Re: Comments on the Draft

vcerf@NRI.Reston.VA.US Wed, 24 October 1990 23:51 UTC

Received: from nri by NRI.NRI.Reston.VA.US id ab15355; 24 Oct 90 19:51 EDT
To: Marty Schoffstall <schoff@psi.com>
cc: spwg@NRI.Reston.VA.US
Subject: Re: Comments on the Draft
In-reply-to: Your message of Tue, 23 Oct 90 18:42:40 -0400. <9010232242.AA12120@psi.com>
Date: Wed, 24 Oct 1990 19:45:39 -0400
From: vcerf@NRI.Reston.VA.US
Message-ID: <9010241951.ab15355@NRI.NRI.Reston.VA.US>

Marty,

I suppose we could label this Internet Security Practice.

I think it is correct that users are or ought to be accountable
for their behavior - but I think this is just a general statement
about personal responsibility. I do not agree with your conclusion
that such a statement allows organizations to escape culpability.
If we said that ONLY individual users were responsible, then your
observation would make more sense to me, but we didn't say that.
Maybe we should also say something about the responsibility of
organizations since, later in the text, I think the notion of
organizational responsibility shows up.

I did not follow your comment about being in deep yogurt if you
cooperated with enforcement agencies using a part time network
manager - the status of the manager as part time seems to
be irrelevant? As to corporations and universities that have
policy not to assist - this could use some back up - can you
provide some examples? Most of the telephone companies actually
have a policy of working together in security matters, including
informing each other of what they find on public bulletin boards
as to account numbers, passwords and the like.

Vint