Date:      Wed, 13 Dec 2017 06:10:36 +1100
From:      Michelle Sullivan <michelle@sorbs.net>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        Yuri <yuri@rawbw.com>, Igor Mozolevsky <mozolevsky@gmail.com>, freebsd security <freebsd-security@freebsd.org>
Subject:   Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID:  <5A3029AC.8040203@sorbs.net>
In-Reply-To: <86h8swgnwk.fsf@desk.des.no>
References:  <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <20171205231845.5028d01d@gumby.homeunix.com> <CADWvR2gVn8H5h6LYB5ddwUHYwDtiLCuYndsXhJywi7Q9vNsYvw@mail.gmail.com> <20171210173222.GF5901@funkthat.com> <CADWvR2iGQOtcU=FnU-fNsso2eLCCQn=swnOLoqws+33V8VzX1Q@mail.gmail.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <CADWvR2j_LLEPKnSynRRmP4LG3mypdkNitwg+7vSh=iuJ=JU09Q@mail.gmail.com> <fd888f6b-bf16-f029-06d3-9a9b754dc676@rawbw.com> <CADWvR2jnxVwXmTA9XpZhGYnCAhFVifqqx2MvYeSeHmYEybaNnA@mail.gmail.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <CADWvR2gkFGY8CH5L7N67z8mfOux=Vjv8eobpK=pOpCKW3ysAkA@mail.gmail.com> <913910fb-723b-e450-8f02-4c26b3c15287@rawbw.com> <CADWvR2hR2-DPayNVOUvTxMQ=tj7YpotVzKFHGQFPoC5ZGDvnNA@mail.gmail.com> <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com> <5A2DB9F8.1040301@sorbs.net> <86h8swgnwk.fsf@desk.des.no>

Dag-Erling Smørgrav wrote:
> Michelle Sullivan <michelle@sorbs.net> writes:
>> User gets an email saying his banking details are compromised, and to
>> update them now.  User clicks the link and gives banking details to
>> phishing site as well as having a keylogger and rootkit installed
>> during the process.  User has bank account hacked.  Where did the bank
>> go wrong?
> Banks and financial institutions have whole teams working 24/7

Not outside of Europe (and those that do are not large).

> , usually
> in cooperation with national authorities, to detect, investigate and
> shut down phishing campaigns, and to warn customers (either directly or
> through mass media) of particularly large or well-executed campaigns.

No.

> In the EU and EEA, banks are liable for losses in excess of €150 unless
> the customer acted “with intent or gross negligence”, but the definition
> of “gross negligence” is fluid.  Legal precedent in Norway is to hold
> the customer liable only if the email was “an obvious forgery”, for some
> definition of “obvious”.

Maybe that will change stuff.

> TL;DR: yes, banks are held liable for losses attributable to phishing.

No, and I can tell you I had a discussion with some unnamed bank (but
very well known, very very very well known) online security managers and
I said to them, hold the users responsible for 419-type spams.  The
response was a resounding 'no', and not because of regulation, but
purely because they were worried about losing market share to other
banks through bad publicity!
>
> Source: I do this for a living (although not at a bank).
>
> DES

So do I; I have been in the business I am in since 2000, and a lot of
what I do and for whom I can't even mention.  What I can tell you is I
built SORBS, I still run SORBS and I still work closely with LEOs and
banks (amongst others) dealing with online security for the company that
now owns SORBS.

This is getting way off-topic though.  The topic is about forcing the
use of https over http in the name of 'securing' an inherently insecure
and compromised network, in the name of privacy for a couple of people.
Wrong solution, for the wrong reasons.  svn over https is already
available; those people who believe it gives security should use it and
get out of other people's business.  If they really want to make an
impact on the perceived problem they should target the malicious actors
and the use of Tor as a pseudo-secure platform (i.e. the few that would
use http over Tor for downloading source and don't know the dangers
should probably learn, or not use Tor in the first place!)

Regards,

Michelle
