
> On Tue, Jul 06, 2010 at 05:21:36PM -0400, John Hinton wrote:
>
>    
>> My point is these 'security metrics' businesses that are paid, generally
>> by credit card companies, to do these software scans and don't ever do
>> these most basic checks. Not that my quoted text is the name of one of
>> these companies or anything. ;) I really feel the scans are just scams.
>> Pun intended.
>>      
> As devil's advocate here, yes the scans are far from thorough or complete.
> But there is a significant number of really insecure sites where they do
> flag some of that. The credit card companies aren't going for 100%
> perfection, any more than merchants go for 100% safety from shrinkage. They
> aren't trying to eliminate sites where credit card data is insecure (or
> stores that can be shoplifted from), just keep the incidence down to levels
> where they can afford to write off the losses.
>
> Between finding real security problems sometimes, and scaring sysadmins into
> at least thinking about it other times, they accomplish that. Meanwhile it's
> a PITA for competent sysadmins, for all the reasons discussed here, because
> the scans are worthless against a system with a good security design, giving
> false positives and not probing deeply enough to improve our occasionally
> half-assed practices. But we're just collateral damage to them. The main aim
> is to knock down some portion of the really bad apples, and keep their
> insurers and the government happy.
>
> Whit
>    
You are right Whit. It makes us think and that is positive.

The only other good thing I can think of in all of this is that apparently 
someone has figured out a way to get money out of a credit card company, 
and that is a huge feat in itself! :) Unfortunately, we the consumers 
pay for that, too. :(

OK... I guess my old frustration with this is now vented.

John