* Posts by Sebastian Flothow

3 posts • joined 9 Jul 2007

Spanish firm brings 20MW solar ‘ranch’ online in Arizona

Sebastian Flothow

"power for around 3,400 homes a year"

That really should be "power for around 3,400 homes" PERIOD. After all, we're talking about power here, not energy. It's bad enough that PR folks and mainstream journalists fail to grasp basic concepts of physics; a technology-related publication really ought to do better.


Firms are RUBBISH at payment security

Sebastian Flothow

PCI DSS audit procedures are rubbish, too

I'm wondering if these statistics are actually worth anything ...

I've seen questionnaire-based PCI DSS audits where the auditors themselves didn't understand their own questionnaire, or demanded answers to questions which were not applicable to the situation (such as whether media containing payment data are handled by specially instructed staff during transport, when payment data isn't ever transported by physical media).

There was even one case where a truthful answer would have meant failing the audit, while the "correct" answer was obviously nonsensical: The audit form required my client to state that the systems processing credit card data are not connected to any other devices or networks, when in fact they were using a web-based transaction processing service (and the provider of this very service initiated the audit)! In the end, *the auditor knowingly told us to provide false information* in order to pass the audit.

So I guess even among the 21 % who pass are a number of companies who simply lie during the audits - sometimes at the auditor's request, as in the case I witnessed, but probably otherwise as well. This isn't very surprising either as they are often under the threat of having their payments - i.e. their revenue stream - cut off at short notice.

On the other hand, I guess among the other 79 % are quite a lot of companies that do have adequate security, yet made the mistake of answering the questionnaires honestly and were tripped up by some idiotic question.

BTW, there's a wonderful tale of an auditor demanding usernames and passwords for all employees of a company over at serverfault: http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants


Time to blacklist blacklists

Sebastian Flothow

Re: Don't bounce spam

There are two kinds of rejecting mail which need to be distinguished here:

- Accepting all mail first, and then sending a bounce when a message proves undesirable/undeliverable. This is indeed bad, as in the case of spam the bounce will go to a spoofed address.

- Refusing the message during the SMTP dialogue. This way, the receiving server never becomes responsible for delivery of the message, rather the sending server has to send the bounce. Ideally, unwanted messages will never leave their origin this way, rendering spoofed sender addresses ineffective.

So I hope Simon is using the second kind of rejecting.
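The two kinds of rejection described in the post above, as an added toy simulation that is not part of the original thread or of any real mail server. It models only the SMTP dialogue between a sending and a receiving MTA; the hostnames, addresses, the list of local mailboxes and the one-line spam heuristic are all made up for the demonstration. The same forged-sender spam is run through a server that refuses it with a 5xx reply during the dialogue and through one that accepts everything and sorts it out afterwards; only the second one ends up generating a bounce addressed to the forged sender.

```python
"""Toy model of in-dialogue rejection versus accept-then-bounce.

Constructed example: hostnames, addresses, mailbox list and the spam
heuristic are all invented for the demonstration.
"""

LOCAL_DOMAIN = "mx.example.test"                   # assumed receiving MX
KNOWN_USERS = {"alice@" + LOCAL_DOMAIN}            # assumed local mailboxes
SPAM_MARKERS = ("make money fast", "cheap pills")  # assumed content filter


def is_spam(body_lines):
    text = "\n".join(body_lines).lower()
    return any(marker in text for marker in SPAM_MARKERS)


def _addr(arg):
    """'FROM:<a@b>' or 'TO:<a@b>' -> 'a@b'"""
    return arg.split(":", 1)[1].strip().strip("<>").lower()


class ToyReceivingMta:
    """Server side of one SMTP transaction (basic RFC 5321 verbs only).

    reject_in_dialogue=True  -> refuse with 5xx at RCPT / end-of-DATA time
    reject_in_dialogue=False -> accept everything, then bounce what fails
    """

    def __init__(self, reject_in_dialogue):
        self.reject_in_dialogue = reject_in_dialogue
        self.mail_from, self.rcpts, self.body = None, [], None
        self.queued = []    # messages this server took responsibility for
        self.bounces = []   # DSNs this server generated itself (backscatter)

    def greeting(self):
        return "220 %s ESMTP" % LOCAL_DOMAIN

    def handle(self, line):
        if self.body is not None:                 # inside DATA
            if line != ".":
                self.body.append(line)
                return ""                         # no reply per body line
            return self._end_of_data()
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 %s" % LOCAL_DOMAIN
        if verb == "MAIL":
            self.mail_from, self.rcpts = _addr(arg), []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = _addr(arg)
            if rcpt not in KNOWN_USERS and self.reject_in_dialogue:
                return "550 5.1.1 No such user here"   # sender keeps the message
            self.rcpts.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 No valid recipients"
            self.body = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognised"

    def _end_of_data(self):
        body, self.body = self.body, None
        if self.reject_in_dialogue and is_spam(body):
            return "550 5.7.1 Message rejected as spam"
        # From here on this server owns the message; any later failure can
        # only be reported by a DSN to MAIL FROM, which spam usually forges.
        self.queued.append((self.mail_from, tuple(self.rcpts), tuple(body)))
        problems = [r for r in self.rcpts if r not in KNOWN_USERS]
        if is_spam(body):
            problems.append("spam detected after acceptance")
        if problems:
            self.bounces.append({"to": self.mail_from, "reasons": problems})
        return "250 2.0.0 Queued"


def deliver(server, mail_from, rcpt_to, body_lines):
    """Minimal sending MTA: gives up at the first 4xx/5xx reply.

    Returns (transcript, handed_off). When handed_off is False the sending
    side still holds the message and is the one that would have to bounce it.
    """
    transcript = ["S: " + server.greeting()]

    def send(cmd):
        reply = server.handle(cmd)
        transcript.append("C: " + cmd)
        if reply:
            transcript.append("S: " + reply)
        return reply

    for cmd in ("EHLO client.example.net", "MAIL FROM:<%s>" % mail_from,
                "RCPT TO:<%s>" % rcpt_to, "DATA"):
        if send(cmd)[0] not in "23":
            send("QUIT")
            return transcript, False
    for line in body_lines:
        send(line)
    handed_off = send(".").startswith("250")
    send("QUIT")
    return transcript, handed_off


# Constructed spam run: forged MAIL FROM, non-existent recipient, spammy body.
FORGED_SENDER = "innocent@example.org"
SPAM_BODY = ["Subject: hi", "", "Make money fast!"]


def compare_strategies():
    """Run the same spam through both server flavours; report what each did."""
    results = {}
    for name, flag in (("reject_in_dialogue", True), ("accept_then_bounce", False)):
        mta = ToyReceivingMta(reject_in_dialogue=flag)
        transcript, handed_off = deliver(mta, FORGED_SENDER,
                                         "nobody@" + LOCAL_DOMAIN, SPAM_BODY)
        results[name] = {"handed_off": handed_off,
                         "bounces_to": [b["to"] for b in mta.bounces],
                         "transcript": transcript}
    return results


if __name__ == "__main__":
    for name, r in compare_strategies().items():
        print("== %s: handed_off=%s bounces_to=%s" % (name, r["handed_off"], r["bounces_to"]))
        print("\n".join(r["transcript"]))
```

Running it prints both dialogues: the rejecting server answers `550 5.1.1` at `RCPT TO` and the client never sends the body, so nothing is queued and no bounce exists; the accepting server answers `250 Queued`, discovers the problem afterwards and generates a bounce to `innocent@example.org`, the forged address. The same split applies to content filtering: with `reject_in_dialogue=True` a spammy body to a real mailbox gets `550 5.7.1` after the final `.` and again stays the sender's problem.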



Biting the hand that feeds IT © 1998–2017