On Sun, 27 Jul 2003 00:56:28 EDT, Len Rose <[EMAIL PROTECTED]> said:
> I humbly disagree. It is not user negligence, but rather negligence on
> behalf of the entity's systems team, or perhaps the entity's failure
> to support their own systems team by hiring competent staff instead
> of relying on people who play office politik or look nice in a suit
> and tie. Users are not expected to secure their machines, or
> even barely know more than how to use a handful of applications.
> In the bank's case hopefully they are supposed to be financial experts.

Right. The problem was that it was exactly that clueless *USER* machine that got trojaned.

So for instance, if you are one of the people who got burned by the recent Kinko key-sniffer hacks, and the hacker used the info to logon to your bank account, in what way is the bank liable? What *realistic* steps is the bank supposed to take? (Hint - what percentage of *security professionals* use an S/Key or similar for remote logins?)