SCIENTIFIC-LINUX-USERS Archives

April 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Paul Robert Marino <[log in to unmask]>
Reply To: Paul Robert Marino <[log in to unmask]>
Date: Wed, 9 Apr 2014 10:27:22 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (114 lines)

No, it was always required, because the shopping cart itself may in some
cases contain data which could possibly be used to gain access to
sensitive customer data. Also, in a sense, data about who purchases what
and where could also be used to mask credit card fraud by making the
fraudulent charges look like the normal shopping activities of the
card holder.


Finally, even if there weren't upstream standards referenced in PCI
which require signed, verified binaries, let's talk about the legal
ramifications of not paying for support on systems containing
sensitive data.

If you did have a breach because of a compromised binary and in the
aftermath you can say "The box was running RHEL, and was fully up to
date at the time of the breach. We've reported the issue to Red Hat
and they are currently investigating the cause and how to fix it,"
well, then you are done, because you have done everything that can be
reasonably expected of you as a systems administrator. If you say the
box was running distro X and we do not have a support contract with
them because they do not offer such an option, you will be asked one
simple question: "Who decided to store sensitive information on a box
running Distro X?" If the answer is you did, then you and your company
are now legally responsible. If the answer is that other guy, he and
your company are now legally responsible. Even if Distro X is
identical to RHEL in every way and the box was fully updated, it
doesn't matter, because in the eyes of the credit card companies, the
lawyers, and the court you made a conscious choice to save money by not
buying support, which put the customer data at risk, and you know what,
they are right. There is a lag time in getting patches, and if you
don't pay for support on critical systems then you have no way of
ensuring that any vulnerabilities in the binaries you find or someone
else finds on your box get fixed in a timely manner.

While I often contribute patches upstream to projects to fix bugs I
find, I'm not an expert in every programming language and every subtle
aspect of every protocol and operation my systems run, and no one person
is. By paying for support you are really paying for a large group of
experts who, when all added up, are as close as possible to experts on
every aspect of the OS, whom you can call for help when you need them.

On Wed, Apr 9, 2014 at 8:13 AM, James M. Pulver <[log in to unmask]> wrote:
> We were recently informed PCI compliance also extends to the shopping cart
> software, this may be new this year...
>
>
>
> --
>
> James Pulver
>
> CLASSE Computer Group
>
> Cornell University
>
>
>
> From: [log in to unmask]
> [mailto:[log in to unmask]] On Behalf Of Paul
> Robert Marino
> Sent: Tuesday, April 08, 2014 11:26 PM
> To: Nico Kadel-Garcia; ToddAndMargo
> Cc: Scientific Linux Users
> Subject: Re: Any 7 rumors?
>
>
>
> Well, frankly, if you need PCI-DSS compliance, pay for RHEL. It's honestly not
> that expensive for the few systems that really require it. Only the
> systems that handle credit cards supposedly require it, and in most
> ecommerce companies that's probably 2 to 4 systems, so what's the problem
> with paying $750 a year each for those few systems to not have to deal with
> the problems and giving the stock investors a warm and fuzzy feeling? Your
> time spent on it costs them more money, and it reduces all the stress on
> everyone if you buy compliance on the cheap.
>
>
> -- Sent from my HP Pre3
>
>
>
> ________________________________
>
> On Apr 8, 2014 22:55, Nico Kadel-Garcia <[log in to unmask]> wrote:
>
> On Tue, Apr 8, 2014 at 10:14 PM, ToddAndMargo <[log in to unmask]> wrote:
>> Hi All,
>>
>> I have a customer who is going to have to upgrade a
>> whole pail of stuff for PCI compliance (credit card
>> security).
>>
>> Part of what he is going to have upgrade is his old
>> CentOS 5.x server (it is too underpowered to handle
>> his new software along with the addition drag
>> caused by adding File Integrity Monitoring
>> [FIM] Software).
>>
>> Any rumors as to when EL 7 will be out?
>>
>> Many thanks,
>> -T
>
> Shortly after our favorite upstream vendor publishes it? I don't see
> the relevance though. If he needs to update CentOS 5, update it to SL
> 6 or CentOS 6. Why wait for RHEL 7 to update? It's going to be a major
> cluster futz with the switch to systemd from init scripts, with
> "/bin" being migrated to "/usr/bin", and the other major changes. It
> will be much simpler, and much, much safer, to update to CentOS 6 or
> SL 6 first!
