On Sun, 27 Jul 2003 00:56:28 EDT, Len Rose <len@netsys.com> said:
I humbly disagree. It is not user negligence, but rather negligence on behalf of the entity's systems team, or perhaps the entity's failure to support their own systems team by hiring competent staff instead of relying on people who play office politik or look nice in a suit and tie. Users are not expected to secure their machines, or even barely know more than how to use a handful of applications. In the bank's case hopefully they are supposed to be financial experts.
Right. The problem was that it was exactly that clueless *USER* machine that got trojaned. So for instance, if you are one of the people who got burned by the recent Kinko key-sniffer hacks, and the hacker used the info to log on to your bank account, in what way is the bank liable? What *realistic* steps is the bank supposed to take? (Hint - what percentage of *security professionals* use an S/Key or similar for remote logins?)