[59930] in North American Network Operators' Group
Re: OT: Re: User negligence?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sun Jul 27 01:08:42 2003
To: Len Rose <len@netsys.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Sun, 27 Jul 2003 00:56:28 EDT."
<20030727045628.GA6646@netsys.com>
From: Valdis.Kletnieks@vt.edu
Date: Sun, 27 Jul 2003 01:08:05 -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Sun, 27 Jul 2003 00:56:28 EDT, Len Rose <len@netsys.com> said:
> I humbly disagree. It is not user negligence, but rather negligence on
> behalf of the entity's systems team, or perhaps the entity's failure
> to support their own systems team by hiring competent staff instead
> of relying on people who play office politik or look nice in a suit
> and tie. Users are not expected to secure their machines, or
> even barely know more than how to use a handful of applications.
> In the bank's case hopefully they are supposed to be financial experts.
Right. The problem was that it was exactly that clueless *USER* machine that
got trojaned.
So for instance, if you are one of the people who got burned by the recent
Kinko key-sniffer hacks, and the hacker used the info to log on to your bank
account, in what way is the bank liable? What *realistic* steps is the bank
supposed to take? (Hint - what percentage of *security professionals* use an
S/Key or similar for remote logins?)