On 7/6/2010 5:34 PM, Whit Blauvelt wrote:
> On Tue, Jul 06, 2010 at 05:21:36PM -0400, John Hinton wrote:
>
>> My point is these 'security metrics' businesses that are paid, generally
>> by credit card companies, to do these software scans and don't ever do
>> these most basic checks. Not that my quoted text is the name of one of
>> these companies or anything. ;) I really feel the scans are just scams.
>> Pun intended.
>>
> As devil's advocate here, yes, the scans are far from thorough or complete.
> But there is a significant number of really insecure sites where they do
> flag some of that. The credit card companies aren't going for 100%
> perfection, any more than merchants go for 100% safety from shrinkage. They
> aren't trying to eliminate sites where credit card data is insecure (or
> stores that can be shoplifted from), just keep the incidence down to levels
> where they can afford to write off the losses.
>
> Between finding real security problems sometimes, and scaring sysadmins into
> at least thinking about it other times, they accomplish that. Meanwhile it's
> a PITA for competent sysadmins, for all the reasons discussed here, because
> the scans are worthless against a system with a good security design, giving
> false positives and not probing deeply enough to improve our occasionally
> half-assed practices. But we're just collateral damage to them. The main aim
> is to knock down some portion of the really bad apples, and keep their
> insurers and the government happy.
>
> Whit
>
You are right, Whit. It makes us think, and that is positive. The only other
good thing I can think of in all of this is that apparently someone has figured
out a way to get money out of a credit card company, and that is a huge feat
in itself! :) Unfortunately, we the consumers pay for that, too. :(

OK... I guess my old frustration with this is now vented.

John