North American Network Operators Group


Re: OT: Re: User negligence?

  • From: Valdis.Kletnieks
  • Date: Sun Jul 27 01:10:24 2003

On Sun, 27 Jul 2003 00:56:28 EDT, Len Rose <[email protected]>  said:

> I humbly disagree. It is not user negligence, but rather negligence on 
> behalf of the entity's systems team, or perhaps the entity's failure 
> to support their own systems team by hiring competent staff instead
> of relying on people who play office politik or look nice in a suit 
> and tie. Users are not expected to secure their machines, or
> even barely know more than how to use a handful of applications. 
> In the bank's case hopefully they are supposed to be financial experts.

Right.  The problem was that it was exactly that clueless *USER* machine that
got trojaned.

So for instance, if you are one of the people who got burned by the recent
Kinko key-sniffer hacks, and the hacker used the info to log on to your bank
account, in what way is the bank liable?  What *realistic* steps is the bank
supposed to take? (Hint - what percentage of *security professionals* use an
S/Key or similar for remote logins?)
