PCI DSS v2.0 Change in Requirements 6.2 and 6.5.6

The PCI SSC is reminding QSAs that we’re just one month away from an important change to PCI DSS reporting requirements. June 30, 2012 is the day when aspects of Requirements 6.2 and 6.5.6 shift from a best practice to a requirement. The Council has mentioned a couple of simple, common-sense guidelines that will help organisations meet the new requirements.

  • Risk rankings should be based on standards or best practices
  • Risks should be classified by priority (e.g. high, moderate, low) to facilitate remediation

The requirements read as follows:

6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.
Notes:

  • Risk rankings should be based on industry best practices. For example, criteria for ranking “High” risk vulnerabilities may include a CVSS base score of 4.0 or above, and/or a vendor-supplied patch classified by the vendor as “critical,” and/or a vulnerability affecting a critical system component.
  • The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement.

[…]
6.5.6 [Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following:] All “High” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).
Note:

    This requirement is considered a best practice until June 30, 2012, after which it becomes a requirement.

The change in Requirement 6.2 is linked into other requirements:

2.2.b Verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.2.
[…]
10.4.a Verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2.
[…]
11.2.1.b Review the scan reports and verify that the scan process includes rescans until passing results are obtained, or all “High” vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.
[…]
11.2.3.b Review scan reports and verify that the scan process includes rescans until:

  • For external scans, no vulnerabilities exist that are scored greater than a 4.0 by the CVSS,
  • For internal scans, a passing result is obtained or all “High” vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.

In addition, the Council says that when 6.5.6 is applicable (pun not intended) because of application development, there now must be a test phase to find vulnerabilities classified as “High” risk.
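As an added illustration (not from the Council or from this post), the following Python turns the example “High” criteria quoted in the note to Requirement 6.2 into a ranking function and applies the rescan rule of 11.2.3.b to a constructed scan report. The Moderate/Low boundary, the field names and the sample findings are assumptions for the example; note that a finding scored exactly 4.0 is “High” under the 6.2 example criteria yet does not force an external rescan, which requires a score greater than 4.0.

```python
from dataclasses import dataclass
from typing import List, Optional

# Example "High" criteria quoted in the note to Requirement 6.2 (v2.0).
HIGH_CVSS_FLOOR = 4.0        # "a CVSS base score of 4.0 or above"
EXTERNAL_FAIL_ABOVE = 4.0    # 11.2.3.b: external scans fail on scores "greater than a 4.0"

@dataclass
class Finding:
    name: str
    cvss_base: Optional[float]             # None when the scanner supplies no CVSS score
    vendor_severity: Optional[str] = None  # vendor's classification of the related patch
    critical_component: bool = False       # affects a critical system component?
    resolved: bool = False

def rank(f: Finding) -> str:
    """6.2 risk ranking: any one of the three quoted example criteria yields "High".
    The Moderate/Low boundary is an assumption; the page gives no criteria for it."""
    if f.cvss_base is not None and f.cvss_base >= HIGH_CVSS_FLOOR:
        return "High"
    if (f.vendor_severity or "").strip().lower() == "critical":
        return "High"
    if f.critical_component:
        return "High"
    if f.cvss_base is not None and f.cvss_base >= 2.0:   # assumed tier boundary
        return "Moderate"
    return "Low"

def rescan_required(findings: List[Finding], scan_type: str) -> bool:
    """11.2.3.b rescan test for one scan report.
    external: any unresolved finding scored > 4.0 by CVSS forces a rescan;
    internal: any unresolved finding ranked "High" under 6.2 forces a rescan."""
    open_findings = [f for f in findings if not f.resolved]
    if scan_type == "external":
        return any(f.cvss_base is not None and f.cvss_base > EXTERNAL_FAIL_ABOVE
                   for f in open_findings)
    if scan_type == "internal":
        return any(rank(f) == "High" for f in open_findings)
    raise ValueError("scan_type must be 'internal' or 'external'")

# Constructed sample findings (not taken from any real scan report).
SAMPLE = [
    Finding("outdated-tls-cipher", cvss_base=4.0),     # High by 6.2, but not > 4.0
    Finding("vendor-critical-patch", cvss_base=3.1, vendor_severity="Critical"),
    Finding("info-banner", cvss_base=0.0),
    Finding("old-rce", cvss_base=9.3, resolved=True),  # already remediated
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.name:24s} -> {rank(f)}")
    print("external rescan:", rescan_required(SAMPLE, "external"))
    print("internal rescan:", rescan_required(SAMPLE, "internal"))
```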

At the Edge of the Abyss

Tablet Magazine has posted a book review for a new English version of At the Edge of the Abyss: A Concentration Camp Diary, 1943-1944.

Three things mark At the Edge of the Abyss as an utterly distinctive and unique work of Holocaust literature that must be read now that an English-language translation exists. First, the insider account of a camp; second, Koker’s literary and analytic abilities; and third, the only first-person report of an encounter between a Jew and Heinrich Himmler, head Nazi and overseer of all the camps.

[…]

Somehow, Koker also finds beauty inside the physical landscape of the camp. From one poem dated May 17, 1943: “The evening air so pure and intimate/ A sky that’s hazed in whiteness by the sun/ and trees with foliage in great profusion/ with glittering flecks of silver from the sun.” He is also occasionally magnificently insightful. Jan. 6, 1944: “The goal is neither happiness nor unhappiness. It’s the unfolding of human potential. The development of that piece of the universe that you represent, as it were, even when it happens at the expense of what people call the self and their own welfare. Actually, it always happens at their expense. By feeling a lot we expand the world.”

One of the interesting aspects of the story is how the diary survived. The original documents have been digitised and can be found online at the Koninklijke Bibliotheek, GeheugenVanNederland:

Oorlogsdagboek van Koker, David

Ubuntu 12.04 LTS released

I can’t say I’m fond of the Ubuntu move to a HUD (Head-Up Display), yet.

I’m still getting used to the “Dash home” search box that becomes only intermittently available (e.g. disappears over time after switching a laptop to different external monitors while running VMware Workstation in full screen mode). What happens when you lose your HUD…?

HUDless

On really large monitors, if your HUD decides to appear, it mockingly sits stuck to the upper left corner forcing you to constantly be running your focus back-and-forth across the screen(s). Menus on dual or quad 24″ screens used to be so convenient but the HUD is often far away from where you naturally look.

Another serious concern is that you have to constantly use an input field to find data. You have the problem of typing accidentally and exposing info, being fooled by a bogus HUD, having the HUD log monitored or mined… I haven’t seen anyone discussing the privacy implications of the input.

That being said, Ubuntu has announced the general availability of 12.04 LTS. It’s the logical progression from 10.04 LTS for servers that have no graphical interface but the desktop path may be less clear.

I have seen the direction Ubuntu is taking discussed as though someone is removing our wheels and telling us to fly before they have fully attached the wings. Who is really driving this thing? And then Gnome3 classic on Ubuntu 12.04 LTS isn’t classic so switching back isn’t a full option.

Meanwhile, LinuxMint continues to give an experience more in line with what people are used to, without proselytizing a UI. Ever wonder why DuckDuckGo has suddenly become so popular? It’s the default search engine on LinuxMint, so maybe, just maybe, it reflects the popularity of an OS with the classic menus?

It seems like a good time to wait and see how Ubuntu polishes their story and the interface. It might not be long before we say “there goes the HUD”. Note, there’s at least one other good reason to wait: after upgrading to Ubuntu 12.04 LTS, VMware Workstation 8.0.2 needs a vmware802fixlinux320.tar.gz patch to run again.

On a slightly related note, my impression of 12.04 has shifted after Shuttleworth’s comments on HUD. At first I was caught up in the heat of the moment from a new LTS release and new features… so I whipped up a little pangolin bling based on the 12.04 wallpapers. Here’s my initial remix of one of the (un)official selections:

Then, after a month or so of fighting with the intermittent Dash Home errors and developing workarounds for the new UI, I found myself thinking about a very different pangolin picture.